From 76236dc81bb1d0f4736591c7bcd0e1b7c0544196 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 1 May 2018 10:55:21 -0700 Subject: [PATCH 1/5] revised requirements --- .../attack-surface-reduction-exploit-guard.md | 5 +--- .../windows-defender-exploit-guard.md | 24 +++++++++---------- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index ad413e8016..f2d3e4c2f8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -194,15 +194,12 @@ With this rule, admins can prevent unsigned or untrusted executable files from r ## Requirements -The following requirements must be met before Attack surface reduction will work: +Attack surface reduction requires Microsoft 365 E5 and Windows Defender AV real-time protection. Windows 10 version | Windows Defender Antivirus - | - Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled - - - ## Review Attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index eac14b3d74..f2f958ce4d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -59,7 +59,13 @@ You can use the Windows Defender ATP console to obtain detailed reporting into e ## Requirements -Each of the features in Windows Defender EG have slightly different requirements: +The following table lists requirements for each feature in Windows Defender EG. + +**Legend**
+![not supported](./images/ball_empty.png) Not supported
+![supported](./images/ball_50.png) Supported
+![supported, enhanced](./images/ball_75.png) Includes advanced exploit protection for the kernel mode via [HVCI] (https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity)
+![supported, full reporting](./images/ball_full.png) Includes automated reporting into the Windows Defender ATP console
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | @@ -68,20 +74,14 @@ Each of the features in Windows Defender EG have slightly different requirements | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -> [!NOTE] -> ![supported, enhanced](./images/ball_75.png) Exploit Protection - On Windows 10 E3, includes advanced exploit protection for the kernel mode via [HVCI] (https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
-> ![supported, full reporting](./images/ball_full.png) On Windows 10 E5, includes automated reporting into the Windows Defender ATP console. +The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus. - -| Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +| Feature | Real-time protection | |-----------------| ------------------------------------ | | Exploit protection | No requirement | -| Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | -| Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | -| Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | - -> [!NOTE] -> Each feature's requirements are further described in the individual topics in this library. +| Attack surface reduction | Must be enabled | +| Network protection | Must be enabled | +| Controlled folder access | Must be enabled | ## In this library From 4438fb2b85ea06241d5fbc32243b243bcd9e164f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 1 May 2018 11:34:40 -0700 Subject: [PATCH 2/5] fixed table --- .../windows-defender-exploit-guard.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index f2f958ce4d..d108b26c1a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -59,13 +59,15 @@ You can use the Windows Defender ATP console to obtain detailed reporting into e ## Requirements -The following table lists requirements for each feature in Windows Defender EG. +This section covers requirements for each feature in Windows Defender EG. + +| Symbol | Support | +|--------|---------| +| ![not supported](./images/ball_empty.png) | Not supported | +| ![supported](./images/ball_50.png) | Supported | +| ![supported, enhanced](./images/ball_75.png) | Includes advanced exploit protection for the kernel mode via [HVCI](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity) | +| ![supported, full reporting](./images/ball_full.png) | Includes automated reporting into the Windows Defender ATP console| -**Legend**
-![not supported](./images/ball_empty.png) Not supported
-![supported](./images/ball_50.png) Supported
-![supported, enhanced](./images/ball_75.png) Includes advanced exploit protection for the kernel mode via [HVCI] (https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity)
-![supported, full reporting](./images/ball_full.png) Includes automated reporting into the Windows Defender ATP console
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | From e38c1a1ccf8b608e055670da3c423d276ae1f0c0 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 1 May 2018 12:52:06 -0700 Subject: [PATCH 3/5] added Win 10 version 1709 requirement --- .../attack-surface-reduction-exploit-guard.md | 16 ++++++++-------- .../controlled-folders-exploit-guard.md | 4 +--- .../exploit-protection-exploit-guard.md | 4 +--- .../network-protection-exploit-guard.md | 4 +--- 4 files changed, 11 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index f2d3e4c2f8..b390b8e956 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -63,6 +63,14 @@ When a rule is triggered, a notification will be displayed from the Action Cente You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled. +## Requirements + +Attack surface reduction requires Microsoft 365 E5 and Windows Defender AV real-time protection. + +Windows 10 version | Windows Defender Antivirus +- | - +Windows 10 version 1709 or later [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled + ## Attack surface reduction rules Windows 10, version 1803 has five new Attack surface reduction rules: 
@@ -192,14 +200,6 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -## Requirements - -Attack surface reduction requires Microsoft 365 E5 and Windows Defender AV real-time protection. - -Windows 10 version | Windows Defender Antivirus -- | - -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled - ## Review Attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 4a24317f84..2ce348a33d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md 
@@ -61,11 +61,9 @@ As with other features of Windows Defender Exploit Guard, you can use [audit mod ## Requirements -The following requirements must be met before Controlled folder access will work: - Windows 10 version | Windows Defender Antivirus -|- -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled ## Review Controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 0d2f55a6c5..f573d338cc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -63,11 +63,9 @@ Exploit protection works best with [Windows Defender Advanced Threat Protection] ## Requirements -The following requirements must be met before Exploit protection will work: - Windows 10 version | Windows Defender Advanced Threat Protection -|- -Insider Preview build 16232 or later (dated July 1, 2017 or later) | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) +Windows 10 version 1709 or later | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) ## Review Exploit protection events in Windows Event Viewer 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 16b940a5e4..293abeeeeb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -56,11 +56,9 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua ## Requirements -The following requirements must be met before Network protection will work: - Windows 10 version | Windows Defender Antivirus - | - -Insider Preview build 16232 or later (dated July 1, 2017 or later) | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled ## Review Network protection events in Windows Event Viewer From b28c16127d07b090f2e98e56e9cd71915c8b6b4c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 1 May 2018 14:32:44 -0700 Subject: [PATCH 4/5] added Win 10 version 1709 requirement --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index b390b8e956..73de2ed469 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -69,7 +69,7 @@ Attack surface reduction requires Microsoft 365 E5 and Windows Defender AV real- Windows 10 version | Windows Defender Antivirus - | - -Windows 10 version 1709 or later [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled ## Attack surface reduction rules From acedae7cf6d1731f8c2f9c29d9cc9706186e1708 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 1 May 2018 17:34:13 -0700 Subject: [PATCH 5/5] fixed Windows 10 references --- .../attack-surface-reduction-exploit-guard.md | 2 +- .../exploit-protection-exploit-guard.md | 2 ++ .../network-protection-exploit-guard.md | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 73de2ed469..74a07d5588 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -65,7 +65,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua ## Requirements -Attack surface reduction requires Microsoft 365 E5 and Windows Defender AV real-time protection. +Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection. Windows 10 version | Windows Defender Antivirus - | - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index f573d338cc..3c95ea7702 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -63,6 +63,8 @@ Exploit protection works best with [Windows Defender Advanced Threat Protection] ## Requirements +Exploit protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection. + Windows 10 version | Windows Defender Advanced Threat Protection -|- Windows 10 version 1709 or later | For full reporting you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 293abeeeeb..f9d89fb5e5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md 
@@ -56,6 +56,8 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua ## Requirements +Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection. + Windows 10 version | Windows Defender Antivirus - | - Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
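Review bot: The HVCI legend line added in PATCH 1/5 (windows-defender-exploit-guard.md, hunk `@@ -59,7 +59,13 @@`) is written `[HVCI] (https://...)` with a space between `]` and `(`, so it will not render as a link; the space is carried over from the NOTE block removed in the next hunk. Remove the space. The last legend line is also followed directly by the `| Feature |` header row with no blank line, which can keep the table from rendering; add an empty line after the legend.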
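Review bot: The `| Network protection | Must be enabled |` row in PATCH 1/5 (windows-defender-exploit-guard.md, hunk `@@ -68,20 +74,14 @@`) lists only real-time protection, while the Requirements table in network-protection-exploit-guard.md (visible in 3/5) says real-time protection and cloud-delivered protection must both be enabled. Add a cloud-delivered protection column or a footnote, or keep the removed pointer that each feature's requirements are described in its own topic, so a reader of the overview does not conclude that real-time protection alone is enough. The hunk also drops the "On Windows 10 E3" and "On Windows 10 E5" qualifiers that the removed NOTE attached to the two symbols; confirm the new legend is meant to be edition-neutral.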
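Review bot: The `Supported` legend row for `ball_50.png` in PATCH 2/5 (windows-defender-exploit-guard.md, hunk `@@ -59,13 +59,15 @@`) does not match the alt text used for the same image in the feature table, which reads `supported, limited reporting`; pick one meaning and use it in both places, since the alt text is all a screen-reader user gets. The `ball_75.png` row describes only the HVCI addition and never says the feature is supported, and the last row is missing the space before its closing `|`.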
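Review bot: The table row added in PATCH 3/5 (attack-surface-reduction-exploit-guard.md, hunk `@@ -63,6 +63,14 @@`) has no `|` between `Windows 10 version 1709 or later` and the real-time protection link, so both values land in the first column. 4/5 adds the separator under the same subject line, "added Win 10 version 1709 requirement"; fold that fix into this patch so the series has no intermediate commit with a broken table and no duplicate subject.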
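Review bot: Deleting the intro sentence in PATCH 3/5 (controlled-folders-exploit-guard.md, hunk `@@ -61,11 +61,9 @@`) leaves the Requirements heading followed directly by the table, and 5/5 adds an edition sentence to the Attack surface reduction, Exploit protection and Network protection topics but not to this one. Add a matching one-line requirement statement here, consistent with the Controlled folder access row of the overview table, which shows the feature as supported on every edition including Windows 10 Home.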
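Review bot: `Windows 10 Enterprise E5` in PATCH 5/5 (attack-surface-reduction-exploit-guard.md, hunk `@@ -65,7 +65,7 @@`) does not match the column headings `Windows 10 E3` and `Windows 10 E5` in the overview table; use one edition name across the library. The Attack surface reduction row of that table is not visible in this series, so also check that it shows the feature as not supported below E5, since this sentence makes E5 a hard requirement.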
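Review bot: The sentence added in PATCH 5/5 (exploit-protection-exploit-guard.md, hunk `@@ -63,6 +63,8 @@`) says Exploit protection requires Windows Defender AV real-time protection, which contradicts the overview table from 1/5 (`| Exploit protection | No requirement |`), and the table directly below it has no Windows Defender Antivirus column at all. Drop the real-time protection clause or correct the overview so the two pages agree; an administrator running a third-party antivirus product would otherwise read this as meaning Exploit protection is unavailable to them.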
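Review bot: The sentence added in PATCH 5/5 (network-protection-exploit-guard.md, hunk `@@ -56,6 +56,8 @@`) names only real-time protection, but the table row two lines below it requires real-time protection and cloud-delivered protection. State both in the sentence, or shorten it to the edition requirement and let the table carry the Antivirus settings, so the page does not give two different answers to what must be enabled.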