diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 11b7ed4a4f..16a10bcb81 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -6,11 +6,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",
 "redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
 "redirect_document_id": true
@@ -631,8 +626,8 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md",
+"redirect_url": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",
 "redirect_document_id": true
 },
 {
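Review bot: The added `redirect_url` for attack-surface-reduction-rules-in-windows-10-enterprise-e3 in the hunk at -631 is the only target on this page without a leading slash, so it is presumably treated as a path relative to the requesting URL rather than to the site root and will not land on the intended microsoft-defender-atp page; change it to `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",`. The same hunk also deletes the redirect for `windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md` instead of re-pointing it, and the hunk at -12167 does the same for the keep-secure variant of that page; unless those sources are re-added outside this diff, existing links to them stop resolving rather than reaching the microsoft-defender-atp target added at -3132. Keeping those two entries with their original `source_path` and the new microsoft-defender-atp `redirect_url` preserves the old URLs.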
@@ -726,96 +721,196 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard", "redirect_document_id": true }, { +"source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/controlled-folders", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", "redirect_url": 
"/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders-exploit-guard", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection", +"redirect_document_id": true 
+}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md", +"redirect_url": 
"/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-windows-defender", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/event-views", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard", "redirect_document_id": true }, { +"source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics", "redirect_document_id": true @@ -826,11 +921,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/network-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease", "redirect_document_id": true 
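Review bot: The added entry for `collect-cab-files-exploit-guard-submission.md` in the hunk at -726 points at `/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np`, which the next added entry in the same hunk redirects again to the microsoft-defender-atp page, so it creates a two-hop chain; point it at the final destination directly, `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np",`. The same pattern applies to every unchanged `windows/threat-protection/windows-defender-exploit-guard/*.md` entry in this hunk and in the hunks at -826 and -841: their targets under `windows-defender-exploit-guard/` are now themselves `source_path` values of the new microsoft-defender-atp redirects. Whether the redirection service collapses chains is not visible here; if it does not, re-pointing those context entries at the microsoft-defender-atp URLs in the same change avoids a second redirect per legacy URL and keeps one final target per page.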
@@ -841,13 +946,18 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
-"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
@@ -856,6 +966,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
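Review bot: The hunk at -841 replaces the entry for `windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md` rather than adding the new troubleshoot-exploit-protection-mitigations entry next to it, so that legacy source path has no redirect anywhere in this diff and, unless it is defined elsewhere, links to it stop resolving. If it was removed because two sources with `redirect_document_id: true` would otherwise share the target `/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np` (the re-added collect-cab-files entry at -726 points there too), the safer fix is to keep the legacy entry with `"redirect_document_id": false` and point it at the final `/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np` target. The `false` on the windows-defender-exploit-guard.md landing-page entry at -856 is the right choice for a many-to-one target and is what this entry should mirror.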
@@ -1005,7 +1120,6 @@
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction",
 "redirect_document_id": true
 },
-
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
@@ -3087,11 +3201,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md",
 "redirect_url": "/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard",
 "redirect_document_id": true
@@ -3132,6 +3241,16 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/memory-integrity",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
 "redirect_document_id": true
@@ -4422,6 +4541,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/device-security/get-support-for-security-baselines.md",
 "redirect_url": "/windows/security/threat-protection/get-support-for-security-baselines",
 "redirect_document_id": true
@@ -9642,6 +9766,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
 "redirect_document_id": true
@@ -12167,11 +12296,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/keep-secure/requirements-for-deploying-applocker-policies.md",
 "redirect_url": "/windows/device-security/applocker/requirements-for-deploying-applocker-policies",
 "redirect_document_id": true
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index f796a9ae53..067c82000d 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1821,7 +1821,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. @@ -2815,4 +2815,3 @@ Footnote: - [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) - [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) - diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 8e0abebf9d..b1150dc1b9 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md 
@@ -65,7 +65,7 @@ manager: dansimp -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. diff --git a/windows/deployment/planning/windows-10-1709-removed-features.md b/windows/deployment/planning/windows-10-1709-removed-features.md index 6126b5272f..5a745277d5 100644 --- a/windows/deployment/planning/windows-10-1709-removed-features.md +++ b/windows/deployment/planning/windows-10-1709-removed-features.md 
@@ -1,46 +1,47 @@ ---- -title: Windows 10, version 1709 removed features -description: Learn about features that will be removed in Windows 10, version 1709 -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -manager: laurawi -ms.topic: article ---- -# Features that are removed or deprecated in Windows 10, version 1709 - -> Applies to: Windows 10, version 1709 - -The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases. - -This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality. - -For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources.  - -| Feature | Removed | Not actively developed | -|----------|---------|------------| -|**3D Builder app**
No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | -|**Apndatabase.xml**
For more information about the replacement database, see the following Hardware Dev Center articles:
[MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
[COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | -|**Enhanced Mitigation Experience Toolkit (EMET)**
Use will be blocked. Consider using the [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) feature of Windows Defender Exploit Guard as a replacement.| X | | -|**IIS 6 Management Compatibility**
We recommend that users use alternative scripting tools and a newer management console. | | X | -|**IIS Digest Authentication**
We recommend that users use alternative authentication methods.| | X | -|**Microsoft Paint**
Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | -|**Outlook Express**
Removing this non-functional legacy code.| X | | -|**Reader app**
Functionality to be integrated into Microsoft Edge.| X | | -|**Reading List**
Functionality to be integrated into Microsoft Edge.| X | | -|**Resilient File System (ReFS)**
Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
(added: August 17, 2017)| | X | -|**RSA/AES Encryption for IIS**
We recommend that users use CNG encryption provider.| | X | -|**Screen saver functionality in Themes**
Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | -|**Sync your settings**
Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
(updated: August 17, 2017) | | X | -|**Syskey.exe**
Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | -|**System Image Backup (SIB) Solution**
We recommend that users use full-disk backup solutions from other vendors.| | X | -|**TCP Offload Engine**
Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || -|**Tile Data Layer**
To be replaced by the Tile Store.| X || -|**TLS RC4 Ciphers**
To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| -|**Trusted Platform Module (TPM) Owner Password Management**
This legacy code to be removed.|| X | -|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
To be replaced by a new user interface in a future release.| | X | -|**Trusted Platform Module (TPM) Remote Management**
This legacy code to be removed in a future release.|| X | -|**Windows Hello for Business deployment that uses System Center Configuration Manager**
Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | -|**Windows PowerShell 2.0**
Applications and components should be migrated to PowerShell 5.0+.| | X | +--- +title: Windows 10, version 1709 removed features +description: Learn about features that will be removed in Windows 10, version 1709 +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: ITPro +author: greg-lindsay +manager: laurawi +ms.topic: article +--- +# Features that are removed or deprecated in Windows 10, version 1709 + +> Applies to: Windows 10, version 1709 + +The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases. + +This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality. + +For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources.  + +| Feature | Removed | Not actively developed | +-|-|- +|**3D Builder app**
No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | +|**Apndatabase.xml**
For more information about the replacement database, see the following Hardware Dev Center articles:
[MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
[COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | +|**Enhanced Mitigation Experience Toolkit (EMET)**
Use will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) as a replacement.| X | | +|**IIS 6 Management Compatibility**
We recommend that users use alternative scripting tools and a newer management console. | | X | +|**IIS Digest Authentication**
We recommend that users use alternative authentication methods.| | X | +|**Microsoft Paint**
Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | +|**Outlook Express**
Removing this non-functional legacy code.| X | | +|**Reader app**
Functionality to be integrated into Microsoft Edge.| X | | +|**Reading List**
Functionality to be integrated into Microsoft Edge.| X | | +|**Resilient File System (ReFS)**
Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
(added: August 17, 2017)| | X | +|**RSA/AES Encryption for IIS**
We recommend that users use CNG encryption provider.| | X | +|**Screen saver functionality in Themes**
Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | +|**Sync your settings**
Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
(updated: August 17, 2017) | | X | +|**Syskey.exe**
Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | +|**System Image Backup (SIB) Solution**
We recommend that users use full-disk backup solutions from other vendors.| | X | +|**TCP Offload Engine**
Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || +|**Tile Data Layer**
To be replaced by the Tile Store.| X || +|**TLS RC4 Ciphers**
To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| +|**Trusted Platform Module (TPM) Owner Password Management**
This legacy code to be removed.|| X | +|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
To be replaced by a new user interface in a future release.| | X | +|**Trusted Platform Module (TPM) Remote Management**
This legacy code to be removed in a future release.|| X | +|**Windows Hello for Business deployment that uses System Center Configuration Manager**
Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | +|**Windows PowerShell 2.0**
Applications and components should be migrated to PowerShell 5.0+.| | X | diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md index bec34fa0f2..9c2f192856 100644 --- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md +++ b/windows/deployment/planning/windows-10-fall-creators-removed-features.md 
@@ -1,87 +1,107 @@ ---- -title: Windows 10 Fall Creators Update - Features removed or planned for removal -description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future? -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 10/09/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709) - -> Applies to: Windows 10, version 1709 - -Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.** - -## Features removed from Windows 10 Fall Creators Update -We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method. - -### 3D Builder -No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place. - -### APN database (Apndatabase.xml) -Replaced by the Country and Operator Settings Asset (COSA) database. 
For more information, see the following Hardware Dev Center articles: -- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) -- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) - -### Enhanced Mitigation Experience Toolkit (EMET) -Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature of Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details. - -### Outlook Express -Removed this non-functional code. - -### Reader app -Integrated the Reader functionality into Microsoft Edge. - -### Reading list -Integrated the Reading list functionality into Microsoft Edge. - -### Resilient File System (ReFS) -We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition. - -If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes. - -If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition. - -### Syskey.exe -Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). - -### TCP Offload Engine -Removed this code. 
The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/) - -### TPM Owner Password Management -Removed this code. - -## Features being considered for replacement starting after Windows Fall Creators Update -We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.** - -If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -### IIS 6 Management Compatibility -We're considering replacing the following specific DISM features: - -- IIS 6 Metabase Compatibility (Web-Metabase) -- IIS 6 Management Console (Web-Lgcy-Mgmt-Console) -- IIS 6 Scripting Tools (Web-Lgcy-Scripting) -- IIS 6 WMI Compatibility (Web-WMI) - -Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace. 
- -You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10). - -### IIS Digest Authentication -We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/). - -### Microsoft Paint -We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features. - -### RSA/AES Encryption for IIS -We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available. - -### Sync your settings -We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work. +--- +title: Windows 10 Fall Creators Update - Features removed or planned for removal +description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? 
Which features are we thinking of removing in the future? +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 10/09/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.topic: article +--- + +# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709) + +> Applies to: Windows 10, version 1709 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.** + +## Features removed from Windows 10 Fall Creators Update + +We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method. + +### 3D Builder + +No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place. + +### APN database (Apndatabase.xml) + +Replaced by the Country and Operator Settings Asset (COSA) database. 
For more information, see the following Hardware Dev Center articles: + +- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) +- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) + +### Enhanced Mitigation Experience Toolkit (EMET) + +Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details. + +### Outlook Express + +Removed this non-functional code. + +### Reader app + +Integrated the Reader functionality into Microsoft Edge. + +### Reading list + +Integrated the Reading list functionality into Microsoft Edge. + +### Resilient File System (ReFS) + +We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition. + +If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes. + +If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition. + +### Syskey.exe + +Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). + +### TCP Offload Engine + +Removed this code. 
The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/) + +### TPM Owner Password Management + +Removed this code. + +## Features being considered for replacement starting after Windows Fall Creators Update + +We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.** + +If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +### IIS 6 Management Compatibility + +We're considering replacing the following specific DISM features: + +- IIS 6 Metabase Compatibility (Web-Metabase) +- IIS 6 Management Console (Web-Lgcy-Mgmt-Console) +- IIS 6 Scripting Tools (Web-Lgcy-Scripting) +- IIS 6 WMI Compatibility (Web-WMI) + +Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace. 
+ +You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10). + +### IIS Digest Authentication + +We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/). + +### Microsoft Paint + +We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features. + +### RSA/AES Encryption for IIS + +We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available. + +### Sync your settings + +We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work. 
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index b30db83a7d..5305dd2345 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -64,6 +65,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusDate resolved
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

See details >
August 13, 2019
KB4512506
Resolved External
August 27, 2019
02:29 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >
June 11, 2019
KB4503292
Resolved
KB4512514
August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >
August 13, 2019
KB4512506
Resolved
KB4517297
August 16, 2019
02:00 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >
April 09, 2019
KB4493472
Resolved External
August 13, 2019
06:59 PM PT
+
DetailsOriginating updateStatusHistory
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.

Back to top
August 13, 2019
KB4512506
Resolved External
Last updated:
August 27, 2019
02:29 PM PT

Opened:
August 13, 2019
10:05 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

Back to top
August 13, 2019
KB4512506
Resolved
KB4517297
Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top
June 11, 2019
KB4503292
Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index 1c6c129a90..f2377ee4cf 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -74,7 +74,6 @@ sections:
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >OS Build 18362.116

May 21, 2019
KB4505057Mitigated External
August 01, 2019
08:44 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >OS Build 18362.116

May 21, 2019
KB4505057Mitigated
August 01, 2019
06:27 PM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019
02:00 PM PT -
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

See details >OS Build 18362.145

May 29, 2019
KB4497935Resolved
KB4505903July 26, 2019
02:00 PM PT
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >OS Build 18362.145

May 29, 2019
KB4497935Investigating
July 16, 2019
09:04 AM PT
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

See details >OS Build 18362.145

May 29, 2019
KB4497935Investigating
July 12, 2019
04:42 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >OS Build 18362.175

June 11, 2019
KB4503293Mitigated
July 10, 2019
07:09 PM PT @@ -116,15 +115,6 @@ sections: " -- title: June 2019 -- items: - - type: markdown - text: " - - -
DetailsOriginating updateStatusHistory
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

Affected platforms
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903.

Back to top
OS Build 18362.145

May 29, 2019
KB4497935
Resolved
KB4505903
Resolved:
July 26, 2019
02:00 PM PT

Opened:
June 28, 2019
05:01 PM PT
- " - - title: May 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index a57a74739b..a8fa52963a 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + @@ -81,7 +81,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

See details >
August 13, 2019
KB4512506
Mitigated External
August 23, 2019
04:25 PM PT
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

See details >
August 13, 2019
KB4512506
Resolved External
August 27, 2019
02:29 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >
June 11, 2019
KB4503292
Resolved
KB4512514
August 17, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >
August 13, 2019
KB4512506
Resolved
KB4517297
August 16, 2019
02:00 PM PT
IA64 and x64 devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

See details >
August 13, 2019
KB4512506
Mitigated
August 17, 2019
12:59 PM PT
- + diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index a1a64bebe4..5da4caee6b 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -20,8 +20,9 @@ ms.date: 11/29/2018 # TPM recommendations **Applies to** -- Windows 10 -- Windows Server 2016 + +- Windows 10 +- Windows Server 2016 This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10. 
@@ -47,27 +48,27 @@ From an industry standard, Microsoft has been an industry leader in moving and s TPM 2.0 products and systems have important security advantages over TPM 1.2, including: -- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. +- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. -- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. +- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017. -- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. +- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms. - - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms. + - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms. - - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx). 
+ - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx). - - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). + - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)). - - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. + - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions. -- TPM 2.0 offers a more **consistent experience** across different implementations. +- TPM 2.0 offers a more **consistent experience** across different implementations. - - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. + - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary. - - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. + - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee. -- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. 
+- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. @@ -78,11 +79,11 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in There are three implementation options for TPMs: -- Discrete TPM chip as a separate component in its own semiconductor package +- Discrete TPM chip as a separate component in its own semiconductor package -- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components +- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components -- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit +- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs. 
@@ -94,39 +95,37 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). +- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features). ### IoT Core -- TPM is optional on IoT Core. +- TPM is optional on IoT Core. ### Windows Server 2016 -- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. +- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required. ## TPM and Windows Features The following table defines which Windows features require TPM support. 
-| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | -|-------------------------|--------------|--------------------|--------------------|----------| -| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot | -| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support | -| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | -| Windows Defender Application Control (Device Guard) | No | Yes | Yes | | -| Windows Defender Exploit Guard | No | N/A | N/A | | -| Windows Defender System Guard | Yes | No | Yes | | -| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. | -| Device Health Attestation| Yes | Yes | Yes | | -| Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. | -| UEFI Secure Boot | No | Yes | Yes | | -| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | | -| Virtual Smart Card | Yes | Yes | Yes | | -| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | -| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | -| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | -| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. 
| - + Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | +-|-|-|-|- + Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot + BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support + Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. + Windows Defender Application Control (Device Guard) | No | Yes | Yes + Windows Defender System Guard | Yes | No | Yes + Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. + Device Health Attestation| Yes | Yes | Yes + Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. + UEFI Secure Boot | No | Yes | Yes + TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes + Virtual Smart Card | Yes | Yes | Yes + Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. + Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. + SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. + DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. ## OEM Status on TPM 2.0 system availability and certified parts diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index a41132770f..3bb9e5537f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -28,10 +28,10 @@ ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) #### [Application control](windows-defender-application-control/windows-defender-application-control.md) -#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) -#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) -#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) -#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +#### [Exploit protection](microsoft-defender-atp/exploit-protection.md) +#### [Network protection](microsoft-defender-atp/network-protection.md) +#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md) +#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) 
@@ -155,10 +155,10 @@ ##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md) ##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) ##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md) -##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md) -##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md) -##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md) -##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) +##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md) +##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md) +##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md) +##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md) ##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) 
@@ -184,20 +184,20 @@ ###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) ###### [Memory integrity]() -####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md) -####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) +####### [Understand memory integrity](device-guard/memory-integrity.md) +####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection]() -##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) -##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) +##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) +##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) -#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md) -#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) +#### [Network protection](microsoft-defender-atp/enable-network-protection.md) +#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md) #### [Attack surface reduction controls]() -##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md) -##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md) +##### [Enable attack surface reduction 
rules](microsoft-defender-atp/enable-attack-surface-reduction.md) +##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md) #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md) @@ -334,6 +334,8 @@ ##### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md) ##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md) ##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md) +##### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md) + ##### [Troubleshoot onboarding issues]() ###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md) @@ -528,8 +530,8 @@ #### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md) ### [Troubleshoot attack surface reduction]() -#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) -#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) +#### [Network protection](microsoft-defender-atp/troubleshoot-np.md) +#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) ### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 2517d1852c..f900f5ea9c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md 
@@ -18,31 +18,30 @@ audience: ITPro **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: +Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: -1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: - - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. - - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. - - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. - -2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) - - Identify or investigate suspicious usage activity. 
Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). 3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: - - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. 
- - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. >[!Note] >These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection. - ## Prevent threats from removable storage Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. 
-### Enable Windows Defender Antivirus Scanning +### Enable Windows Defender Antivirus Scanning -Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. - If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. 
@@ -55,32 +54,32 @@ Protecting authorized removable storage with Windows Defender Antivirus requires ### Block untrusted and unsigned processes on USB peripherals -End-users might plug in removable devices that are infected with malware. -To prevent infections, a company can block USB files that are unsigned or untrusted. -Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. -This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. -With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. -These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 1. 
Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) 3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 or later - - Profile type: Endpoint protection + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 or later + - Profile type: Endpoint protection ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. +4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. -5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. +5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. ![Block untrusted processes](images/block-untrusted-processes.png) 
@@ -92,11 +91,11 @@ These settings require [enabling real-time protection](https://docs.microsoft.co DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: -1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. - - Peripherals that support device memory isolation can always connect. 
Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). 2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: @@ -107,10 +106,10 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals. -| Control | Description | -|----------|-------------| -| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types | -| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types | + Control | Description +-|- + Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types + Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: 
@@ -120,18 +119,19 @@ All of the above controls can be set through the Intune [Administrative Template >Using Intune, you can apply device configuration policies to AAD user and/or device groups. The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)). ->[!Note] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. +> [!Note] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). ### Allow installation and usage of USB drives and other peripherals -One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. +One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. >[!Note] >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. ->1. Enable **prevent installation of devices not described by other policy settings** to all users. ->2. 
Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). +> +>1. Enable **prevent installation of devices not described by other policy settings** to all users. +>2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). To enforce the policy for already installed devices, apply the prevent policies that have this setting. When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection. 
@@ -144,38 +144,39 @@ In this example, the following classesneeded to be added: HID, Keboard, and {36f If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example, -1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** -2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** +1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** +2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** ->[!Note] ->How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. +> [!Note] +> How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. >Using PowerShell: Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property * >For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers) ### Prevent installation and usage of USB drives and other peripherals -If you want to prevent a device class or certain devices, you can use the prevent device installation policies. -1. Enable **Prevent installation of devices that match any of these device IDs**. -2. Enable the **Prevent installation of devices that match these device setup classes policy**. +If you want to prevent a device class or certain devices, you can use the prevent device installation policies. 
->[!Note] ->The prevent device installation policies take precedence over the allow device installation policies. +1. Enable **Prevent installation of devices that match any of these device IDs**. +2. Enable the **Prevent installation of devices that match these device setup classes policy**. + +> [!Note] +> The prevent device installation policies take precedence over the allow device installation policies. ### Block installation and usage of removable storage 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) -3. Use the following settings: +3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 and later - - Profile type: Device restrictions + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions ![Create profile](images/create-profile.png) 
@@ -211,34 +212,34 @@ The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, repre ### Bluetooth -Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. +Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. ![Bluetooth](images/bluetooth.png) ## Detect plug and play connected events -You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). 
-## Respond to threats +## Respond to threats Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. ->[!NOTE] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. +> [!NOTE] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. -The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). -| Control | Description | -|----------|-------------| -| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | -| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | -| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + Control | Description +-|- + [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage + [Only allow installation and usage of specifically approved 
peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware + [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware ->[!NOTE] ->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. +> [!NOTE] +> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. ### Custom Alerts and Response Actions @@ -267,6 +268,3 @@ Both machine and file level actions can be applied. - [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates) - [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) - [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) - - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md similarity index 83% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md rename to windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index ea7aa818f2..91f7206e6d 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -14,16 +14,16 @@ ms.date: 04/01/2019 ms.reviewer: --- -# Enable virtualization-based protection of code integrity +# Enable virtualization-based protection of code integrity **Applies to** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. -Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. -If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. +This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. +Some applications, including device drivers, may be incompatible with HVCI. +This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. 
@@ -37,13 +37,13 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. * HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. -## How to turn on HVCI in Windows 10 +## How to turn on HVCI in Windows 10 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: - [Windows Security app](#windows-security-app) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Group Policy](#enable-hvci-using-group-policy) -- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) +- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) ### Windows Security app @@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). ### Enable HVCI using Group Policy 
@@ -61,11 +61,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. - ![Enable HVCI using Group Policy](images/enable-hvci-gp.png) + ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png) 5. Click **Ok** to close the editor. -To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. +To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. ### Use registry keys to enable virtualization-based protection of code integrity 
@@ -185,64 +185,64 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803. -The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. +The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. #### AvailableSecurityProperties This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard. -| Value | Description | -|--------|-------------| -| **0.** | If present, no relevant properties exist on the device. | -| **1.** | If present, hypervisor support is available. | -| **2.** | If present, Secure Boot is available. | -| **3.** | If present, DMA protection is available. | -| **4.** | If present, Secure Memory Overwrite is available. | -| **5.** | If present, NX protections are available. | -| **6.** | If present, SMM mitigations are available. | -| **7.** | If present, Mode Based Execution Control is available. | +Value | Description +-|- +**0.** | If present, no relevant properties exist on the device. +**1.** | If present, hypervisor support is available. +**2.** | If present, Secure Boot is available. +**3.** | If present, DMA protection is available. +**4.** | If present, Secure Memory Overwrite is available. +**5.** | If present, NX protections are available. +**6.** | If present, SMM mitigations are available. +**7.** | If present, Mode Based Execution Control is available. #### InstanceIdentifier -A string that is unique to a particular device. Valid values are determined by WMI. +A string that is unique to a particular device. Valid values are determined by WMI. 
#### RequiredSecurityProperties This field describes the required security properties to enable virtualization-based security. -| Value | Description | -|--------|-------------| -| **0.** | Nothing is required. | -| **1.** | If present, hypervisor support is needed. | -| **2.** | If present, Secure Boot is needed. | -| **3.** | If present, DMA protection is needed. | -| **4.** | If present, Secure Memory Overwrite is needed. | -| **5.** | If present, NX protections are needed. | -| **6.** | If present, SMM mitigations are needed. | -| **7.** | If present, Mode Based Execution Control is needed. | +Value | Description +-|- +**0.** | Nothing is required. +**1.** | If present, hypervisor support is needed. +**2.** | If present, Secure Boot is needed. +**3.** | If present, DMA protection is needed. +**4.** | If present, Secure Memory Overwrite is needed. +**5.** | If present, NX protections are needed. +**6.** | If present, SMM mitigations are needed. +**7.** | If present, Mode Based Execution Control is needed. -#### SecurityServicesConfigured +#### SecurityServicesConfigured This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured. -| Value | Description | -|--------|-------------| -| **0.** | No services configured. | -| **1.** | If present, Windows Defender Credential Guard is configured. | -| **2.** | If present, HVCI is configured. | -| **3.** | If present, System Guard Secure Launch is configured. | +Value | Description +-|- +**0.** | No services configured. +**1.** | If present, Windows Defender Credential Guard is configured. +**2.** | If present, HVCI is configured. +**3.** | If present, System Guard Secure Launch is configured. #### SecurityServicesRunning This field indicates whether the Windows Defender Credential Guard or HVCI service is running. -| Value | Description | -|--------|-------------| -| **0.** | No services running. | -| **1.** | If present, Windows Defender Credential Guard is running. 
| -| **2.** | If present, HVCI is running. | -| **3.** | If present, System Guard Secure Launch is running. | +Value | Description +-|- +**0.** | No services running. +**1.** | If present, Windows Defender Credential Guard is running. +**2.** | If present, HVCI is running. +**3.** | If present, System Guard Secure Launch is running. #### Version @@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1. This field indicates whether VBS is enabled and running. -| Value | Description | -|--------|-------------| -| **0.** | VBS is not enabled. | -| **1.** | VBS is enabled but not running. | -| **2.** | VBS is enabled and running. | - +Value | Description +-|- +**0.** | VBS is not enabled. +**1.** | VBS is enabled but not running. +**2.** | VBS is enabled and running. #### PSComputerName @@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png) - +![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png) ## Troubleshooting diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md rename to windows/security/threat-protection/device-guard/memory-integrity.md 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
rename to windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png
rename to windows/security/threat-protection/images/Untitled-1.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
rename to windows/security/threat-protection/images/asr-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
rename to windows/security/threat-protection/images/asr-rules-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
rename to windows/security/threat-protection/images/asr-test-tool.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
rename to windows/security/threat-protection/images/cfa-allow-app-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
rename to windows/security/threat-protection/images/cfa-allow-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
rename to windows/security/threat-protection/images/cfa-allow-folder-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
rename to windows/security/threat-protection/images/cfa-audit-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
rename to windows/security/threat-protection/images/cfa-filecreator.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
rename to windows/security/threat-protection/images/cfa-gp-enable.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
rename to windows/security/threat-protection/images/cfa-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
rename to windows/security/threat-protection/images/cfa-on.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
rename to windows/security/threat-protection/images/cfa-prot-folders.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png b/windows/security/threat-protection/images/check-no.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png
rename to windows/security/threat-protection/images/check-no.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png
rename to windows/security/threat-protection/images/create-endpoint-protection-profile.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png
rename to windows/security/threat-protection/images/create-exploit-guard-policy.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/images/dg-fig11-dgproperties.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png
rename to windows/security/threat-protection/images/dg-fig11-dgproperties.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png
rename to windows/security/threat-protection/images/enable-cfa-app-allow.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png
rename to windows/security/threat-protection/images/enable-cfa-app-folder.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png
rename to windows/security/threat-protection/images/enable-cfa-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png
rename to windows/security/threat-protection/images/enable-cfa-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png
rename to windows/security/threat-protection/images/enable-ep-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png b/windows/security/threat-protection/images/enable-hvci-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png
rename to windows/security/threat-protection/images/enable-hvci-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png
rename to windows/security/threat-protection/images/enable-np-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png
rename to windows/security/threat-protection/images/ep-default.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
rename to windows/security/threat-protection/images/ep-prog.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
rename to windows/security/threat-protection/images/event-viewer-import.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif
rename to windows/security/threat-protection/images/event-viewer.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif
rename to windows/security/threat-protection/images/events-create.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif
rename to windows/security/threat-protection/images/events-import.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png
rename to windows/security/threat-protection/images/exp-prot-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png
rename to windows/security/threat-protection/images/np-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png
rename to windows/security/threat-protection/images/sccm-asr-blocks.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png
rename to windows/security/threat-protection/images/sccm-asr-rules.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png
rename to windows/security/threat-protection/images/sccm-cfa-block.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png
rename to windows/security/threat-protection/images/sccm-cfa.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png
rename to windows/security/threat-protection/images/sccm-ep-xml.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png
rename to windows/security/threat-protection/images/sccm-ep.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png
rename to windows/security/threat-protection/images/sccm-np-block.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png
rename to windows/security/threat-protection/images/sccm-np.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
rename to windows/security/threat-protection/images/svg/check-no.svg
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
rename to windows/security/threat-protection/images/svg/check-yes.svg
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png
rename to windows/security/threat-protection/images/wdeg.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-export.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
rename to windows/security/threat-protection/images/wdsc-exp-prot.png
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 97a809c8de..ed4ed90c14 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -58,16 +58,16 @@ This built-in capability uses a game-changing risk-based approach to the discove
 **[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
+- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
 - [Application control](windows-defender-application-control/windows-defender-application-control.md)
 - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
+- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+- [Network protection](microsoft-defender-atp/network-protection.md)
+- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
 - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
similarity index 80%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index d4108e91a2..311f6803b0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/07/2019
@@ -16,32 +17,28 @@ ms.reviewer:
 manager: dansimp
 ---
-# Reduce attack surfaces with attack surface reduction rules
+# Reduce attack surfaces with attack surface reduction rules
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
-
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
 To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. 
These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
-
 Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
-- Executable files and scripts used in Office apps or web mail that attempt to download or run files
-- Obfuscated or otherwise suspicious scripts
-- Behaviors that apps don't usually initiate during normal day-to-day work
+* Executable files and scripts used in Office apps or web mail that attempt to download or run files
+* Obfuscated or otherwise suspicious scripts
+* Behaviors that apps don't usually initiate during normal day-to-day work
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. 
It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
@@ -49,11 +46,11 @@ For information about configuring attack surface reduction rules, see [Enable at
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
-Here is an example query:
+Here is an example query:
-```
+```PowerShell
 MiscEvents
 | where ActionType startswith 'Asr'
 ```
@@ -62,13 +59,13 @@ MiscEvents
 You can review the Windows event log to view events that are created when attack surface reduction rules fire:
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
 3. Click **Import custom view...** on the left panel, under **Actions**.
-
-4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
 5. Click **OK**.
@@ -82,13 +79,12 @@ Event ID | Description
 The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
-
 ## Attack surface reduction rules
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
-Rule name | GUID | File & folder exclusions
--|-|-
+ Rule name | GUID | File & folder exclusions
+-----------|------|--------------------------
 Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
 Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
 Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
@@ -111,8 +107,8 @@ Each rule description indicates which apps or file types the rule applies to. In
 This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -138,7 +134,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 ### Block Office applications from creating executable content
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
 This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
@@ -154,7 +150,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
 Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
-This rule applies to Word, Excel, and PowerPoint.
+This rule applies to Word, Excel, and PowerPoint.
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -166,12 +162,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
 ### Block JavaScript or VBScript from launching downloaded executable content
-Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
+Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
->[!IMPORTANT]
->File and folder exclusions don't apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -206,16 +202,16 @@ SCCM name: Block Win32 API calls from Office macros
 GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
 ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
+
 This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
-
-- Executable files (such as .exe, .dll, or .scr)
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+* Executable files (such as .exe, .dll, or .scr)
->[!IMPORTANT]
->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+> [!IMPORTANT]
+> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
 >
 >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
@@ -226,13 +222,13 @@ Intune name: Executables that don't meet a prevalence, age, or trusted list crit
 SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
 GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
-
+
 ### Use advanced protection against ransomware
-
+
 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
@@ -241,14 +237,14 @@ Intune name: Advanced ransomware protection
 SCCM name: Use advanced protection against ransomware
 GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
-
+
 ### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-
+
 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
- >[!NOTE]
- >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-
+> [!NOTE]
+> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
 Intune name: Flag credential stealing from the Windows local security authority subsystem
@@ -261,11 +257,11 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
->[!IMPORTANT]
->File and folder exclusions do not apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions do not apply to this attack surface reduction rule.
->[!WARNING]
->Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
+> [!WARNING]
+> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
@@ -274,13 +270,13 @@ Intune name: Process creation from PSExec and WMI commands
 SCCM name: Not applicable
 GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
-
+
 ### Block untrusted and unsigned processes that run from USB
-
+
 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
-
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
@@ -294,8 +290,8 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
->[!NOTE]
->This rule applies to Outlook and Outlook.com only.
+> [!NOTE]
+> This rule applies to Outlook and Outlook.com only.
 This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
@@ -307,7 +303,7 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
 ### Block Adobe Reader from creating child processes
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
 This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
@@ -319,7 +315,7 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 ### Block persistence through WMI event subscription
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
 This rule was introduced in: Windows 10 1903, Windows Server 1903
@@ -331,7 +327,6 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
 ## Related topics
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
-
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index dd9c960c79..cb5f42efe4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -16,12 +17,11 @@ ms.reviewer:
 manager: dansimp
 ---
-
-# Use audit mode
+# Use audit mode
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
@@ -33,25 +33,23 @@ To find the audited entries, go to **Applications and Services** > **Microsoft**
 You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
+This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
 You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
-|Audit options | How to enable audit mode | How to view events |
-|- | - | - |
-|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) |
-|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) |
-|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) |
-|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) |
-
+ Audit options | How to enable audit mode | How to view events
+-|-|-
+Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
+|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection 
events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
 ## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Protect your network](network-protection-exploit-guard.md)
-- [Protect important folders](controlled-folders-exploit-guard.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Protect your network](network-protection.md)
+* [Protect important folders](controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index 706f90cf75..d0dfe6add3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -1,8 +1,7 @@
 ---
-title:
-ms.reviewer:
-description:
-keywords:
+title: Configure attack surface reduction
+description: Configure attack surface reduction
+keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -23,22 +22,21 @@ ms.date: 07/01/2018 You can configure attack surface reduction with a number of tools, including: -- Microsoft Intune -- System Center Configuration Manager -- Group Policy -- PowerShell cmdlets - +* Microsoft Intune +* System Center Configuration Manager +* Group Policy +* PowerShell cmdlets The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools). ## In this section + Topic | Description -:---|:--- +-|- [Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes -[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps -[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains -[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps -[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware +[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps +[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Controlled folder access](./enable-controlled-folders.md)|How to protect 
valuable data from malicious apps +[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 7f76395800..69c4df40de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md 
@@ -20,34 +20,36 @@ ms.topic: article # Optimize ASR rule deployment and detections **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + +[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. ![Attack surface management card](images/secconmgmt_asr_card.png)
*Attack surface management card* The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to: -- Understand how ASR rules are currently deployed in your organization -- Review ASR detections and identify possible incorrect detections -- Analyze the impact of exclusions and generate the list of file paths to exclude +* Understand how ASR rules are currently deployed in your organization +* Review ASR detections and identify possible incorrect detections +* Analyze the impact of exclusions and generate the list of file paths to exclude Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)
*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center* ->[!NOTE] ->To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) +> [!NOTE] +> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) -For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) +For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +> Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) # Related topics -- [Ensure your machines are configured properly](configure-machines.md) -- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) \ No newline at end of file + +* [Ensure your machines are configured properly](configure-machines.md) +* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 3f4c09e497..3ba4e51fda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -17,15 +17,13 @@ ms.collection: M365-security-compliance ms.topic: article --- - # Configure machine proxy and Internet connectivity settings **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. 
@@ -43,20 +41,19 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe > [!NOTE] > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - - Manual static proxy configuration: - Registry based configuration - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) - - ## Configure the proxy server manually using a registry-based static proxy + Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. -The static proxy is configurable through Group Policy (GP). The group policy can be found under: +The static proxy is configurable through Group Policy (GP). The group policy can be found under: + - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: + ![Image of Group Policy setting](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - Configure the proxy:
![Image of Group Policy setting](images/atp-gpo-proxy2.png) @@ -68,6 +65,7 @@ The static proxy is configurable through Group Policy (GP). The group policy can ```text : ``` + For example: 10.0.0.6:8080 The registry value `DisableEnterpriseAuthProxy` should be set to 1. @@ -87,35 +85,39 @@ Use netsh to configure a system-wide static proxy. b. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**: - ``` + + ```PowerShell netsh winhttp set proxy : ``` + For example: netsh winhttp set proxy 10.0.0.6:8080 To reset the winhttp proxy, enter the following command and press **Enter** -``` + +```PowerShell netsh winhttp reset proxy ``` + See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. ## Enable access to Microsoft Defender ATP service URLs in the proxy server + If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: ->[!NOTE] -> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. +> [!NOTE] +> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. -Service location | Microsoft.com DNS record -:---|:--- + Service location | Microsoft.com DNS record +-|- Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com``` European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` United States | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` - - If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -## Microsoft Defender ATP service backend IP range +## Microsoft Defender ATP service backend IP range + If you network devices don't support the URLs white-listed in the prior section, you can use the following information. Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: @@ -128,13 +130,11 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region - \+\ - \+\ +You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). -You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=41653). - ->[!NOTE] +> [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. - ## Verify client connectivity to Microsoft Defender ATP service URLs Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. @@ -151,11 +151,13 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 4. Enter the following command and press **Enter**: - ``` + ```PowerShell HardDrivePath\WDATPConnectivityAnalyzer.cmd ``` + Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example - ``` + + ```PowerShell C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd ``` 
@@ -163,13 +165,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + ```text Testing URL : https://xxx.microsoft.com/xxx 1 - Default proxy: Succeeded (200) 2 - Proxy auto discovery (WPAD): Succeeded (200) 3 - Proxy disabled: Succeeded (200) 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist ``` If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

@@ -177,9 +180,10 @@ If at least one of the connectivity options returns a (200) status, then the Mic However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] -> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. +> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. ## Related topics + - [Onboard Windows 10 machines](configure-endpoints.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md similarity index 78% rename from windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 7aa48ea40e..eb5c9b65bb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin audience: ITPro @@ -21,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
@@ -35,9 +36,9 @@ Controlled folder access is especially useful in helping to protect your documen With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. 
@@ -49,7 +50,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. Here is an example query 
@@ -62,13 +63,13 @@ MiscEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 1. On the left panel, under **Actions**, click **Import custom view...**. -1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). 1. Click **OK**. @@ -83,7 +84,7 @@ Event ID | Description ## In this section Topic | Description ----|--- +-|- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. -[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network -[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network +[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md similarity index 74% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 2b7dec1738..839daef3d1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 @@ -20,10 +21,10 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. 
@@ -33,21 +34,20 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. +You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. ->[!WARNING] ->This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +> [!WARNING] +> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -Attack surface reduction supports environment variables and wildcards. 
For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - -Rule description | GUID --|:-:|- +Rule description | GUID +-|-|- Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B 
@@ -62,19 +62,19 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b -See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule. ### Use Group Policy to exclude files and folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. 
Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folders @@ -85,10 +85,10 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. +Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to exclude files and folders @@ -100,7 +100,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md similarity index 74% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 1acfffd14f..3216d16b87 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 
@@ -20,19 +21,19 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
-- [Add additional folders to be protected](#protect-additional-folders)
-- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
+* [Add additional folders to be protected](#protect-additional-folders)
+* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders)
->[!WARNING]
->Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
>
->This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact.
+> [!WARNING]
+> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files.
>
+> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact.
## Protect additional folders
@@ -42,7 +43,7 @@ You can add additional folders to be protected, but you cannot remove the defaul
Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
-You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
+You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
You can use the Windows Security app or Group Policy to add and remove additional protected folders.
@@ -55,14 +56,14 @@ You can use the Windows Security app or Group Policy to add and remove additiona
3. Under the **Controlled folder access** section, click **Protected folders**
4. Click **Add a protected folder** and follow the prompts to add apps.
-
+
### Use Group Policy to protect additional folders
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
@@ -77,10 +78,10 @@ You can use the Windows Security app or Group Policy to add and remove additiona
Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
-![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
+![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png)
->[!IMPORTANT]
->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
+> [!IMPORTANT]
+> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Use MDM CSPs to protect additional folders
@@ -88,17 +89,16 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
## Allow specific apps to make changes to controlled folders
-You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
+You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
->[!IMPORTANT]
->By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
->You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
+> [!IMPORTANT]
+> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
+> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-
### Use the Windows Defender Security app to allow specific apps
1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -109,15 +109,15 @@ An allowed application or service only has write access to a controlled folder a
4. Click **Add an allowed app** and follow the prompts to add apps.
- ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png)
+ ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png)
### Use Group Policy to allow specific apps
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
@@ -135,22 +135,24 @@ An allowed application or service only has write access to a controlled folder a
```PowerShell
Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
```
+
Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
-![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
+![Screenshot of a PowerShell window with the above cmdlet entered](../images/cfa-allow-app-ps.png)
->[!IMPORTANT]
->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
+> [!IMPORTANT]
+> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
### Use MDM CSPs to allow specific apps
-Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Customize the notification
See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
## Related topics
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
-- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md)
+
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Enable controlled folder access](enable-controlled-folders.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
similarity index 72%
rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
index f6197a0a67..64a77031bf 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
+audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 03/26/2019
@@ -20,18 +21,18 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
-
+
You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
- This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
+This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
->[!WARNING]
->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
+> [!WARNING]
+> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
## Exploit protection mitigations
@@ -39,87 +40,87 @@ All mitigations can be configured for individual apps. Some mitigations can also
You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
-Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
+Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
Mitigation | Description | Can be applied to | Audit mode available
-- | - | - | :-:
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)]
-Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
-Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
+-|-|-|-
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)]
+Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)]
->[!IMPORTANT]
->If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
+> [!IMPORTANT]
+> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
>
>
->Enabled in **Program settings** | Enabled in **System settings** | Behavior
->:-: | :-: | :-:
->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
+> Enabled in **Program settings** | Enabled in **System settings** | Behavior
+> -|-|-
+> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
+> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
+> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
+> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
>
>
->
->- **Example 1**
->
+>
+> * **Example 1**
+>
> Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
->
+>
> Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
->
->The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
->
->
->- **Example 2**
->
+>
+> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
+>
+>
+> * **Example 2**
+>
> Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
>
-> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
+> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
>
> Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
>
->The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
+>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
>CFG will be enabled for *miles.exe*.
->[!NOTE]
->If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
+> [!NOTE]
+> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country.
### Configure system-level mitigations with the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+ * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
>[!NOTE]
>You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
- Changing some settings may require a restart.
+ Changing some settings may require a restart.
4. Repeat this for all the system-level mitigations you want to configure.
@@ -127,15 +128,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
-
-You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
+You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
@@ -151,33 +151,34 @@ Exporting the configuration as an XML file allows you to copy the configuration You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell -Get-ProcessMitigation -Name processName.exe +Get-ProcessMitigation -Name processName.exe ``` ->[!IMPORTANT] ->System-level mitigations that have not been configured will show a status of `NOTSET`. +> [!IMPORTANT] +> System-level mitigations that have not been configured will show a status of `NOTSET`. > ->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > ->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security. +> The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` + Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - - `-System` to indicate the mitigation should be applied at the system level +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. 
+ * `-System` to indicate the mitigation should be applied at the system level - \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -185,8 +186,8 @@ Where: Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation ``` - >[!IMPORTANT] - >Separate each mitigation option with commas. + > [!IMPORTANT] + > Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -202,8 +203,7 @@ Where: Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` - - You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. + You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: 
@@ -215,11 +215,10 @@ You can disable audit mode by using the same command but replacing `-Enable` wit ### PowerShell reference table -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. - Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet - | - | - | - Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available 
@@ -228,39 +227,36 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available Validate heap integrity | System and app-level | TerminateOnError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not 
available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available - - +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available \[1\]: Use the following format to enable EAF modules for dlls for a process: ```PowerShell -Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
new file mode 100644
index 0000000000..73df2fb5a4
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md
@@ -0,0 +1,87 @@
+---
+title: Compare the features in Exploit protection with EMET
+keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert
+description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+author: levinec
+ms.author: ellevin
+ms.date: 08/08/2018
+ms.reviewer:
+manager: dansimp
+---
+
+# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender
+
+**Applies to:**
+
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+> [!IMPORTANT]
+> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP.
+>
+> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+
+This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP.
+
+Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
+
+EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
+
+After July 31, 2018, it will not be supported.
+
+For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
+
+* [Protect devices from exploits](exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+
+## Mitigation comparison
+
+The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md).
+
+The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.
+
+Mitigation | Available in Windows Defender | Available in EMET
+-|-|-
+Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check" +Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+
+> [!NOTE]
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process.
+>
+> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+
+## Related topics
+
+* [Protect devices from exploits with Windows Defender](exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index b346df9a75..80c8e25156
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
@@ -18,7 +19,7 @@ manager: dansimp # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. Each ASR rule contains three settings: @@ -30,11 +31,11 @@ To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We r You can enable attack surface reduction rules by using any of these methods: -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. 
@@ -42,20 +43,20 @@ Enterprise-level management such as Intune or SCCM is recommended. Enterprise-le You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. ->[!WARNING] ->Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. -> ->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - ->[!IMPORTANT] ->File and folder exclusions do not apply to the following ASR rules: +> [!WARNING] +> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > ->- Block process creations originating from PSExec and WMI commands ->- Block JavaScript or VBScript from launching downloaded executable content +> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). + +> [!IMPORTANT] +> File and folder exclusions do not apply to the following ASR rules: +> +> * Block process creations originating from PSExec and WMI commands +> * Block JavaScript or VBScript from launching downloaded executable content You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. 
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. @@ -66,8 +67,8 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. 3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: - - *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* + + *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. 
@@ -75,7 +76,7 @@ The following procedures for enabling ASR rules include instructions for how to Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules @@ -83,9 +84,9 @@ Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A776 The values to enable, disable, or enable in audit mode are: -- Disable = 0 -- Block (enable ASR rule) = 1 -- Audit = 2 +* Disable = 0 +* Block (enable ASR rule) = 1 +* Audit = 2 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. @@ -95,8 +96,8 @@ OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExc Value: c:\path|e:\path|c:\Whitelisted.exe ->[!NOTE] ->Be sure to enter OMA-URI values without spaces. +> [!NOTE] +> Be sure to enter OMA-URI values without spaces. ## SCCM 
@@ -105,12 +106,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. 1. Choose which rules will block or audit actions and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. ## Group Policy ->[!WARNING] ->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. +> [!WARNING] +> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -119,15 +120,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Disable = 0 - - Block (enable ASR rule) = 1 - - Audit = 2 - ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + + * Disable = 0 + * Block (enable ASR rule) = 1 + * Audit = 2 + + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) + +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. - ## PowerShell >[!WARNING] 
@@ -141,32 +144,32 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - To enable ASR rules in audit mode, use the following cmdlet: + To enable ASR rules in audit mode, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` - To turn off ASR rules, use the following cmdlet: + To turn off ASR rules, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled ``` - >[!IMPORTANT] - >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. - > - >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: - > - >```PowerShell - >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode - >``` + > [!IMPORTANT] + > You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. + > + > In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: + > + > ```PowerShell + > Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode + > ``` - You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
- >[!WARNING] - >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. - >You can obtain a list of rules and their current state by using `Get-MpPreference` + > [!WARNING] + > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. + > You can obtain a list of rules and their current state by using `Get-MpPreference` 3. To exclude files and folders from ASR rules, use the following cmdlet: @@ -174,14 +177,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` - Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. - - >[!IMPORTANT] - >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + > [!IMPORTANT] + > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 7ed8ec4621..a7ff6da08f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
@@ -20,24 +21,25 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019.
+[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019.
 You can enable controlled folder access by using any of these methods:
-- [Windows Security app](#windows-security-app)
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Windows Security app](#windows-security-app)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
 [Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
 Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access.
 These policies include:
-- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
-- System Center Endpoint Protection **Allow users to add exclusions and overrides**
+
+* Windows Defender Antivirus **Configure local administrator merge behavior for lists**
+* System Center Endpoint Protection **Allow users to add exclusions and overrides**
 For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
@@ -49,9 +51,9 @@ For more information about disabling local list merging, see [Prevent or allow u
 3. Set the switch for **Controlled folder access** to **On**.
->[!NOTE]
->If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+> [!NOTE]
+> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
+> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
 >If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
@@ -60,21 +62,21 @@ For more information about disabling local list merging, see [Prevent or allow u
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
 1. Click **Device configuration** > **Profiles** > **Create profile**.
 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- ![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
-1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
+ ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
+1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**.
- ![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
+ ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png)
- >[!NOTE]
- >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
+ > [!NOTE]
+ > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-1. Click **OK** to save each open blade and click **Create**.
+1. Click **OK** to save each open blade and click **Create**.
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
-## MDM
+## MDM
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
 ## SCCM
@@ -82,28 +84,28 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
 2. Click **Home** > **Create Exploit Guard Policy**.
 3. Enter a name and a description, click **Controlled folder access**, and click **Next**.
 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
- >[!NOTE]
- >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
+ > [!NOTE]
+ > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
 5. Review the settings and click **Next** to create the policy.
-6. After the policy is created, click **Close**.
+6. After the policy is created, click **Close**.
 ## Group Policy
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
+3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
-6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**.
In the options section you must specify one of the following:
- - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
- - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
- - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
+4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following:
+ * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log
+ * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
+ * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
- ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png)
+ ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png)
->[!IMPORTANT]
->To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+> [!IMPORTANT]
+> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
 ## PowerShell
@@ -121,6 +123,6 @@ Use `Disabled` to turn the feature off.
 ## Related topics
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md)
-- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md)
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Customize controlled folder access](customize-controlled-folders.md)
+* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index e3fd820ba9..76bada624f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/09/2019
@@ -20,93 +21,93 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
+[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
-Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
+Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
 You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
 You can enable each mitigation separately by using any of these methods:
-- [Windows Security app](#windows-security-app)
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Windows Security app](#windows-security-app)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
-They are configured by default in Windows 10.
+They are configured by default in Windows 10.
-You can set each mitigation to on, off, or to its default value.
+You can set each mitigation to on, off, or to its default value.
 Some mitigations have additional options.
-You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
+You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
 ## Windows Security app
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
 3. Go to **Program settings** and choose the app you want to apply mitigations to:
 1. If the app you want to configure is already listed, click it and then click **Edit**
 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-5. Repeat this for all the apps and mitigations you want to configure.
+5.
Repeat this for all the apps and mitigations you want to configure.
-3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+ * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
-5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 Enabled in **Program settings** | Enabled in **System settings** | Behavior
-:-: | :-: | :-:
-[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
-[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
-[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
-[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
+-|-|-
+[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
+[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
+[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
+[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
+
+**Example 1**
-**Example 1**
-
 Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**.
 There are no other apps listed in the **Program settings** section.
-
+
 The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
 **Example 2**
 Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
-Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
+Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
 Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
-The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
+The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
 CFG will be enabled for *miles.exe*.
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
 3. Go to **Program settings** and choose the app you want to apply mitigations to:
 1. If the app you want to configure is already listed, click it and then click **Edit**
 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension.
You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
@@ -116,11 +117,11 @@ CFG will be enabled for *miles.exe*.
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
 1. Click **Device configuration** > **Profiles** > **Create profile**.
 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- ![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
+ ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
 1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
 1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
- ![Enable network protection in Intune](images/enable-ep-intune.png)
-1. Click **OK** to save each open blade and click **Create**.
+ ![Enable network protection in Intune](../images/enable-ep-intune.png)
+1. Click **OK** to save each open blade and click **Create**.
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 ## MDM
@@ -134,50 +135,51 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
 1. Enter a name and a description, click **Exploit protection**, and click **Next**.
 1. Browse to the location of the exploit protection XML file and click **Next**.
 1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+1. After the policy is created, click **Close**.
 ## Group Policy
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 ## PowerShell
 You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`.
 Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
 ```PowerShell
-Get-ProcessMitigation -Name processName.exe
+Get-ProcessMitigation -Name processName.exe
 ```
->[!IMPORTANT]
->System-level mitigations that have not been configured will show a status of `NOTSET`.
>
->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
>
->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
->The default setting for each system-level mitigation can be seen in the Windows Security.
+> [!IMPORTANT]
+> System-level mitigations that have not been configured will show a status of `NOTSET`.
>
+> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
>
+> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
+> The default setting for each system-level mitigation can be seen in the Windows Security.
 Use `Set` to configure each mitigation in the following format:
 ```PowerShell
 Set-ProcessMitigation - - ,,
 ```
+
 Where:
-- \:
- - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
- - `-System` to indicate the mitigation should be applied at the system level
-- \:
- - `-Enable` to enable the mitigation
- - `-Disable` to disable the mitigation
-- \:
- - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
+* \:
+ * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+ * `-System` to indicate the mitigation should be applied at the system level
+* \:
+ * `-Enable` to enable the mitigation
+ * `-Disable` to disable the mitigation
+* \:
+ * The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
 For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
@@ -185,8 +187,8 @@ For example, to enable the Data Execution Prevention (DEP) mitigation with ATL t
 Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
 ```
->[!IMPORTANT]
->Separate each mitigation option with commas.
+> [!IMPORTANT]
+> Separate each mitigation option with commas.
 If you wanted to apply DEP at the system level, you'd use the following command:
@@ -202,8 +204,7 @@ If you need to restore the mitigation back to the system default, you need to in
 Set-Processmitigation -Name test.exe -Remove -Disable DEP
 ```
-This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
-
+This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
 Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
 - | - | - | -
@@ -213,39 +214,35 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force
 Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available
 Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available
 Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available
-Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
-Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
-Block remote images | App-level only | BlockRemoteImages | Audit not available
-Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
-Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
+Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode
+Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad
+Block remote images | App-level only | BlockRemoteImages | Audit not available
+Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly
+Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned
 Disable extension points | App-level only | ExtensionPoint | Audit not available
 Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall
 Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess
-Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available
-Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
-Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
-Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not
available
+Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available
+Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available
+Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available
+Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available
 Validate handle usage | App-level only | StrictHandle | Audit not available
-Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
-Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
-
-
+Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
+Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
 \[1\]: Use the following format to enable EAF modules for dlls for a process:
 ```PowerShell
-Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
+Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
-
 ## Customize the notification
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
-
 ## Related topics
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
index dc62facca9..97a6409ed0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.reviewer:
@@ -20,31 +21,29 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.
 You can enable network protection by using any of these methods:
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [System Center Configuration Manager (SCCM)](#sccm)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
+* [Microsoft Intune](#intune)
+* [Mobile Device Management (MDM)](#mdm)
+* [System Center Configuration Manager (SCCM)](#sccm)
+* [Group Policy](#group-policy)
+* [PowerShell](#powershell)
 ## Intune
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-2. Click **Device configuration** > **Profiles** > **Create profile**.
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- ![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
-
- ![Enable network protection in Intune](images/enable-np-intune.png)
-
-5. Click **OK** to save each open blade and click **Create**.
-6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+1. Click **Device configuration** > **Profiles** > **Create profile**.
+1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+ ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
+1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
+ ![Enable network protection in Intune](../images/enable-np-intune.png)
+1. Click **OK** to save each open blade and click **Create**.
+1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 ## MDM
@@ -57,60 +56,58 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d
 1. Enter a name and a description, click **Network protection**, and click **Next**.
 1. Choose whether to block or audit access to suspicious domains and click **Next**.
 1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+1. After the policy is created, click **Close**.
-## Group Policy
+## Group Policy
-You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
+You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer.
-1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
+1. On a standalone computer, click **Start**, type and then click **Edit group policy**.
 -Or-
-
+
 On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
- - **Block** - Users will not be able to access malicious IP addresses and domains
- - **Disable (Default)** - The Network protection feature will not work. 
Users will not be blocked from accessing malicious domains
- - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
+ * **Block** - Users will not be able to access malicious IP addresses and domains
+ * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
+ * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
->[!IMPORTANT]
->To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
+> [!IMPORTANT]
+> To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
 You can confirm network protection is enabled on a local computer by using Registry editor:
 1. Click **Start** and type **regedit** to open **Registry Editor**.
 1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-1. Click **EnableNetworkProtection** and confirm the value:
- - 0=Off
- - 1=On
- - 2=Audit
+1. Click **EnableNetworkProtection** and confirm the value:
+ * 0=Off
+ * 1=On
+ * 2=Audit
 ## PowerShell
 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
- ```
+ ```PowerShell
 Set-MpPreference -EnableNetworkProtection Enabled
 ```
 You can enable the feature in audit mode using the following cmdlet:
-```
+```PowerShell
 Set-MpPreference -EnableNetworkProtection AuditMode
 ```
 Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off.
-
 ## Related topics
-- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Network protection](network-protection-exploit-guard.md)
-- [Evaluate network protection](evaluate-network-protection.md)
-- [Troubleshoot network protection](troubleshoot-np.md)
+* [Network protection](network-protection.md)
+* [Evaluate network protection](evaluate-network-protection.md)
+* [Troubleshoot network protection](troubleshoot-np.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index ee7946c9af..ee4f4e583c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -19,25 +19,30 @@ ms.topic: conceptual
 ---
 # Evaluate Microsoft Defender ATP
+
 [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
 You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/WindowsForBusiness/windows-atp).
-You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions.
+You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions.
 ## Evaluate attack surface reduction
+
 These capabilities help prevent attacks and exploitations from infecting your organization.
-- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
-- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
-- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+
+- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md)
+- [Evaluate exploit protection](./evaluate-exploit-protection.md)
+- [Evaluate network protection](./evaluate-exploit-protection.md)
+- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md)
 - [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
 - [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 ## Evaluate next generation protection
+
 Next gen protections help detect and block the latest threats.
+
 - [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-
 ## See Also
+
 [Get started with Microsoft Defender Advanced Threat Protection](get-started.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
similarity index 68%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
index 145da203d5..271622f774 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
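Review bot: The relocated "Evaluate network protection" entry still links to `./evaluate-exploit-protection.md`, the same target as the exploit-protection entry directly above it, so readers following it land on the wrong evaluation guide. The commit moves evaluate-network-protection.md into this same microsoft-defender-atp directory, so the line should read `- [Evaluate network protection](./evaluate-network-protection.md)`. The old side carried the same wrong target, which suggests the retargeting was done mechanically without checking each link's destination.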
@@ -20,14 +21,14 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients.
 This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization.
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 ## Use audit mode to measure impact
@@ -43,42 +44,27 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
 This enables all attack surface reduction rules in audit mode.
->[!TIP]
->If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md).
+> [!TIP]
+> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
 ## Review attack surface reduction events in Windows Event Viewer
 To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
-
-| Event ID | Description |
-|----------|-------------|
-|5007 | Event when settings are changed |
-| 1121 | Event when an attack surface reduction rule fires in block mode |
-| 1122 | Event when an attack surface reduction rule fires in audit mode |
+ Event ID | Description
+-|-
+ 5007 | Event when settings are changed
+ 1121 | Event when an attack surface reduction rule fires in block mode
+ 1122 | Event when an attack surface reduction rule fires in audit mode
 ## Customize attack surface reduction rules
-During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. 
+During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature.
 See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
 ## Related topics
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index 08d11df095..5f8fc8a0da 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 11/16/2018
@@ -20,16 +21,16 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
+[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
 It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
 This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization.
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 ## Use audit mode to measure impact
@@ -43,27 +44,28 @@ To enable audit mode, use the following PowerShell cmdlet:
 Set-MpPreference -EnableControlledFolderAccess AuditMode
 ```
->[!TIP]
->If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md).
+> [!TIP]
+> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
 ## Review controlled folder access events in Windows Event Viewer
 The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
-| Event ID | Description |
-| --- | --- |
-| 5007 | Event when settings are changed |
-| 1124 | Audited controlled folder access event |
-| 1123 | Blocked controlled folder access event |
+Event ID | Description
+-|-
+ 5007 | Event when settings are changed
+ 1124 | Audited controlled folder access event
+ 1123 | Blocked controlled folder access event
 ## Customize protected folders and apps
-During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
+During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
-See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. 
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
 ## Related topics
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode](audit-windows-defender-exploit-guard.md)
+
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md)
+* [Use audit mode](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
similarity index 57%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index 4d7e28279c..4d70c50373 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
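Review bot: The new "Evaluate Microsoft Defender ATP" entry in Related topics is not a valid Markdown link: `]../(` puts the `../` between the link text and the opening parenthesis, so it renders as literal text and the path is never resolved. The file now lives in the microsoft-defender-atp directory alongside evaluate-atp.md (see the evaluate-atp.md section earlier in this diff), so the line should be `* [Evaluate Microsoft Defender ATP](evaluate-atp.md)`.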
@@ -20,70 +21,69 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices.
+[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices.
 It consists of a number of mitigations that can be applied to either the operating system or an individual app.
-Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
+Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
-This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
+This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
 You can enable audit mode for certain app-level mitigations to see how they will work in a test environment. This lets you see a record of what *would* have happened if you had enabled the mitigation in production. You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
 ## Enable exploit protection in audit mode
-You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
+You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
 ### Windows Security app
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
 3. Go to **Program settings** and choose the app you want to apply mitigations to:
 1. If the app you want to configure is already listed, click it and then click **Edit**
 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
### PowerShell -To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. +To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. Configure each mitigation in the following format: - ```PowerShell Set-ProcessMitigation - - ,, ``` Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. -- \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. +* \: + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma. -| Mitigation | Audit mode cmdlet | -| - | - | -|Arbitrary code guard (ACG) | AuditDynamicCode | -|Block low integrity images | AuditImageLoad | -|Block untrusted fonts | AuditFont, FontAuditOnly | -|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned | -|Disable Win32k system calls | AuditSystemCall | -|Do not allow child processes | AuditChildProcess | + Mitigation | Audit mode cmdlet +-|- + Arbitrary code guard (ACG) | AuditDynamicCode + Block low integrity images | AuditImageLoad + Block untrusted fonts | AuditFont, FontAuditOnly + Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned + Disable Win32k system calls | AuditSystemCall + Do not allow child processes | AuditChildProcess For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: 
@@ -98,21 +98,21 @@ You can disable audit mode by replacing `-Enable` with `-Disable`.
 To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
 Feature | Provider/source | Event ID | Description
-:-|:-|:-:|:-
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
+-|-|-|-
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
 ## Related topics
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
-- [Enable network 
protection](enable-network-protection.md)
-- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
-- [Enable attack surface reduction](enable-attack-surface-reduction.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
+* [Enable network protection](enable-network-protection.md)
+* [Enable controlled folder access](enable-controlled-folders.md)
+* [Enable attack surface reduction](enable-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
index 5015d0f283..6e3840831e 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/10/2019
@@ -20,15 +21,14 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
 ## Enable network protection in audit mode
@@ -51,10 +51,10 @@ You might want to do this to make sure it doesn't affect line-of-business apps o The network connection will be allowed and a test message will be displayed. -![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) - +![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](../images/np-notif.png) + ## Review network protection events in Windows Event Viewer - + To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. | Event ID | Provide/Source | Description | @@ -63,10 +63,8 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev |1125 | Windows Defender (Operational) | Event when a network connection is audited | |1126 | Windows Defender (Operational) | Event when a network connection is blocked | - ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Enable network protection](enable-network-protection.md) -- [Troubleshoot network protection](troubleshoot-np.md) +* [Network protection](network-protection.md) +* [Enable network protection](enable-network-protection.md) +* [Troubleshoot network protection](troubleshoot-np.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md similarity index 90% rename from windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/event-views.md index 5652a45bd4..2fe08915a1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md @@ -11,9 +11,11 @@ ms.sitesec: library ms.pagetype: security ms.date: 04/16/2018 ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 03/26/2019 +manager: dansimp --- # View attack surface reduction events @@ -28,7 +30,7 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you access if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities 
@@ -36,45 +38,43 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the feature. +You can also manually navigate to the event area that corresponds to the feature. ### Import an existing XML custom view 1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml): - - Controlled folder access events custom view: *cfa-events.xml* - - Exploit protection events custom view: *ep-events.xml* - - Attack surface reduction events custom view: *asr-events.xml* - - Network/ protection events custom view: *np-events.xml* + - Controlled folder access events custom view: *cfa-events.xml* + - Exploit protection events custom view: *ep-events.xml* + - Attack surface reduction events custom view: *asr-events.xml* + - Network/ protection events custom view: *np-events.xml* 1. Type **event viewer** in the Start menu and open **Event Viewer**. -3. Click **Action** > **Import Custom View...** +1. Click **Action** > **Import Custom View...** - ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif) + ![Animation highlighting Import custom view on the left of the Even viewer window](../images/events-import.gif) -4. Navigate to where you extracted XML file for the custom view you want and select it. +1. Navigate to where you extracted XML file for the custom view you want and select it. -4. Click **Open**. - -5. This will create a custom view that filters to only show the events related to that feature. +1. Click **Open**. +1. This will create a custom view that filters to only show the events related to that feature. ### Copy the XML directly - 1. 
Type **event viewer** in the Start menu and open the Windows **Event Viewer**. -3. On the left panel, under **Actions**, click **Create Custom View...** +1. On the left panel, under **Actions**, click **Create Custom View...** - ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif) + ![Animation highlighting the create custom view option on the Event viewer window](../images/events-create.gif) -4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. +1. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**. -5. Paste the XML code for the feature you want to filter events from into the XML section. +1. Paste the XML code for the feature you want to filter events from into the XML section. -4. Click **OK**. Specify a name for your filter. +1. Click **OK**. Specify a name for your filter. -5. This will create a custom view that filters to only show the events related to that feature. +1. This will create a custom view that filters to only show the events related to that feature. ### XML for attack surface reduction rule events @@ -131,7 +131,6 @@ You can also manually navigate to the event area that corresponds to the feature ## List of attack surface reduction events - All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: 
@@ -140,7 +139,7 @@ You can access these events in Windows Event viewer: 2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below. 3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking. - ![Animation showing using Event Viewer](images/event-viewer.gif) + ![Animation showing using Event Viewer](../images/event-viewer.gif) Feature | Provider/source | Event ID | Description :-|:-|:-:|:- 
@@ -171,13 +170,13 @@ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP Sim
 Exploit protection | WER-Diagnostics | 5 | CFG Block
 Exploit protection | Win32K (Operational) | 260 | Untrusted Font
 Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed
-Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode
-Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
+Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode
+Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
 Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed
 Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event
 Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event
 Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event
 Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event
 Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
-Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
-Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
+Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
+Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
new file mode 100644
index 0000000000..568f45096f
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
@@ -0,0 +1,137 @@
+---
+title: Apply mitigations to help prevent attacks through vulnerabilities
+keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
+description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+author: levinec
+ms.author: ellevin
+ms.date: 04/02/2019
+ms.reviewer:
+manager: dansimp
+---
+
+# Protect devices from exploits
+
+**Applies to:**
+
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803.
+
+> [!TIP]
+> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+
+Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+
+You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once.
+
+When a mitigation is encountered on the machine, a notification will be displayed from the Action Center.
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+
+You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.
+
+Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Exploit protection](emet-exploit-protection.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
+
+> [!IMPORTANT]
+> If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+
+> [!WARNING]
+> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.
+
+## Review exploit protection events in the Microsoft Security Center
+
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
+
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
+
+Here is an example query:
+
+```PowerShell
+MiscEvents
+| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
+```
+
+## Review exploit protection events in Windows Event Viewer
+
+You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
+
+Provider/source | Event ID | Description
+-|-|-
+Security-Mitigations | 1 | ACG audit
+Security-Mitigations | 2 | ACG enforce
+Security-Mitigations | 3 | Do not allow child processes audit
+Security-Mitigations | 4 | Do not allow child processes block
+Security-Mitigations | 5 | Block low integrity images audit
+Security-Mitigations | 6 | Block low integrity images block
+Security-Mitigations | 7 | Block remote images audit
+Security-Mitigations | 8 | Block remote images block
+Security-Mitigations | 9 | Disable win32k system calls audit
+Security-Mitigations | 10 | Disable win32k system calls block
+Security-Mitigations | 11 | Code integrity guard audit
+Security-Mitigations | 12 | Code integrity guard block
+Security-Mitigations | 13 | EAF audit
+Security-Mitigations | 14 | EAF enforce
+Security-Mitigations | 15 | EAF+ audit
+Security-Mitigations | 16 | EAF+ enforce
+Security-Mitigations | 17 | IAF audit
+Security-Mitigations | 18 | IAF enforce
+Security-Mitigations | 19 | ROP StackPivot audit
+Security-Mitigations | 20 | ROP StackPivot enforce
+Security-Mitigations | 21 | ROP CallerCheck audit
+Security-Mitigations | 22 | ROP CallerCheck enforce
+Security-Mitigations | 23 | ROP SimExec audit
+Security-Mitigations | 24 | ROP SimExec enforce
+WER-Diagnostics
| 5 | CFG Block
+Win32K | 260 | Untrusted Font
+
+## Mitigation comparison
+
+The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server 2016 (starting with version 1803), under [Exploit protection](exploit-protection.md).
+
+The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
+
+Mitigation | Available under Exploit protection | Available in EMET
+-|-|-
+Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Memory Protection Check"
+Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+
+> [!NOTE]
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
+>
+> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+
+## Related topics
+
+* [Protect devices from exploits](exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png
new file mode 100644
index 0000000000..69836b943c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png
new file mode 100644
index 0000000000..2f027e9054
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png
new file mode 100644
index 0000000000..741770b06a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png
new file mode 100644
index 0000000000..615e107f78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png
new file mode 100644
index 0000000000..fb441257c0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png
new file mode 100644
index 0000000000..e57b9d3fe4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png
new file mode 100644
index 0000000000..25b0fe742a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png
new file mode 100644
index 0000000000..714a61e399
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png
new file mode 100644
index 0000000000..13d572f10f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png
new file mode 100644
index 0000000000..3d274ebf9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png
new file mode 100644
index 0000000000..01ad9116f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png
new file mode 100644
index 0000000000..647008af7d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png
new file mode 100644
index 0000000000..68eb6483c1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png
new file mode 100644
index 0000000000..71e3aa0e9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png
new file mode 100644
index 0000000000..7d64c71ac8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png
new file mode 100644
index 0000000000..3a2b7563bf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png
new file mode 100644
index 0000000000..2c6069ab3d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png
new file mode 100644
index 0000000000..6931f21e5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png
new file mode 100644
index 0000000000..43a41fbd3b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png
new file mode 100644
index 0000000000..f4f0bca971
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
rename to windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 676188aa12..c46302a04f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2018
@@ -20,13 +21,11 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. 
@@ -34,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an
 This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
 ## Create and export a configuration file
@@ -50,14 +49,14 @@ When you have configured exploit protection to your desired state (including bot 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: - ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png) - + ![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png) + 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. -![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png) +![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png) ->[!NOTE] ->When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. +> [!NOTE] +> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. ### Use PowerShell to export a configuration file @@ -65,7 +64,7 @@ When you have configured exploit protection to your desired state (including bot 2. Enter the following cmdlet: ```PowerShell - Get-ProcessMitigation -RegistryConfigFilePath filename.xml + Get-ProcessMitigation -RegistryConfigFilePath filename.xml ``` Change `filename` to any name or location of your choosing. 
@@ -74,7 +73,7 @@ Example command **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** > [!IMPORTANT] -> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. ## Import a configuration file @@ -84,12 +83,11 @@ After importing, the settings will be instantly applied and can be reviewed in t ### Use PowerShell to import a configuration file - 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell - Set-ProcessMitigation -PolicyFilePath filename.xml + Set-ProcessMitigation -PolicyFilePath filename.xml ``` Change `filename` to the location and name of the exploit protection XML file. @@ -97,11 +95,9 @@ Change `filename` to the location and name of the exploit protection XML file. Example command **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** - ->[!IMPORTANT] +> [!IMPORTANT] > ->Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. - +> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. ## Convert an EMET configuration file to an exploit protection configuration file 
@@ -109,14 +105,13 @@ You can convert an existing EMET configuration file to the new format used by ex You can only do this conversion in PowerShell. ->[!WARNING] +> [!WARNING] > ->You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work. +> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work. > ->However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file. +> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file. > ->You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection. - +> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection. 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: 
@@ -127,46 +122,45 @@ You can only do this conversion in PowerShell. Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use. ->[!IMPORTANT] +> [!IMPORTANT] > ->If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured: +> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured: > > 1. Open the PowerShell-converted XML file in a text editor. > 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled. - ## Manage or deploy a configuration You can use Group Policy to deploy the configuration you've created to multiple machines in your network. > [!IMPORTANT] -> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. +> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. ### Use Group Policy to distribute the configuration -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. +3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. - ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png) + ![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png) -6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. +4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. -7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples: - - C:\MitigationSettings\Config.XML - - \\\Server\Share\Config.xml - - https://localhost:8080/Config.xml - - C:\ExploitConfigfile.xml +5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples: -8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). + * C:\MitigationSettings\Config.XML + * \\\Server\Share\Config.xml + * https://localhost:8080/Config.xml + * C:\ExploitConfigfile.xml +6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Protect devices from exploits](exploit-protection.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md similarity index 80% rename from windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/network-protection.md index e4fccb655d..eb4b64456b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 04/30/2019 
@@ -20,40 +21,40 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). Network protection is supported beginning with Windows 10, version 1709. ->[!TIP] ->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled. ## Requirements Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection. Windows 10 version | Windows Defender Antivirus -- | - +-|- Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled ## Review network protection events in the Microsoft Defender ATP Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. 
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. -Here is an example query +Here is an example query -``` +```PowerShell MiscEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked') ``` @@ -62,7 +63,7 @@ MiscEvents You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: -1. [Copy the XML directly](event-views-exploit-guard.md). +1. [Copy the XML directly](event-views.md). 2. Click **OK**. @@ -71,12 +72,10 @@ You can review the Windows event log to see events that are created when network Event ID | Description -|- 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + 1125 | Event when network protection fires in audit mode + 1126 | Event when network protection fires in block mode - ## Related topics +## Related topics -Topic | Description ----|--- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index 422ba4da32..f06995f573 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt 
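Review bot: The example query fence is now tagged ```PowerShell, but its body (`MiscEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')`) is an Advanced hunting (Kusto) query, so the tag mis-highlights it and suggests it can be pasted into a PowerShell session. Tag the fence `kusto` instead, or leave it untagged as it was before. The `audit-windows-defender.md` links this hunk introduces only resolve if that file is renamed in the same change; the rename is not visible in this hunk, so verify it lands together with this edit.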
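Review bot: Removing the `Topic | Description` and `---|---` lines under the restored `## Related topics` heading leaves the `[Evaluate network protection](…) | …` and `[Enable network protection](…) | …` rows with no table header, so they will render as prose with literal pipes instead of a table. Either keep a header, e.g. `Topic | Description` followed by `-|-` to match the delimiter style this file now uses for its other tables, or rewrite the rows as list items. If the table has further rows beyond the end of the hunk they are affected the same way.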
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -27,10 +27,10 @@ #### [Application control]() ##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md) -#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) -#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) -#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) -#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md) +#### [Network protection](../windows-defender-exploit-guard/network-protection.md) +#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md) +#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md) #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) @@ -196,8 +196,8 @@ #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md) #### [Controlled folder access]() -##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md) -##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md) +##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md) +##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md) #### [Attack surface reduction controls]() ##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md) 
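Review bot: The new TOC entry `#### [Network protection](../windows-defender-exploit-guard/network-protection.md)` points at a path this same diff renames away: the rename header a few lines earlier moves `network-protection-exploit-guard.md` into `microsoft-defender-atp/network-protection.md`, so the link dangles. Because oldTOC.txt itself lives in `microsoft-defender-atp`, the entry should read `#### [Network protection](network-protection.md)`. The sibling entries for exploit protection, controlled folder access and attack surface reduction in this hunk, and the enable/customize links in the `@@ -196,8 +196,8 @@` hunk, appear to have the same problem if those files moved the same way; that cannot be confirmed from these hunks alone.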
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
new file mode 100644
index 0000000000..ce96f68340
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
@@ -0,0 +1,199 @@ +--- +title: Create an onboarding or offboarding notification rule +description: Get a notification when a local onboarding or offboarding script is used. +keywords: onboarding, offboarding, local, script, notification, rule +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create a notification rule when a local onboarding or offboarding script is used + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified. + +## Before you begin +You'll need to have access to: + - Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/). + - Azure Table or SharePoint List or Library / SQL DB + +## Create the notification flow + +1. In [flow.microsoft.com](https://flow.microsoft.com/). + +2. Navigate to **My flows > New > Scheduled - from blank**. + + ![Image of flow](images/new-flow.png) + + +3. Build a scheduled flow. + 1. Enter a flow name. + 2. Specify the start and time. + 3. Specify the frequency. For example, every 5 minutes. + + ![Image of the notification flow](images/build-flow.png) + +4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center machine(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). + + ![Image of recurrence and add action](images/recurrence-add.png) + + +5. Enter the following HTTP fields: + + - Method: "GET" as a value to get the list of machines. 
+ - URI: Enter `https://api.securitycenter.windows.com/api/machines`. + - Authentication: Select "Active Directory OAuth". + - Tenant: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\` + - Client ID: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value. + - Credential Type: Select "Secret". + - Secret: Sign-in to http://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + + ![Image of the HTTP conditions](images/http-conditions.png) + + +6. Add a new step by selecting **Add new action** then search for **Data Operations** and select +**Parse JSON**. + + ![Image of data operations](images/data-operations.png) + +7. Add Body in the **Content** field. + + ![Image of parse JSON](images/parse-json.png) + +8. Select the **Use sample payload to generate schema** link. + + ![Image of parse json with payload](images/parse-json-schema.png) + +9. 
Copy and paste the following JSON snippet: + + ``` + { + "type": "object", + "properties": { + "@@odata.context": { + "type": "string" + }, + "value": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "computerDnsName": { + "type": "string" + }, + "firstSeen": { + "type": "string" + }, + "lastSeen": { + "type": "string" + }, + "osPlatform": { + "type": "string" + }, + "osVersion": {}, + "lastIpAddress": { + "type": "string" + }, + "lastExternalIpAddress": { + "type": "string" + }, + "agentVersion": { + "type": "string" + }, + "osBuild": { + "type": "integer" + }, + "healthStatus": { + "type": "string" + }, + "riskScore": { + "type": "string" + }, + "exposureScore": { + "type": "string" + }, + "aadDeviceId": {}, + "machineTags": { + "type": "array" + } + }, + "required": [ + "id", + "computerDnsName", + "firstSeen", + "lastSeen", + "osPlatform", + "osVersion", + "lastIpAddress", + "lastExternalIpAddress", + "agentVersion", + "osBuild", + "healthStatus", + "rbacGroupId", + "rbacGroupName", + "riskScore", + "exposureScore", + "aadDeviceId", + "machineTags" + ] + } + } + } + } + + ``` + +10. Extract the values from the JSON call and check if the onboarded machine(s) is / are already registered at the SharePoint list as an example: +- If yes, no notification will be triggered +- If no, will register the new onboarded machine(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin + + ![Image of apply to each](images/flow-apply.png) + + ![Image of apply to each with get items](images/apply-to-each.png) + +11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0. 
+ + ![Image of apply to each condition](images/apply-to-each-value.png) + ![Image of condition](images/conditions-2.png) + ![Image of condition](images/condition3.png) + ![Image of send email](images/send-email.png) + +## Alert notification +The following image is an example of an email notification. + +![Image of email notification](images/alert-notification.png) + + +## Tips + +- You can filter here using lastSeen only: + - Every 60 min: + - Take all machines last seen in the past 7 days. + +- For each machine: + - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility. + - If first seen is on the past hour -> Alert for onboarding. + +In this solution you will not have duplicate alerts: +There are tenants that have numerous machines. Getting all those machines might be very expensive and might require paging. + +You can split it to two queries: +1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met. +2. Take all machines last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too). + diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 71c91ea9c0..eeaaedc402 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md 
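Review bot: Step 5's `Secret:` line is wrong as well as garbled (`navigate tnd navigate to … and get the Tenant ID value`): it tells the reader to paste the tenant ID into the secret field, which is neither a secret nor what the "Active Directory OAuth" authentication selected two lines earlier needs. Replace it with `- Secret: Enter the client secret issued for the app registration; treat it as a credential and keep it only in the flow's connection settings.` The three `http://portal.azure.com` sign-in links in the same step should be `https://portal.azure.com`. In the Parse JSON schema, `required` lists `rbacGroupId` and `rbacGroupName` although neither is declared under `properties`, so either add both properties or drop them from `required`; the `"@@odata.context"` key also looks like a doubled `@` (the OData annotation is `@odata.context`) and is worth checking against a real API response.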
@@ -2,7 +2,7 @@ title: Overview of attack surface reduction ms.reviewer: description: Learn about the attack surface reduction capability in Microsoft Defender ATP -keywords: +keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -21,16 +21,16 @@ ms.topic: conceptual # Overview of attack surface reduction **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. +Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. -| Article | Description | -|------------|-------------| -| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. | -| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. | -| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | -| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) | -| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) | -| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) | -| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. | +Article | Description +-|- +[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. +[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. +[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. +[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) | +[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) +[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) +[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md index 2c69aad1d0..75423bc86d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md 
@@ -18,38 +18,44 @@ ms.topic: conceptual --- # Configure the security controls in Secure score -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +**Applies to:** + +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!NOTE] +> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization + A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. 
-#### Minimum baseline configuration setting for EDR: -- Microsoft Defender ATP sensor is on -- Data collection is working correctly -- Communication to Microsoft Defender ATP service is not impaired +#### Minimum baseline configuration setting for EDR + +* Microsoft Defender ATP sensor is on +* Data collection is working correctly +* Communication to Microsoft Defender ATP service is not impaired + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on sensor -- Fix sensor data collection -- Fix impaired communications -For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). +* Turn on sensor +* Fix sensor data collection +* Fix impaired communications + +For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). ### Windows Defender Antivirus (Windows Defender AV) optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. #### Minimum baseline configuration setting for Windows Defender AV: A well-configured machine for Windows Defender AV meets the following requirements: @@ -60,7 +66,6 @@ A well-configured machine for Windows Defender AV meets the following requiremen - Real-time protection is on - Potentially Unwanted Application (PUA) protection is enabled -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: >[!NOTE] 
@@ -75,52 +80,56 @@ You can take the following actions to increase the overall security score of you For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). - ### OS security updates optimization + This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds. - ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. + +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. You can take the following actions to increase the overall security score of your organization: -- Install the latest security updates -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Install the latest security updates +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). 
- ### Windows Defender Exploit Guard (Windows Defender EG) optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Windows Defender EG. When endpoints are configured according to the baseline, the Windows Defender EG events shows on the Microsoft Defender ATP Machine timeline. + +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Windows Defender EG: -A well-configured machine for Windows Defender EG meets the following requirements: +#### Minimum baseline configuration setting for Windows Defender EG -- System level protection settings are configured correctly -- Attack Surface Reduction rules are configured correctly -- Controlled Folder Access setting is configured correctly +Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: + +* System level protection settings are configured correctly +* Attack Surface Reduction rules are configured correctly +* Controlled Folder Access setting is configured correctly + +##### System level protection -##### System level protection: The following system level configuration settings must be set to **On or Force On**: -1. Control Flow Guard +1. Control Flow Guard 2. Data Execution Prevention (DEP) 3. Randomize memory allocations (Bottom-up ASLR) 4. 
Validate exception chains (SEHOP) 5. Validate heap integrity ->[!NOTE] ->The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. ->Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. +> [!NOTE] +> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. +> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. + +##### Attack Surface Reduction (ASR) rules -##### Attack Surface Reduction (ASR) rules: The following ASR rules must be configured to **Block mode**: -Rule description | GUIDs +Rule description | GUIDs -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A 
@@ -129,34 +138,34 @@ Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-5 Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B - - ->[!NOTE] ->The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. ->Consider enabling this rule in **Audit** or **Block mode** for better protection. - +> [!NOTE] +> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. +> Consider enabling this rule in **Audit** or **Block mode** for better protection. ##### Controlled Folder Access + The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**. ->[!NOTE] +> [!NOTE] > Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. ->Consider enabling Controlled Folder Access for better protection. +> Consider enabling Controlled Folder Access for better protection. + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: + - Turn on all system-level Exploit Protection settings - Set all ASR rules to enabled or audit mode - Turn on Controlled Folder Access - Turn on Windows Defender Antivirus on compatible machines -For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). - ### Windows Defender Application Guard (Windows Defender AG) optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. 
When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender AG: A well-configured machine for Windows Defender AG meets the following requirements: 
@@ -165,104 +174,114 @@ A well-configured machine for Windows Defender AG meets the following requiremen - Windows Defender AG is turned on compatible machines - Managed mode is turned on -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure that you meet the hardware and software prerequisites - - >[!NOTE] - >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on. -- Turn on Windows Defender AG on compatible machines -- Turn on managed mode +* Ensure hardware and software prerequisites are met + + > [!NOTE] + > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. + +* Turn on Microsoft Defender AG on compatible machines +* Turn on managed mode -For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +### Windows Defender SmartScreen optimization -### Windows Defender SmartScreen optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender SmartScreen. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. 
->[!WARNING] -> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. +> [!WARNING] +> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. - ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender SmartScreen: -The following settings must be configured with the following settings: -- Check apps and files: **Warn** or **Block** -- SmartScreen for Microsoft Edge: **Warn** or **Block** -- SmartScreen for Microsoft store apps: **Warn** or **Off** +The following settings must be configured with the following settings: + +* Check apps and files: **Warn** or **Block** +* SmartScreen for Microsoft Edge: **Warn** or **Block** +* SmartScreen for Microsoft store apps: **Warn** or **Off** You can take the following actions to increase the overall security score of your organization: + - Set **Check app and files** to **Warn** or **Block** - Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** - Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). +* Set **Check app and files** to **Warn** or **Block** +* Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** +* Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** +For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). 
### Windows Defender Firewall optimization -A well-configured machine must have Windows Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Firewall. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. -#### Minimum baseline configuration setting for Windows Defender Firewall +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. -- Windows Defender Firewall is turned on for all network connections -- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked +#### Minimum baseline configuration setting for Windows Defender Firewall + +* Microsoft Defender Firewall is turned on for all network connections +* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked For more information on Windows Defender Firewall settings, see [Planning settings for a basic 
firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). ->[!NOTE] +> [!NOTE] > If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on firewall -- Secure domain profile -- Secure private profile -- Secure public profile -- Verify secure configuration of third-party firewall -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Turn on firewall +* Secure domain profile +* Secure private profile +* Secure public profile +* Verify secure configuration of third-party firewall +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). ### BitLocker optimization -A well-configured machine complies to the minimum baseline configuration setting. 
This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1803 or later. +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1803 or later. #### Minimum baseline configuration setting for BitLocker -- Ensure all supported drives are encrypted -- Ensure that all suspended protection on drives resume protection -- Ensure that drives are compatible +* Ensure all supported drives are encrypted +* Ensure that all suspended protection on drives resume protection +* Ensure that drives are compatible + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Encrypt all supported drives -- Resume protection on all drives -- Ensure drive compatibility -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Encrypt all supported drives +* Resume protection on all drives +* Ensure drive compatibility +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. 
It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). ### Windows Defender Credential Guard optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender Credential Guard: Well-configured machines for Windows Defender Credential Guard meets the following requirements: 
@@ -270,31 +289,28 @@ Well-configured machines for Windows Defender Credential Guard meets the followi - Hardware and software prerequisites are met - Windows Defender Credential Guard is turned on compatible machines +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure hardware and software prerequisites are met -- Turn on Credential Guard -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). +* Ensure hardware and software prerequisites are met +* Turn on Credential Guard +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) +>Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Overview of Secure score](overview-secure-score.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) - - - +* [Overview of Secure score](overview-secure-score.md) +* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +* [Exposure score](tvm-exposure-score.md) +* [Configuration score](configuration-score.md) +* [Security recommendations](tvm-security-recommendation.md) +* [Remediation](tvm-remediation.md) +* [Software inventory](tvm-software-inventory.md) +* [Weaknesses](tvm-weaknesses.md) +* [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
similarity index 84%
rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
index 9b3271425d..dc8f75b9f2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 03/27/2019
@@ -20,44 +21,44 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +* A rule blocks a file, process, or performs some other action that it should not (false positive) +* A rule does not work as described, or does not block a file or process that it should (false negative) There are four steps to troubleshooting these problems: 1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) -3. Submit support logs +4. Submit support logs ## Confirm prerequisites Attack surface reduction rules will only work on devices with the following conditions: ->[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). -> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). 
+> [!div class="checklist"] +> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). +> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule -You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. +You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. 2. 
Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. +3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. > ->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. > >Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. 
@@ -82,21 +83,24 @@ Use the [Windows Defender Security Intelligence web-based submission form](https ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: + ```console cd c:\program files\windows defender ``` + 2. Run this command to generate the diagnostic logs: + ```console mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. + +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - +* [Attack surface reduction rules](attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
similarity index 79%
rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
index 63963825e3..ae216de7bb 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 08/09/2018
@@ -20,7 +21,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
@@ -46,7 +47,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Write-Host "Removing MitigationAuditOptions for: " $Name Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } - + # Remove the FilterFullPath value if there is nothing else if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) { Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
@@ -58,19 +59,19 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Remove-Item -Path $Key.PSPath -ErrorAction Stop } } - Catch { - Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" + Catch { + Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } # Delete all ExploitGuard ProcessMitigations function Remove-All-ProcessMitigations { if (!(Test-IsAdmin)) { - throw "ERROR: No Administrator-Privileges detected!"; return + throw "ERROR: No Administrator-Privileges detected!"; return } Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object { - $MitigationItem = $_; + $MitigationItem = $_; $MitigationItemName = $MitigationItem.PSChildName Try { @@ -85,7 +86,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Write-Host "Removing FullPathEntry: " $Name Remove-ProcessMitigations $FullPathItem $Name } - + # If there are no subkeys now, we can delete the "UseFilter" value if ($MitigationItem.SubKeyCount -eq 0) { Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop @@ -97,8 +98,8 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop } } - Catch { - Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" + Catch { + Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } } 
@@ -106,18 +107,18 @@ You can manually remove unwanted mitigations in Windows Security, or you can use # Delete all ExploitGuard System-wide Mitigations function Remove-All-SystemMitigations { - if (!(Test-IsAdmin)) { - throw "ERROR: No Administrator-Privileges detected!"; return + if (!(Test-IsAdmin)) { + throw "ERROR: No Administrator-Privileges detected!"; return } - + $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" - Try { - if ($Kernel.GetValue("MitigationOptions")) + Try { + if ($Kernel.GetValue("MitigationOptions")) { Write-Host "Removing System MitigationOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop; } - if ($Kernel.GetValue("MitigationAuditOptions")) + if ($Kernel.GetValue("MitigationAuditOptions")) { Write-Host "Removing System MitigationAuditOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } @@ -132,30 +133,30 @@ You can manually remove unwanted mitigations in Windows Security, or you can use 2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations: - ```xml + ```xml - - - - - - - - - - + + + + + + + + + + - + - - + + - - - - - + + + + + @@ -180,9 +181,9 @@ You can manually remove unwanted mitigations in Windows Security, or you can use - - - + + + 
@@ -195,9 +196,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Protect devices from exploits](exploit-protection.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md similarity index 69% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index cfd19843a9..af397987a0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: dansimp ms.author: dansimp ms.date: 03/27/2019 
@@ -20,48 +21,50 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- IT administrators +* IT administrators -When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as: +When you use [Network protection](network-protection.md) you may encounter issues, such as: -- Network protection blocks a website that is safe (false positive) -- Network protection fails to block a suspicious or known malicious website (false negative) +* Network protection blocks a website that is safe (false positive) +* Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: 1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) -3. Submit support logs +4. Submit support logs ## Confirm prerequisites Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). -> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. 
Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). +> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. +> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +## Use audit mode -## Use audit mode - -You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. +You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. 1. Set network protection to **Audit mode**. - ```powershell + + ```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` -2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -3. 
[Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. + +1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). + +1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. > >If network protection is not blocking a connection that you are expecting it should block, enable the feature. -```powershell +```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` 
@@ -75,21 +78,24 @@ To whitelist the website that is being blocked (false positive), add its URL to ## Collect diagnostic data for file submissions -When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: - ``` + + ```PowerShell cd c:\program files\windows defender ``` -2. Run this command to generate the diagnostic logs: - ``` + +1. Run this command to generate the diagnostic logs: + + ```PowerShell mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. + +1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Evaluate network protection](evaluate-network-protection.md) -- [Enable network protection](enable-network-protection.md) +* [Network protection](network-protection.md) +* [Evaluate network protection](evaluate-network-protection.md) +* [Enable network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md deleted file mode 100644 index 7a23a23e04..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: Evaluate the impact of Windows Defender Exploit Guard -description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios -keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: levinec -ms.author: ellevin -ms.date: 05/30/2018 -ms.reviewer: -manager: dansimp ---- - -# Evaluate Windows Defender Exploit Guard - -**Applies to:** - -- Windows 10, version 1709 and later -- Windows Server 2016 - -Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. - -Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization. - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - -Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are. 
- -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Evaluate network protection](evaluate-network-protection.md) - -You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: - -- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) - -## Related topics - -| Topic | Description | -|-------|-------------| -| | | - -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Protect your network](network-protection-exploit-guard.md) -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md b/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md deleted file mode 100644 index 111bb99fc5..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -ms.date: 09/18/2017 -ms.reviewer: -manager: dansimp -ms.author: ellevin -author: levinec ---- -Check mark no - - -Check mark yes diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png deleted file mode 100644 index bab791f3c0..0000000000 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png deleted file mode 100644 index de277c05e1..0000000000 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png deleted file mode 100644 index 97f905f5ea..0000000000 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png deleted file mode 100644 index 2bc45259d3..0000000000 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png deleted file mode 100644 index 8d47a53b51..0000000000 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md deleted file mode 100644 index eedb76c8dc..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) - -## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) -### [View Exploit Guard events](event-views-exploit-guard.md) - -## [Exploit protection](exploit-protection-exploit-guard.md) -### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -### [Evaluate Exploit protection](evaluate-exploit-protection.md) -### [Enable Exploit protection](enable-exploit-protection.md) -### [Customize Exploit protection](customize-exploit-protection.md) -#### [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) -### [Memory integrity](memory-integrity.md) -#### [Requirements for virtualization-based protection of code integrity](requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -#### [Enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md) -## [Attack surface reduction](attack-surface-reduction-exploit-guard.md) -### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) -### [Enable Attack surface reduction](enable-attack-surface-reduction.md) -### [Customize Attack surface reduction](customize-attack-surface-reduction.md) -### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md) -## [Network Protection](network-protection-exploit-guard.md) -### [Evaluate Network Protection](evaluate-network-protection.md) -### [Enable Network Protection](enable-network-protection.md) -### [Troubleshoot Network protection](troubleshoot-np.md) -## [Controlled folder access](controlled-folders-exploit-guard.md) -### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md) -### [Enable Controlled folder 
access](enable-controlled-folders-exploit-guard.md) -### [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md deleted file mode 100644 index 6e993c8c0a..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -ms.date: 08/25/2017 -ms.reviewer: -manager: dansimp -ms.author: ellevin -author: levinec ---- -> [!IMPORTANT] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index ca32f2c55a..001c490193 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: dansimp ms.author: dansimp ms.date: 04/30/2018 
@@ -16,64 +17,63 @@ ms.reviewer: manager: dansimp --- - # App and browser control **Applies to** - Windows 10, version 1703 and later - The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). -In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library. +In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](../microsoft-defender-atp/exploit-protection.md). You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. - ## Prevent users from making changes to the Exploit protection area in the App & browser control section You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those for Windows Defender SmartScreen, unless those options have been configured separately. You can only prevent users from modifying Exploit protection settings by using Group Policy. 
->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. +4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). ## Hide the App & browser control section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. 
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. ->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. +4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
->[!NOTE] ->If you hide all sections then the app will show a restricted interface, as in the following screenshot: -> ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> [!NOTE] +> If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 9692fa9046..d84d263388 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md 
@@ -30,23 +30,23 @@ manager: dansimp - Group Policy -You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. +You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![](images/security-center-custom-flyout.png) +![The security center custom fly-out](images/security-center-custom-flyout.png) -This information will also be shown in some enterprise-specific notifications (including those for [Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard), the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). - -![](images/security-center-custom-notif.png) +This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). 
+![A security center notification](images/security-center-custom-notif.png) Users can click on the displayed information to initiate a support request: + - Clicking **Call** or the phone number will open Skype to start a call to the displayed number - Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email - Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address ## Requirements -You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. ## Use Group Policy to enable and customize contact information 
@@ -54,29 +54,26 @@ There are two stages to using the contact card and customized notifications. Fir This can only be done in Group Policy. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. +3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. -6. You enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable both or only one or the other: +4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or slect one or the other: 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**. -7. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. 
Enter your company or organization's name in the field in the **Options** section. Click **OK**. +5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. -8. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: +6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: 1. **Specify contact email address or Email ID** 2. **Specify contact phone number or Skype ID** 3. **Specify contact website** -9. Click **OK** after configuring each setting to save your changes. - +7. Click **OK** after configuring each setting to save your changes. >[!IMPORTANT] >You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. - - diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index a12e0b136b..af8816db71 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -16,10 +16,6 @@ ms.reviewer: manager: dansimp --- - - - - # The Windows Security app **Applies to** 
@@ -29,6 +25,7 @@ manager: dansimp This library describes the Windows Security app, and provides information on configuring certain features, including: + - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md) - [Hiding notifications](wdsc-hide-notifications.md) 
@@ -38,33 +35,32 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a ![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) ->[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +> [!NOTE] +> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). You can't uninstall the Windows Security app, but you can do one of the following: -- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). +- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). - Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: - -- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. -- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. - [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. 
- ->[!NOTE] ->If you hide all sections then the app will show a restricted interface, as in the following screenshot: -> ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> [!NOTE] +> If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Open the Windows Security app + - Click the icon in the notification area on the taskbar. ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) 
@@ -75,34 +71,30 @@ You can find more information about each section, including options for configur ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) - > [!NOTE] > Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. - - ## How the Windows Security app works with Windows security features - ->[!IMPORTANT] ->Windows Defender AV and the Windows Security app use similarly named services for specific purposes. -> ->The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. -> +> [!IMPORTANT] +> Windows Defender AV and the Windows Security app use similarly named services for specific purposes. +> +> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +> >These services do not affect the state of Windows Defender AV. 
Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. -> +> >Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> ->Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +> +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. -> ->It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. -> ->This will significantly lower the protection of your device and could lead to malware infection. +> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> +> It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. 
+> +> This will significantly lower the protection of your device and could lead to malware infection. -The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. @@ -112,18 +104,3 @@ Disabling any of the individual features (through Group Policy or other manageme > Individually disabling any of the services will not disable the other services or the Windows Security app. For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. - - - - - - - - - - - - - - - diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 720dcc1cf3..2c5570e18c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md 
@@ -96,7 +96,7 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is ### Window Defender Exploit Guard -Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. For more information, see [Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard). +Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection). ### Windows Defender Device Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index b86ec98036..bdc31a26e4 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md 
@@ -178,11 +178,11 @@ Windows Defender Antivirus now shares detection status between M365 services and ### Windows Defender Exploit Guard -Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center. +Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center. -For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +For more information, see [Reduce attack surfaces](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction) -### Windows Defender ATP +### Windows Defender ATP [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
Details | Originating update | Status | History
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Symantec identified a potential negative interaction that may occur after Windows updates code-signed only with SHA-2 certificates are installed on devices that have Symantec or Norton antivirus programs installed. The antivirus software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk of a delayed or incomplete update.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Mitigation: To mitigate this issue, Symantec and Norton released updates to their antivirus software. Once that antivirus update is installed, devices protected by Symantec Endpoint Protection can safely apply this update and future updates; see the Symantec support article for additional detail. Norton Security and Norton 360 products will automatically install a product update, or users can manually run LiveUpdate and reboot until no further updates are available.

Next Steps: The safeguard hold on affected devices will be removed in the coming week to allow customers time to apply the resolving anti-virus updates.

August 13, 2019
KB4512506
Mitigated External
Last updated:
August 23, 2019
04:25 PM PT

Opened:
August 13, 2019
10:05 AM PT
Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Symantec identified a potential negative interaction that may occur after Windows updates code-signed only with SHA-2 certificates are installed on devices that have Symantec or Norton antivirus programs installed. The antivirus software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk of a delayed or incomplete update.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows Server 2008 R2 and has determined that there is no increased risk of a false-positive detection for any in-field version of Symantec Endpoint Protection or Norton antivirus programs. See the Symantec support article for additional detail, and contact Symantec or Norton support if you encounter any issues.

August 13, 2019
KB4512506
Resolved External
Last updated:
August 27, 2019
02:29 PM PT

Opened:
August 13, 2019
10:05 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding, and you may receive an "invalid procedure call" error.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

August 13, 2019
KB4512506
Resolved
KB4517297
Resolved:
August 16, 2019
02:00 PM PT

Opened:
August 14, 2019
03:34 PM PT
IA64 and x64 devices may fail to start after installing updates
IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977) may fail to start with the following error:
"File: \Windows\system32\winload.efi
Status: 0xc0000428
Info: Windows cannot verify the digital signature for this file."

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Take Action: To resolve this issue, follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428. The error means the digital signature on the boot loader (winload.efi) could not be verified at startup; apply the fix described in the FAQ rather than working around it by bypassing boot-time signature checks, which would weaken the device's boot integrity protections.

August 13, 2019
KB4512506
Mitigated
Last updated:
August 17, 2019
12:59 PM PT

Opened:
August 13, 2019
08:34 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple macOS device when trying to access network shares via CIFS or SMBv1 on a Windows device that has installed the June 11, 2019 update (KB4503292) or later. When you encounter this issue, macOS may show the error, "There was a problem connecting to the server "{Server Host Name}". Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator."

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article "If your Mac can't use NTLM to connect to a Windows server." No Windows update is needed for this issue. Prefer connecting over SMB 2 or later rather than re-enabling the deprecated SMBv1 protocol on the Windows device as a workaround.

June 11, 2019
KB4503292
Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT