Merge pull request #8930 from illfated/patch-5

Update enable-exploit-protection.md
2025-06-15 18:33:43 +00:00 · 2021-01-08 09:46:55 -08:00
parent 91d1516915 f556d65b44
commit f2dbe084b5
1 changed files with 38 additions and 41 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@ -31,13 +31,12 @@ manager: dansimp
 Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.

 You can enable each mitigation separately by using any of these methods:   
-
-* [Windows Security app](#windows-security-app)
-* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [Windows Security app](#windows-security-app)
+- [Microsoft Intune](#intune)
+- [Mobile Device Management (MDM)](#mdm)
+- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)

 Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.

@ -47,7 +46,7 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au

 ## Windows Security app

-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Security**.

 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.

@ -160,11 +159,8 @@ Get-ProcessMitigation -Name processName.exe

 > [!IMPORTANT]
 > System-level mitigations that have not been configured will show a status of `NOTSET`.
->
-> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
->
-> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
->
+> - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
+> - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
 > The default setting for each system-level mitigation can be seen in the Windows Security.

 Use `Set` to configure each mitigation in the following format:
@ -207,31 +203,31 @@ If you need to restore the mitigation back to the system default, you need to in
 Set-Processmitigation -Name test.exe -Remove -Disable DEP
 ```

-This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation.
+This table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters.

-|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet |
-|:---|:---|:---|:---|
-|Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available |
-|Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available |
-|Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocateImages  | Audit not available |
-|Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
-|Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available
-|Validate heap integrity | System and app-level |   TerminateOnHeapError  | Audit not available
-|Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode
-|Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad
-|Block remote images | App-level only |   BlockRemoteImages  | Audit not available
-|Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly
-|Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned
-|Disable extension points | App-level only |   ExtensionPoint  | Audit not available
-|Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall
-|Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess
-|Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-|Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-|Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-|Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
-|Validate handle usage | App-level only |   StrictHandle  | Audit not available |
-|Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available |
-|Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter |
+| :-------------- | :--------- | :---------------------------------- | :-------------------------- |
+| Control flow guard (CFG) | System and app-level |   CFG,   StrictCFG,   SuppressExports  | Audit not available |
+| Data Execution Prevention (DEP) | System and app-level |   DEP,   EmulateAtlThunks  | Audit not available |
+| Force randomization for images (Mandatory ASLR) | System and app-level |   ForceRelocateImages  | Audit not available |
+| Randomize memory allocations (Bottom-Up ASLR) | System and app-level |   BottomUp,   HighEntropy  | Audit not available
+| Validate exception chains (SEHOP) | System and app-level |   SEHOP,   SEHOPTelemetry  | Audit not available |
+| Validate heap integrity | System and app-level |   TerminateOnError  | Audit not available |
+| Arbitrary code guard (ACG) | App-level only |   DynamicCode  |   AuditDynamicCode |
+| Block low integrity images | App-level only |   BlockLowLabel  |   AuditImageLoad |
+| Block remote images | App-level only |   BlockRemoteImages  | Audit not available |
+| Block untrusted fonts | App-level only |   DisableNonSystemFonts  |   AuditFont,   FontAuditOnly |
+| Code integrity guard | App-level only |   BlockNonMicrosoftSigned,   AllowStoreSigned  |   AuditMicrosoftSigned,   AuditStoreSigned |
+| Disable extension points | App-level only |   ExtensionPoint  | Audit not available |
+| Disable Win32k system calls | App-level only |   DisableWin32kSystemCalls  |   AuditSystemCall |
+| Do not allow child processes | App-level only |   DisallowChildProcessCreation  |   AuditChildProcess |
+| Export address filtering (EAF) | App-level only |   EnableExportAddressFilterPlus,   EnableExportAddressFilter  <a href="#r1" id="t1">\[1\]</a> | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Import address filtering (IAF) | App-level only |   EnableImportAddressFilter  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Simulate execution (SimExec) | App-level only |   EnableRopSimExec  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Validate API invocation (CallerCheck) | App-level only |   EnableRopCallerCheck  | Audit not available<a href="#r2" id="t2">\[2\]</a> |
+| Validate handle usage | App-level only |   StrictHandle  | Audit not available |
+| Validate image dependency integrity | App-level only |   EnforceModuleDepencySigning  | Audit not available |
+| Validate stack integrity (StackPivot) | App-level only |   EnableRopStackPivot  | Audit not available<a href="#r2" id="t2">\[2\]</a> |

 <a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:

@ -239,6 +235,7 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that
 Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll
 ```
 <a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via Powershell cmdlets.
+
 ## Customize the notification

 See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.