deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into atp-public-preview

Browse Source
This commit is contained in:
Joey Caparas 2017-08-30 10:10:55 -07:00
commit a8807ae813
118 changed files with 3194 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.openpublishing.redirection.json
View File

@ -227,7 +227,7 @@
},
{
"source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md",
"redirect_url": "/windows/configuration/set-up-a-device-for-anyone-to-use",
"redirect_url": "/windows/configuration/kiosk-shared-pc",
"redirect_document_id": true
},
{

13
devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
View File

@ -114,6 +114,7 @@ Use this procedure if you use Exchange on-prem.
Next, you enable the device account with [Skype for Business Online](#skype-for-business-online), [Skype for Business on-prem](#skype-for-business-on-prem), or [Skype for Business hybrid](#skype-for-business-hybrid).
<span id="sfb-online"/>
### Skype for Business Online
To enable Skype for Business online, your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required). The following table explains which plans or additional services you need.
@ -309,18 +310,10 @@ Use this procedure if you use Exchange online.
Next, you enable the device account with [Skype for Business Online](#sfb-online), [Skype for Business on-prem](#sfb-onprem), or [Skype for Business hybrid](#sfb-hybrid).
<span id="sfb-online"/>
### Skype for Business Online
In order to enable Skype for Business, your environment will need to meet the following prerequisites:
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
- Your tenant users must have Exchange mailboxes (at least one Exchange mailbox in the tenant is required).
- Your Surface Hub account does require a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](#sfb-online).
1. Start by creating a remote PowerShell session to the Skype for Business online environment from a PC.

BIN
devices/surface-hub/images/mfa-options.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 62 KiB

After

Width:  |  Height:  |  Size: 70 KiB

7
devices/surface-hub/online-deployment-surface-hub-device-accounts.md
View File

@ -83,11 +83,8 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow
Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true
```
7. Surface Hub requires a license for Skype for Business functionality.
- Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license.
- You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability.
- If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3).
7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online).
Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant.
Once you list out the SKUs, you can add a license using the `Set-MsolUserLicense` cmdlet. In this case, `$strLicense` is the SKU code that you see (for example, *contoso:STANDARDPACK*).

8
devices/surface-hub/surface-hub-authenticator-app.md
View File

@ -24,7 +24,7 @@ To let people in your organization sign in to Surface Hub with their phones and
- Make sure you have at minimum an Office 365 E3 subscription.
- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Select **Allow users to create app passwords to sign in to non-browser apps**, and make sure **Notification through mobile app** is selected.
- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Make sure **Notification through mobile app** is selected.
![multi-factor authentication options](images/mfa-options.png)
@ -42,6 +42,8 @@ Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs tha
- The most recent version of the Microsoft Authenticator app from the appropriate app store
>[!NOTE]
>On iOS, the app version must be 5.4.0 or higher.
>
>The Microsoft Authenticator app on phones running a Windows operating system can't be used to sign in to Surface Hub.
- Passcode or screen lock on your device is enabled
@ -53,11 +55,15 @@ Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs tha
>[!NOTE]
>If Company Portal is installed on your Android device, uninstall it before you set up Microsoft Authenticator. After you set up the app, you can reinstall Company Portal.
>
>If you have already set up Microsoft Authenticator on your phone and registered your device, go to the [sign-in instructions](#signin).
1. Add your work or school account to Microsoft Authenticator for Multi-Factor Authentication. You will need a QR code provided by your IT department. For help, see [Get started with the Microsoft Authenticator app](https://docs.microsoft.com/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to).
2. Go to **Settings** and register your device.
1. Return to the accounts page and choose **Enable phone sign-in** from the account dropdown menu.
<span id="signin" />
## How to sign in to Surface Hub during a meeting
1. After youve set up a meeting, go to the Surface Hub and select **Sign in to see your meetings and files**.

1
education/get-started/TOC.md
View File

@ -1,7 +1,6 @@
# [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
## [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
## [Use School Data Sync to import student data](use-school-data-sync.md)
## [Enable Microsoft Teams for your school](enable-microsoft-teams.md)
## [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
## [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
## [Set up Windows 10 education devices](set-up-windows-10-education-devices.md)

6
education/get-started/configure-microsoft-store-for-education.md
View File

@ -15,6 +15,10 @@ ms.date: 07/10/2017
# Configure Microsoft Store for Education
> [!div class="step-by-step"]
[<< Use School Data Sync to import student data](use-school-data-sync.md)
[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)
You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
You can watch the video to see how this is done, or follow the step-by-step guide. </br>
@ -58,7 +62,7 @@ Your Microsoft Store for Education account is now linked to Intune for Education
-->
> [!div class="step-by-step"]
[<< Enable Microsoft Teams for your school](enable-microsoft-teams.md)
[<< Use School Data Sync to import student data](use-school-data-sync.md)
[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md)

41
education/get-started/finish-setup-and-other-tasks.md
View File

@ -14,6 +14,10 @@ ms.date: 07/10/2017
---
# Finish Windows 10 device setup and other tasks
> [!div class="step-by-step"]
[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
Once you've set up your Windows 10 education device, it's worth checking to verify the following:
> [!div class="checklist"]
@ -70,6 +74,7 @@ You can follow the rest of the walkthrough to finish setup and complete other ta
> * Update group settings in Intune for Education
> * Configure Azure settings
> * Complete Office 365 for Education setup
> * Enable Microsoft teams for your school
> * Add more users
> * Connect other devices, like BYOD devices, to your cloud infrastructure
@ -136,6 +141,38 @@ Follow the steps in this section to ensure that settings for the each user follo
## Complete Office 365 for Education setup
Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the <a href="https://support.office.com/en-US/Article/set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa#ID0EAAAABAAA=Education" target="_blank">Office 365 admin documentation</a>.
## Enable Microsoft Teams for your school
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
**To enable Microsoft Teams for your school**
1. Sign in to <a href="https://portal.office.com" target="_blank">Office 365</a> with your work or school account.
2. Click **Admin** to go to the Office 365 admin center.
3. Go to **Settings > Services & add-ins**.
4. On the **Services & add-ins** page, select **Microsoft Teams**.
**Figure 1** - Select Microsoft Teams from the list of services & add-ins
![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**.
**Figure 2** - Select the license that you want to configure
![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
**Figure 3** - Turn on Microsoft Teams for your organization
![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
7. Click **Save**.
You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins* getting started guide in the <a href="https://aka.ms/MeetTeamsEdu" target="_blank">Meet Microsoft Teams</a> page.
## Add more users
After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
@ -173,6 +210,10 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
It may take several minutes before the new device shows up so check again later.
> [!div class="step-by-step"]
[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
## Related topic
[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)

36
education/get-started/get-started-with-microsoft-education.md
View File

@ -10,7 +10,7 @@ ms.localizationpriority: high
ms.pagetype: edu
author: CelesteDG
ms.author: celested
ms.date: 07/10/2017
ms.date: 08/29/2017
---
# Get started: Deploy and manage a full cloud IT solution with Microsoft Education
@ -43,21 +43,20 @@ With Microsoft Education, schools can:
Go to the <a href="https://www.microsoft.com/en-us/education" target="_blank">Microsoft Education site</a> to learn more. See <a href="https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" target="_blank">How to buy</a> to learn about pricing and purchasing options for schools, students, and teachers as well as academic pricing and offers for qualified K-12 and higher education institutions.
## What we're doing
In this walkthrough, we'll show you the basics on how to:
> [!div class="checklist"]
> * Acquire an Office 365 for Education tenant, if you don't already have one
> * Import school, student, teacher, and class data using School Data Sync (SDS)
> * Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate
> * Manage apps and settings deployment with Intune for Education
> * Acquire additional apps in Microsoft Store for Education
> * Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices
> * Log in and use the devices
The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on your [setup scenario](#setup-options), you may not need to implement all these steps.
This diagram shows a high-level view of what we cover in this walkthrough. The numbers correspond to the sections in the walkthrough and roughly correspond to the flow of the overall process; but, note that not all sections in this walkthrough are shown in the diagram.
Click the link to watch the video or follow the step-by-step guidance for each.
1. [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
2. [Use School Data Sync to import student data](use-school-data-sync.md)
3. [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
4. [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
5. [Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
6. [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md)
**Figure 1** - Microsoft Education IT administrator workflow
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png)
![Deploy and manage a full cloud IT solution using Microsoft Education](images/MSES_Get_Started_IT_082917.png)
## Prerequisites
Complete these tasks before you start the walkthrough:
@ -130,19 +129,6 @@ Already have an Office 365 for Education verified tenant? Just sign in with your
3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant.
4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [Enable Microsoft Teams for your school](enable-microsoft-teams.md) and then follow the rest of the instructions in this walkthrough.
## End-to-end process
The end-to-end process for deploying and managing a full cloud IT solution with Microsoft Education is outlined here. Depending on scenario, you may not need to implement all these steps.
Click the link to watch the video or follow the step-by-step guidance for each.
1. [Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
2. [Use School Data Sync to import student data](use-school-data-sync.md)
3. [Enable Microsoft Teams for your school](enable-microsoft-teams.md)
4. [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
5. [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
6. [Set up Windows 10 education devices](set-up-windows-10-education-devices.md)
7. [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md)
## Get more info
### Microsoft Education documentation and resources hub

BIN
education/get-started/images/MSES_Get_Started_IT_082917.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 662 KiB

4
education/get-started/set-up-office365-edu-tenant.md
View File

@ -15,6 +15,10 @@ ms.date: 07/10/2017
# Set up an Office 365 Education tenant
> [!div class="step-by-step"]
[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)
[Use School Data Sync to import student data >>](use-school-data-sync.md)
Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud.
Don't have an Office 365 for Education verified tenant or just starting out? Follow these steps to set up an Office 365 for Education tenant. [Learn more about Office 365 for Education plans and pricing](https://products.office.com/en-us/academic/compare-office-365-education-plans). </br>

4
education/get-started/set-up-windows-10-education-devices.md
View File

@ -15,6 +15,10 @@ ms.date: 07/10/2017
# Set up Windows 10 education devices
> [!div class="step-by-step"]
[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md)
[Finish setup and other tasks >>](finish-setup-and-other-tasks.md)
We recommend using the latest build of Windows 10, version 1703 on your education devices.
To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options and follow the link to watch the video or follow the step-by-step guide:

4
education/get-started/use-intune-for-education.md
View File

@ -15,6 +15,10 @@ ms.date: 07/10/2017
# Use Intune for Education to manage groups, apps, and settings
> [!div class="step-by-step"]
[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md)
[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md)
Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the <a href="https://docs.microsoft.com/intune-education" target="_blank">Intune for Education documentation</a>.
## Example - Set up Intune for Education, buy apps from the Store, and install the apps

6
education/get-started/use-school-data-sync.md
View File

@ -15,6 +15,10 @@ ms.date: 07/10/2017
# Use School Data Sync to import student data
> [!div class="step-by-step"]
[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks.
Follow all the steps in this section to use SDS and sample CSV files in a trial environment. To use SDS in a production environment, see step 2 in [Try out Microsoft Education in a production environment](https://docs.microsoft.com/en-us/education/get-started/get-started-with-microsoft-education#setup-options) instead.
@ -177,7 +181,7 @@ That's it for importing sample school data using SDS.
> [!div class="step-by-step"]
[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md)
[Enable Microsoft Teams for your school >>](enable-microsoft-teams.md)
[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md)
## Related topic
[Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md)

41
education/windows/test-windows10s-for-edu.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.localizationpriority: high
author: CelesteDG
ms.author: celested
ms.date: 08/07/2017
ms.date: 08/29/2017
---
# Test Windows 10 S on existing Windows 10 education devices
@ -77,32 +77,21 @@ Make sure all drivers are installed and working properly on your device running
Check with your device manufacturer before trying Windows 10 S on your device to see if the drivers are available and supported by the device manufacturer.
<!--
| | | |
| - | - | - |
| [Acer](https://www.acer.com/ac/en/US/content/windows10s-compatible-list) | [American Future Tech](https://www.ibuypower.com/Support/Support) | [Asus](https://www.asus.com/event/2017/win10S/) |
| [Atec](http://www.atec.kr/contents/ms_info.html) | [Axdia](https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html) | [Casper](http://www.casper.com.tr/window10sdestegi) |
| [Cyberpower](https://www.cyberpowerpc.com/support/) | [Daewoo](http://www.lucoms.com/v2/cs/cs_windows10.asp) | [Fujitsu](http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update) |
| [Global K](http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html) | [HP](https://support.hp.com/us-en/document/c05588871) | [LANIT Trading](http://irbis-digital.ru/support/podderzhka-windows-10-s/) |
| [Lenovo](https://support.lenovo.com/us/en/solutions/ht504589) | [LG](http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html) | [MCJ](https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361) |
| [Micro P/Exertis](http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx) | [Microsoft](https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s) | [MSI](https://www.msi.com/Landing/Win10S) |
| [Panasonic](https://panasonic.net/cns/pc/Windows10S/) | [Positivo SA](http://www.positivoinformatica.com.br/atualizacao-windows-10) | [Positivo da Bahia](http://www.br.vaio.com/atualizacao-windows-10/) |
| [Samsung](http://www.samsung.com/us/support/windows10s/) | [Toshiba](http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en) | [Trekstor](http://www.trekstor.de/windows-10-s-en.html) |
| [Trigem](http://www.trigem.co.kr/windows/win10S.html) | [Vaio](http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/) | [Wortmann](https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx) |
-->
| | | |
| - | - | - |
| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="https://www.ibuypower.com/Support/Support" target="_blank">American Future Tech</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> |
| <a href="http://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> | <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="http://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> |
| <a href="https://www.cyberpowerpc.com/support/" target="_blank">Cyberpower</a> | <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> |
| <a href="http://support.ts.fujitsu.com/IndexProdSupport.asp?OpenTab=win10_update" target="_blank">Fujitsu</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> |
| <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> | <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> |
| <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> | <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> |
| <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> | <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> |
| <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> |
| <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="http://www.51cube.com/ch/win10s-help.php" target="_blank">Alldocube</a> | <a href="https://www.ibuypower.com/site/computer/windows-10-s" target="_blank">American Future Tech</a> |
| <a href="http://www.prestigio.com/support/compatibility-with-windows-10-s/" target="_blank">ASBISC</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> | <a href="http://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> |
| <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="http://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> | <a href="https://www.cyberpowerpc.com/page/Windows-10-S/" target="_blank">Cyberpower</a> |
| <a href="http://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="http://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> | <a href="http://www.dell.com/support/article/us/en/19/sln307174/dell-computers-tested-for-windows-10-s?lang=en" target="_blank">Dell</a> |
| <a href="http://www.epson.jp/support/misc/windows10s.htm" target="_blank">Epson</a> | <a href="http://exo.com.ar/actualizaciones-de-windows-10" target="_blank">EXO</a> | <a href="http://www.fujitsu.com/au/products/computing/pc/microsoft/s-compatible/" target="_blank">Fujitsu</a> |
| <a href="http://apac.getac.com/support/windows10s.html" target="_blank">Getac</a> | <a href="http://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> |
| <a href="http://consumer.huawei.com/cn/support/notice/detail/index.htm?id=1541" target="_blank">Huawei</a> | <a href="http://www.inet-tek.com/en/product-qadetail-86.html" target="_blank">iNET</a> | <a href="http://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> |
| <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="http://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> | <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> |
| <a href="http://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://www.microsoft.com/surface/en-us/support/windows-and-office/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> | <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> |
| <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="http://www.bangho.com.ar/windows10s" target="_blank">PC Arts</a> | <a href="http://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="http://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="http://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="http://www.dospara.co.jp/support/share.php?contents=about_windows10s" target="_blank">Thirdwave</a> |
| <a href="http://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> | <a href="http://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> | <a href="http://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | | <a href="http://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> | <a href="http://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> | <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> |
| <a href="http://www.yifangdigital.com/Customerservice/win10s.aspx" target="_blank">Yifang</a> | | |
> [!NOTE]
@ -228,7 +217,7 @@ Common support questions for the Windows 10 S test program:
* **What if I want to move from Windows 10 S to Windows 10 Pro?**
If you want to discontinue using Windows 10 S, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, ther emay be a cost to acquire a Windows 10 Pro license in the Store.
If you want to discontinue using Windows 10 S, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you are testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store.
For help with activation issues, click on the appropriate link below for support options.
* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you are seeking commercial support to contact our commercial support team.

10
windows/client-management/mdm/bitlocker-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/14/2017
ms.date: 08/28/2017
---
# BitLocker CSP
@ -211,6 +211,9 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
> [!Note]
> In Windows 10, version 1709, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
@ -298,6 +301,11 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
> [!Note]
> In Windows 10, version 1709, you can use a minimum PIN length of 4 digits.
>
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2.
<p style="margin-left: 20px">If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.</p>

12
windows/client-management/mdm/devdetail-csp.md
View File

@ -150,32 +150,32 @@ The following diagram shows the DevDetail configuration service provider managem
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
<a href="" id="volteservicesetting"></a>**VoLTEServiceSetting**
<a href="" id="volteservicesetting"></a>**Ext/VoLTEServiceSetting**
<p style="margin-left: 20px">Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv4address"></a>**WlanIPv4Address**
<a href="" id="wlanipv4address"></a>**Ext/WlanIPv4Address**
<p style="margin-left: 20px">Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv6address"></a>**WlanIPv6Address**
<a href="" id="wlanipv6address"></a>**Ext/WlanIPv6Address**
<p style="margin-left: 20px">Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlandnssuffix"></a>**WlanDnsSuffix**
<a href="" id="wlandnssuffix"></a>**Ext/WlanDnsSuffix**
<p style="margin-left: 20px">Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlansubnetmask"></a>**WlanSubnetMask**
<a href="" id="wlansubnetmask"></a>**Ext/WlanSubnetMask**
<p style="margin-left: 20px">Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**
<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!Note]

18
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/21/2017
ms.date: 08/25/2017
---
# What's new in MDM enrollment and management
@ -981,9 +981,19 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Bitlocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top"><p>Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[ADMX-backed policies in Policy CSP](policy-configuration-service-provider.md#admx-backed-policies)</td>
<td style="vertical-align:top"><p>Added new policies.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Browser/LockdownFavorites</li>
<li>Browser/ProvisionFavorites</li>
<li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
<li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
<li>DeviceGuard/RequirePlatformSecurityFeatures</li>
@ -1033,6 +1043,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Education/PreventAddingNewPrinters</li>
<li>Education/PrinterNames</li>
<li>Security/ClearTPMIfNotReady</li>
<li>Update/DisableDualScan</li>
<li>Update/ScheduledInstallEveryWeek</li>
<li>Update/ScheduledInstallFirstWeek</li>
<li>Update/ScheduledInstallFourthWeek</li>
@ -1382,7 +1393,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top">Added information to the ADMX-backed policies.
<td style="vertical-align:top">Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
@ -1407,6 +1418,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Browser/ProvisionFavorites</li>
<li>Browser/LockdownFavorites</li>
<li>ExploitGuard/ExploitProtectionSettings</li>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
@ -1434,6 +1447,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>Privacy/EnableActivityFeed</li>
<li>Privacy/PublishUserActivities</li>
<li>Update/DisableDualScan</li>
</ul>
<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
<p>Changed the names of the following policies:</p>

17
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/21/2017
ms.date: 08/25/2017
---
# Policy CSP
@ -456,6 +456,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-homepages" id="browser-homepages">Browser/HomePages</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-lockdownfavorites" id="browser-lockdownfavorites">Browser/LockdownFavorites</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge" id="browser-preventaccesstoaboutflagsinmicrosoftedge">Browser/PreventAccessToAboutFlagsInMicrosoftEdge</a>
</dd>
@ -474,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc" id="browser-preventusinglocalhostipaddressforwebrtc">Browser/PreventUsingLocalHostIPAddressForWebRTC</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-provisionfavorites" id="browser-provisionfavorites">Browser/ProvisionFavorites</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer" id="browser-sendintranettraffictointernetexplorer">Browser/SendIntranetTraffictoInternetExplorer</a>
</dd>
@ -2748,6 +2754,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-detectionfrequency" id="update-detectionfrequency">Update/DetectionFrequency</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-disabledualscan" id="update-disabledualscan">Update/DisableDualScan</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestartdeadline" id="update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
</dd>
@ -3359,7 +3368,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -3368,7 +3376,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage)
- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
@ -3414,7 +3421,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Experience/AllowCortana](#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -3423,7 +3429,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
@ -3514,6 +3519,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -3522,6 +3528,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
- [System/AllowFontProviders](#system-allowfontproviders)

124
windows/client-management/mdm/policy-csp-browser.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/09/2017
ms.date: 08/25/2017
---
# Policy CSP - Browser
@ -679,6 +679,39 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="browser-alwaysenablebookslibrary"></a>**Browser/AlwaysEnableBooksLibrary**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">
<p style="margin-left: 20px">This is only a placeholder.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
@ -965,6 +998,51 @@ Employees cannot remove these search engines, but they can set any one as the de
> [!NOTE]
> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="browser-lockdownfavorites"></a>**Browser/LockdownFavorites**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
<p style="margin-left: 20px">If you enable this setting, employees won't be able to add, import, or change anything in the Favorites list. Also as part of this, Save a Favorite, Import settings, and the context menu items (such as, Create a new folder) are all turned off.
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
<ul>
<li> 0 - Disabled. Do not lockdown Favorites.</li>
<li> 1 - Enabled. Lockdown Favorites.</li>
</ul>
<p style="margin-left: 20px">If you disable or don't configure this setting (default), employees can add, import and make changes to the Favorites list.
<p style="margin-left: 20px">Data type is integer.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
@ -1191,6 +1269,50 @@ Employees cannot remove these search engines, but they can set any one as the de
- 0 (default) The localhost IP address is shown.
- 1 The localhost IP address is hidden.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="browser-provisionfavorites"></a>**Browser/ProvisionFavorites**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
 
<p style="margin-left: 20px">URL can be specified as:
- HTTP location: "SiteList"="http://localhost:8080/URLs.html"
- Local network: "SiteList"="\\network\shares\URLs.html"
- Local file: "SiteList"="file:///c:\\Users\\<user>\\Documents\\URLs.html"
> [!Important]
> Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.
<p style="margin-left: 20px">If you disable or don't configure this setting, employees will see the favorites they set in the Hub and Favorites Bar.
<p style="margin-left: 20px">Data type is string.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->

29
windows/client-management/mdm/policy-csp-exploitguard.md
View File

File diff suppressed because one or more lines are too long

118
windows/client-management/mdm/policy-csp-update.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/09/2017
ms.date: 08/25/2017
---
# Policy CSP - Update
@ -46,8 +46,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
@ -88,8 +86,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
@ -127,8 +123,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
@ -169,9 +163,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
@ -221,9 +212,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
@ -261,9 +249,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
@ -305,9 +290,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
@ -387,9 +369,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
@ -426,9 +405,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
@ -466,9 +442,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
@ -506,8 +479,7 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
@ -546,9 +518,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
@ -584,8 +553,6 @@ ms.date: 08/09/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
@ -683,8 +650,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
@ -729,6 +694,46 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="update-disabledualscan"></a>**Update/DisableDualScan**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709, but was added to 1607 and 1703 service releases. Do not allow update deferral policies to cause scans against Windows Update. If this policy is not enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like.
<p style="margin-left: 20px">For more information about dual scan, see [Demystifying "Dual Scan"](https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/) and [Improving Dual Scan on 1607](https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/).
- 0 - allow scan against Windows Update
- 1 - do not allow update deferral policies to cause scans against Windows Update
<p style="margin-left: 20px">This is the same as the Group Policy in Windows Components > Window Update "Do not allow update deferral policies to cause scans against Windows Update."
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
@ -758,9 +763,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
@ -797,9 +799,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
@ -836,9 +835,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
@ -876,7 +872,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
@ -1051,8 +1046,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
@ -1096,8 +1089,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
@ -1170,8 +1161,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
@ -1243,8 +1232,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
@ -1284,11 +1271,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<br>
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
@ -1331,9 +1313,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
@ -1409,10 +1388,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Enables the IT admin to schedule the day of the update installation.
<p style="margin-left: 20px">The data type is a integer.
@ -1677,10 +1652,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations.
<p style="margin-left: 20px">The following list shows the supported values:
@ -1753,9 +1724,6 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
@ -1815,8 +1783,6 @@ Example
<!--EndSKU-->
<!--StartDescription-->
> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
<p style="margin-left: 20px">Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
<p style="margin-left: 20px">This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.

4
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -457,7 +457,7 @@ To turn off Live Tiles:
- Create a REG\_DWORD registry setting called **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
You must also unpin all tiles that are pinned to Start.
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
### <a href="" id="bkmk-mailsync"></a>10. Mail synchronization
@ -1261,7 +1261,7 @@ To turn off **Let apps read or send messages (text or MMS)**:
-or-
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
To turn off **Choose apps that can read or send messages**:

6
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -239,8 +239,8 @@ This section contains several procedures to support Zero Touch installation with
1. Type the following commands at a Windows PowerShell prompt on SRV1:
```
New-Item -ItemType Directory -Path "C:Sources\OSD\Boot"
New-Item -ItemType Directory -Path "C:Sources\OSD\OS"
New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
New-Item -ItemType Directory -Path "C:\Sources\OSD\OS"
New-Item -ItemType Directory -Path "C:\Sources\OSD\Settings"
New-Item -ItemType Directory -Path "C:\Sources\OSD\Branding"
New-Item -ItemType Directory -Path "C:\Sources\OSD\MDT"
@ -560,7 +560,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
```
New-Item -ItemType Directory -Path "C:Sources\OSD\OS\Windows 10 Enterprise x64"
New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
cmd /c copy /z "C:\MDTBuildLab\Captures\REFW10X64-001.wim" "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
```

3
windows/device-security/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
View File

@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 08/29/2017
---
# System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
@ -32,7 +33,7 @@ For the EFS service, this policy setting supports the 3DES and Advanced Encrypti
**Remote Desktop Services (RDS)**
For encrypting Remote Desktop Services network communication, this policy setting supports only the Triple DES encryption algorithm.
If you're using Remote Desktop Services, this policy setting should only be enabled if the 3DES encryption algorithm is supported.
**BitLocker**

30
windows/threat-protection/TOC.md
View File

@ -154,6 +154,36 @@
#### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
#### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
## [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
#### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
#### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
### [Exploit Protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
#### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
#### [Evaluate Exploit Protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
#### [Enable Exploit Protection](windows-defender-exploit-guard\enable-exploit-protection.md)
#### [Customize Exploit Protection](windows-defender-exploit-guard\customize-exploit-protection.md)
##### [Import, export, and deploy Exploit Protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
### [Attack Surface Reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack Surface Reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack Surface Reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
#### [Customize Attack Surface Reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
### [Controlled Folder Access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
#### [Evaluate Controlled Folder Access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
#### [Enable Controlled Folder Access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
#### [Customize Controlled Folder Access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)

1
windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Reference topics for management and configuration tools

3
windows/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
View File

@ -10,6 +10,9 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Configure scanning options in Windows Defender AV

2
windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Configure the cloud block timeout period

2
windows/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Configure end-user interaction with Windows Defender Antivirus

2
windows/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Prevent or allow users to locally modify Windows Defender AV policy settings

2
windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Configure and validate network connections for Windows Defender Antivirus

2
windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Configure the notifications that appear on endpoints

2
windows/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Configure behavioral, heuristic, and real-time protection

2
windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Configure Windows Defender Antivirus features

2
windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Customize, initiate, and review the results of Windows Defender AV scans and remediation

2
windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Deploy, manage, and report on Windows Defender Antivirus

2
windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Deploy and enable Windows Defender Antivirus

2
windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment

2
windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Detect and block Potentially Unwanted Applications

2
windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Enable cloud-delivered protection in Windows Defender AV

2
windows/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Evaluate Windows Defender Antivirus protection

2
windows/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Manage event-based forced updates

1
windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Manage updates and scans for endpoints that are out of date

2
windows/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Manage the schedule for when protection updates should be downloaded and applied

1
windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -11,6 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Manage the sources for Windows Defender Antivirus protection updates

2
windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Manage Windows Defender Antivirus updates and apply baselines

2
windows/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Manage updates for mobile devices and virtual machines (VMs)

2
windows/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Prevent users from seeing or interacting with the Windows Defender AV user interface

2
windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Report on Windows Defender Antivirus protection

2
windows/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Review Windows Defender AV scan results

2
windows/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Specify the cloud-delivered protection level

2
windows/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Use Group Policy settings to configure and manage Windows Defender AV

2
windows/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV

2
windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Use PowerShell cmdlets to configure and manage Windows Defender AV

2
windows/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV

2
windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus

2
windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Windows Defender Antivirus in Windows 10 and Windows Server 2016

2
windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-antivirus/windows-defender-offline.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Run and review the results of a Windows Defender Offline scan

2
windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -10,6 +10,8 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---

2
windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -40,7 +40,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|

4
windows/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: iawilt
author: iaanw
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01/2017
---

4
windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: iawilt
author: iaanw
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01/2017
---

178
windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md Normal file
View File

@ -0,0 +1,178 @@
---
title: Use Attack Surface Reduction rules to prevent malware infection
description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Reduce attack surfaces with Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Attack Surface Reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Attack Surface Reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
- Scripts that are obfuscated or otherwise suspicious
- Behaviors that apps undertake that are not usually inititated during normal day-to-day work
See the [Attack Surface Reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule.
When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack Surface Reduction would impact your organization if it were enabled.
## Attack Surface Reduction rules
The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table:
Rule name | GUIDs
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
### Rule: Block executable content from email client and webmail
This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com):
- Executable files (such as .exe, .dll, or .scr)
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
### Rule: Block Office applications from creating child processes
Office apps, such as Word or Excel, will not be allowed to create child processes.
This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique.
Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
### Rule: Block Office applications from injecting into other processes
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes.
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Rule: Impede JavaScript and VBScript to launch executables
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
This rule prevents scripts that appear to be obfuscated from running.
It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
## Requirements
The following requirements must be met before Attack Surface Reduction will work:
Windows 10 version | Windows Defender Antivirus
- | -
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
## Review Attack Surface Reduction events in Windows Event Viewer
You can review the Windows event log to see events that are created when an Attack Surface Reduction rule is triggered (or audited):
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
### Event fields
- **ID**: matches with the Rule-ID that triggered the block/audit.
- **Detection time**: Time of detection
- **Process Name**: The process that performed the "operation" that was blocked/audited
- **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus
## In this section
Topic | Description
---|---
[Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
[Enable Attack Surface Reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack Surface Reduction in your network.
[Customize Attack Surface Reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack Surface Reduction and customize the notification that appears on a user's machine when a rule blocks an app or file.

82
windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Test how Windows Defender EG features will work in your organization
description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled
keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Use audit mode to evaluate Windows Defender Exploit Guard features
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
Audit options | How to enable audit mode | How to view events
- | - | -
Audit applies to all events | [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled Folder Access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
Audit applies to individual rules | [Enable Attack Surface Reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack Surface Reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
Audit applies to all events | [Enable Network Protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network Protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
Audit applies to individual mitigations | [Enable Exploit Protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit Protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
You can also use the a custom PowerShell script that enables the features in audit mode automatically:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine.
1. Type **powershell** in the Start menu.
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled Folder Access and Attack Surface Reduction in audie mode:
```PowerShell
Set-ExecutionPolicy Bypass -Force
<location>\Enable-ExploitGuardAuditMode.ps1
```
Replace \<location> with the folder path where you placed the file.
A message should appear to indicate that audit mode was enabled.
## Related topics
Topic | Description
---|---
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)

99
windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md Normal file
View File

@ -0,0 +1,99 @@
---
title: Prevent ransomware and other threats from encrypting and changing important files
description: Files in default folders, such as Documents and Desktop, can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Protect important folders with Controlled Folder Access
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Controlled Folder Access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specifc-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled Folder Access would impact your organization if it were enabled.
## Requirements
The following requirements must be met before Controlled Folder Access will work:
Windows 10 version | Windows Defender Antivirus
-|-
Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
## Review Controlled Folder Access events in Windows Event Viewer
You can review the Windows event log to see events that are created when Controlled Folder Access blocks (or audits) an app:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited Controlled Folder Access event
1123 | Blocked Controlled Folder Access event
## In this section
Topic | Description
---|---
[Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled Folder Access works, and what events would typically be created.
[Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled Folder Access in your network
[Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.

94
windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md Normal file
View File

@ -0,0 +1,94 @@
---
title: Configure how ASR works so you can finetune the protection in your network
description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Customize Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack Surface Reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by Attack Surface Reduction rules.
You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode).
### Use Group Policy to exclude files and folders
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
6. Double-click the **Exclude files and paths from Attack Surface Reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
### Use PowerShell to exclude files and folderss
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
```
Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list.
>[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Use MDM CSPs to exclude files and folders
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Enable Attack Surface Reduction](enable-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

194
windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md Normal file
View File

@ -0,0 +1,194 @@
---
title: Add additional folders and apps to be protected by Windows 10
description: Add additional folders that should be protected by Controlled Folder Access, or whitelist apps that are incorrectly blocking changes to important files.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Customize Controlled Folder Access
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
This topic describes how to customize the following settings of the Controlled Folder Access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
- [Add additional folders to be protected](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
## Protect additional folders
Controlled Folder Access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
You can add additional folders to be protected, but you cannot remove the default folders in the default list.
Adding other folders to Controlled Folder Access can be useful, for example, if you dont store files in the default Windows libraries or youve changed the location of the libraries away from the defaults.
You can also enter network shares and mapped drives, but environment variables and wildcards are not supported.
You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders.
### Use the Windows Defender Security Center app to protect additional folders
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
![](images/cfa-prot-folders.png)
### Use Group Policy to protect additional folders
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder.
> [!IMPORTANT]
> Environment variables and wildcards are not supported.
### Use PowerShell to protect additional folders
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
```
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
![](images/cfa-allow-folder-ps.png)
>[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Use MDM CSPs to protect additional folders
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Allow specifc apps to make changes to controlled folders
You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if youre finding a particular app that you know and trust is being blocked by the Controlled Folder Access feature.
>[!IMPORTANT]
>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.
>You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled Folder Access.
### Use the Windows Defender Security app to whitelist specific apps
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Under the **Controlled folder access** section, click **Allow an app through Controlled folder access**
4. Click **Add an allowed app** and follow the prompts to add apps.
![](images/cfa-allow-app.png)
### Use Group Policy to whitelist specific apps
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app as Value? Or Value Name? what are the requirements? Have to be exe? Do you have to enter fully qualified path, or will it apply to any .exe with that name?
### Use PowerShell to whitelist specific apps
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -ControlledFolderAccessAllowedApplications "<the app that should be whitelisted, including the path>"
```
For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows:
```PowerShell
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
```
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
![](images/cfa-allow-app-ps.png)
>[!IMPORTANT]
>Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Use MDM CSPs to whitelist specific apps
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled Folder Access](enable-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

260
windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md Normal file
View File

@ -0,0 +1,260 @@
---
title: Enable or disable specific mitigations used by Exploit Protection
keywords: exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Customize Exploit Protection
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
This topic lists each of the mitigations available in Exploit Protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
## Exploit Protection mitigations
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
- | - | - | -
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On** | No
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes
Block remote images | Prevents loading of images from remote devices. | App-level only | Yes
Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | Yes
Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Windows Store signed images. | App-level only | Yes
Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | No
Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | Yes
Do not allow child processes | Prevents an app from creating child processes. | App-level only | Yes
Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes
Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | Yes
Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes
Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | Yes
Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | No
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes
### Configure system-level mitigations with the Windows Defender Security Center app
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
![](images/wdsc-exp-prot.png)
3. Under the **System settings** section, find the mitigation you want to configure and select either:
- **On by default**
- **Off by default**
-**Use default**
>[!NOTE]
>You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
Changing some settings may required a restart, which will be indicated in red text underneath the setting.
![](images/wdsc-exp-prot-sys-settings.png)
4. Repeat this for all the system-level mitigations you want to configure.
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
### Configure app-specific mitigations with the Windows Defender Security Center app
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
![](images/wdsc-exp-prot.png)
3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
![](images/wdsc-exp-prot-app-settings.png)
4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
![](images/wdsc-exp-prot-app-settings-options.png)
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
## PowerShell reference
You can use the Windows Defender Security Center app to configure exploit protection, or you can use PowerShell cmdlets.
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
>[!IMPORTANT]
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
```PowerShell
Get-ProcessMitigation -Name processName.exe
```
Use `Set` to configure each mitigation in the following format:
```PowerShell
Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
```
Where:
- \<Scope>:
- `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- `-System` to indicate the mitigation should be applied at the system level
- \<Action>:
- `-Enable` to enable the mitigation
- `-Disable` to disable the mitigation
- \<Mitigation>:
- The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma.
For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
```PowerShell
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
```
>[!IMPORTANT]
>Seperate each mitigation option with commas.
If you wanted to apply DEP at the system level, you'd use the following command:
```PowerShell
Set-Processmitigation -System -Enable DEP
```
To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.
If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example:
```PowerShell
Set-Processmitigation -Name test.exe -Remove -Disable DEP
```
You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below.
For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command:
```PowerShell
Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by using the same command but replacing `-Enable` with `-Disable`.
### PowerShell reference table
This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
<a id="cmdlets-table"></a>
Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
- | - | - | -
Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available
Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available
Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocate | Audit not available
Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
Block remote images | App-level only | BlockRemoteImages | Audit not available
Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
Disable extension points | App-level only | ExtensionPoint | Audit not available
Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter <a href="#r1" id="t1">\[1\]</a> | Audit not available
Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
```
## Customize the notification
See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)

46
windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md Normal file
View File

@ -0,0 +1,46 @@
---
title: Compare the features in Exploit Protection with EMET
keywords: emet, enhanced mitigation experience toolkit, configuration, exploit
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview, build 16232 and later
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
We're still working on this content and will have it published soon!
Check out the following topics for more information about Exploit Protection:
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)

118
windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md Normal file
View File

@ -0,0 +1,118 @@
---
title: Enable ASR rules individually to protect your organization
description: Enable ASR rules to protect your devices from attacks the use macros, scripts, and common injection techniques
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Enable Attack Surface Reduction
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
## Enable and audit Attack Surface Reduction rules
You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
Attack Surface Reduction rules are identified by their unique rule ID.
You can manually add the rules by using the GUIDs in the following table:
Rule description | GUIDs
-|-
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
### Use Group Policy to enable Attack Surface Reduction rules
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction**.
6. Double-click the **Configure Attack Surface Reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
- Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
- Block mode = 1
- Disabled = 0
- Audit mode = 2
![](images/asr-rules-gp.png)
### Use PowerShell to enable Attack Surface Reduction rules
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>
```
You can enable the feature in audit mode using the following cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
### Use MDM CSPs to enable Attack Surface Reduction rules
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Customize Attack Surface Reduction](customize-attack-surface-reduction.md)
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)

108
windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md Normal file
View File

@ -0,0 +1,108 @@
---
title: Turn on the protected folders feature in Windows 10
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
description: Learn how to protect your important files by enabling Controlled Folder Access
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Enable Controlled Folder Access
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
This topic describes how to enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs).
## Enable and audit Controlled Folder Access
You can enable Controlled Folder Access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
### Use the Windows Defender Security app to enable Controlled Folder Access
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](../windows-defender-antivirus/images/defender/wdav-protection-settings-wdsc.png)
3. Set the switch for the feature to **On**
![](images/cfa-on.png)
### Use Group Policy to enable Controlled Folder Access
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access**.
6. Double-click the **Configure controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- **Disable (Default)** - The Controlled Folder Access feature will not work. All apps can make changes to files in protected folders.
- **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
![](images/cfa-gp-enable.png)
>[!IMPORTANT]
>To fully enable the Controlled Folder Access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
### Use PowerShell to enable Controlled Folder Access
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`.
Use `Disabled` to turn the feature off.
### Use MDM CSPs to enable Controlled Folder Access
Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled Folder Access](customize-controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)

76
windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Turn on Exploit Protection to help mitigate against attacks
keywords: exploit, mitigation, attacks, vulnerability
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Enable Exploit Protection
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
## Enable and audit Exploit Protection
You enable and configure each Exploit Protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps.
The mitigations available in Exploit Protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network.
You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
You can also convert an existing EMET configuration file (in XML format) and import it into Exploit Protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
See the following topics for instructions on configuring Exploit Protection mitigations and importing, exporting, and converting configurations:
1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)

100
windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Turn Network Protection on
description: Enable Network Protection with Group Policy, PowerShell, or MDM CSPs
keywords: ANetwork Protection, exploits, malicious website, ip, domain, domains, enable, turn on
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Enable Network Protection
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable Network Protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
## Enable and audit Network Protection
You can enable Network Protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP.
For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
### Use Group Policy to enable or audit Network Protection
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network Protection**.
6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following:
- **Block** - Users will not be able to access malicious IP addresses and domains
- **Disable (Default)** - The Network Protection feature will not work. Users will not be blocked from accessing malicious domains
- **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
>[!IMPORTANT]
>To fully enable the Network Protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
### Use PowerShell to enable or audit Network Protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```
Set-MpPreference -EnableNetworkProtection Enabled
```
You can enable the feauting in audit mode using the following cmdlet:
```
Set-MpPreference -EnableNetworkProtection AuditMode
```
Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
### Use MDM CSPs to enable or audit Network Protection
Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network Protection.
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Evaluate Network Protection](evaluate-network-protection.md)

249
windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md Normal file
View File

@ -0,0 +1,249 @@
---
title: Use a demo tool to see how ASR could help protect your organization's devices
description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks
keywords: Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Evaluate Attack Surface Reduction rules
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Attack Surface Reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
This topic helps you evaluate Attack Surface Reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[!NOTE]
>This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
## Use the demo tool to see how Attack Surface Reduction works
Use the **ExploitGuard ASR test tool** app to see how Attack Surface Reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule.
When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
![](images/asr-test-tool.png)
Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
>[!IMPORTANT]
>The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
**Run a rule using the demo tool:**
1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop).
2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
>[!IMPORTANT]
>Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10.
3. Select the rule from the drop-down menu.
4. Select the mode, **Disabled**, **Block**, or **Audit**.
1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**.
5. Click **RunScenario**.
The scenario will run, and an output will appear describing the steps taken.
You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer.
>[!TIP]
>You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules.
Choosing the **Mode** will change how the rule functions:
Mode option | Description
-|-
Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack Surface Reduction at all.
Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack Surface Reduction.
Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack Surface Reduction will work but without impacting how you use the machine.
Block mode will cause a notification to appear on the user's desktop:
![](images/asr-notif.png)
You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
The following sections describe what each rule does and what the scenarios entail for each rule.
### Rule: Block executable content from email client and webmail
This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
Scenario name | File type | Program
- | - | -
Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail
Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook
Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook
Mail Client Script Archive | Script archive files | Microsoft Outlook
WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail
WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail
WebMail Script Archive | Script archive files | Web mail
### Rule: Block Office applications from creating child processes
>[!NOTE]
>There is only one scenario to test for this rule.
Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
### Rule: Block Office applications from creating executable content
This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique.
The following scenarios can be individually chosen:
- Random
- A scenario will be randomly chosen from this list
- Extension Block
- Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
### Rule: Block Office applications from injecting into other processes
>[!NOTE]
>There is only one scenario to test for this rule.
Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
### Rule: Impede JavaScript and VBScript to launch executables
JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
- Random
- A scenario will be randomly chosen from this list
- JScript
- JavaScript will not be allowed to launch executable files
- VBScript
- VBScript will not be allowed to launch executable files
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
- Random
- A scenario will be randomly chosen from this list
- AntiMalwareScanInterface
- This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script
- OnAccess
- Potentially obfuscated scripts will be blocked when an attempt is made to access them
## Review Attack Surface Reduction events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Attack Surface Reduction:
Event ID | Description
-|-
5007 | Event when settings are changed
1122 | Event when rule fires in Audit-mode
1121 | Event when rule fires in Block-mode
## Use audit mode to measure impact
You can also enable the Attack Surface Reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
This enables all Attack Surface Reduction rules in audit mode.
>[!TIP]
>If you want to fully audit how Attack Surface Reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack Surface Reduction topic](attack-surface-reduction-exploit-guard.md).
## Customize Attack Surface Reduction
During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
See the [Customize Exploit Protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

133
windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md Normal file
View File

@ -0,0 +1,133 @@
---
title: See how Windows 10 can protect your files from being changed by malicious apps
description: Use a custom tool to see how Controlled Folder Access works in Windows 10.
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Evaluate Controlled Folder Access
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Controlled Folder Access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md).
It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
This topic helps you evaluate Controlled Folder Access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organisation.
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
## Use the demo tool to see how Controlled Folder Access works
Use the **ExploitGuard CFA File Creator** tool to see how Controlled Folder Access can prevent a suspicious app from creating files in protected folders.
The tool is part of the Windows Defender Exploit Guard evaluation package:
- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
This tool can be run locally on an individual machine to see the typical behavior of Controlled Folder Access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable Controlled Folder Access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
1. Type **powershell** in the Start menu.
2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
3. Enter the following in the PowerShell window to enable Controlled Folder Access:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess Enabled
```
4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop).
5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**.
6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
![](images/cfa-filecreator.png)
7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
![](images/cfa-notif.png)
## Review Controlled Folder Access events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when using the tool:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Controlled Folder Access:
Event ID | Description
-|-
5007 | Event when settings are changed
1124 | Audited Controlled Folder Access event
1123 | Blocked Controlled Folder Access event
## Use audit mode to measure impact
As with other Windows Defender EG features, you can enable the Controlled Folder Access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -EnableControlledFolderAccess AuditMode
```
>[!TIP]
>If you want to fully audit how Controlled Folder Access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled Folder Access topic](controlled-folders-exploit-guard.md).
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
See the main [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

133
windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md Normal file
View File

@ -0,0 +1,133 @@
---
title: See how Exploit Protection works in a demo
description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps.
keywords: exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Evaluate Exploit Protection
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Exploit Protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit Protection.
This topcs helps you evaluate Exploit Protection. See the [Exploit Protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit Protection does and how to configure it for real-world deployment.
>[!NOTE]
>This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
>For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit Protection topic](exploit-protection-exploit-guard.md) .
## Enable and validate an Exploit Protection mitigation
For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app.
First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app:
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set—ProcessMitigation Name iexplore.exe Enable DisallowChildProcessCreation
```
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
1. Type **run** in the Start menu andp ress **Enter** to open the run dialog box.
2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer.
3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process).
Lastly, we can disable the mitigation so that Internet Explorer works properly again:
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply**
5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
## Review Exploit Protection events in Windows Event Viewer
You can now review the events that Exploit Protection sent to the Windows Event log to confirm what happened:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Exploit Protection, which are all listed in the [Exploit Protection](exploit-protection-exploit-guard.md) topic.
6. The specific event to look for in this demo is event ID 4, which should have the following or similar information:
Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'.
## Use audit mode to measure impact
As with other Windows Defender EG features, you can enable Exploit Protection in audit mode. You can enable audit mode for individual mitigations.
This lets you see a record of what *would* have happened if you had enabled the mitigation.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period.
See the [**PowerShell reference** section in the Customize Exploit Protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Enable Exploit Protection](enable-exploit-protection.md)
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md)

115
windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md Normal file
View File

@ -0,0 +1,115 @@
---
title: Conduct a demo to see how Network Protection works
description: Quickly see how Network Protection works by performing common scenarios that it protects against
keywords: Network Protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Evaluate Network Protection
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Group Policy
- PowerShell
Network Protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network Protection by enabling the feature and guiding you to a testing site.
>[!NOTE]
>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious.
## Enable Network Protection
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled
```
You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`.
### Visit a (fake) malicious domain
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
![](images/np-notif.png)
## Review Network Protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo:
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to Network Protection:
Event ID | Description
-|-
5007 | Event when settings are changed
1125 | Event when rule fires in Audit-mode
1126 | Event when rule fires in Block-mode
## Use audit mode to measure impact
You can also enable the Network Protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection AuditMode
```
>[!TIP]
>If you want to fully audit how Network Protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network Protection topic](network-protection-exploit-guard.md).
## Related topics
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

55
windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Evaluate the impact of each of the four features in Windows Defender Exploit Guard
description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios
keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Evaluate Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization.
Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisutes are.
- [Evaluate Attack Surface Reduction](evaluate-attack-surface-reduction.md)
- [Evaluate Controlled Folder Access](evaluate-controlled-folder-access.md)
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
- [Evaluate Network Protection](evaluate-network-protection.md)
You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
## Related topics
Topic | Description
---|---
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Protect important folders with Controlled Folder Access](controlled-folders-exploit-guard.md)

183
windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md Normal file
View File

@ -0,0 +1,183 @@
---
title: Import custom views in XML to see Windows Defender Exploit Guard events
description: Use Windows Event Viewer to import individual views for each of the features.
keywords: event view, exploit guard, audit, review, events
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.date: 08/25/2017
localizationpriority: medium
author: iaanw
ms.author: iawilt
---
# Reduce attack surfaces with Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windos Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
## Use custom views to review Windows Defender Exploit Guard features
You can create custom views in the Windows Event Viewer to only see events for specific features and settings.
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
### Import an existing XML custom view
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
- Controlled Folder Access events custom view: *cfa-events.xml*
- Exploit Protection events custom view: *ep-events.xml*
- Attack Surface Reduction events custom view: *asr-events.xml*
- Network Protection events custom view: *np-events.xml*
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
3. On the left panel, under **Actions**, click **Import Custom View...**
![](images/events-import.gif)
4. Navigate to where you extracted XML file for the custom view you want and select it.
4. Click **Open**.
5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
### Copy the XML directly
1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
3. On the left panel, under **Actions**, click **Create Custom View...**
![](images/events-create.gif)
4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.
5. Paste the XML code for the feature you want to filter events from into the XML section.
4. Click **OK**. Specify a name for your filter.
5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
### XML for Attack Surface Reduction events
```xml
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>
```
### XML for Controlled Folder Access events
```xml
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select>
</Query>
</QueryList>
```
### XML for Exploit Protection events
```xml
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
<Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Contention">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Messages">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Operational">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Power">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Render">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Tracing">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/UIPI">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID &gt;= 1 and EventID &lt;= 24) or EventID=5 or EventID=260)]]</Select>
</Query>
</QueryList>
```
### XML for Network Protection events
```xml
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>
```
## List of all Windows Defender Exploit Guard events
All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table.
Feature | Provider/source | Event ID | Description
:-|:-|:-:|:-
Exploit Protection | Security-Mitigations | 1 | ACG audit
Exploit Protection | Security-Mitigations | 2 | ACG enforce
Exploit Protection | Security-Mitigations | 3 | Do not allow child processes audit
Exploit Protection | Security-Mitigations | 4 | Do not allow child processes block
Exploit Protection | Security-Mitigations | 5 | Block low integrity images audit
Exploit Protection | Security-Mitigations | 6 | Block low integrity images block
Exploit Protection | Security-Mitigations | 7 | Block remote images audit
Exploit Protection | Security-Mitigations | 8 | Block remote images block
Exploit Protection | Security-Mitigations | 9 | Disable win32k system calls audit
Exploit Protection | Security-Mitigations | 10 | Disable win32k system calls block
Exploit Protection | Security-Mitigations | 11 | Code integrity guard audit
Exploit Protection | Security-Mitigations | 12 | Code integrity guard block
Exploit Protection | Security-Mitigations | 13 | EAF audit
Exploit Protection | Security-Mitigations | 14 | EAF enforce
Exploit Protection | Security-Mitigations | 15 | EAF+ audit
Exploit Protection | Security-Mitigations | 16 | EAF+ enforce
Exploit Protection | Security-Mitigations | 17 | IAF audit
Exploit Protection | Security-Mitigations | 18 | IAF enforce
Exploit Protection | Security-Mitigations | 19 | ROP StackPivot audit
Exploit Protection | Security-Mitigations | 20 | ROP StackPivot enforce
Exploit Protection | Security-Mitigations | 21 | ROP CallerCheck audit
Exploit Protection | Security-Mitigations | 22 | ROP CallerCheck enforce
Exploit Protection | Security-Mitigations | 23 | ROP SimExec audit
Exploit Protection | Security-Mitigations | 24 | ROP SimExec enforce
Exploit Protection | WER-Diagnostics | 5 | CFG Block
Exploit Protection | Win32K | 260 | Untrusted Font
Network Protection | Windows Defender | 5007 | Event when settings are changed
Network Protection | Windows Defender | 1125 | Event when Network Protection fires in Audit-mode
Network Protection | Windows Defender | 1126 | Event when Network Protection fires in Block-mode
Controlled Folder Access | Windows Defender | 5007 | Event when settings are changed
Controlled Folder Access | Windows Defender | 1124 | Audited Controlled Folder Access event
Controlled Folder Access | Windows Defender | 1123 | Blocked Controlled Folder Access event
Attack Surface Reduction | Windows Defender | 5007 | Event when settings are changed
Attack Surface Reduction | Windows Defender | 1122 | Event when rule fires in Audit-mode
Attack Surface Reduction | Windows Defender | 1121 | Event when rule fires in Block-mode

125
windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md Normal file
View File

@ -0,0 +1,125 @@
---
title: Apply mitigations that help prevent attacks that use vulnerabilities in software
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Exploit Protection in Windows 10 provides advanced configuration over the settings offered in EMET.
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
---
# Protect devices from exploits with Windows Defender Exploit Guard
**Applies to:**
- Windows 10 Insider Preview
[!include[Prerelease information](prerelease.md)]
**Audience**
- Enterprise security administrators
**Manageability available with**
- Windows Defender Security Center app
- Group Policy
- PowerShell
Exploit Protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Exploit Protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit Protection would impact your organization if it were enabled.
Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit Protection, and you can convert and import existing EMET configuration profiles into Exploit Protection.
>[!IMPORTANT]
>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit Protection in Windows 10. You can [convert an existing EMET configuration file into Exploit Protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
## Requirements
The following requirements must be met before Exploit Protection will work:
Windows 10 version | Windows Defender Advanced Threat Protection
-|-
Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
## Review Exploit Protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when Exploit Protection blocks (or audits) an app:
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**
![](images/events-import.gif)
4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. Click **OK**.
6. This will create a custom view that filters to only show the following events related to Exploit Protection:
Provider/source | Event ID | Description
-|:-:|-
Security-Mitigations | 1 | ACG audit
Security-Mitigations | 2 | ACG enforce
Security-Mitigations | 3 | Do not allow child processes audit
Security-Mitigations | 4 | Do not allow child processes block
Security-Mitigations | 5 | Block low integrity images audit
Security-Mitigations | 6 | Block low integrity images block
Security-Mitigations | 7 | Block remote images audit
Security-Mitigations | 8 | Block remote images block
Security-Mitigations | 9 | Disable win32k system calls audit
Security-Mitigations | 10 | Disable win32k system calls block
Security-Mitigations | 11 | Code integrity guard audit
Security-Mitigations | 12 | Code integrity guard block
Security-Mitigations | 13 | EAF audit
Security-Mitigations | 14 | EAF enforce
Security-Mitigations | 15 | EAF+ audit
Security-Mitigations | 16 | EAF+ enforce
Security-Mitigations | 17 | IAF audit
Security-Mitigations | 18 | IAF enforce
Security-Mitigations | 19 | ROP StackPivot audit
Security-Mitigations | 20 | ROP StackPivot enforce
Security-Mitigations | 21 | ROP CallerCheck audit
Security-Mitigations | 22 | ROP CallerCheck enforce
Security-Mitigations | 23 | ROP SimExec audit
Security-Mitigations | 24 | ROP SimExec enforce
WER-Diagnostics | 5 | CFG Block
Win32K | 260 | Untrusted Font
## In this section
Topic | Description
---|---
[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit Protection. This topic identifies those features and explains how the features have changed or evolved.
[Evaluate Exploit Protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit Protection mitigations can protect your network from malicious and suspicious behavior.
[Enable Exploit Protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit Protection in your network.
[Customize and configure Exploit Protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps.
[Import, export, and deploy Exploit Protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit Protection.

BIN
windows/threat-protection/windows-defender-exploit-guard/images/asr-notif.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 78 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.8 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-on.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

Some files were not shown because too many files have changed in this diff Show More