edits

windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 02/14/2019
+ms.date: 03/26/2019
 ---
 
 # Enable exploit protection
@@ -24,16 +24,13 @@ ms.date: 02/14/2019
 
 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. 
 
-## Enable and audit exploit protection
+## Enable exploit protection
 
 You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. 
 
-The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. 
+The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. You can customize the configuration to suit your organization and then deploy that configuration across your network. 
 
-You can also set mitigations to [audit mode](audit-windows-defender-exploit-guard.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
+You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
-
->[!WARNING] 
->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying in production.
 
 You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
 

windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md

@@ -25,40 +25,63 @@ It consists of a number of mitigations that can be applied to either the operati
 Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. 
 
 This topic helps you enable exploit protection in audit mode and review related events in Event Viewer. 
-You can enable audit mode for any mitigation to see how it will work in a test environment.
+You can enable audit mode for certain app-level mitigations to see how they will work in a test environment.
 This lets you see a record of what *would* have happened if you had enabled the mitigation in production.
 You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
 
 >[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
 
-## Use audit mode to measure impact
+## Enable exploit protection in audit mode
 
-1. Go to the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) and download the [EP xml config file](https://demo.wd.microsoft.com/Content/ProcessMitigation.xml?).
+To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet. 
 
-1. Open an elevated PowerShell windows and run:
+Configure each mitigation in the following format:
 
-   ```powershell
+
-   Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml 
+```PowerShell
-   Set-ProcessMitigation –help
+Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
 ```
 
-1. Tp verify the configuration, run:
+Where:
 
-   ```powershell 
+- \<Scope>:
-   Get-ProcessMitigation
+    - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+- \<Action>:
+    - `-Enable` to enable the mitigation
+    - `-Disable` to disable the mitigation
+- \<Mitigation>:
+    - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
+
+| Mitigation | Audit mode cmdlet |
+| - | - |
+|Arbitrary code guard (ACG) |  AuditDynamicCode |
+|Block low integrity images |  AuditImageLoad   |
+|Block untrusted fonts | AuditFont,   FontAuditOnly |
+|Code integrity guard |   AuditMicrosoftSigned,   AuditStoreSigned |
+|Disable Win32k system calls  |   AuditSystemCall |
+|Do not allow child processes |   AuditChildProcess |
+
+For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
+
+```PowerShell
+Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
 ```
 
-2. Type **event viewer** in the Start menu and open **Event Viewer**.
+You can disable audit mode by replacing `-Enable` with `-Disable`.
 
-3. Click **Action** > **Import Custom View...**
+## Review exploit protection audit events
 
-    ![Animation highlighting Import custom view on the left of Event viewer](images/events-import.gif)
+To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
-
-4. Select the XML > **Open** > **OK**. 
-
-You can see the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode.
 
+Feature | Provider/source | Event ID | Description
+:-|:-|:-:|:-
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
+Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
 
 ## Related topics
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)