windows-itpro-docs/windows/client-management/mdm/policy-csp-exploitguard.md

title: Policy CSP - ExploitGuard
description: Policy CSP - ExploitGuard
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/29/2017

Policy CSP - ExploitGuard

Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

ExploitGuard/ExploitProtectionSettings

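| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|---|---|---|---|---|---|---|
| check mark<sup>3</sup> | check mark<sup>3</sup> | check mark<sup>3</sup> | check mark<sup>3</sup> | check mark<sup>3</sup> | cross mark | cross mark |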

Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented as XML. For more information about Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).

The system settings require a reboot; the application settings do not require a reboot.

Here is an example:

```xml
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Replace>
      <CmdID>$CmdId$</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
        </Meta>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings</LocURI>
        </Target>
        <Data><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <SystemConfig><SEHOP Audit="true" /></SystemConfig>
  <AppConfig Executable="iexplore.exe"><ImageLoad AuditImageLoad="true" /><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="wordpad.exe"><DynamicCode Audit="true" /><SignedBinaries Audit="true" AuditStoreSigned="false" /><ImageLoad AuditImageLoad="true" /><ChildProcess Audit="true" /><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="notepad.exe"><DynamicCode Audit="true" /><SignedBinaries Audit="true" AuditStoreSigned="false" /><ImageLoad AuditImageLoad="true" /><ChildProcess Audit="true" /><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="outlook.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="winword.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="excel.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="powerpnt.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="AcroRd32.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="Acrobat.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="fltldr.exe"><DynamicCode Audit="true" /><ImageLoad AuditImageLoad="true" /><ChildProcess Audit="true" /><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="RuntimeBroker.exe"><ImageLoad AuditImageLoad="true" /><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="SearchIndexer.exe"><DynamicCode Audit="true" /><SignedBinaries Audit="true" AuditStoreSigned="false" /><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="java.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="javaws.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="javaw.exe"><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
  <AppConfig Executable="EpSelfhostV1.exe"><DynamicCode Audit="true" /><ImageLoad AuditImageLoad="true" /><ChildProcess Audit="true" /><Payload AuditEnableExportAddressFilter="true" AuditEnableExportAddressFilterPlus="true" AuditEnableImportAddressFilter="true" AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" AuditEnableRopSimExec="true" /></AppConfig>
</MitigationPolicy>]]></Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>
```
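Because the policy travels as XML text inside a CDATA section, the outer SyncML can parse cleanly while the embedded `MitigationPolicy` is malformed, for example when attributes are not separated by whitespace. The following pre-deployment check is an added example, not Microsoft's code; `summarize_policy`, `wrap` and both sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s": "SYNCML:SYNCML1.1"}
LOC_URI = "./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings"

def summarize_policy(syncml_text):
    """Parse the SyncML, then the policy XML carried in <Data>; return (system, apps)."""
    root = ET.fromstring(syncml_text)
    for item in root.iterfind(".//s:Item", NS):
        uri = item.findtext("s:Target/s:LocURI", default="", namespaces=NS)
        if uri.strip() == LOC_URI:
            break
    else:
        raise ValueError("no Item targets " + LOC_URI)
    payload = item.findtext("s:Data", default="", namespaces=NS)
    try:
        # Not stripped on purpose: the XML declaration must come first in the payload.
        policy = ET.fromstring(payload)
    except ET.ParseError as exc:
        raise ValueError(f"embedded policy is not well-formed: {exc}") from exc
    if policy.tag != "MitigationPolicy":
        raise ValueError("unexpected root element: " + policy.tag)
    # Map each mitigation element to its attributes, per scope.
    system = {m.tag: dict(m.attrib) for m in policy.findall("SystemConfig/*")}
    apps = {a.get("Executable"): {m.tag: dict(m.attrib) for m in a}
            for a in policy.findall("AppConfig")}
    return system, apps

def wrap(policy_xml):
    """Build a SyncML Replace command shaped like the page's example (constructed)."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<SyncML xmlns="SYNCML:SYNCML1.1"><SyncBody><Replace><CmdID>1</CmdID>'
            '<Item><Meta><Format>chr</Format><Type>text/plain</Type></Meta>'
            f'<Target><LocURI>{LOC_URI}</LocURI></Target>'
            f'<Data><![CDATA[{policy_xml}]]></Data></Item></Replace>'
            '<Final/></SyncBody></SyncML>')

# Constructed sample policies: one well-formed, one with two attributes run together.
GOOD_POLICY = ('<?xml version="1.0" encoding="UTF-8"?><MitigationPolicy>'
               '<SystemConfig><SEHOP Audit="true" /></SystemConfig>'
               '<AppConfig Executable="notepad.exe"><DynamicCode Audit="true" />'
               '<Payload AuditEnableRopStackPivot="true" AuditEnableRopCallerCheck="true" />'
               '</AppConfig></MitigationPolicy>')
BAD_POLICY = GOOD_POLICY.replace('" AuditEnableRopCallerCheck', '"AuditEnableRopCallerCheck')

if __name__ == "__main__":
    print(summarize_policy(wrap(GOOD_POLICY)))
```

Running the check on a payload before it is pushed shows exactly which executables and mitigations the device would receive, and surfaces parse errors that the outer SyncML hides.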


Footnote:

  • 1 - Added in Windows 10, version 1607.
  • 2 - Added in Windows 10, version 1703.
  • 3 - Added in Windows 10, version 1709.