mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-24 23:03:42 +00:00
96 lines
4.3 KiB
Markdown
96 lines
4.3 KiB
Markdown
---
|
||
title: Turn on the protected folders feature in Windows 10
|
||
keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use
|
||
description: Learn how to protect your important files by enabling Controlled Folder Access
|
||
search.product: eADQiWindows 10XVcnh
|
||
ms.pagetype: security
|
||
ms.prod: w10
|
||
ms.mktglfcycl: manage
|
||
ms.sitesec: library
|
||
ms.pagetype: security
|
||
localizationpriority: medium
|
||
author: iaanw
|
||
ms.author: iawilt
|
||
---
|
||
|
||
|
||
|
||
# Import, export, and deploy Exploit Protection configurations
|
||
|
||
|
||
**Applies to:**
|
||
|
||
- Windows 10 Insider Preview
|
||
|
||
**Audience**
|
||
|
||
- Enterprise security administrators
|
||
|
||
|
||
**Manageability available with**
|
||
|
||
- Windows Defender Security Center app
|
||
- Group Policy
|
||
- PowerShell
|
||
- Configuration service providers for mobile device management
|
||
|
||
|
||
|
||
|
||
### Managing exploit protection through Group Policy
|
||
1. Launch Group Policy Management Console (gpmc.msc) and from within and existing or new GPO navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Exploit Guard\Exploit Protection** and open the policy named *Use a common set of exploit protection settings*.
|
||
2. Enable the setting as seen below and point to an accessible location for the client machines to the recently created XML.
|
||
3. Apply the new GP to targeted machines by direction OU membership, Security Group or WMI filter.
|
||
|
||
- Manually configure a device's system and application mitigation settings using the *Set-ProcessMitigation* PowerShell cmdlet, the *ConvertTo-ProcessMitigationPolicy* PowerShell cmdlet, or directly in the Windows Defender Security Center
|
||
>
|
||
> Note: Endpoints that have this GP setting set to **Enabled** must be able to access the XML file, otherwise the settings will not be applied.
|
||
- Generate an XML file with the settings from the device by running the *Get-ProcessMitigation* PowerShell cmdlet or using the **Export** button at the bottom of the **Exploit Protection** area in the Windows Defender Security Center.
|
||
- Place the generated XML file in a shared or local path.
|
||
|
||
|
||
### Converting and Applying an EMET config:
|
||
1. Export the existing EMET configuration. This can be done from the "Export" button in the GUI, or by running the command: **emet_conf.exe <20>export emetConfig.xml**
|
||
2. In an elevated PowerShell window, convert the exported configuration with: **ConvertTo-ProcessMitigationPolicy -EMETFilePath emetConfig.xml -OutputFilePath win10Config.xml**
|
||
3. Note that this may give you some warnings, but these should be safe to ignore.
|
||
4. Apply the new configuration: from an elevated PowerShell window run **Set-ProcessMitigation -RegistryConfigFilePath win10Config.xml **
|
||
5. From here you can check or edit the settings in the new interface in the Windows Defender Security Center or with **Get-ProcessMitigation** (this command by itself will output the entire current state of the mitigations to the shell), and **Set-ProcessMitigation** respectively.
|
||
|
||
#### Group policy
|
||
|
||
The Exploit Protection feature can be configured with the following Group Policy details:
|
||
- Location: \Microsoft\Windows Defender Exploit Guard\Exploit Protection
|
||
- Name: Use a common set of Exploit Protection settings
|
||
- Values: **Enabled**: Specify the location of the XML file in the Options section. You can use a local (or mapped) path, a UNC path, or a URL, such as the following:
|
||
-- C:\MitigationSettings\Config.XML
|
||
-- \\Server\Share\Config.xml
|
||
-- https://localhost:8080/Config.xml
|
||
|
||
The settings in the XML file will be applied to the endpoint.
|
||
|
||
**Disabled:** Common settings will not be applied, and the locally configured settings will be used instead.
|
||
|
||
**Not configured:** Same as **Disabled**.
|
||
|
||
### Export system-level mitigations
|
||
|
||
|
||
|
||
### Import system-level mitigations
|
||
|
||
**Use the Windows Defender Security app to import system-level mitigations:**
|
||
|
||
|
||
|
||
**Use Group Policy to import and deploy system-level mitigations:**
|
||
|
||
|
||
|
||
## Related topics
|
||
|
||
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
|
||
- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
|
||
- [Evaluate Exploit Protection](evaluate-exploit-protection.md)
|
||
- [Enable Exploit Protection](enable-exploit-protection.md)
|
||
- [Configure and audit Exploit Protection mitigations](customize-exploit-protection.md)
|