second pass at links

2025-05-14 06:17:22 +00:00 · 2019-07-30 18:24:07 -04:00 · 2019-07-30 18:24:07 -04:00 · c27a053527
commit c27a053527
parent 1ae0a5455e
10 changed files with 177 additions and 174 deletions
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -27,10 +27,10 @@
 ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
 #### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
+#### [Exploit protection](windows-defender-exploit-guard/exploit-protection.md)
-#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
+#### [Network protection](windows-defender-exploit-guard/network-protection.md)
-#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
+#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders.md)
-#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction.md)
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
@ -206,7 +206,7 @@
 ##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 #### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
-#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders)
 #### [Attack surface reduction controls]()
 ##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction.md
@ -64,7 +64,7 @@ You can review the Windows event log to view events that are created when attack
 3. Click **Import custom view...** on the left panel, under **Actions**.
-4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
 5. Click **OK**.
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders.md
@ -20,19 +20,19 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
 This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
- [Add additional folders to be protected](#protect-additional-folders)
+* [Add additional folders to be protected](#protect-additional-folders)
- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
+* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
->[!WARNING]
+> [!WARNING]
->Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
+> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
 >
->This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact.
+> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact.
 ## Protect additional folders
@ -42,7 +42,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
 Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
 You can use the Windows Security app or Group Policy to add and remove additional protected folders.
@ -55,14 +55,14 @@ You can use the Windows Security app or Group Policy to add and remove additiona
 3. Under the **Controlled folder access** section, click **Protected folders**
 4. Click **Add a protected folder** and follow the prompts to add apps.
- 
+
 ### Use Group Policy to protect additional folders
-1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2.  In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
@ -79,8 +79,8 @@ Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to ad
 ![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
->[!IMPORTANT]
+> [!IMPORTANT]
->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 ### Use MDM CSPs to protect additional folders
@ -88,17 +88,16 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
 ## Allow specific apps to make changes to controlled folders
-You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. 
+You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
->[!IMPORTANT]
+> [!IMPORTANT]
->By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
+> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
->You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
+> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
 When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
 An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 ### Use the Windows Defender Security app to allow specific apps
 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -113,11 +112,11 @@ An allowed application or service only has write access to a controlled folder a
 ### Use Group Policy to allow specific apps
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
@ -135,22 +134,24 @@ An allowed application or service only has write access to a controlled folder a
    ```PowerShell
    Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
    ```
   Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
 ![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
->[!IMPORTANT]
+> [!IMPORTANT]
->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
+> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 ### Use MDM CSPs to allow specific apps
-Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. 
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
 ## Customize the notification
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 ## Related topics
- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+
- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) 
+* [Protect important folders with controlled folder access](controlled-folders.md)
- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md)
+* [Enable controlled folder access](enable-controlled-folders.md)
 * [Evaluate attack surface reduction rules](evaluate-windows-defender.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@ -107,7 +107,7 @@ Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
 ## Related topics
-* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
+* [Windows Defender Exploit Guard](windows-defender.md)
 * [Network protection](network-protection.md)
 * [Evaluate network protection](evaluate-network-protection.md)
 * [Troubleshoot network protection](troubleshoot-np.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@ -20,13 +20,13 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
 It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. 
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
 You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
@ -34,7 +34,7 @@ You can also convert and import an existing EMET configuration XML file into an
 This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
 ## Create and export a configuration file
@ -51,13 +51,13 @@ When you have configured exploit protection to your desired state (including bot
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
    ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png)
-        
+
 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
 ![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png)
->[!NOTE]
+> [!NOTE]
->When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
 ### Use PowerShell to export a configuration file
@ -65,7 +65,7 @@ When you have configured exploit protection to your desired state (including bot
 2. Enter the following cmdlet:
    ```PowerShell
-    Get-ProcessMitigation -RegistryConfigFilePath filename.xml 
+    Get-ProcessMitigation -RegistryConfigFilePath filename.xml
    ```
 Change `filename` to any name or location of your choosing.
@ -74,7 +74,7 @@ Example command
 **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. 
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
 ## Import a configuration file
@ -84,12 +84,11 @@ After importing, the settings will be instantly applied and can be reviewed in t
 ### Use PowerShell to import a configuration file
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
    ```PowerShell
-    Set-ProcessMitigation -PolicyFilePath filename.xml 
+    Set-ProcessMitigation -PolicyFilePath filename.xml
    ```
 Change `filename` to the location and name of the exploit protection XML file.
@ -97,11 +96,9 @@ Change `filename` to the location and name of the exploit protection XML file.
 Example command
 **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
-
+> [!IMPORTANT]
 >[!IMPORTANT]
 >
->Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
+> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
 ## Convert an EMET configuration file to an exploit protection configuration file
@ -109,14 +106,13 @@ You can convert an existing EMET configuration file to the new format used by ex
 You can only do this conversion in PowerShell.
->[!WARNING]
+> [!WARNING]
 >
->You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
+> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
 >
->However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file. 
+> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
 >
->You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
+> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
@ -127,46 +123,45 @@ You can only do this conversion in PowerShell.
 Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
->[!IMPORTANT]
+> [!IMPORTANT]
 >
->If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
+> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
 >
 > 1. Open the PowerShell-converted XML file in a text editor.
 > 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
 ## Manage or deploy a configuration
 You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. 
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
 ### Use Group Policy to distribute the configuration
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5.  Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
    ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
-6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. 
+4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
-7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
+5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
    - C:\MitigationSettings\Config.XML
    -  \\\Server\Share\Config.xml
    -  https://localhost:8080/Config.xml
    - C:\ExploitConfigfile.xml
-8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
+    * C:\MitigationSettings\Config.XML
    * \\\Server\Share\Config.xml
    * https://localhost:8080/Config.xml
    * C:\ExploitConfigfile.xml
 6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
 ## Related topics
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
+* [Protect devices from exploits](exploit-protection.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
- [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable exploit protection](enable-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
@ -1,11 +1,11 @@
 # [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender.md)
-### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
+### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender.md)
-### [View Exploit Guard events](event-views-exploit-guard.md)
+### [View Exploit Guard events](event-views.md)
-## [Exploit protection](exploit-protection-exploit-guard.md)
+## [Exploit protection](exploit-protection.md)
-### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
 ### [Evaluate Exploit protection](evaluate-exploit-protection.md)
 ### [Enable Exploit protection](enable-exploit-protection.md)
 ### [Customize Exploit protection](customize-exploit-protection.md)
@ -13,18 +13,16 @@
 ### [Memory integrity](memory-integrity.md)
 #### [Requirements for virtualization-based protection of code integrity](requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 #### [Enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)
-## [Attack surface reduction](attack-surface-reduction-exploit-guard.md)
+## [Attack surface reduction](attack-surface-reduction.md)
 ### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
 ### [Enable Attack surface reduction](enable-attack-surface-reduction.md)
 ### [Customize Attack surface reduction](customize-attack-surface-reduction.md)
 ### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md)
-## [Network Protection](network-protection-exploit-guard.md)
+## [Network Protection](network-protection.md)
 ### [Evaluate Network Protection](evaluate-network-protection.md)
 ### [Enable Network Protection](enable-network-protection.md)
 ### [Troubleshoot Network protection](troubleshoot-np.md)
-## [Controlled folder access](controlled-folders-exploit-guard.md)
+## [Controlled folder access](controlled-folders.md)
 ### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
-### [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
+### [Enable Controlled folder access](enable-controlled-folders.md)
-### [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
+### [Customize Controlled folder access](customize-controlled-folders.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
@ -20,44 +20,44 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as:
+When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as:
- A rule blocks a file, process, or performs some other action that it should not (false positive)
+* A rule blocks a file, process, or performs some other action that it should not (false positive)
- A rule does not work as described, or does not block a file or process that it should (false negative)
+* A rule does not work as described, or does not block a file or process that it should (false negative)
 There are four steps to troubleshooting these problems:
 1. Confirm prerequisites
 2. Use audit mode to test the rule
 3. Add exclusions for the specified rule (for false positives)
-3. Submit support logs
+4. Submit support logs
 ## Confirm prerequisites
 Attack surface reduction rules will only work on devices with the following conditions:
->[!div class="checklist"]
+> [!div class="checklist"]
-> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
+> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+> * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
 ## Use audit mode to test the rule
-You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. 
+You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
 Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
-3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
+3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
 >
->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. 
+>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
 >
 >Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
@ -82,21 +82,24 @@ Use the [Windows Defender Security Intelligence web-based submission form](https
 ## Collect diagnostic data for file submissions
-When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 
+When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
 1. Open an elevated command prompt and change to the Windows Defender directory:
   ```console
   cd c:\program files\windows defender
   ```
 2. Run this command to generate the diagnostic logs:
   ```console
   mpcmdrun -getfiles
   ```
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. 
+
 3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
 ## Related topics
- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
+* [Attack surface reduction rules](attack-surface-reduction.md)
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@ -20,7 +20,7 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
@ -46,7 +46,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
                Write-Host "Removing MitigationAuditOptions for: " $Name
                Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
            }
-        
+
            # Remove the FilterFullPath value if there is nothing else
            if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
                Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
@ -58,19 +58,19 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
                Remove-Item -Path $Key.PSPath -ErrorAction Stop
            }
        }
-        Catch { 
+        Catch {
-            Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" 
+            Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
        }
    }
    # Delete all ExploitGuard ProcessMitigations
    function Remove-All-ProcessMitigations {
        if (!(Test-IsAdmin)) {
-            throw "ERROR: No Administrator-Privileges detected!"; return 
+            throw "ERROR: No Administrator-Privileges detected!"; return
        }
        Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
-            $MitigationItem = $_; 
+            $MitigationItem = $_;
            $MitigationItemName = $MitigationItem.PSChildName
            Try {
@ -85,7 +85,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
                            Write-Host "Removing FullPathEntry:              " $Name
                            Remove-ProcessMitigations $FullPathItem $Name
                        }
-                
+
                        # If there are no subkeys now, we can delete the "UseFilter" value
                        if ($MitigationItem.SubKeyCount -eq 0) {
                            Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
@ -97,8 +97,8 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
                    Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
                }
            }
-            Catch { 
+            Catch {
-                Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" 
+                Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
            }
        }
    }
@ -106,18 +106,18 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
    # Delete all ExploitGuard System-wide Mitigations
    function Remove-All-SystemMitigations {
-        if (!(Test-IsAdmin)) { 
+        if (!(Test-IsAdmin)) {
-            throw "ERROR: No Administrator-Privileges detected!"; return 
+            throw "ERROR: No Administrator-Privileges detected!"; return
        }
-    
+
        $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
-        Try { 
+        Try {
-            if ($Kernel.GetValue("MitigationOptions")) 
+            if ($Kernel.GetValue("MitigationOptions"))
                { Write-Host "Removing System MitigationOptions"
                    Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
                }
-            if ($Kernel.GetValue("MitigationAuditOptions")) 
+            if ($Kernel.GetValue("MitigationAuditOptions"))
                { Write-Host "Removing System MitigationAuditOptions"
                    Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
                }
@ -132,30 +132,30 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
 2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
-	```xml
+    ```xml
     <?xml version="1.0" encoding="UTF-8"?>
-	 <root>
+     <root>
-	    <SystemConfig/>
+        <SystemConfig/>
-	    <AppConfig Executable="ExtExport.exe">
+        <AppConfig Executable="ExtExport.exe">
-		   <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
-		</AppConfig>
+        </AppConfig>
-	    <AppConfig Executable="ie4uinit.exe">
+        <AppConfig Executable="ie4uinit.exe">
-		   <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
-	    </AppConfig>
+        </AppConfig>
-	    <AppConfig Executable="ieinstal.exe">
+        <AppConfig Executable="ieinstal.exe">
-		   <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
        <AppConfig Executable="ielowutil.exe">
-	       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
-	    <AppConfig Executable="ieUnatt.exe">
+       <AppConfig Executable="ieUnatt.exe">
-	       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
        </AppConfig>
-	    <AppConfig Executable="iexplore.exe">
+       <AppConfig Executable="iexplore.exe">
-	       <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
+          <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
-		</AppConfig>
+        </AppConfig>
-	    <AppConfig Executable="mscorsvw.exe">
+       <AppConfig Executable="mscorsvw.exe">
-		   <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
        </AppConfig>
        <AppConfig Executable="msfeedssync.exe">
           <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/>
@ -180,9 +180,9 @@ You can manually remove unwanted mitigations in Windows Security, or you can use
        </AppConfig>
        <AppConfig Executable="PrintIsolationHost.exe"/>
        <AppConfig Executable="runtimebroker.exe">
-	       <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
+           <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/>
-		</AppConfig>
+        </AppConfig>
-		    <AppConfig Executable="splwow64.exe"/>
+            <AppConfig Executable="splwow64.exe"/>
        <AppConfig Executable="spoolsv.exe"/>
        <AppConfig Executable="svchost.exe"/>
        <AppConfig Executable="SystemSettings.exe">
@ -195,9 +195,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu
 ## Related topics
- [Protect devices from exploits](exploit-protection-exploit-guard.md)
+* [Protect devices from exploits](exploit-protection.md)
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
- [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable exploit protection](enable-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
@ -20,48 +20,50 @@ manager: dansimp
 **Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- IT administrators
+* IT administrators
-When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as:
+When you use [Network protection](network-protection.md) you may encounter issues, such as:
- Network protection blocks a website that is safe (false positive)
+* Network protection blocks a website that is safe (false positive)
- Network protection fails to block a suspicious or known malicious website (false negative)
+* Network protection fails to block a suspicious or known malicious website (false negative)
 There are four steps to troubleshooting these problems:
 1. Confirm prerequisites
 2. Use audit mode to test the rule
 3. Add exclusions for the specified rule (for false positives)
-3. Submit support logs
+4. Submit support logs
 ## Confirm prerequisites
 Network protection will only work on devices with the following conditions:
 >[!div class="checklist"]
-> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
+> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
-> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
+> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
-> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
+> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
-> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
+> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
+> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
 ## Use audit mode
-## Use audit mode 
+You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
 You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. 
 1. Set network protection to **Audit mode**.
-   ```powershell
+
   ```PowerShell
   Set-MpPreference -EnableNetworkProtection AuditMode
   ```
-2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
+
-3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
+1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
 1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
   >
   >If network protection is not blocking a connection that you are expecting it should block, enable the feature.
-```powershell
+```PowerShell
 Set-MpPreference -EnableNetworkProtection Enabled
 ```
@ -75,21 +77,25 @@ To whitelist the website that is being blocked (false positive), add its URL to
 ## Collect diagnostic data for file submissions
-When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 
+When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
 1. Open an elevated command prompt and change to the Windows Defender directory:
-   ```
+
   ```PowerShell
   cd c:\program files\windows defender
   ```
-2. Run this command to generate the diagnostic logs:
+
-   ```
+1. Run this command to generate the diagnostic logs:
   ```PowerShell
   mpcmdrun -getfiles
   ```
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. 
+
 1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
 ## Related topics
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
+* [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Network protection](network-protection-exploit-guard.md)
+* [Network protection](network-protection.md)
- [Evaluate network protection](evaluate-network-protection.md)
+* [Evaluate network protection](evaluate-network-protection.md)
- [Enable network protection](enable-network-protection.md)
+* [Enable network protection](enable-network-protection.md)
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@ -26,7 +26,7 @@ manager: dansimp
 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
-In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library.
+In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) topic in the Windows Defender Exploit Guard library.
 You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.