diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index ea057afc07..4cc8d86d0a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic +ms.date: 03/29/2019 --- # Enable controlled folder access @@ -21,11 +22,15 @@ ms.author: v-anbic [Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). +You can enable controlled folder access by using any of the these methods: -## Enable and audit controlled folder access +- Windows Security app +- Intune +- MDM +- Group Policy +- PowerShell cmdlets -You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. + Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. >[!NOTE] >The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**. @@ -38,7 +43,7 @@ You can enable controlled folder access with the Security Center app, Group Poli >- System Center Endpoint Protection **Allow users to add exclusions and overrides** >For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). -## Windows Security app to enable controlled folder access +## Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -46,8 +51,23 @@ You can enable controlled folder access with the Security Center app, Group Poli 3. Set the switch for **Controlled folder access** to **On**. +## Intune -### Use Group Policy to enable Controlled folder access +1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. +1. Click **Device configuration** > **Profiles** > **Create profile**. +1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. +1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. + ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) +1. Click **OK** to save each open blade and click **Create**. +1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. + +## MDM + +Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. + +## Group Policy 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -65,7 +85,7 @@ You can enable controlled folder access with the Security Center app, Group Poli >[!IMPORTANT] >To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. -### Use PowerShell to enable controlled folder access +## PowerShell 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. @@ -79,10 +99,6 @@ You can enable the feature in audit mode by specifying `AuditMode` instead of `E Use `Disabled` to turn the feature off. -### Use MDM CSPs to enable controlled folder access - -Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. - ## Related topics - [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index 735512dd8a..86f640ad6f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/26/2019 +ms.date: 03/29/2019 --- # Enable exploit protection @@ -126,6 +126,14 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Group Policy +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. + +6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. + ## PowerShell You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png index 6b078ec9d5..d3978e90d9 100644 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png and b/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png new file mode 100644 index 0000000000..ddf0ca23e9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png new file mode 100644 index 0000000000..7401e1e87f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png new file mode 100644 index 0000000000..f8e4dc98d1 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png differ