deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 23:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into FromPrivateRepo

Browse Source
This commit is contained in:
huaping yu
2019-08-06 10:35:45 -07:00
parent 6f78999097 2b715331fa
commit a355bccbda
35 changed files with 187 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/TOC.md
View File

@ -249,7 +249,7 @@
##### [Manage updates and apply baselines]()
###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)

4
windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
View File

@ -49,7 +49,7 @@ The Microsoft Defender ATP service utilizes state of the art data protection tec
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
## Do I have the flexibility to select where to store my data?
@ -80,7 +80,7 @@ No. Customer data is isolated from other customers and is not shared. However, i
You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. Theres a flexibility of choosing in the range of 1 month to six months to meet your companys regulatory compliance needs.
**At contract termination or expiration**<br>
Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?

2
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -20,6 +20,8 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can

2
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
View File

@ -23,6 +23,8 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
>[!TIP]

1
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -44,6 +44,7 @@ The following features are included in the preview release:
- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) <BR> You can now onboard Windows Server 2008 R2 SP1.
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac) <BR> Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.

10
windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Apply Windows Defender Antivirus updates after certain events
description: Manage how Windows Defender Antivirus applies protection updates after startup or receiving cloud-delivered detection reports.
description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -32,7 +32,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
3. Click **OK**.
@ -99,9 +99,9 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**.
5. Double-click **Initiate definition update on startup** and set the option to **Enabled**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
6. Click **OK**.
@ -143,7 +143,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
> [!NOTE]

8
windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -36,10 +36,10 @@ If Windows Defender Antivirus did not download protection updates for a specifie
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section and configure the following settings:
2. Go to the **Security intelligence updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.
@ -55,7 +55,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
6. Click **OK**.

14
windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
View File

@ -37,13 +37,13 @@ You can also randomize the times when each endpoint checks and downloads protect
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section.
2. Go to the **Security intelligence updates** section.
3. To check and download updates at a certain time:
1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**.
2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked.
1. Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to **0**.
2. Set **Check for Endpoint Protection security intelligence updates daily at...** to the time when updates should be checked.
3
4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates.
4. To check and download updates on a continual interval, Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to the number of hours that should occur between updates.
5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
@ -60,9 +60,9 @@ You can also randomize the times when each endpoint checks and downloads protect
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.

4
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -93,7 +93,7 @@ The procedures in this article first describe how to set the order, and then how
4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.
1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
@ -101,7 +101,7 @@ The procedures in this article first describe how to set the order, and then how
3. Click **OK**. This will set the order of protection update sources.
4. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**.
4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates.

6
windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
View File

@ -56,7 +56,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
6. Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
**Use a VBScript to opt-in to Microsoft Update**
@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
**Use Group Policy to prevent definition updates on battery power:**
**Use Group Policy to prevent security intelligence updates on battery power:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -85,7 +85,7 @@ You can configure Windows Defender Antivirus to only download protection updates
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**.
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.

2
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
View File

@ -94,7 +94,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Protection |Do a quick scan |`mdatp --scan --quick` |
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a definition update |`mdatp --definition-update` |
|Protection |Request a security intelligence update |`mdatp --definition-update` |
## Microsoft Defender ATP portal information

10
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
View File

@ -1487,7 +1487,7 @@ Symbolic name:
Message:
</td>
<td >
<b>The antimalware definition update failed.
<b>The security intelligence update failed.
</b>
</td>
</tr>
@ -1498,12 +1498,12 @@ Description:
<td >
Windows Defender Antivirus has encountered an error trying to update signatures.
<dl>
<dt>New Signature Version: &lt;New version number&gt;</dt>
<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
<dt>New security intelligence version: &lt;New version number&gt;</dt>
<dt>Previous security intelligence version: &lt;Previous version&gt;</dt>
<dt>Update Source: &lt;Update source&gt;, for example:
<ul>
<li>Signature update folder</li>
<li>Internal definition update server</li>
<li>Security intelligence update folder</li>
<li>Internal security intelligence update server</li>
<li>Microsoft Update Server</li>
<li>File share</li>
<li>Microsoft Malware Protection Center (MMPC)</li>

20
windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
View File

@ -124,20 +124,20 @@ Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled
Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Security intelligence updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)

2
windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -85,7 +85,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
<a id="definition-version"></a>
**Review the definition update version and download the latest updates in the Windows Security app**
**Review the security intelligence update version and download the latest updates in the Windows Security app**
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).

13
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: dansimp
audience: ITPro
ms.date: 04/09/2019
ms.reviewer:
manager: dansimp
@ -149,6 +150,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<!-- msxml3.dll pick correct version based on release you are supporting -->
<!-- msxml6.dll pick correct version based on release you are supporting -->
<!-- jscript9.dll pick correct version based on release you are supporting -->
@ -885,6 +891,10 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
<FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" />
<FileRuleRef RuleID="ID_DENY_DOTNET" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" />
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/>
<FileRuleRef RuleID="ID_DENY_D_3"/>
@ -1499,6 +1509,5 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<CiSigners />
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
```
<br />

41
windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -11,8 +11,9 @@ ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.date: 11/29/2018
ms.reviewer:
audience: ITPro
ms.date: 08/05/2019
ms.reviewer: v-maave
manager: dansimp
---
@ -22,14 +23,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders.
This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
@ -43,13 +47,13 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
## Review controlled folder access events in the Microsoft Defender ATP Security Center
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
Here is an example query
```
```PowerShell
MiscEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
```
@ -60,15 +64,15 @@ You can review the Windows event log to see events that are created when control
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**.
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
1. On the left panel, under **Actions**, click **Import custom view...**.
4. Click **OK**.
1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. This will create a custom view that filters to only show the following events related to controlled folder access:
1. Click **OK**.
1. This will create a custom view that filters to only show the following events related to controlled folder access:
Event ID | Description
-|-
@ -76,10 +80,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
## In this section
## In this section
Topic | Description
Topic | Description
---|---
[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network