From df9a6bf6c49aaafd6ba886619d17d1a6da135377 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Wed, 8 Jan 2020 15:27:33 -0800
Subject: [PATCH] Update enable-exploit-protection.md

---
 .../enable-exploit-protection.md              | 73 ++++++++-----------
 1 file changed, 32 insertions(+), 41 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index 5d3a707826..26b16a6530 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -52,21 +52,19 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
 
 3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
-        
-
-    1. If the app you want to configure is already listed, click it and then click **Edit**
-    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
-        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+    - If the app you want to configure is already listed, click it and then click **Edit**.
+    - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
+        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
-5. Repeat this for all the apps and mitigations you want to configure.
+5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
 
-6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
-    * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
-    * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
+6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:<br/>
+    - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+    - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+    - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
 
 7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
@@ -79,19 +77,15 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior
 [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
 [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
 
-**Example 1**
+### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
 
-Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
-
-Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
+Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
 
 The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
 
-**Example 2**
+### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
 
-Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
-
-Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
+Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
 
 Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
 
@@ -102,28 +96,27 @@ CFG will be enabled for *miles.exe*.
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
 
-3. Go to **Program settings** and choose the app you want to apply mitigations to:
-
-    1. If the app you want to configure is already listed, click it and then click **Edit**
-    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
-        * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
+    - If the app you want to configure is already listed, click it and then click **Edit**.
+    - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
+        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
-5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
+5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-1. Click **Device configuration** > **Profiles** > **Create profile**.
-1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
+2. Click **Device configuration** > **Profiles** > **Create profile**.
+3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
    ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
-1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
-1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
+4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.  
+5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  
    ![Enable network protection in Intune](../images/enable-ep-intune.png)
-1. Click **OK** to save each open blade and click **Create**.
-1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
+6. Click **OK** to save each open blade and click **Create**.
+7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
 
 ## MDM
 
@@ -132,21 +125,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
 ## SCCM
 
 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
-1. Enter a name and a description, click **Exploit protection**, and click **Next**.
-1. Browse to the location of the exploit protection XML file and click **Next**.
-1. Review the settings and click **Next** to create the policy.
-1. After the policy is created, click **Close**.
+2. Click **Home** > **Create Exploit Guard Policy**.
+3. Enter a name and a description, click **Exploit protection**, and click **Next**.
+4. Browse to the location of the exploit protection XML file and click **Next**.
+5. Review the settings and click **Next** to create the policy.
+6. After the policy is created, click **Close**.
 
 ## Group Policy
 
 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-
-1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
+2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
+3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
 
 ## PowerShell