mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 06:47:21 +00:00
further updates to using add/set mppref PS for ASR rules
This commit is contained in:
parent
1f6447feba
commit
eb64ac3b3c
@ -53,48 +53,9 @@ All mitigations can be configured for individual apps. Some mitigations can also

You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.

>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
>
>
>Enabled in **Program settings** | Enabled in **System settings** | Behavior
>:-: | :-: | :-:
><svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | <svg width="1rem" height="1rem" viewBox="0 0 140 140" xmlns="http://www.w3.org/2000/svg"><polygon fill='#d83b01' points="95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2"/></svg> | As defined in **Program settings**
><svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | <svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | As defined in **Program settings**
><svg width="1rem" height="1rem" viewBox="0 0 140 140" xmlns="http://www.w3.org/2000/svg"><polygon fill='#d83b01' points="95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2"/></svg> | <svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | As defined in **System settings**
><svg width="1rem" height="1rem" viewBox="0 0 140 140" xmlns="http://www.w3.org/2000/svg"><polygon fill='#d83b01' points="95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2"/></svg> | <svg width="1rem" height="1rem" viewBox="0 0 140 140" xmlns="http://www.w3.org/2000/svg"><polygon fill='#d83b01' points="95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2"/></svg> | Default as defined in **Use default** option
>|XX|XX
>
>
>
>- **Example 1**
>
> You configure **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
>
> You then add the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)** you enable the **Override system settings** option and set the switch to **On**. You don't have any other apps listed in the **Program settings** section.
>
>The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
>
>
>- **Example 2**
>
> You configure **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
>
> You then add the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)** you enable the **Override system settings** option and set the switch to **On**.
>
> You also add the app *miles.exe* to the **Program settings** section and configure **Control flow guard (CFG)** to **On**. You don't enable the **Override system settings** option for DEP or any other mitigation for that app.
>
>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.

Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".



<svg width="1rem" height="1rem" viewBox="0 0 140 140" xmlns="http://www.w3.org/2000/svg"><polygon fill='#d83b01' points="95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2"/></svg>

<svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg>




The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
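Review bot: the tail of this hunk leaves the sentence 'In the following example, the default for Data Execution Prevention is "On".' followed only by a stand-alone red X icon, a stand-alone green check icon and an empty line, so the reader is promised an example but nothing identifies which option is being illustrated; either restore the screenshot or image reference that belonged at this point or drop the sentence together with the two orphaned SVG lines. Removing the precedence matrix and the two DEP/CFG examples from this position is fine on its own, since the same block reappears directly after the mitigation table in a later hunk of this commit, where it sits next to the rows it talks about.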
@ -103,12 +64,12 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r

Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
- | - | - | -
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On** | No
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On** | No
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off** | No
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On** | No
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On** | No
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off** | No
Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | No
Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | No
Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | No
Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | No
Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | No
Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | No
Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | Yes
Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | Yes
Block remote images | Prevents loading of images from remote devices. | App-level only | Yes
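Review bot: the Bottom-Up ASLR row still reads 'system structures heaps, stacks, TEBs, and PEBs' in both the old and the new version of the line; while these six rows are being touched anyway, add the missing comma so it reads 'system structures, heaps, stacks, TEBs, and PEBs'. The actual change in this hunk, closing the parenthesis in the six 'System and app-level (system default: **On**)' / '(system default: **Off**)' cells, is correct and makes the third column consistent with the ACG, low-integrity and remote-image rows that follow.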
@ -125,6 +86,38 @@ Validate handle usage | Causes an exception to be raised on any invalid handle r
Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | Yes
Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | Yes

>[!IMPORTANT]
>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
>
>
>Enabled in **Program settings** | Enabled in **System settings** | Behavior
>:-: | :-: | :-:
><svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | <svg width="1rem" height="1rem" viewBox="0 0 140 140" xmlns="http://www.w3.org/2000/svg"><polygon fill='#d83b01' points="95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2"/></svg> | As defined in **Program settings**
><svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | <svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | As defined in **Program settings**
><svg width="1rem" height="1rem" viewBox="0 0 140 140" xmlns="http://www.w3.org/2000/svg"><polygon fill='#d83b01' points="95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2"/></svg> | <svg width="1rem" height="1rem" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'><path fill='#0E8915' d='M129 20L55 94 21 60 10 71l45 45 85-85z'/></svg> | As defined in **System settings**
> |  | Default as defined in **Use default** option
>
>
>
>- **Example 1**
>
> Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
>
> Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
>
>The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
>
>
>- **Example 2**
>
> Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
>
> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
>
> Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
>
>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
>CFG will be enabled for *miles.exe*.



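Review bot: the fourth matrix row '> |  | Default as defined in **Use default** option' has two empty cells; in the copy of this matrix removed earlier in the same commit, that row carried the red X icon in both columns (the case where neither **Program settings** nor **System settings** enables the mitigation), so the icons were lost in the move, and without them the row renders as two blank cells and no longer states which combination it describes. Restore the two X SVGs there (the stray '>|XX|XX' line from the old copy was rightly dropped, but the icons should not have gone with it). Minor wording in Example 1: 'DEP only will be enabled for *test.exe*' reads better as 'DEP will be enabled only for *test.exe*'.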
@ -139,7 +132,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Use default** - The mitigation is either enabled or disabled, depending on the default configuration for Windows 10; the default value (**On** or **Off**) is always specified next to the **Use default** label for each of the mitigations
- **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation

>[!NOTE]
>You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.

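Review bot: the reworded **Use default** bullet is missing an article: 'depending on the default configuration that is set up by Windows 10 installation' should read 'set up by the Windows 10 installation', or simply keep the old 'the default configuration for Windows 10', which says the same thing in fewer words. The other change in the line, 'for each of the mitigations' to 'for each mitigation', is fine.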
@ -92,7 +92,9 @@ See the [Attack Surface Reduction](attack-surface-reduction-exploit-guard.md) to
```PowerShell
Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
```




You can enable the feature in audit mode using the following cmdlet:

```PowerShell
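Review bot: the only visible difference in this hunk is the run of empty lines between the closing fence of the Set-MpPreference example and 'You can enable the feature in audit mode using the following cmdlet:', so the two added lines appear to be whitespace only; one blank line between a fenced block and the next paragraph is all the renderer needs, so trim the extra ones rather than adding more.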
@ -101,6 +103,21 @@ Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReduct

Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.

>[!IMPORTANT>
>You must specify the state individually for each rule, but you can combine rules and states in a comma seperated list.
>
>In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode:
>
>```PowerShell
>Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
>```


You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.

>[!WARNING]
>`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
>You can obtain a list of rules and their current state by using `Get-MpPreference`


### Use MDM CSPs to enable Attack Surface Reduction rules

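Review bot: the alert opener `>[!IMPORTANT>` has a `>` where the closing `]` belongs, so the block will not render as an IMPORTANT alert; change it to `>[!IMPORTANT]`. Three typos in the same hunk: 'comma seperated list' should be 'comma-separated list', 'You can also the `Add-MpPreference` PowerShell verb' is missing 'use', and the context line 'Use `Disabled` insead of `AuditMode`' should read 'instead'. Two things are worth saying explicitly beside the four-rule example, because the text only says 'you must specify the state individually for each rule': the `-AttackSurfaceReductionRules_Actions` list is matched to `-AttackSurfaceReductionRules_Ids` by position, so both lists must have the same number of entries in the same order, and since `Set-MpPreference` replaces the whole rule set (as the WARNING correctly states) an administrator should record the `Get-MpPreference` output before and after the change to confirm that no previously enabled rule was silently dropped or downgraded to audit. The last line of the WARNING is also missing its full stop after `Get-MpPreference`.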
Binary file not shown.
After: Size: 193 B