deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #29 from MicrosoftDocs/public

Browse Source 
public to master
This commit is contained in:
Dani Halfin
2019-04-18 11:11:23 -07:00
committed by GitHub
parent 360e093b86 453c702020
commit b58dd6eea6
27 changed files with 83 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -43,6 +43,14 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
To enforce processing of the group policy, you can run ```gpupdate /force```.
### Enable Windows Defender Credential Guard by using Intune
1. From **Home** click **Microsoft Intune**
2. Click **Device configuration**
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
> [!NOTE]
> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
### Enable Windows Defender Credential Guard by using the registry

4
windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
View File

@ -35,9 +35,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs th
## Enable Windows Hello for Business Group Policy
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
## Use certificate for on-premises authentication

2
windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
View File

@ -187,7 +187,7 @@ Joining a device is an extension to registering a device. This means, it provide
[Return to Top](hello-how-it-works-technology.md)
## Key Trust
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
### Related topics
[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)

4
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -50,7 +50,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).</br>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),<br> and</br>Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter |
@ -67,7 +67,7 @@ The table shows the minimum requirements for each deployment.
| Windows 10, version 1703 or later | Windows 10, version 1703 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema|
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) |
| AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter |

4
windows/security/identity-protection/remote-credential-guard.md
View File

@ -89,7 +89,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
@ -176,4 +176,4 @@ mstsc.exe /remoteGuard
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
- The server and client must authenticate using Kerberos.
- The server and client must authenticate using Kerberos.

2
windows/security/threat-protection/auditing/event-4716.md
View File

@ -132,7 +132,7 @@ This event is generated only on domain controllers.
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |

4
windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
View File

@ -24,7 +24,7 @@ Describes the best practices, location, values, management, and security conside
## Reference
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the users session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy.
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the users session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy.
### Possible values
@ -40,6 +40,8 @@ Set the time for elapsed user-input inactivity based on the devices usage and
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options (While creating and linking group policy on server)
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.

3
windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
View File

@ -14,7 +14,8 @@ ms.localizationpriority: medium
# Use Windows Event Forwarding to help with intrusion detection
**Applies to**
- Windows 10
- Windows 10
- Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.

3
windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
View File

@ -24,6 +24,9 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying
Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above.
>[!TIP]
>The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.

28
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
View File

@ -56,14 +56,11 @@ SIP is a built-in macOS security feature that prevents low-level tampering with
## Installation and configuration overview
There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
- [Register macOS devices](#register-macos-devices) with Windows Defender ATP
- Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
- [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
- [JAMF based deployment](#jamf-based-deployment)
- [Manual deployment](#manual-deployment)
## Deploy Microsoft Defender ATP for Mac
Use any of the supported methods to deploy Microsoft Defender ATP for Mac
- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
* [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
* [JAMF based deployment](#jamf-based-deployment)
* [Manual deployment](#manual-deployment)
## Microsoft Intune based deployment
@ -293,7 +290,6 @@ After some time, the machine's User Approved MDM status will change to Yes.
You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
### Deployment
Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
@ -329,7 +325,7 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
You can also check the onboarding status:
```
mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
@ -351,13 +347,13 @@ For example, this script removes Microsoft Defender ATP from the /Applications d
```
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Uninstalling WDAV..."
rm -rf '/Applications/Microsoft Defender.app'
rm -rf '/Applications/Microsoft Defender ATP.app'
echo "Is WDAV still installed?"
ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Done!"
```
@ -374,7 +370,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha
You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
```
/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
```
This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
@ -435,7 +431,7 @@ The installation will proceed.
The client machine is not associated with orgId. Note that the orgid is blank.
```
mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid :
```
@ -449,7 +445,7 @@ The installation will proceed.
3. Verify that the machine is now associated with orgId:
```
mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
```

2
windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
View File

@ -61,7 +61,7 @@ AppLocker uses path variables for well-known directories in Windows. Path variab
| Windows directory or drive | AppLocker path variable | Windows environment variable |
| - | - | - |
| Windows | %WINDIR% | %SystemRoot% |
| System32 | %SYSTEM32%| %SystemDirectory%|
| System32 and sysWOW64 | %SYSTEM32%| %SystemDirectory%|
| Windows installation directory | %OSDRIVE%|%SystemDrive%|
| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%|
| Removable media (for example, CD or DVD) | %REMOVABLE%| |

2
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -60,6 +60,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Lee Christensen|@tifkin_|
|Vladas Bulavas | Kaspersky Lab |
|Lasse Trolle Borup | Langkjaer Cyber Defence |
|Jimmy Bayne | @bohops |
|Philip Tsukerman | @PhilipTsukerman |
<br />

2
windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
View File

@ -49,7 +49,7 @@ If the machine was offboarded it will still appear in machines list. After 7 day
If the machine is not sending any signals for more than 7 days to any of the Windows Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive.
Do you expect a machine to be in Active status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
Do you expect a machine to be in Active status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
## Misconfigured machines
Misconfigured machines can further be classified to:

1
windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -112,7 +112,6 @@ Icon | Description
![Possible active alert icon](images\tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert
![Recommendation insights icon](images\tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights
## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)

3
windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -100,6 +100,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
>CFG will be enabled for *miles.exe*.
>[!NOTE]
>If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
### Configure system-level mitigations with the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -17,7 +17,7 @@ ms.author: v-anbic
[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
## Exclude files and folders from ASR rules

11
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
View File

@ -49,10 +49,11 @@ You can also use Group Policy, Intune, MDM, or System Center Configuration Manag
The following controlled folder access events appear in Windows Event Viewer.
Event ID | Description
5007 | Event when settings are changed
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
| Event ID | Description |
| --- | --- |
| 5007 | Event when settings are changed |
| 1124 | Audited controlled folder access event |
| 1123 | Blocked controlled folder access event |
## Customize protected folders and apps
@ -63,4 +64,4 @@ See [Protect important folders with controlled folder access](controlled-folders
## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode](audit-windows-defender-exploit-guard.md)
- [Use audit mode](audit-windows-defender-exploit-guard.md)