Merged PR 2907: Merge wdeg-misha to master

Launch of Windows Defender Exploit Guard content (and some minor updates to WDAV and WDSC content)

windows/threat-protection/TOC.md

@@ -143,6 +143,36 @@
 #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
 #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
 
+
+
+## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
+### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
+#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
+#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
+
+### [Exploit Protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
+#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
+#### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
+#### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md)
+#### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md)
+##### [Import, export, and deploy Exploit Protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
+### [Attack Surface Reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
+#### [Evaluate Attack Surface Reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
+#### [Enable Attack Surface Reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
+#### [Customize Attack Surface Reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
+### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
+#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
+#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
+### [Controlled Folder Access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
+#### [Evaluate Controlled Folder Access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
+#### [Enable Controlled Folder Access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
+#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+
+
+
+
+
+
 ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
 ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
 ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)

windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md

@@ -11,6 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
 ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Reference topics for management and configuration tools

windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md

@@ -10,6 +10,9 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+
 ---
 
 # Configure scanning options in Windows Defender AV

windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure the cloud block timeout period

windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure end-user interaction with Windows Defender Antivirus

windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Prevent or allow users to locally modify Windows Defender AV policy settings

windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure and validate network connections for Windows Defender Antivirus

windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure the notifications that appear on endpoints

windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure behavioral, heuristic, and real-time protection

windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Configure Windows Defender Antivirus features

windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Customize, initiate, and review the results of Windows Defender AV scans and remediation

windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Deploy, manage, and report on Windows Defender Antivirus

windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Deploy and enable Windows Defender Antivirus

windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment

windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Detect and block Potentially Unwanted Applications

windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Enable cloud-delivered protection in Windows Defender AV

windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Evaluate Windows Defender Antivirus protection

windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage event-based forced updates

windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md

@@ -11,6 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
 ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage updates and scans for endpoints that are out of date

windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage the schedule for when protection updates should be downloaded and applied

windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md

@@ -11,6 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
 ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage the sources for Windows Defender Antivirus protection updates

windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage Windows Defender Antivirus updates and apply baselines

windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Manage updates for mobile devices and virtual machines (VMs)

windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Prevent users from seeing or interacting with the Windows Defender AV user interface

windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Report on Windows Defender Antivirus protection

windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Review Windows Defender AV scan results

windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Specify the cloud-delivered protection level

windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Use Group Policy settings to configure and manage Windows Defender AV

windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV

windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Use PowerShell cmdlets to configure and manage Windows Defender AV

windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV

windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus

windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Windows Defender Antivirus in Windows 10 and Windows Server 2016

windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 # Run and review the results of a Windows Defender Offline scan

windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 

windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md

@@ -7,8 +7,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: iawilt
+ms.author: macapara
-author: iaanw
+author: mjcaparas
 ms.localizationpriority: high
 ---
 

windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md

@@ -7,8 +7,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: iawilt
+ms.author: macapara
-author: iaanw
+author: mjcaparas
 ms.localizationpriority: high
 ---
 

windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -0,0 +1,108 @@
+---
+title: Use Attack Surface Reduction rules to prevent malware infection
+description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
+keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Reduce attack surfaces with Windows Defender Exploit Guard 
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview 
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
+
+- Executable files and scripts used in Office apps or web mail that attempt to download or run files
+- Scripts that are obfuscated or otherwise suspicious
+- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
+
+When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
+
+
+
+## Requirements
+
+The following requirements must be met before Attack Surface Reduction will work:
+
+Windows 10 version | Windows Defender Antivirus
+- | -
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+
+
+## Review Attack Surface Reduction events in Windows Event Viewer
+
+You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited):
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
+
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+2. On the left panel, under **Actions**, click **Import custom view...**
+
+    ![](images/events-import.gif)
+
+3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
+
+ Event ID | Description
+-|-
+5007 | Event when settings are changed
+1122 | Event when rule fires in Audit-mode 
+1121 | Event when rule fires in Block-mode 
+
+
+
+### Event fields
+
+- **ID**: matches with the Rule-ID that triggered the block/audit.
+- **Detection time**: Time of detection
+- **Process Name**: The process that performed the "operation" that was blocked/audited
+- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
+
+
+ ## In this section
+
+Topic | Description 
+---|---
+[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
+[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
+[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. 
+

windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md

@@ -0,0 +1,82 @@
+---
+title: Test how Windows Defender EG features will work in your organization
+description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled
+keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+# Use audit mode to evaluate Windows Defender Exploit Guard features
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
+
+You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+
+While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
+
+You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. 
+
+You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
+
+
+
+Audit options | How to enable audit mode | How to view events
+- | - | -
+Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
+Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
+
+
+You can also use the a custom PowerShell script that enables the features in audit mode automatically:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine.
+
+1. Type **powershell** in the Start menu.
+
+2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
+
+3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode:
+    ```PowerShell
+    Set-ExecutionPolicy Bypass -Force
+    <location>\Enable-ExploitGuardAuditMode.ps1
+   ```
+
+      Replace \<location> with the folder path where you placed the file. 
+      
+      A message should appear to indicate that audit mode was enabled.
+
+
+## Related topics
+
+Topic | Description 
+---|---
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) 
+- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) 
+- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)
+
+
+

windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md

@@ -0,0 +1,99 @@
+---
+title: Prevent ransomware and other threats from encrypting and changing important files
+description: Files in default folders, such as Documents and Desktop, can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files.
+keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Protect important folders with Controlled Folder Access
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. 
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
+
+This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
+
+A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+
+As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled.
+
+
+
+## Requirements
+
+The following requirements must be met before Controlled Folder Access will work:
+
+Windows 10 version | Windows Defender Antivirus
+-|-
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+
+
+## Review Controlled Folder Access events in Windows Event Viewer
+
+You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+
+2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+3. On the left panel, under **Actions**, click **Import custom view...**
+
+    ![](images/events-import.gif)
+
+4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1124 | Audited Controlled Folder Access event
+1123 | Blocked Controlled Folder Access event
+
+
+ ## In this section
+
+Topic | Description 
+---|---
+[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created.
+[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network
+[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.

windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md

@@ -0,0 +1,94 @@
+---
+title: Configure how ASR works so you can finetune the protection in your network
+description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
+keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+# Customize Attack Surface Reduction
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
+
+This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
+
+You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
+
+## Exclude files and folders
+
+You can exclude files and folders from being evaluated by Attack Surface Reduction rules. 
+
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
+
+### Use Group Policy to exclude files and folders
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
+
+6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
+
+### Use PowerShell to exclude files and folderss
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
+    ```
+
+Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. 
+
+
+>[!IMPORTANT]
+>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+
+### Use MDM CSPs to exclude files and folders
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
+
+
+
+## Customize the notification
+
+See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+
+
+
+## Related topics
+
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
+- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
+- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
+

windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md

@@ -0,0 +1,194 @@
+---
+title: Add additional folders and apps to be protected by Windows 10
+description: Add additional folders that should be protected by Controlled Folder Access, or whitelist apps that are incorrectly blocking changes to important files.
+keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Customize Controlled Folder Access
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
+
+- [Add additional folders to be protected](#protect-additional-folders)
+- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
+
+ ## Protect additional folders
+
+Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
+
+You can add additional folders to be protected, but you cannot remove the default folders in the default list.
+
+Adding other folders to Controlled Folder Access can be useful, for example, if you don’t store files in the default Windows libraries or you’ve changed the location of the libraries away from the defaults.
+
+You can also enter network shares and mapped drives, but environment variables and wildcards are not supported. 
+
+You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
+
+### Use the Windows Defender Security Center app to protect additional folders
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+    ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
+    
+3.	Under the **Controlled folder access** section, click **Protected folders**
+
+4. Click **Add a protected folder** and follow the prompts to add apps.
+
+    ![](images/cfa-prot-folders.png)
+
+ 
+### Use Group Policy to protect additional folders
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
+
+6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.
+
+> [!IMPORTANT]
+> Environment variables and wildcards are not supported. 
+
+
+### Use PowerShell to protect additional folders
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
+    ```
+
+
+Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
+
+
+![](images/cfa-allow-folder-ps.png)
+
+
+>[!IMPORTANT]
+>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+
+### Use MDM CSPs to protect additional folders
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. 
+
+
+
+ ## Allow specifc apps to make changes to controlled folders
+
+You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you’re finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature. 
+
+>[!IMPORTANT]
+>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.
+>You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
+
+
+You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
+
+When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled Folder Access.
+
+### Use the Windows Defender Security app to whitelist specific apps
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+    ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
+    
+3.	Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
+
+4. Click **Add an allowed app** and follow the prompts to add apps.
+
+    ![](images/cfa-allow-app.png)
+
+### Use Group Policy to whitelist specific apps
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
+
+6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
+
+
+
+### Use PowerShell to whitelist specific apps
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be whitelisted, including the path>"
+    ```
+
+    For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows:
+
+    ```PowerShell
+    Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
+    ```
+
+Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
+
+
+![](images/cfa-allow-app-ps.png)
+
+
+>[!IMPORTANT]
+>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+
+
+
+### Use MDM CSPs to whitelist specific apps
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. 
+
+## Customize the notification
+
+See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+
+## Related topics
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) 
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md

@@ -0,0 +1,260 @@
+---
+title: Enable or disable specific mitigations used by Exploit Protection
+keywords: exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
+description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+# Customize Exploit Protection
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+
+Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
+
+ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+ 
+You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
+
+ This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
+
+It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
+
+
+## Exploit Protection mitigations
+
+All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
+
+You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table.
+
+For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
+
+Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
+- | - | - | -
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On** | No
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No
+Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes
+Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes
+Block remote images | Prevents loading of images from remote devices. | App-level only | Yes
+Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes
+Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes
+Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No
+Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes
+Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes
+Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes
+
+
+
+
+### Configure system-level mitigations with the Windows Defender Security Center app
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
+
+    ![](images/wdsc-exp-prot.png)
+        
+3.	Under the **System settings** section, find the mitigation you want to configure and select either:
+    - **On by default**
+    - **Off by default**
+    -**Use default**
+
+    >[!NOTE]
+    >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
+
+    Changing some settings may required a restart, which will be indicated in red text underneath the setting.
+
+    ![](images/wdsc-exp-prot-sys-settings.png)
+
+4. Repeat this for all the system-level mitigations you want to configure.
+
+You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. 
+
+Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
+
+
+### Configure app-specific mitigations with the Windows Defender Security Center app
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
+
+    ![](images/wdsc-exp-prot.png)
+
+    
+3.	Go to the **Program settings** section and choose the app you want to apply mitigations to:
+
+    1. If the app you want to configure is already listed, click it and then click **Edit**
+    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
+        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
+        ![](images/wdsc-exp-prot-app-settings.png)
+
+
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
+
+5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+
+    ![](images/wdsc-exp-prot-app-settings-options.png)
+
+You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. 
+
+Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
+
+
+ ## PowerShell reference
+
+ You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets.
+
+ The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
+
+ >[!IMPORTANT]
+ >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden.
+
+
+ You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
+
+```PowerShell
+Get-ProcessMitigation -Name processName.exe 
+```
+
+ Use `Set` to configure each mitigation in the following format:
+
+ ```PowerShell
+Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
+```
+
+
+Where:
+
+- \<Scope>:
+    - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+    - `-System` to indicate the mitigation should be applied at the system level
+- \<Action>:
+    - `-Enable` to enable the mitigation
+    - `-Disable` to disable the mitigation
+- \<Mitigation>:
+    - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma.
+
+
+ For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
+
+ ```PowerShell
+Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
+```
+
+ >[!IMPORTANT]
+ >Seperate each mitigation option with commas.
+
+ If you wanted to apply DEP at the system level, you'd use the following command:
+
+ ```PowerShell
+Set-Processmitigation -System -Enable DEP
+```
+
+ To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.
+
+ If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example:
+
+  ```PowerShell
+Set-Processmitigation -Name test.exe -Remove -Disable DEP
+```
+
+
+  You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. 
+
+ For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
+
+ ```PowerShell
+Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
+```
+
+You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
+
+### PowerShell reference table
+
+This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. 
+
+<a id="cmdlets-table"></a>
+
+
+Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
+- | - | - | -
+Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available
+Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available
+Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocate  | Audit not available
+Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
+Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
+Validate heap integrity | System and app-level |   TerminateOnHeapError  | Audit not available
+Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode 
+Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad 
+Block remote images | App-level only |   BlockRemoteImages  | Audit not available 
+Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly 
+Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned 
+Disable extension points | App-level only |   ExtensionPoint  | Audit not available
+Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
+Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
+Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available 
+Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available 
+Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available 
+Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available 
+Validate handle usage | App-level only |   StrictHandle  | Audit not available
+Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available 
+Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available 
+
+
+
+<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
+
+```PowerShell
+Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll 
+```
+
+
+## Customize the notification
+
+See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Enable Exploit Protection](enable-exploit-protection.md)
+- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)

windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md

@@ -0,0 +1,46 @@
+---
+title: Compare the features in Exploit Protection with EMET
+keywords: emet, enhanced mitigation experience toolkit, configuration, exploit
+description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview, build 16232 and later
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+
+
+
+We're still working on this content and will have it published soon!
+
+
+
+Check out the following topics for more information about Exploit Protection:
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Enable Exploit Protection](enable-exploit-protection.md)
+- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)

windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -0,0 +1,120 @@
+---
+title: Enable ASR rules individually to protect your organization
+description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques
+keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+# Enable Attack Surface Reduction 
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
+
+
+
+## Enable and audit Attack Surface Reduction rules
+
+You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
+
+For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+Attack Surface Reduction rules are identified by their unique rule ID. 
+
+Rule IDs willl be populated on machines that are enrolled in an E5 license. These machines will also properly report their Attack Surface Reduction rule history in the Windows Defender Security Center web console. 
+
+You can also manually add the rules from the following table:
+
+Rule description | GUIDs 
+-|-
+Block executable content from email client and webmail. | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block Office applications from creating executable content  | 3B576869-A4EC-4529-8536-B80A7769E899
+Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
+Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+
+See the [Evaluate Attack Surface Reduction rules](evaluate-attack-surface-reduction.md) topic for details on each rule.
+
+### Use Group Policy to enable Attack Surface Reduction rules
+
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
+
+6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
+    - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+        -  Block mode = 1
+        -  Disabled = 0
+        -  Audit mode = 2
+
+
+        ![](images/asr-rules-gp.png)
+
+
+        
+
+ ### Use PowerShell to enable Attack Surface Reduction rules
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>
+    ```
+    
+You can enable the feature in audit mode using the following cmdlet:
+
+```PowerShell
+Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
+```
+
+Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
+
+
+
+### Use MDM CSPs to enable Attack Surface Reduction rules
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
+
+
+ 
+
+## Related topics
+
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
+- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md)
+- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md

@@ -0,0 +1,108 @@
+---
+title: Turn on the protected folders feature in Windows 10
+keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
+description: Learn how to protect your important files by enabling Controlled Folder Access
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Enable Controlled Folder Access
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). 
+
+
+## Enable and audit Controlled Folder Access
+
+You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
+
+For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+
+### Use the Windows Defender Security app to enable Controlled Folder Access
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
+
+    ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
+    
+3.	Set the switch for the feature to **On**
+
+    ![](images/cfa-on.png)
+
+### Use Group Policy to enable Controlled Folder Access
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
+
+6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
+    - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
+    - **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
+    - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+
+
+        ![](images/cfa-gp-enable.png)
+
+>[!IMPORTANT]
+>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+
+### Use PowerShell to enable Controlled Folder Access
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Set-MpPreference -EnableControlledFolderAccess Enabled
+    ```
+
+You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`.
+
+Use `Disabled` to turn the feature off.
+
+### Use MDM CSPs to enable Controlled Folder Access
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. 
+
+
+## Related topics
+
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) 
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md

@@ -0,0 +1,76 @@
+---
+title: Turn on Exploit Protection to help mitigate against attacks
+keywords: exploit, mitigation, attacks, vulnerability
+description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Enable Exploit Protection
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+
+Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. 
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+
+
+## Enable and audit Exploit Protection
+
+You enable and configure each Exploit Protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. 
+
+The mitigations available in Exploit Protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. 
+
+You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
+
+For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
+
+See the following topics for instructions on configuring Exploit Protection mitigations and importing, exporting, and converting configurations:
+
+1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
+2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
+
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)
+
+
+

windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md

@@ -0,0 +1,100 @@
+---
+title: Turn Network Protection on
+description: Enable Network Protection with Group Policy, PowerShell, or MDM CSPs
+keywords: ANetwork Protection, exploits, malicious website, ip, domain, domains, enable, turn on
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+# Enable Network Protection
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+
+This topic describes how to enable Network Protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
+
+
+## Enable and audit Network Protection
+
+You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP.
+
+For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+
+### Use Group Policy to enable or audit Network Protection
+
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection**.
+
+6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following:
+    - **Block** - Users will not be able to access malicious IP addresses and domains
+    - **Disable (Default)** - The Network Protection feature will not work. Users will not be blocked from accessing malicious domains
+    - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
+
+
+>[!IMPORTANT]
+>To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
+
+
+ ### Use PowerShell to enable or audit Network Protection
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```
+    Set-MpPreference -EnableNetworkProtection Enabled
+    ```
+
+You can enable the feauting in audit mode using the following cmdlet:
+
+```
+Set-MpPreference -EnableNetworkProtection AuditMode
+```
+
+Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
+
+
+
+### Use MDM CSPs to enable or audit Network Protection
+
+
+Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection.
+
+
+## Related topics
+
+- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
+- [Evaluate Network Protection](evaluate-network-protection.md)

windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md

@@ -0,0 +1,249 @@
+---
+title: Use a demo tool to see how ASR could help protect your organization's devices
+description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks
+keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+# Evaluate Attack Surface Reduction rules
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+
+
+Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). 
+
+This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
+
+>[!NOTE]
+>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. 
+>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
+
+
+## Use the demo tool to see how Attack Surface Reduction works
+
+Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
+
+The tool is part of the Windows Defender Exploit Guard evaluation package:
+- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
+
+This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
+
+When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
+
+![](images/asr-test-tool.png)
+
+Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
+
+>[!IMPORTANT]
+>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
+
+**Run a rule using the demo tool:**
+
+1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop). 
+
+2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. 
+
+
+    >[!IMPORTANT]
+    >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10.
+
+3. Select the rule from the drop-down menu.
+
+4. Select the mode, **Disabled**, **Block**, or **Audit**.
+    1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**.
+
+5. Click **RunScenario**.
+
+The scenario will run, and an output will appear describing the steps taken.
+
+You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer.
+
+>[!TIP]
+>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
+
+
+Choosing the **Mode** will change how the rule functions:
+
+Mode option | Description
+-|-
+Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all.
+Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction.
+Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine.
+
+Block mode will cause a notification to appear on the user's desktop:
+
+![](images/asr-notif.png)
+
+You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
+
+For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+The following sections describe what each rule does and what the scenarios entail for each rule.
+
+### Rule: Block executable content from email client and webmail
+
+
+This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
+
+The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
+
+Scenario name | File type | Program
+- | - | -
+Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
+Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
+Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
+Mail Client Script Archive | Script archive files | Microsoft Outlook
+WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
+WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file)  | Web mail
+WebMail Script Archive | Script archive files  | Web mail
+
+
+### Rule: Block Office applications from creating child processes
+
+>[!NOTE]
+>There is only one scenario to test for this rule.
+
+Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
+
+### Rule: Block Office applications from creating executable content
+
+This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
+
+The following scenarios can be individually chosen:
+
+- Random
+    - A scenario will be randomly chosen from this list
+- Extension Block
+    - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
+
+
+### Rule: Block Office applications from injecting into other processes
+
+
+>[!NOTE]
+>There is only one scenario to test for this rule.
+
+
+Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
+
+
+
+### Rule: Impede JavaScript and VBScript to launch executables
+
+JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
+
+- Random
+    - A scenario will be randomly chosen from this list
+- JScript
+    - JavaScript will not be allowed to launch executable files
+- VBScript
+    - VBScript will not be allowed to launch executable files
+
+
+
+### Rule: Block execution of potentially obfuscated scripts
+
+Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
+
+
+- Random
+    - A scenario will be randomly chosen from this list
+- AntiMalwareScanInterface
+    - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
+- OnAccess
+    - Potentially obfuscated scripts will be blocked when an attempt is made to access them
+
+
+## Review Attack Surface Reduction events in Windows Event Viewer
+
+You can also review the Windows event log to see the events there were created when using the tool:
+
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+2. On the left panel, under **Actions**, click **Import custom view...**
+
+3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1122 | Event when rule fires in Audit-mode 
+1121 | Event when rule fires in Block-mode 
+
+
+## Use audit mode to measure impact
+
+You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
+
+You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
+
+To enable audit mode, use the following PowerShell cmdlet:
+
+```PowerShell
+Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
+```
+
+This enables all Attack Surface Reduction rules in audit mode.
+
+>[!TIP]
+>If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
+
+
+
+## Customize Attack Surface Reduction
+
+During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
+
+See the [Customize Exploit Protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
+
+
+## Related topics
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+

windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md

@@ -0,0 +1,133 @@
+---
+title: See how Windows 10 can protect your files from being changed by malicious apps
+description: Use a custom tool to see how Controlled Folder Access works in Windows 10.
+keywords: controlled folder access, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+# Evaluate Controlled Folder Access
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). 
+
+It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
+
+This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
+
+>[!NOTE]
+>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. 
+>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
+
+
+## Use the demo tool to see how Controlled Folder Access works
+
+Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders. 
+
+The tool is part of the Windows Defender Exploit Guard evaluation package:
+- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
+
+This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
+
+You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
+
+
+
+1. Type **powershell** in the Start menu.
+
+2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
+
+3. Enter the following in the PowerShell window to enable Controlled Folder Access:
+    ```PowerShell
+    Set-MpPreference -EnableControlledFolderAccess Enabled
+    ```
+
+4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
+ 
+5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. 
+
+6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
+
+    ![](images/cfa-filecreator.png)
+
+7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
+
+    ![](images/cfa-notif.png)
+
+## Review Controlled Folder Access events in Windows Event Viewer
+
+You can also review the Windows event log to see the events there were created when using the tool:
+
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+2. On the left panel, under **Actions**, click **Import custom view...**
+
+3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1124 | Audited Controlled Folder Access event
+1123 | Blocked Controlled Folder Access event
+
+
+## Use audit mode to measure impact
+
+As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
+
+You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
+
+To enable audit mode, use the following PowerShell cmdlet:
+
+```PowerShell
+Set-MpPreference -EnableControlledFolderAccess AuditMode
+```
+
+>[!TIP]
+>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main  [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
+
+
+For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+
+
+## Customize protected folders and apps
+
+During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. 
+
+See the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
+
+## Related topics
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md

@@ -0,0 +1,133 @@
+---
+title: See how Exploit Protection works in a demo
+description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps.
+keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Evaluate Exploit Protection
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection. 
+
+This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment.
+
+>[!NOTE]
+>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. 
+>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) .
+
+
+## Enable and validate an Exploit Protection mitigation
+
+For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
+
+First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app:
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Set—ProcessMitigation –Name iexplore.exe –Enable DisallowChildProcessCreation
+    ```
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
+
+3.	Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
+
+4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
+
+Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
+
+1. Type **run** in the Start menu andp ress **Enter** to open the run dialog box.
+
+2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
+
+3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).
+
+Lastly, we can disable the mitigation so that Internet Explorer works properly again:
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
+
+3.	Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
+
+4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
+
+5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
+
+
+## Review Exploit Protection events in Windows Event Viewer
+
+You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
+
+2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+3. On the left panel, under **Actions**, click **Import custom view...**
+
+4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic.
+
+6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
+
+    Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. 
+
+
+## Use audit mode to measure impact
+
+As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations.
+
+This lets you see a record of what *would* have happened if you had enabled the mitigation.
+
+You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period.
+
+See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
+
+For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
+
+
+
+## Related topics
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Enable Exploit Protection](enable-exploit-protection.md)
+- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)

windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md

@@ -0,0 +1,115 @@
+---
+title: Conduct a demo to see how Network Protection works
+description: Quickly see how Network Protection works by performing common scenarios that it protects against
+keywords: Network Protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+# Evaluate Network Protection
+
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+
+
+
+Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). 
+
+It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+
+This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site.
+
+>[!NOTE]
+>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious.
+
+## Enable Network Protection
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Set-MpPreference -EnableNetworkProtection Enabled
+    ```
+
+You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
+
+### Visit a (fake) malicious domain
+
+1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
+
+1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
+
+You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
+
+![](images/np-notif.png)
+ 
+ 
+ ## Review Network Protection events in Windows Event Viewer
+ 
+You can also review the Windows event log to see the events there were created when performing the demo:
+
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+2. On the left panel, under **Actions**, click **Import custom view...**
+
+3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Network Protection:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1125 | Event when rule fires in Audit-mode 
+1126 | Event when rule fires in Block-mode 
+
+
+## Use audit mode to measure impact
+
+You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
+
+You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.
+
+To enable audit mode, use the following PowerShell cmdlet:
+
+```PowerShell
+Set-MpPreference -EnableNetworkProtection AuditMode
+```
+
+
+>[!TIP]
+>If you want to fully audit how Network Protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network Protection topic](network-protection-exploit-guard.md).
+
+
+
+
+ ## Related topics
+
+- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md

@@ -0,0 +1,55 @@
+---
+title: Evaluate the impact of each of the four features in Windows Defender Exploit Guard
+description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios
+keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Evaluate Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
+
+Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization.
+
+Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisutes are.
+
+
+- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
+- [Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Evaluate Network Protection](evaluate-network-protection.md)
+
+You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
+
+- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
+
+## Related topics
+
+Topic | Description 
+---|---
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) 
+- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) 
+- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)

windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md

@@ -0,0 +1,183 @@
+---
+title: Import custom views in XML to see Windows Defender Exploit Guard events
+description: Use Windows Event Viewer to import individual views for each of the features.
+keywords: event view, exploit guard, audit, review, events
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.date: 08/25/2017
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+
+---
+
+
+# Reduce attack surfaces with Windows Defender Exploit Guard 
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windos Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
+
+Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
+
+This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
+
+## Use custom views to review Windows Defender Exploit Guard features
+
+You can create custom views in the Windows Event Viewer to only see events for specific features and settings.
+
+The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
+
+### Import an existing XML custom view
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
+    -  Controlled Folder Access events custom view: *cfa-events.xml*
+    -  Exploit Protection events custom view: *ep-events.xml*
+    -  Attack Surface Reduction events custom view: *asr-events.xml*
+    -  Network Protection events custom view: *np-events.xml*
+
+1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
+
+3. On the left panel, under **Actions**, click **Import Custom View...**
+
+    ![](images/events-import.gif)
+
+4. Navigate to where you extracted XML file for the custom view you want and select it. 
+
+4. Click **Open**.
+
+5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
+
+
+### Copy the XML directly
+
+
+1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
+
+3. On the left panel, under **Actions**, click **Create Custom View...**
+
+    ![](images/events-create.gif)
+
+4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
+
+5.  Paste the XML code for the feature you want to filter events from into the XML section.
+
+4. Click **OK**. Specify a name for your filter.
+
+5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
+
+
+
+
+
+### XML for Attack Surface Reduction events
+
+```xml
+<QueryList>
+  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
+   <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
+   <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
+  </Query>
+</QueryList>
+```
+
+### XML for Controlled Folder Access events
+
+```xml
+<QueryList>
+  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
+   <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
+   <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
+  </Query>
+</QueryList>
+```
+
+### XML for Exploit Protection events
+
+```xml
+<QueryList>
+  <Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
+   <Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/Contention">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/Messages">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/Operational">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/Power">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/Render">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/Tracing">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Win32k/UIPI">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+   <Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24)  or EventID=5 or EventID=260)]]</Select>
+  </Query>
+</QueryList>
+```
+
+### XML for Network Protection events
+
+```xml
+<QueryList>
+ <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
+  <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
+  <Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
+ </Query>
+</QueryList>
+
+```
+
+
+
+## List of all Windows Defender Exploit Guard events
+
+
+All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
+
+Feature | Provider/source | Event ID | Description
+:-|:-|:-:|:-
+Exploit Protection | Security-Mitigations | 1 | ACG audit
+Exploit Protection | Security-Mitigations | 2 | ACG enforce
+Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit
+Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block
+Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit
+Exploit Protection | Security-Mitigations | 6 | Block low integrity images block
+Exploit Protection | Security-Mitigations | 7 | Block remote images audit
+Exploit Protection | Security-Mitigations | 8 | Block remote images block
+Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit
+Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block
+Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit
+Exploit Protection | Security-Mitigations | 12 | Code integrity guard block
+Exploit Protection | Security-Mitigations | 13 | EAF audit
+Exploit Protection | Security-Mitigations | 14 | EAF enforce
+Exploit Protection | Security-Mitigations | 15 | EAF+ audit
+Exploit Protection | Security-Mitigations | 16 | EAF+ enforce
+Exploit Protection | Security-Mitigations | 17 | IAF audit
+Exploit Protection | Security-Mitigations | 18 | IAF enforce
+Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit
+Exploit Protection | Security-Mitigations | 20 | ROP StackPivot enforce
+Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit
+Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce
+Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit
+Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce
+Exploit Protection | WER-Diagnostics | 5 | CFG Block
+Exploit Protection | Win32K | 260 | Untrusted Font
+Network Protection | Windows Defender | 5007 | Event when settings are changed
+Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode 
+Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode 
+Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed
+Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event
+Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event
+Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed
+Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode 
+Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode 

windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md

@@ -0,0 +1,125 @@
+---
+title: Apply mitigations that help prevent attacks that use vulnerabilities in software
+keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
+description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Protect devices from exploits with Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+
+Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. 
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+ You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
+
+ When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+  You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled.
+
+ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection.
+
+ >[!IMPORTANT]
+ >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+
+ 
+
+## Requirements
+
+The following requirements must be met before Exploit Protection will work:
+
+Windows 10 version | Windows Defender Advanced Threat Protection
+-|-
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
+
+
+ ## Review Exploit Protection events in Windows Event Viewer
+
+You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
+
+2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+3. On the left panel, under **Actions**, click **Import custom view...**
+
+    ![](images/events-import.gif)
+
+4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
+
+Provider/source | Event ID | Description
+-|:-:|-
+Security-Mitigations | 1 | ACG audit
+Security-Mitigations | 2 | ACG enforce
+Security-Mitigations | 3 | Do not allow child processes audit
+Security-Mitigations | 4 | Do not allow child processes block
+Security-Mitigations | 5 | Block low integrity images audit
+Security-Mitigations | 6 | Block low integrity images block
+Security-Mitigations | 7 | Block remote images audit
+Security-Mitigations | 8 | Block remote images block
+Security-Mitigations | 9 | Disable win32k system calls audit
+Security-Mitigations | 10 | Disable win32k system calls block
+Security-Mitigations | 11 | Code integrity guard audit
+Security-Mitigations | 12 | Code integrity guard block
+Security-Mitigations | 13 | EAF audit
+Security-Mitigations | 14 | EAF enforce
+Security-Mitigations | 15 | EAF+ audit
+Security-Mitigations | 16 | EAF+ enforce
+Security-Mitigations | 17 | IAF audit
+Security-Mitigations | 18 | IAF enforce
+Security-Mitigations | 19 | ROP StackPivot audit
+Security-Mitigations | 20 | ROP StackPivot enforce
+Security-Mitigations | 21 | ROP CallerCheck audit
+Security-Mitigations | 22 | ROP CallerCheck enforce
+Security-Mitigations | 23 | ROP SimExec audit
+Security-Mitigations | 24 | ROP SimExec enforce
+WER-Diagnostics | 5 | CFG Block
+Win32K | 260 | Untrusted Font
+
+
+ ## In this section
+
+Topic | Description 
+---|---
+[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved.
+[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior.
+[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network. 
+[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
+[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection.

windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md

@@ -0,0 +1,172 @@
+---
+title: Deploy Exploit Protection mitigations across your organization
+keywords: exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
+description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit Protection configuration.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Import, export, and deploy Exploit Protection configurations
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+- Group Policy
+- PowerShell
+
+
+
+
+Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit Protection. 
+
+You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
+
+You can also convert and import an existing EMET configuration XML file into an Exploit Protection configuration XML.
+
+This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
+
+The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit Protection and then review the settings in the Windows Defender Security Center app, as described further in this topic.
+
+
+
+## Create and export a configuration file
+
+Before you export a configuration file, you need to ensure you have the correct settings.
+
+You should first configure Exploit Protection on a single, dedicated machine. See the [Customize Exploit Protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations.
+
+When you have configured Exploit Protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
+
+### Use the Windows Defender Security Center app to export a configuration file
+
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
+
+    ![](images/wdsc-exp-prot.png)
+        
+3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
+
+
+    ![](images/wdsc-exp-prot-export.png)
+
+>[!NOTE]
+>When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+
+
+### Use PowerShell to export a configuration file
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Get-ProcessMitigation -RegistryConfigFilePath filename.xml 
+    ```
+
+Change `filename` to any name or location of your choosing.
+
+> [!IMPORTANT]
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. 
+
+
+## Import a configuration file
+
+You can import an Exploit Protection configuration file that you've previously created. You can only use PowerShell to import the configuration file.
+
+After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app.
+
+### Use PowerShell to import a configuration file
+
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    Set-ProcessMitigation -RegistryConfigFilePath filename.xml 
+    ```
+
+Change `filename` to the location and name of the Exploit Protection XML file.
+
+>[!IMPORTANT]
+>Ensure you import a configuration file that is created specifically for Exploit Protection. You cannot directly import an EMET configuration file, you must convert it first.
+
+
+## Convert an EMET configuration file to an Exploit Protection configuration file
+
+You can convert an existing EMET configuration file to the new format used by Exploit Protection. You must do this if you want to import an EMET configuration into Exploit Protection in Windows 10.
+
+You can only do this conversion in PowerShell.
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+2. Enter the following cmdlet:
+
+    ```PowerShell
+    ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
+    ```
+
+Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
+
+
+## Manage or deploy a configuration
+
+You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
+
+> [!IMPORTANT]
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. 
+
+### Use Group Policy to distribute the configuration
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit Protection**.
+
+    ![](images/exp-prot-gp.png)
+
+6. Double-click the **Use a common set of exploit protection settings** setting and set the option to **Enabled**. 
+
+7. In the **Options::** section, enter the location and filename of the Exploit Protection configuration file that you want to use, such as in the following examples:
+    - C:\MitigationSettings\Config.XML
+    -  \\Server\Share\Config.xml
+    -  https://localhost:8080/Config.xml
+
+8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). 
+
+
+## Related topics
+
+- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
+- [Enable Exploit Protection](enable-exploit-protection.md)
+- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)

windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md

@@ -0,0 +1,95 @@
+---
+title: Use Network Protection to prevent connections to suspicious domains
+description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
+keywords: Network Protection, exploits, malicious website, ip, domain, domains
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Protect your network with Windows Defender Exploit Guard
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Configuration service providers for mobile device management
+
+
+Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. 
+
+It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+
+It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
+
+Network Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+When Network Protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network Protection would impact your organization if it were enabled.
+
+
+
+## Requirements
+
+The following requirements must be met before Network Protection will work:
+
+Windows 10 version | Windows Defender Antivirus
+- | -
+Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
+
+
+## Review Network Protection events in Windows Event Viewer
+
+
+You can review the Windows event log to see events that are created when Network Protection blocks (or audits) access to a malicious IP or domain:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine.
+
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+
+2. On the left panel, under **Actions**, click **Import custom view...**
+
+    ![](images/events-import.gif)
+
+3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Click **OK**.
+
+5. This will create a custom view that filters to only show the following events related to Network Protection:
+
+ Event ID | Description
+-|-
+5007 | Event when settings are changed
+1125 | Event when Network Protection fires in Audit-mode 
+1126 | Event when Network Protection fires in Block-mode 
+
+
+
+
+ ## In this section
+
+Topic | Description 
+---|---
+[Evaluate Network Protection](evaluate-network-protection.md) | Undertake aa quick scenario that demonstrate how the feature works, and what events would typically be created.
+[Enable Network Protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network Protection feature in your network.

windows/threat-protection/windows-defender-exploit-guard/prerelease.md

@@ -0,0 +1,2 @@
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md

@@ -0,0 +1,79 @@
+---
+title: Use Windows Defender Exploit Guard to protect your corporate network
+description: Windows Defender Exploit Guard consists of features that can protect your network from malware and threat infection, including helping to prevent ransomware encryption and exploit attacks
+keywords: emet, exploit guard, Controlled Folder Access, Network Protection, Exploit Protection, Attack Surface Reduction, hips, host intrusion prevention system
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
+---
+
+
+
+# Windows Defender Exploit Guard
+
+
+**Applies to:**
+
+- Windows 10 Insider Preview
+
+[!include[Prerelease information](prerelease.md)]
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of the operating system and apps used by your employees.
+
+There are four features in Windows Defender EG:
+
+- [Exploit Protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps
+- [Attack Surface Reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-,  script- and mail-based malware 
+- [Network Protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices
+- [Controlled Folder Access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware
+
+
+You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
+- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+
+
+You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
+
+Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
+- [The Windows Defender ATP console](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
+- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+- [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+- Windows Defender Device Guard
+- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md)
+
+You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+
+Each of the features in Windows Defender EG have slightly different requirements:
+
+Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) 
+-|-|-|-
+Exploit Protection | No requirement | Required for reporting in the Windows Defender ATP console
+Attack Surface Reduction | Must be enabled | Required for reporting in the Windows Defender ATP console
+Network Protection | Must be enabled | Required for reporting in the Windows Defender ATP console
+Controlled Folder Access | Must be enabled | Required for reporting in the Windows Defender ATP console
+
+> [!NOTE]
+> Each feature's requirements are further described in the individual topics in this library.
+
+
+ ## In this library
+
+Topic | Description 
+---|---
+[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit Protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent  threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. 
+[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.   
+[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
+[Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. 
+
+

windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md

@@ -10,6 +10,8 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: iaanw
+ms.author: iawilt
+ms.date: 08/25/2017
 ---
 
 
@@ -108,6 +110,43 @@ See the following links for more information on the features in the Windows Defe
 - Family options, which include a number of parental controls along with tips and information for keeping kids safe online
     - Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
 
+## Customize notifications from the Windows Defender Security Center
+
+You can customize notifcations so they show information to users about how to get more help from your organization's help desk.
+
+![](images/security-center-custom-notif.png)
+
+This information will also appear as a pop-out window on the Windows Defender Security Center app.
+
+![](images/security-center-custom-flyout.png)
+
+Users can click on the displayed information to get more help:
+- Clicking **Call** or the phone number will open Skype to start a call to the displayed number
+- Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email
+- Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address
+
+
+### Use Group Policy to customize the notification
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Security Center > Enterprise Customization**.
+
+6. Open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
+
+7. Open the **Specify contact company name** setting and set it to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
+
+8. To ensure the custom notification appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**:
+    1. Specify contact email address of Email ID
+    2. Specify contact phone number or Skype ID
+    3. Specify contact website
+
+9. Click **OK** after configuring each setting to save your changes. 
+
 
 
 >[!NOTE]