From b922d5bd9d9cfdefdf59fe01a972c4100a77f690 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Wed, 6 Dec 2017 17:33:41 -0800 Subject: [PATCH 01/15] add emet compare topic --- ...hell-cmdlets-windows-defender-antivirus.md | 2 +- ...indows-defender-antivirus-compatibility.md | 2 +- .../customize-exploit-protection.md | 1 + .../emet-exploit-protection-exploit-guard.md | 73 ++++++++++++++++++- .../enable-exploit-protection.md | 2 + .../event-views-exploit-guard.md | 4 +- .../exploit-protection-exploit-guard.md | 4 +- 7 files changed, 80 insertions(+), 8 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 6a3cb8e8bd..5a688a51ca 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -31,7 +31,7 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. -You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). +You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. 
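Review bot: the sentence appended in the `+You can [configure which settings can be overridden locally ...]` line tacks an installation-path remark onto a paragraph about local policy overrides, where it reads as a non sequitur; move it to its own paragraph, or up to the cmdlet introduction at the top of the topic. The path is also incomplete for the purpose it serves: the Windows PowerShell host and its module folders live under `%SystemRoot%\system32\WindowsPowerShell\v1.0`, so if the point is to tell Server administrators where to find `powershell.exe`, quote the `v1.0` folder rather than its parent.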
diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index b2d2890d2b..d395ea83cb 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -68,7 +68,7 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] +Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 40aebba1d3..a09b089a0d 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
@@ -45,6 +45,7 @@ You configure these settings using the Windows Defender Security Center on an in It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). +>[!WARNING] Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. ## Exploit protection mitigations diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 640893025c..1fe5771e2d 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
@@ -30,14 +30,83 @@ ms.date: 08/25/2017 - Enterprise security administrators +>[!IMPORTANT] + >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + + + The Enhanced Mitigation Experience Toolkit (EMET) is a stand-alone product that is available on earlier versions of Windows and provides a number of system- and app-based mitigations against known exploit techniques. + + After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made for it. + + In Windows 10, version 1709 (also known as the Fall Creators Update), we released Windows Defender Exploit Guard, which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. + + Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. -We're still working on this content and will have it published soon! + ## Feature comparison + + The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. + +  | Windows Defender Exploit Guard | EMET + -|:-:|:-: +Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All version of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7 +Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)] | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 +Updates | [!include[Check mark yes](images/svg/check-yes.md)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.md)]
No planned updates or development +Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison)) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations +[Attack surface reduction](attack-surface-reduction-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
[Configuration of individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
No rule configuration, limited ruleset +[Network protection](network-protection-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available +[Controlled folder access](controlled-folders-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available and [configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available +Manageability with | [!include[Check mark yes](images/svg/check-yes.md)]
Group policy, Windows GUI, System Center Configuration Manager, Intune | [!include[Check mark yes](images/svg/check-yes.md)]
Group Policy, standalone GUI, System Center Configuration Manager +Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Windows event logs](event-views-exploit-guard.md) and full [audit mode reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring +[Audit mode](audit-windows-defender-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available + +([1](#ref1)) Support coming in December 2017. Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). -Check out the following topics for more information about Exploit protection: + + +## Mitigation comparison + +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). + +The table in this section indicates the availability of mitigations between EMET and Exploit protection. + +Mitigation | Description | Available in Windows Defender Exploit Guard | Available in EMET +-|-|:-:|:-: +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. 
| [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate heap integrity | Terminates a process when heap corruption is detected. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Block low integrity images | Prevents the loading of images marked with Low Integrity. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Block remote images | Prevents loading of images from remote devices. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. 
| [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes | Prevents an app from creating child processes. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate handle usage | Causes an exception to be raised on any invalid handle references. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. 
| [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +heap spray allocation? | | | [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation | | | [!include[Check mark yes](images/svg/check-yes.md)] +Load Library Check – Return Oriented Programming (ROP) Security Mitigation | | | [!include[Check mark yes](images/svg/check-yes.md)] +Memory Protection Check – Return Oriented Programming (ROP) Security Mitigation | | | [!include[Check mark yes](images/svg/check-yes.md)] +Advanced ROP - Deep hooks | | | [!include[Check mark yes](images/svg/check-yes.md)] +Advanced ROP - Anti detours | | | [!include[Check mark yes](images/svg/check-yes.md)] +Advanced ROP - Banned functions | | | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | | | [!include[Check mark yes](images/svg/check-yes.md)] + + +## Related topics - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Evaluate Exploit protection](evaluate-exploit-protection.md) diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index a461a35961..1344c3f94d 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md 
@@ -56,6 +56,8 @@ You can also set mitigations to audit mode. Audit mode allows you to test how th For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +>[!WARNING] Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. + You can also convert an existing EMET configuration file (in XML format) and import it into Exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. See the following topics for instructions on configuring Exploit protection mitigations and importing, exporting, and converting configurations: diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 292c45961e..4d9b2ed7d8 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md 
@@ -29,13 +29,13 @@ ms.author: iawilt - Enterprise security administrators -Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windos Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. +Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windows Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subsciption and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review Windows Defender Exploit Guard features 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index eb09cca9c9..567bc34127 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md 
@@ -50,12 +50,12 @@ Exploit protection works best with [Windows Defender Advanced Threat Protection] You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled. - Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10. >[!IMPORTANT] >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. - +>[!WARNING] Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. ## Requirements 
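Review bot: the `@@ -68,7 +68,7 @@` hunk in windows-defender-antivirus-compatibility.md shows no textual difference between the removed and the added `Automatic disabled mode` row, so this is a whitespace-only change; either drop it from the commit or, if the row was meant to be corrected, make the correction visible. As it stands it only adds noise to a commit titled `add emet compare topic`.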
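Review bot: in customize-exploit-protection.md the added `+>[!WARNING] Some security mitigation technologies ...` line puts the alert tag and its body on one line; the docs alert syntax used elsewhere in this very patch (`>[!IMPORTANT]` alone on the first line, body on the following `>` line) needs the tag by itself, otherwise the page renders a plain blockquote that starts with the literal text `[!WARNING]`. Split it into `>[!WARNING]` followed by `>Some security mitigation technologies may have compatibility issues with some applications. ...`.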
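Review bot: the last eight rows of the new `## Mitigation comparison` table in emet-exploit-protection-exploit-guard.md (`+heap spray allocation? | | | ...` through `+Certificate trust (configurable certificate pinning) | | | ...`) are unfinished: the first row name still carries a question mark, and all of them have an empty Description cell and an empty Exploit Guard cell, so the published table tells a reader nothing about whether these EMET mitigations have a successor. Fill the descriptions and mark the Exploit Guard column (a check-no is fine where there is no equivalent) before this merges. Smaller points in the same hunk: the support footnote marker links to `#fn1` while the footnote itself is anchored as `#ref1`, and neither id is defined anywhere in the file, so the link is dead in both directions; `Restricts loading of images signed by Microsoft, WQL, and higher` should read WHQL (Windows Hardware Quality Labs); `All version of Windows 10` should be `All versions`; and the Attack surface reduction row gives EMET a check-yes next to `No rule configuration, limited ruleset`, which is hard to reconcile with the check-no used for the other features EMET lacks.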
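Review bot: the `+>[!WARNING] ...` line added to enable-exploit-protection.md has the same inline-tag problem as the one in customize-exploit-protection.md (tag and body on one line, so it will not render as an alert), and it is the third verbatim copy of the same warning in this patch. Since the repo already uses `[!include[...](...)]` fragments (see the check-mark cells in the tables), put the warning in one include file and reference it from all three topics so the wording cannot drift.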
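Review bot: in exploit-protection-exploit-guard.md the `+>[!WARNING] Some security mitigation technologies ...` line replaces the blank line that used to follow `>If you are currently using EMET ...`, so Markdown will treat it as a continuation of the `[!IMPORTANT]` blockquote rather than a second alert; keep a blank line between the two blocks and put `>[!WARNING]` on its own line with the body on a following `>` line, as the `[!IMPORTANT]` block directly above already does.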
From 0d76b9f4940d64d52a9deef748a37bd8b451b0f9 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 7 Dec 2017 13:06:16 -0800 Subject: [PATCH 02/15] updates based on fb --- .../emet-exploit-protection-exploit-guard.md | 44 +++++++++++-------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 1fe5771e2d..7d8279bf82 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -22,6 +22,7 @@ ms.date: 08/25/2017 **Applies to:** - Windows 10, version 1709 +- Enhanced Mitigation Experience Toolkit version 5.5 (latest version) @@ -50,19 +51,27 @@ ms.date: 08/25/2017   | Windows Defender Exploit Guard | EMET -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All version of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7 -Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)] | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 +Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All version of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later +Installation requirements | [Windows Defender Security Center in Windows 10](../windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md) (no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Defender Security Center](../windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
Throughout Windows 10 support lifecycle | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.md)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.md)]
No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison)) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations -[Attack surface reduction](attack-surface-reduction-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
[Configuration of individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
No rule configuration, limited ruleset +[Attack surface reduction](attack-surface-reduction-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
[Configuration of individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) [Network protection](network-protection-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available [Controlled folder access](controlled-folders-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available and [configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available -Manageability with | [!include[Check mark yes](images/svg/check-yes.md)]
Group policy, Windows GUI, System Center Configuration Manager, Intune | [!include[Check mark yes](images/svg/check-yes.md)]
Group Policy, standalone GUI, System Center Configuration Manager -Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Windows event logs](event-views-exploit-guard.md) and full [audit mode reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring -[Audit mode](audit-windows-defender-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available +Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark yes](images/svg/check-yes.md)]
Available +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.md)]
Windows-based configuration | [!include[Check mark yes](images/svg/check-yes.md)]
Requires installation and use of EMET tool +Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.md)]
PowerShell| [!include[Check mark yes](images/svg/check-yes.md)]
Requires use of EMET tool (EMET_CONF) +System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available +Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available +Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Windows event logs](event-views-exploit-guard.md) and full [audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring +[Audit mode](audit-windows-defender-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Limited to EAF, EAF+, and anti-ROP mitigations + + @@ -71,19 +80,18 @@ Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Wind The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). -The table in this section indicates the availability of mitigations between EMET and Exploit protection. +The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. Mitigation | Description | Available in Windows Defender Exploit Guard | Available in EMET -|-|:-:|:-: -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. 
| [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Validate heap integrity | Terminates a process when heap corruption is detected. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" Block low integrity images | Prevents the loading of images marked with Low Integrity. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Block remote images | Prevents loading of images from remote devices. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Block remote images | Prevents loading of images from remote devices. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] 
@@ -96,16 +104,14 @@ Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked Validate handle usage | Causes an exception to be raised on any invalid handle references. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -heap spray allocation? | | | [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation | | | [!include[Check mark yes](images/svg/check-yes.md)] -Load Library Check – Return Oriented Programming (ROP) Security Mitigation | | | [!include[Check mark yes](images/svg/check-yes.md)] -Memory Protection Check – Return Oriented Programming (ROP) Security Mitigation | | | [!include[Check mark yes](images/svg/check-yes.md)] -Advanced ROP - Deep hooks | | | [!include[Check mark yes](images/svg/check-yes.md)] -Advanced ROP - Anti detours | | | [!include[Check mark yes](images/svg/check-yes.md)] -Advanced ROP - Banned functions | | | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | | | [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation | | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation | | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] + +>[!NOTE] The Advanced ROP mitigations that are available in EMET refer to additional configuration options for other mitigations, such as "Memory protection checks" and "Load library checks". These mitigations have been included in Windows Defender Exploit Guard with enhancements that natively increase the protection beyond those options in EMET. + ## Related topics - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) From 509cda4f9808d96efa0d0bcfc1dabe994c8fcc66 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 7 Dec 2017 13:45:06 -0800 Subject: [PATCH 03/15] format fixes --- .../emet-exploit-protection-exploit-guard.md | 136 +++++++++++++----- 1 file changed, 102 insertions(+), 34 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 7d8279bf82..52e865f5d8 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
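Review bot: In the @@ -71,19 +80,18 @@ hunk of emet-exploit-protection-exploit-guard.md the `-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. ...` row is deleted with nothing replacing it, even though the row itself marks the mitigation as available in Windows Defender Exploit Guard; either restore it or say in the commit message why it no longer belongs in the comparison. The three EMET-only rows added at the end put their rationale in the wrong column: `+Heap spray allocation | | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)]` leaves Description empty and places the explanation under "Available in Windows Defender Exploit Guard" (the Certificate trust and NullPage rows do the same), so move that text into Description and keep a check mark or a short "Not applicable" in the availability cell. The added `+>[!NOTE] The Advanced ROP mitigations ...` also puts the body on the `[!NOTE]` line; follow the form this topic already uses for `>[!IMPORTANT]`, with the text on following `>` lines, or the alert may not render as one.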
@@ -32,12 +32,14 @@ ms.date: 08/25/2017 >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. +> +>You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. The Enhanced Mitigation Experience Toolkit (EMET) is a stand-alone product that is available on earlier versions of Windows and provides a number of system- and app-based mitigations against known exploit techniques. - After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made for it. + After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it. In Windows 10, version 1709 (also known as the Fall Creators Update), we released Windows Defender Exploit Guard, which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. @@ -51,10 +53,10 @@ ms.date: 08/25/2017   | Windows Defender Exploit Guard | EMET -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All version of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Defender Security Center in Windows 10](../windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md) (no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Defender Security Center](../windows/threat-protection/windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
Throughout Windows 10 support lifecycle | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 +Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later +Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
Throughout the [Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.md)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.md)]
No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison)) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations [Attack surface reduction](attack-surface-reduction-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
[Configuration of individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) @@ -65,7 +67,7 @@ Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/c Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.md)]
PowerShell| [!include[Check mark yes](images/svg/check-yes.md)]
Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Windows event logs](event-views-exploit-guard.md) and full [audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring +Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Windows event logs](event-views-exploit-guard.md) and full [audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring [Audit mode](audit-windows-defender-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Limited to EAF, EAF+, and anti-ROP mitigations @@ -80,37 +82,45 @@ Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Wind The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). -The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. +The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. -Mitigation | Description | Available in Windows Defender Exploit Guard | Available in EMET --|-|:-:|:-: -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate heap integrity | Terminates a process when heap corruption is detected. 
| [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" -Block low integrity images | Prevents the loading of images marked with Low Integrity. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Block remote images | Prevents loading of images from remote devices. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes | Prevents an app from creating child processes. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. 
| [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation | | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation | | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] +Mitigation | Available in Windows Defender Exploit Guard | Available in EMET +-|:-:|:-: +Arbitrary code guard (ACG)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" +Block remote images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block untrusted fonts  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Data Execution Prevention (DEP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Export address filtering (EAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation  |  [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10   |  [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate stack integrity (StackPivot)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning)  |  No longer supported by the industry as newer mitigations provide better protection with fewer errors  |  [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation  |  Ineffective against modern browser exploits, newer mitigations provide better protection  |  [!include[Check mark yes](images/svg/check-yes.md)] +Block low integrity images  |  [!include[Check mark 
yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Code integrity guard  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Disable extension points  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Import address filtering (IAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate handle usage  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] ->[!NOTE] The Advanced ROP mitigations that are available in EMET refer to additional configuration options for other mitigations, such as "Memory protection checks" and "Load library checks". These mitigations have been included in Windows Defender Exploit Guard with enhancements that natively increase the protection beyond those options in EMET. + + + + + + + +>[!NOTE] +>The Advanced ROP mitigations that are available in EMET refer to additional configuration options for other mitigations, such as "Memory protection checks" and "Load library checks". These mitigations have been included in Windows Defender Exploit Guard with enhancements that natively increase the protection beyond those options in EMET. ## Related topics 
@@ -119,3 +129,61 @@ Certificate trust (configurable certificate pinning) | | No longer supported by - [Enable Exploit protection](enable-exploit-protection.md) - [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) - [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) + + +## Table A-Z mitigations + +Mitigation | Available in Windows Defender Exploit Guard | Available in EMET +-|:-:|:-: +Arbitrary code guard (ACG)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" +Block low integrity images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Block remote images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block untrusted fonts  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning)  |  No longer supported by the industry as newer mitigations provide better protection with fewer errors  |  [!include[Check mark yes](images/svg/check-yes.md)] +Code integrity guard  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Data Execution Prevention (DEP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Disable extension points  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Export address filtering (EAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation  |  Ineffective against modern browser exploits, newer mitigations provide better protection  |  [!include[Check mark yes](images/svg/check-yes.md)] +Import address filtering (IAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +NullPage Security Mitigation  |  [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10   |  [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark 
yes](images/svg/check-yes.md)] +Simulate execution (SimExec)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate handle usage  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate stack integrity (StackPivot)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] + + +# Table WDEG yes > EMET no > Emet > yes + +Mitigation | Available in Windows Defender Exploit Guard | Available in EMET +-|:-:|:-: +Block low integrity images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Code integrity guard  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Disable extension points  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Import address filtering (IAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] 
+Validate handle usage  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Heap spray allocation  |  Ineffective against modern browser exploits, newer mitigations provide better protection  |  [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning)  |  No longer supported by the industry as newer mitigations provide better protection with fewer errors  |  [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation  |  [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10   |  [!include[Check mark yes](images/svg/check-yes.md)] +Block untrusted fonts  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Data Execution Prevention (DEP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Export address filtering (EAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark 
yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Validate stack integrity (StackPivot)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Arbitrary code guard (ACG)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" +Block remote images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" From a685cfa876f711ba8e5465a9959ca94f20f5a891 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 7 Dec 2017 14:24:01 -0800 Subject: [PATCH 04/15] fix layout issues --- .../emet-exploit-protection-exploit-guard.md | 138 +++++++++--------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 52e865f5d8..65f3182ac1 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -86,29 +86,29 @@ The table in this section indicates the availability and support of native mitig Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: -Arbitrary code guard (ACG)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" -Block remote images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]
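Review bot: In the @@ -32,12 +32,14 @@ hunk the rewritten IMPORTANT alert mixes indentation: the first body line keeps a leading space before the quote marker (`+ >If you are currently using EMET ...`) while the two new lines are `+>` and `+>You can [convert ...`; align all three on `>` so the block stays a single blockquote. The hunk context still shows `ms.date: 08/25/2017` while this series revises the topic's content; bump it in the same change.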
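Review bot: In the @@ -51,10 +53,10 @@ hunk the new support lifecycle link hard-codes a locale (`https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet`); drop the `en-us` segment so readers of localized builds land on their own language, consistent with the blogs.technet.microsoft.com link in the Updates row of the same hunk, which carries no locale. The `All version` to `All versions` fix and the corrected `../windows-defender-security-center/` paths look right.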
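Review bot: In the @@ -80,37 +82,45 @@ hunk dropping the Description column removes the only per-mitigation explanation this topic had (what DEP, ACG, EAF and the rest do); if the three-column layout is the goal, keep those descriptions reachable, for example by linking each Mitigation name to the per-mitigation configuration topic (customize-exploit-protection.md, already listed under Related topics). Two rows glue free text straight onto the include, `[!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check"` and `[!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10`, while the Block remote images row breaks before `As "Load Library Check"`; separate them the same way in all three rows. Smaller points: the first changed pair (`-The table in this section ...` / `+The table in this section ...`) differs only in whitespace, the seven empty `+` lines before the note add nothing, and the row order (all yes/yes rows, then the two EMET-only rows, then the yes/no rows) should be made alphabetical or stated, so a reader can find a given mitigation.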
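Review bot: In the @@ -119,3 +129,61 @@ hunk the two tables appended after Related topics (`+## Table A-Z mitigations` and `+# Table WDEG yes > EMET no > Emet > yes`) read as working drafts: they repeat the mitigation table from the previous hunk with different row orders, the second uses a level-1 heading in a topic that otherwise uses `##`, and its title is a sorting note rather than a reader-facing heading. Pick the ordering you want, apply it to the main table, and remove both copies so Related topics remains the last section.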
As "Load Library Check" -Block untrusted fonts  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Data Execution Prevention (DEP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation  |  [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10   |  [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning)  |  No longer supported by the industry as newer mitigations provide better protection with fewer errors  |  [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation  |  Ineffective against modern browser exploits, newer mitigations provide better protection  |  [!include[Check mark yes](images/svg/check-yes.md)] -Block low integrity images  |  [!include[Check mark 
yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Code integrity guard  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Disable extension points  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Import address filtering (IAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate handle usage  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" +Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark 
no](images/svg/check-no.md)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] @@ -135,55 +135,55 @@ Validate Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: -Arbitrary code guard (ACG)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" -Block low integrity images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Block remote images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" -Block untrusted fonts  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning)  |  No longer supported by the industry as newer mitigations provide better protection with fewer errors  |  [!include[Check mark yes](images/svg/check-yes.md)] -Code integrity guard  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Data Execution Prevention (DEP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Disable extension points  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Export address filtering (EAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation  |  Ineffective against modern browser exploits, newer mitigations provide better protection  |  [!include[Check mark yes](images/svg/check-yes.md)] -Import address filtering (IAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -NullPage Security Mitigation  |  [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10   |  [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark 
yes](images/svg/check-yes.md)] -Simulate execution (SimExec)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate handle usage  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate stack integrity (StackPivot)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec) | 
[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] # Table WDEG yes > EMET no > Emet > yes Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: -Block low integrity images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Code integrity guard  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Disable extension points  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Import address filtering (IAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate handle usage  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check 
mark no](images/svg/check-no.md)] -Validate heap integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark no](images/svg/check-no.md)] -Heap spray allocation  |  Ineffective against modern browser exploits, newer mitigations provide better protection  |  [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning)  |  No longer supported by the industry as newer mitigations provide better protection with fewer errors  |  [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation  |  [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10   |  [!include[Check mark yes](images/svg/check-yes.md)] -Block untrusted fonts  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Data Execution Prevention (DEP)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP)  |  [!include[Check mark 
yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)] -Arbitrary code guard (ACG)  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" -Block remote images  |  [!include[Check mark yes](images/svg/check-yes.md)]  |  [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | 
[!include[Check mark yes](images/svg/check-yes.md)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" +Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" From a3c256b17590e6da89514e0a45d06a2177704bed Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 7 Dec 2017 14:38:32 -0800 Subject: [PATCH 05/15] space characters --- .../emet-exploit-protection-exploit-guard.md | 138 +++++++++--------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 65f3182ac1..8157efc2fa 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -86,29 +86,29 @@ The table in this section indicates the availability and support of native mitig Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
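Review bot: In both hunks of PATCH 04/15 (`@@ -86,29 +86,29 @@` and `@@ -135,55 +135,55 @@`) the rewritten rows still run the annotation straight onto the include macro with no separator, for example `+Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check"`, the `Block remote images` rows ending in `)]As "Load Library Check"`, and the `NullPage Security Mitigation` row's `)]Included natively in Windows 10`; the rendered cell will show the check icon glued to the text, so put a space or `<br>` between the include and the annotation. The commit message `fix layout issues` also does not say what layout changed: every `-`/`+` pair differs only in the double spaces around `|` being collapsed to single spaces, and the message should say it is a whitespace-only change, since a 69-line rewrite of every table row otherwise reads as a content change.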
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark 
no](images/svg/check-no.md)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" +Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] 
+Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] @@ -135,55 +135,55 @@ Validate Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | 
[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] # Table WDEG yes > EMET no > Emet > yes Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark 
no](images/svg/check-no.md)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API 
invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" +Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" From f948c791f276bf4b15a5354267906011f36630b6 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 7 Dec 2017 18:25:33 -0800 Subject: [PATCH 06/15] minor formatting updates --- .../emet-exploit-protection-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 8157efc2fa..5d6e4f6de6 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -32,7 +32,7 @@ ms.date: 08/25/2017 >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. +>If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. From 70102f6016c49fd617e3753eb80cc2c2f79929bf Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 11:49:43 -0800 Subject: [PATCH 07/15] updates --- ...es-baselines-windows-defender-antivirus.md | 2 +- .../emet-exploit-protection-exploit-guard.md | 115 +++++------------- 2 files changed, 34 insertions(+), 83 deletions(-) 
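Review bot: the mitigation-table hunk that ends just before the PATCH 06/15 header removes all 23 rows of the second table (from `-Block low integrity images` through `-Block remote images`) and re-adds them with identical text in identical order, so whatever it changes is invisible here, most likely trailing whitespace or line endings. Check it with `git diff -w` and drop the hunk if that shows it empty; whitespace churn across a whole table buries the real edits in blame. While here, that table sits under a bare `#` heading (`# Table WDEG yes > EMET no > Emet > yes`), which renders as a second H1 on a page whose sections are `##`, and the title reads as a working note rather than something a reader should see.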
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 77c6833644..4d07119caa 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -40,7 +40,7 @@ The cloud-delivered protection is always on and requires an active connection to ## Product updates -Windows Defender AV requires monthly updates (known as "engine updates"), and will receive major feature updates alongside Windows 10 releases. +Windows Defender AV requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 5d6e4f6de6..7c30cde7a7 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
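Review bot: in the `@@ -40,7 +40,7 @@` hunk of manage-updates-baselines-windows-defender-antivirus.md, the new support link hard-codes a locale (`https://support.microsoft.com/en-us/help/4052623/...`); drop the `en-us` segment so readers of localized docs land on their own language version. The wording change itself, naming both "engine updates" and "platform updates", is fine.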
@@ -36,14 +36,22 @@ ms.date: 08/25/2017 > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard. - The Enhanced Mitigation Experience Toolkit (EMET) is a stand-alone product that is available on earlier versions of Windows and provides a number of system- and app-based mitigations against known exploit techniques. + In Windows 10, version 1709 (also known as the Fall Creators Update), we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. + + Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. + + EMET is a stand-alone product that is available on earlier versions of Windows and provides a number of system- and app-based mitigations against known exploit techniques. After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it. - In Windows 10, version 1709 (also known as the Fall Creators Update), we released Windows Defender Exploit Guard, which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. - - Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. 
+ For more information about the individual features and mitigations available in Windows Defender Exploit Guard, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: + +- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) + @@ -56,24 +64,24 @@ ms.date: 08/25/2017 Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
Throughout the [Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 +Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Throughout the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.md)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.md)]
No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison)) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations -[Attack surface reduction](attack-surface-reduction-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
[Configuration of individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) -[Network protection](network-protection-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available -[Controlled folder access](controlled-folders-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available and [configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark yes](images/svg/check-yes.md)]
Available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.md)]
Windows-based configuration | [!include[Check mark yes](images/svg/check-yes.md)]
Requires installation and use of EMET tool -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.md)]
PowerShell| [!include[Check mark yes](images/svg/check-yes.md)]
Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
[With Windows event logs](event-views-exploit-guard.md) and full [audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring -[Audit mode](audit-windows-defender-exploit-guard.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Available | [!include[Check mark no](images/svg/check-no.md)]
Limited to EAF, EAF+, and anti-ROP mitigations +Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations +Attack surface reduction | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) +Network protection | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available +Controlled folder access | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Requires installation and use of EMET tool +Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.md)]
Available +Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.md)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.md)]
Requires use of EMET tool (EMET_CONF) +System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.md)]
Not available +Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.md)]
Not available +Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring +Audit mode | [!include[Check mark yes](images/svg/check-yes.md)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Limited to EAF, EAF+, and anti-ROP mitigations + - + @@ -92,14 +100,14 @@ Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [! Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.md)] Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] +Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation | Ineffective against newer browser-based exploits, newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.md)] Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] @@ -115,12 +123,11 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check - - - - >[!NOTE] ->The Advanced ROP mitigations that are available in EMET refer to additional configuration options for other mitigations, such as "Memory protection checks" and "Load library checks". These mitigations have been included in Windows Defender Exploit Guard with enhancements that natively increase the protection beyond those options in EMET. +>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. +> +>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. + ## Related topics 
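Review bot: in the `@@ -36,14 +36,22 @@` hunk, the new opening sentence misspells the product as "Enhance Mitigation Experience Toolkit (EMET)"; it should be "Enhanced", as in the line it replaces. The same sentence names "Windows Defender Exploit Guard" as EMET's replacement, while the `[!IMPORTANT]` note directly above still tells readers to replace EMET with "Exploit protection in Windows 10"; pick one and use it in both places. The feature table later in this patch maps EMET's mitigations to the Exploit protection row ("All EMET mitigations plus new, specific mitigations"), with Exploit Guard as the umbrella, so "Exploit protection" is the more precise choice for the replacement and "Exploit Guard" for the product family.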
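Review bot: in the `@@ -56,24 +64,24 @@` hunk, the rewritten Supportability cell adds a footnote marker `[[1](#fn1)]`, but no `fn1` anchor or footnote text appears anywhere in this patch; confirm the target exists further down the file or add it, otherwise the link is dead. The new Microsoft Intune cell links to a what's-new page anchor (`.../intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---`) that is generated from a heading and will break the next time that page is edited; link to the Intune Exploit Guard configuration topic instead, as the System Center Configuration Manager cell in the same hunk does.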
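Review bot: in the `@@ -92,14 +100,14 @@` hunk, the Certificate trust cell changes from "No longer supported by the industry ..." to "Windows 10 provides enterprise certificate pinning" with no link, while the NullPage and Heap spray cells in the same hunk gain a "See [Mitigate threats by using Windows 10 security features]" pointer; give the pinning claim the same treatment by linking to the enterprise certificate pinning topic, since that is the EMET feature a migrating admin is most likely to look for. The new Heap spray cell is a comma splice ("Ineffective against newer browser-based exploits, newer mitigations provide better protection"); use a semicolon or split it into two sentences.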
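Review bot: in the `@@ -115,12 +123,11 @@` hunk, the rewritten note does not parse: "are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default" needs a break in place of "which", for example "The Advanced ROP mitigations available in EMET are superseded by ACG in Windows 10; the other EMET advanced settings are enabled by default in Windows Defender Exploit Guard when the anti-ROP mitigations are enabled for a process." The link text "Mitigation threats by using Windows 10 security features" should read "Mitigate threats ..." to match the title used for the same link in the `@@ -92` hunk, and "See the [...]" should drop "the". The text being removed also told readers which EMET options ("Memory protection checks", "Load library checks") correspond to which Exploit Guard mitigation; keep that mapping in some form, since it is the detail an EMET admin needs when translating a configuration.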
@@ -131,59 +138,3 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check - [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) -## Table A-Z mitigations - -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] - - -# Table WDEG yes > EMET no > Emet > yes - -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark 
no](images/svg/check-no.md)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Heap spray allocation | Ineffective against modern browser exploits, newer mitigations provide better protection | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | No longer supported by the industry as newer mitigations provide better protection with fewer errors | [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10 | [!include[Check mark yes](images/svg/check-yes.md)] -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" From 20620bd6491bce01e66343755b60b7d7a76461aa Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 12:55:49 -0800 Subject: [PATCH 08/15] tweaks --- .../deploy-windows-defender-antivirus.md | 2 +- .../emet-exploit-protection-exploit-guard.md | 10 +++++----- .../windows-defender-exploit-guard.md | 2 ++ 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index adf719ad5b..870f520d63 100644 --- a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -33,7 +33,7 @@ See the table in the [Deploy, manage, and report on Windows Defender AV](deploy- Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments. -The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV ion virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). +The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). ## Related topics diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 7c30cde7a7..84c67be1f8 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
+++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -67,9 +67,9 @@ User interface | Modern interface integrated with the [Windows Defender Security Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Throughout the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.md)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.md)]
No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations -Attack surface reduction | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) -Network protection | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available -Controlled folder access | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available +Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) +Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available +Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Requires installation and use of EMET tool Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.md)]
Available Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.md)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.md)]
Requires use of EMET tool (EMET_CONF) @@ -80,9 +80,9 @@ Audit mode | [!include[Check mark yes](images/svg/check-yes.md)]
[Full aud -([1](#ref1)) Support coming in December 2017. Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). - +([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). +([1](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 29fbde030a..0384bb51f1 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
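Review bot: the footnote added in the @@ -80,9 +80,9 @@ hunk of emet-exploit-protection-exploit-guard.md is labelled `([1](#ref2-1))`, but the rows added in the @@ -67,9 +67,9 @@ hunk above (Attack surface reduction, Network protection, Controlled folder access) reference it as `[[2](#fn2)]`, so the page ends up with two footnotes numbered 1 and no footnote 2. Renumber it to `([2](#ref2-1))` and make sure an anchor with id `fn2` exists beside the footnote so the three table links resolve; the existing footnote pairs `#fn1` with `#ref1`, and the new one should follow the same id convention rather than introducing `ref2-1`. PATCH 10/15 later in this series fixes the number, so squashing that fix into this commit would keep the intermediate state buildable.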
@@ -54,6 +54,8 @@ Windows Defender EG can be managed and reported on in the Windows Defender Secur You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +## Requirements + Each of the features in Windows Defender EG have slightly different requirements: Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) From e1936c2ec38d9f1e7a093bf190580a0912a3d2b8 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 13:29:47 -0800 Subject: [PATCH 09/15] sln add --- .gitignore | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index a39f55da7b..f774b7e22a 100644 --- a/.gitignore +++ b/.gitignore @@ -11,5 +11,8 @@ Tools/NuGet/ .openpublishing.buildcore.ps1 packages.config -# User-specific files +# User-specific files .vs/ +wdav-pm-sln.csproj +wdav-pm-sln.csproj.user +wdav-pm-sln.sln From e560ebc59aece91ebb45e63aad872bcc942f4ae2 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 14:03:11 -0800 Subject: [PATCH 10/15] flight updates --- .../emet-exploit-protection-exploit-guard.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index c57d33a887..3132ef677b 100644 
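Review bot: the sentence directly under the new `## Requirements` heading in the windows-defender-exploit-guard.md hunk has a subject-verb error, `Each of the features in Windows Defender EG have slightly different requirements`; since the heading is being inserted right above it, fix it in the same hunk to `Each of the features in Windows Defender EG has slightly different requirements`. The `#requirements` link added in the emet topic footnote in this patch points at this heading, so its text needs to stay exactly `Requirements` for that anchor to resolve.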
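Review bot: the .gitignore hunk hardcodes three filenames (`wdav-pm-sln.csproj`, `wdav-pm-sln.csproj.user`, `wdav-pm-sln.sln`) for what the commit message describes as a personal solution file; under the `# User-specific files` comment a pattern such as `*.sln`, `*.csproj` and `*.csproj.user` would cover the next contributor's scratch solution as well, unless the docs repo deliberately tracks a project file somewhere. The `-# User-specific files` / `+# User-specific files` pair is identical as shown, which suggests a whitespace-only or line-ending change; drop it so the diff stays minimal.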
--- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -1,6 +1,6 @@ --- title: Compare the features in Exploit protection with EMET -keywords: emet, enhanced mitigation experience toolkit, configuration, exploit +keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 10/16/2017 +ms.date: 12/12/2017 --- 
@@ -38,11 +38,11 @@ ms.date: 10/16/2017 This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard. - In Windows 10, version 1709 (also known as the Fall Creators Update), we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. + In Windows 10, version 1709 (also known as the Fall Creators Update) we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits. Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. - EMET is a stand-alone product that is available on earlier versions of Windows and provides a number of system- and app-based mitigations against known exploit techniques. + EMET is a stand-alone product that is available on earlier versions of Windows and provides some mitigation against older, known exploit techniques. After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it. @@ -64,7 +64,7 @@ This topic describes the differences between the Enhance Mitigation Experience T Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Throughout the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 +Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.md)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.md)]
No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) @@ -82,7 +82,7 @@ Audit mode | [!include[Check mark yes](images/svg/check-yes.md)]
[Full aud ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). -([1](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. +([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. @@ -107,7 +107,7 @@ Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/che Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation | Ineffective against newer browser-based exploits, newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.md)] +Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.md)] Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] From fed56eb9512b5a0cc7401eea875bfb95ad420d75 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 14:08:22 -0800 Subject: [PATCH 11/15] update dates --- .../deploy-windows-defender-antivirus.md | 2 +- .../manage-updates-baselines-windows-defender-antivirus.md | 2 +- .../use-powershell-cmdlets-windows-defender-antivirus.md | 2 +- .../customize-exploit-protection.md | 2 +- .../windows-defender-exploit-guard/enable-exploit-protection.md | 2 +- .../windows-defender-exploit-guard/event-views-exploit-guard.md | 2 +- .../exploit-protection-exploit-guard.md | 2 +- .../windows-defender-exploit-guard.md | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index fdcdcb97ec..9984525b5e 100644 --- a/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 08/26/2017 +ms.date: 12/12/2017 --- # Deploy and enable Windows Defender Antivirus 
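Review bot: the @@ -38,11 +38,11 @@ hunk of emet-exploit-protection-exploit-guard.md rewords the EMET description but leaves the typo in the unchanged line above it, `Enhance Mitigation Experience Toolkit (EMET)`; it should read `Enhanced Mitigation Experience Toolkit`, and for a topic whose whole purpose is comparing against EMET the product name is worth fixing in the same change. The reworded line also drops the information that EMET offers both system- and app-based mitigations; `provides some mitigation against older, known exploit techniques` is vaguer than the text it replaces, so consider keeping the distinction, for example `provides a limited set of system- and app-based mitigations against older, known exploit techniques`, which matches the `Limited set of mitigations` cell in the table below.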
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index c55f4f356f..d282a66fb9 100644 --- a/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 08/26/2017 +ms.date: 12/12/2017 --- # Manage Windows Defender Antivirus updates and apply baselines diff --git a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 68b10f1053..7f32a7cfe9 100644 --- a/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 08/26/2017 +ms.date: 12/12/2017 --- # Use PowerShell cmdlets to configure and manage Windows Defender AV diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 54601705d6..e90bca3ad4 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
@@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/30/2017 +ms.date: 12/12/2017 --- # Customize Exploit protection diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 033343f294..5202626b3f 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 10/16/2017 +ms.date: 12/12/2017 --- diff --git a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 46c5d188bb..687dea2866 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.date: 10/16/2017 +ms.date: 12/12/2017 localizationpriority: medium author: iaanw ms.author: iawilt diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 8123d72d9e..2f006c0140 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/20/2017 +ms.date: 12/12/2017 --- 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 92202f1307..29e9b9c68f 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/20/2017 +ms.date: 12/12/2017 --- From 723cf1580d4c67d3f68ae39cd4d0355cfb8fc45c Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 14:12:38 -0800 Subject: [PATCH 12/15] update dates --- .../audit-windows-defender-exploit-guard.md | 2 +- .../collect-cab-files-exploit-guard-submission.md | 2 +- .../windows-defender-exploit-guard/troubleshoot-asr.md | 2 +- .../windows-defender-exploit-guard/troubleshoot-np.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index f6f7ed7354..f3646e3018 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/20/2017 +ms.date: 12/12/2017 --- diff --git a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index c1370393e5..f63116481c 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
+++ b/windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/01/2017 +ms.date: 12/12/2017 --- # Collect diagnostic data for Windows Defender Exploit Guard file submissions diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index cf7916a5c3..17d4105837 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/01/2017 +ms.date: 12/12/2017 --- # Troubleshoot Attack surface reduction rules diff --git a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 2616bba67b..bb99de7665 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 11/02/2017 +ms.date: 12/12/2017 --- # Troubleshoot Network protection From 60c07e01b8575bcf923c1a583ebb3e51721e2874 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 14:20:25 -0800 Subject: [PATCH 13/15] policheck changes --- .../customize-controlled-folders-exploit-guard.md | 12 ++++++------ .../windows-defender-exploit-guard.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) 
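Review bot: the ms.date hunks in PATCH 11/15 and PATCH 12/15 bump twelve topics to 12/12/2017, and for several of them (manage-updates-baselines-windows-defender-antivirus.md, audit-windows-defender-exploit-guard.md, collect-cab-files-exploit-guard-submission.md, troubleshoot-asr.md, troubleshoot-np.md) these two patches carry no accompanying content change. ms.date is surfaced to readers as the last-reviewed date of the topic, so either confirm those topics were actually re-reviewed for this release or limit the bump to the files whose body changes elsewhere in the series.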
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 8f3c3bfd49..0d8c59314c 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -130,9 +130,9 @@ You can specify if certain apps should always be considered safe and given write You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders. -When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the whitelist and may be blocked by Controlled folder access. +When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by Controlled folder access. -### Use the Windows Defender Security app to whitelist specific apps +### Use the Windows Defender Security app to allow specific apps 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. 
@@ -146,7 +146,7 @@ When you add an app, you have to specify the app's location. Only the app in tha ![Screenshot of the add an allowed app button](images/cfa-allow-app.png) -### Use Group Policy to whitelist specific apps +### Use Group Policy to allow specific apps 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -160,13 +160,13 @@ When you add an app, you have to specify the app's location. Only the app in tha -### Use PowerShell to whitelist specific apps +### Use PowerShell to allow specific apps 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell - Add-MpPreference -ControlledFolderAccessAllowedApplications "" + Add-MpPreference -ControlledFolderAccessAllowedApplications "" ``` For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows: @@ -186,7 +186,7 @@ Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to -### Use MDM CSPs to whitelist specific apps +### Use MDM CSPs to allow specific apps Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 29e9b9c68f..817038ca1c 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
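Review bot: in the @@ -160,13 +160,13 @@ hunk of customize-controlled-folders-exploit-guard.md the line `Add-MpPreference -ControlledFolderAccessAllowedApplications ""` is removed and re-added with an empty string as the argument in both versions, so the change is invisible here and the example gives the reader nothing to fill in; put a visible placeholder inside the quotes (the full path to the executable, consistent with the `C:\apps\test.exe` example that follows) and, if the placeholder uses angle brackets, escape them so the Markdown renderer does not swallow it as a tag. The whitelist to allow list rename is applied consistently across the four headings and the body text, and the new sentence correctly keeps the point that the allow entry is path-specific.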
@@ -35,7 +35,7 @@ There are four features in Windows Defender EG: - [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps - [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware -- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization's devices +- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices - [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware From 1101b45212bbbe5e64a2282e31048d8c4cadfb09 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 14:22:27 -0800 Subject: [PATCH 14/15] update to svg (instead of md) --- .../emet-exploit-protection-exploit-guard.md | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index 3132ef677b..6c15c1d3d2 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md 
@@ -61,22 +61,22 @@ This topic describes the differences between the Enhance Mitigation Experience T   | Windows Defender Exploit Guard | EMET -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.md)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.md)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later +Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
Windows 8.1; Windows 8; Windows 7
Cannot be installed on Windows 10, version 1709 and later Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
(no additional installation required)
Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.md)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.md)]
Ends after July 31, 2018 -Updates | [!include[Check mark yes](images/svg/check-yes.md)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.md)]
No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.md)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.md)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Requires installation and use of EMET tool -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.md)]
Available -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.md)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.md)]
Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.md)]
Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.md)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.md)]
Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.md)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.md)]
Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.md)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.md)]
Limited to EAF, EAF+, and anti-ROP mitigations +Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
[Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
[Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
Ends after July 31, 2018 +Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
No planned updates or development +Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
[Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited set of mitigations +Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
[Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited ruleset configuration only for modules (no processes) +Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
[Helps protect important folders](controlled-folders-exploit-guard.md)
[Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires installation and use of EMET tool +Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
Available +Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
Requires use of EMET tool (EMET_CONF) +System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
[Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
Not available +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
Limited Windows event log monitoring +Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
Limited to EAF, EAF+, and anti-ROP mitigations @@ -94,29 +94,29 @@ The table in this section indicates the availability and support of native mitig Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)]
As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.md)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.md)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.md)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.md)] -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Memory Protection Check" +Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] +Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] From e77fb78655938d15d531a7d15a684eba2cba775f Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Tue, 12 Dec 2017 14:23:47 -0800 Subject: [PATCH 15/15] fix build errors (note lines) --- .../customize-exploit-protection.md | 3 ++- .../enable-exploit-protection.md | 3 ++- .../exploit-protection-exploit-guard.md | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) 
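Review bot: In the first hunk of the comparison table (the `Supportability` through `Audit mode` block) the EMET cell of the `Audit mode` row carries `[!include[Check mark no](images/svg/check-no.svg)]` but is qualified with `Limited to EAF, EAF+, and anti-ROP mitigations`, which describes partial support, not absence; the `Reporting` row handles the same situation with a `Check mark yes` plus a `Limited Windows event log monitoring` qualifier, so either switch the Audit mode cell to `check-yes.svg` and keep the qualifier, or keep the no-mark and drop the qualifier. Separately, the removed and added lines in this hunk differ only in the include target moving from `images/svg/check-yes.md` / `check-no.md` to `check-yes.svg` / `check-no.svg`, and the hunk does not add those SVG files; confirm they exist at that path and that the site build resolves an `[!include]` whose target is an `.svg`, since otherwise every check mark in the table renders as a broken include.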
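Review bot: In the `@@ -94,29 +94,29 @@` mitigation table hunk, the `Heap spray allocation` and `Certificate trust (configurable certificate pinning)` rows replace the Exploit Guard check mark with prose (`Ineffective against newer browser-based exploits; ...` and `Windows 10 provides enterprise certificate pinning`), while every other row puts a `check-yes.svg` or `check-no.svg` include in that column; under a header that reads `Available in Windows Defender Exploit Guard` a reader scanning the marks will take those two cells as blank, so put a `[!include[Check mark no](images/svg/check-no.svg)]` in front of the explanatory text, as the `NullPage Security Mitigation` row already does with `check-yes.svg` followed by `Included natively in Windows 10`. Also, several cells in this hunk continue onto a second line (`As "Memory Protection Check"`, `As "Load Library Check"`, the `See [Mitigate threats by using Windows 10 security features]` lines); unless those continuation lines are joined to their cell with `<br>`, which is not visible in the hunk, the pipe table ends at the first of them, so check the rendered page.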
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index e90bca3ad4..1aba2357ef 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -45,7 +45,8 @@ You configure these settings using the Windows Defender Security Center on an in It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). ->[!WARNING] Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>[!WARNING] +>Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. ## Exploit protection mitigations diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 5202626b3f..1f24f048fe 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md 
@@ -56,7 +56,8 @@ You can also set mitigations to audit mode. Audit mode allows you to test how th For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). ->[!WARNING] Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>[!WARNING] +>Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. You can also convert an existing EMET configuration file (in XML format) and import it into Exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. diff --git a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 2f006c0140..a260bf90d4 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md 
@@ -58,7 +58,8 @@ Exploit protection works best with [Windows Defender Advanced Threat Protection] >[!IMPORTANT] >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. ->[!WARNING] Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>[!WARNING] +>Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. ## Requirements
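Review bot: The three hunks in this patch (`customize-exploit-protection.md` at `@@ -45,7 +45,8 @@`, `enable-exploit-protection.md` at `@@ -56,7 +56,8 @@`, `exploit-protection-exploit-guard.md` at `@@ -58,7 +58,8 @@`) leave the same `>[!WARNING]` paragraph about testing Exploit protection in audit mode copied verbatim into three files; the fix itself is right (the `[!WARNING]` marker has to stand alone on its quoted line, which is the form the unchanged `>[!IMPORTANT]` block just above the third hunk already uses), but moving the paragraph into a shared include consumed with the repo's `[!include[...]]` syntax would turn the next wording change into a one-file edit and stop the three copies drifting apart.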