Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md

@@ -12,7 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 04/01/2019
 ---
 
 # Audit: Audit the use of Backup and Restore privilege
@@ -80,7 +80,7 @@ When the backup and restore function is used, it creates a copy of the file syst
 ### Countermeasure
 
 Enable the **Audit: Audit the use of Backup and Restore privilege** setting. Alternatively, implement automatic log backup by configuring the **AutoBackupLogFiles** registry key. If you enable this option when the [Audit privilege use](../auditing/basic-audit-privilege-use.md) setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner.
-For more information about configuring this key, see Microsoft Knowledge Base article [100879](https://go.microsoft.com/fwlink/p/?LinkId=100879).
+For more information about configuring this key, see [Eventlog Key](https://docs.microsoft.com/windows/desktop/EventLog/eventlog-key).
 
 ### Potential impact
 

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/26/2018
+ms.date: 04/02/2019
 ---
 
 # Reduce attack surfaces with attack surface reduction rules 
@@ -259,15 +259,6 @@ SCCM name: Not applicable
 
 GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
-## Review attack surface reduction events in Windows Event Viewer
-
-You can review the Windows event log to see events that are created when attack surface rules block (or audit) an app:
-
-Event ID | Description
-5007     | Event when settings are changed
-1121     | Event when an attack surface reduction rule fires in audit mode
-1122     | Event when an attack surface reduction rule fires in block mode
-
 
 ## Related topics
 

windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 09/18/2018
+ms.date: 04/02/2019
 ---
 
 
@@ -37,32 +37,13 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs)
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
 
 
+|Audit options | How to enable audit mode | How to view events |
+|- | - | - |
+|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) |
+|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) |
+|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) |
+|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) |
 
-Audit options | How to enable audit mode | How to view events
-- | - | -
-Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
-Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
-Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
-Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
-
-
-You can also use the a custom PowerShell script that enables the features in audit mode automatically:
-
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *Enable-ExploitGuardAuditMode.ps1* to an easily accessible location on the machine.
-
-1. Type **powershell** in the Start menu.
-
-2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt.
-
-3. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode:
-    ```PowerShell
-    Set-ExecutionPolicy Bypass -Force
-    <location>\Enable-ExploitGuardAuditMode.ps1
-   ```
-
-      Replace \<location> with the folder path where you placed the file. 
-      
-      A message should appear to indicate that audit mode was enabled.
 
 ## Related topics
 

windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md

@@ -10,7 +10,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 03/15/2019
+ms.date: 04/01/2019
 ---
 
 # Enable virtualization-based protection of code integrity 
@@ -28,7 +28,7 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
 >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*.
 
 >[!TIP]
-> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM).". Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
+> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
 
 ## HVCI Features
 
@@ -291,6 +291,6 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 ### Requirements for running HVCI in Hyper-V virtual machines 
  -   The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
  -   The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
- -   HVCI and [virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
+ -   HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
  -   Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
  -   The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.

windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 11/16/2018
+ms.date: 04/02/2019
 ---
 
 # Evaluate attack surface reduction rules
@@ -45,6 +45,17 @@ This enables all attack surface reduction rules in audit mode.
 >If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
 You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
 
+## Review attack surface reduction events in Windows Event Viewer
+
+To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
+
+
+| Event ID | Description |
+|----------|-------------|
+|5007      | Event when settings are changed |
+| 1121     | Event when an attack surface reduction rule fires in audit mode |
+| 1122     | Event when an attack surface reduction rule fires in block mode |
+
 ## Customize attack surface reduction rules
 
 During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.

windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/26/2019
+ms.date: 04/02/2019
 ---
 
 # Evaluate exploit protection
@@ -109,6 +109,7 @@ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code in
 - [Enable exploit protection](enable-exploit-protection.md)
 - [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
 - [Enable network protection](enable-network-protection.md)
 - [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
 - [Enable attack surface reduction](enable-attack-surface-reduction.md)

windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/01/2019
+ms.date: 04/02/2019
 ---
 
 # Evaluate network protection
@@ -20,7 +20,7 @@ ms.date: 04/01/2019
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 
 This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain.
 
@@ -55,11 +55,11 @@ The network connection will be allowed and a test message will be displayed.
  
 To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
 
-Event ID | Provide/Source | Description
--|-
-5007 | Windows Defender (Operational) | Event when settings are changed
-1125 | Windows Defender (Operational) | Event when a network connection is audited
-1126 | Windows Defender (Operational) | Event when a network connection is blocked 
+| Event ID | Provide/Source | Description |
+|-|-|-|
+|5007 | Windows Defender (Operational) | Event when settings are changed |
+|1125 | Windows Defender (Operational) | Event when a network connection is audited |
+|1126 | Windows Defender (Operational) | Event when a network connection is blocked |
 
 
 ## Related topics

windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 03/26/2018
+ms.date: 04/02/2019
 ---
 
 # Protect devices from exploits
@@ -154,5 +154,6 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check
 - [Enable exploit protection](enable-exploit-protection.md)
 - [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)