mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-23 14:23:38 +00:00
Update enable-exploit-protection.md
@ -52,21 +52,19 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au
|
||||
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
|
||||
|
||||
3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
|
||||
|
||||
|
||||
1. If the app you want to configure is already listed, click it and then click **Edit**
|
||||
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
|
||||
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
- If the app you want to configure is already listed, click it and then click **Edit**.
|
||||
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
|
||||
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
|
||||
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
|
||||
|
||||
5. Repeat this for all the apps and mitigations you want to configure.
|
||||
5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
|
||||
|
||||
6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
|
||||
* **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
|
||||
* **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
|
||||
* **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
|
||||
6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:<br/>
|
||||
- **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
|
||||
- **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
|
||||
- **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
|
||||
|
||||
7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
|
||||
|
||||
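Review bot: Step 7 still reads "Repeat this for all the system-level mitigations" even though step 5 in the same hunk was tightened to "Repeat steps 3-4"; change it to "Repeat step 6 for all the system-level mitigations you want to configure" so both back-references are explicit. The rewritten **On by default**, **Off by default** and **Use default** items end without a period while the rewritten "click **Edit**." item has one, so pick one style for the list. The `<br/>` now trailing the colon in step 6 (and the ones in step 3 and its sub-item) is raw HTML doing a job that list indentation should do.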
@ -79,19 +77,15 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior
|
||||
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
|
||||
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
|
||||
|
||||
**Example 1**
|
||||
### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
|
||||
|
||||
Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
|
||||
|
||||
Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
|
||||
Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
|
||||
|
||||
The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
|
||||
|
||||
**Example 2**
|
||||
### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
|
||||
|
||||
Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
|
||||
|
||||
Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
|
||||
Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
|
||||
|
||||
Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
|
||||
|
||||
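Review bot: The two new `###` headings are almost word-for-word identical, differing only in "system settings section" versus "system settings", so they do not tell the reader what separates the examples, and each repeats the sentence directly beneath it. Name the distinguishing case instead and keep the phrasing parallel, for example "Example 1: DEP overridden for a single app" and "Example 2: different mitigations set for two apps". In the Example 1 result, "DEP only will be enabled for *test.exe*" would read more clearly as "DEP will be enabled only for *test.exe*".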
@ -102,28 +96,27 @@ CFG will be enabled for *miles.exe*.
|
||||
|
||||
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
|
||||
|
||||
3. Go to **Program settings** and choose the app you want to apply mitigations to:
|
||||
|
||||
1. If the app you want to configure is already listed, click it and then click **Edit**
|
||||
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
|
||||
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
|
||||
- If the app you want to configure is already listed, click it and then click **Edit**.
|
||||
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
|
||||
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
|
||||
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
|
||||
|
||||
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
|
||||
5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
|
||||
|
||||
## Intune
|
||||
|
||||
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
|
||||
1. Click **Device configuration** > **Profiles** > **Create profile**.
|
||||
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
|
||||
2. Click **Device configuration** > **Profiles** > **Create profile**.
|
||||
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
|
||||

|
||||
1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
|
||||
1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
|
||||
4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
|
||||
5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
|
||||

|
||||
1. Click **OK** to save each open blade and click **Create**.
|
||||
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
|
||||
6. Click **OK** to save each open blade and click **Create**.
|
||||
7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
|
||||
|
||||
## MDM
|
||||
|
||||
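Review bot: Step 2 of this procedure says to click **Exploit protection**, while step 2 of the earlier procedure in the same file says **Exploit protection settings**; the two should name the control identically, so check the current UI label and use it in both places. In the Intune steps, step 7 assigns the profile to **All Users & All Devices** with no mention of the audit mode this article describes; consider pointing readers to a pilot assignment or an audit-mode XML first, since a blocking mitigation pushed tenant-wide can break apps. The `<br/>` that replaced the colon at the end of step 3 and its sub-item has the same raw-HTML problem as in the first procedure.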
@ -132,21 +125,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
|
||||
## SCCM
|
||||
|
||||
1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
|
||||
1. Click **Home** > **Create Exploit Guard Policy**.
|
||||
1. Enter a name and a description, click **Exploit protection**, and click **Next**.
|
||||
1. Browse to the location of the exploit protection XML file and click **Next**.
|
||||
1. Review the settings and click **Next** to create the policy.
|
||||
1. After the policy is created, click **Close**.
|
||||
2. Click **Home** > **Create Exploit Guard Policy**.
|
||||
3. Enter a name and a description, click **Exploit protection**, and click **Next**.
|
||||
4. Browse to the location of the exploit protection XML file and click **Next**.
|
||||
5. Review the settings and click **Next** to create the policy.
|
||||
6. After the policy is created, click **Close**.
|
||||
|
||||
## Group Policy
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
|
||||
|
||||
1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
|
||||
2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
|
||||
3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
|
||||
|
||||
## PowerShell
|
||||
|
||||
|
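Review bot: In the Group Policy section the first two steps are still numbered "1." and "1." while the two changed steps are now "2." and "3.", so the source reads 1, 1, 2, 3 and the explicit numbers are off by one from what will render. Either renumber all four as 1 to 4, or leave all of them as "1." as before; the Intune and SCCM lists in this commit were renumbered in full, so 1 to 4 is the consistent choice. Step 3 (as numbered here) also tells the reader to "type the location of the XML file" without saying what kind of location is expected; a short example path or share format would help.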