edits

2025-05-14 06:17:22 +00:00 · 2019-03-26 16:37:09 -07:00 · 2019-03-26 16:37:09 -07:00 · e58007cd1c
commit e58007cd1c
parent 5aaeac3787
4 changed files with 190 additions and 32 deletions
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -139,7 +139,6 @@
 ######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
 ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
 ###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
 ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 ##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
 ##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@ -136,7 +136,6 @@
 ####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
 ####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
 #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
 ##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
 ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
 #### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@ -106,7 +106,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-3.	Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
    - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
@ -114,32 +114,23 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
    >[!NOTE]
    >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
-    Changing some settings may required a restart, which will be indicated in red text underneath the setting.	  
+    Changing some settings may require a restart.	  
 4. Repeat this for all the system-level mitigations you want to configure.
-You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. 
+3. Go to the **Program settings** section and choose the app you want to apply mitigations to:
-Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
+   1. If the app you want to configure is already listed, click it and then click **Edit**
-
+   2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
 ### Configure app-specific mitigations with the Windows Security app
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen.
 3.	Go to the **Program settings** section and choose the app you want to apply mitigations to:
    1. If the app you want to configure is already listed, click it and then click **Edit**
    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
-    
+
-You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. 
+
 You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. 
 Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@ -24,20 +24,192 @@ ms.date: 03/26/2019
 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. 
 ## Enable exploit protection
 You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. 
 The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. You can customize the configuration to suit your organization and then deploy that configuration across your network. 
 You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
-You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using.
+## Enable exploit protection
 You enable and configure each exploit protection mitigation separately either by using the Windows Security app or PowerShell.
 They are configured by default in Windows 10. 
 You can set each mitigation to on, off, or to its default value. 
 Some mitigations have additional options.
 You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy it to other machines by using Group Policy. 
 ### Windows Security app
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
 3.	Go to **Program settings** and choose the app you want to apply mitigations to:
    1. If the app you want to configure is already listed, click it and then click **Edit**
    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. 
 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
    - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
    - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
 5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
 Enabled in **Program settings** | Enabled in **System settings** | Behavior
 :-: | :-: | :-:
 [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings**
 [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings**
 [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings**
 [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option
 **Example 1**  
 Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
 Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
 The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
 **Example 2**
 Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
 Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. 
 Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
 The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. 
 CFG will be enabled for *miles.exe*.
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
 3.	Go to **Program settings** and choose the app you want to apply mitigations to:
    1. If the app you want to configure is already listed, click it and then click **Edit**
    2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
        - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 ### PowerShell
 You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
 ```PowerShell
 Get-ProcessMitigation -Name processName.exe 
 ```
 >[!IMPORTANT]
 >System-level mitigations that have not been configured will show a status of `NOTSET`. 
 >
 >For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. 
 >
 >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. 
 >
 >The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
 Use `Set` to configure each mitigation in the following format:
 ```PowerShell
 Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
 ```
 Where:
 - \<Scope>:
    - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
    - `-System` to indicate the mitigation should be applied at the system level
 - \<Action>:
    - `-Enable` to enable the mitigation
    - `-Disable` to disable the mitigation
 - \<Mitigation>:
    - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma.
 For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
 ```PowerShell
 Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation
 ```
 >[!IMPORTANT]
 >Separate each mitigation option with commas.
 If you wanted to apply DEP at the system level, you'd use the following command:
 ```PowerShell
 Set-Processmitigation -System -Enable DEP
 ```
 To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app.
 If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example:
 ```PowerShell
 Set-Processmitigation -Name test.exe -Remove -Disable DEP
 ```
 This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. 
 Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet
 - | - | - | -
 Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available
 Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available
 Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocateImages  | Audit not available
 Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
 Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
 Validate heap integrity | System and app-level |   TerminateOnHeapError  | Audit not available
 Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode 
 Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad 
 Block remote images | App-level only |   BlockRemoteImages  | Audit not available 
 Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly 
 Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned 
 Disable extension points | App-level only |   ExtensionPoint  | Audit not available
 Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
 Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
 Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available 
 Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available 
 Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available 
 Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available 
 Validate handle usage | App-level only |   StrictHandle  | Audit not available
 Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available 
 Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available 
 <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
 ```PowerShell
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll 
 ```
 ## Customize the notification
 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 See the following topics for instructions on configuring exploit protection mitigations and importing, exporting, and converting configurations:
 1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
 2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
 ## Related topics
@ -45,6 +217,3 @@ See the following topics for instructions on configuring exploit protection miti
 - [Evaluate exploit protection](evaluate-exploit-protection.md)
 - [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)