What Is Microsoft Defender Exploit Guard And How To Configure It

Previously, we have talked about the Microsoft Defender Application Guard and how it can be used to keep your computer safe from cyber threats. Today, we will be discussing another safety feature of Microsoft Defender, which is the “Exploit Guard.”

Exploit Guard, as the name suggests, protects your computer from being exploited by online threats and malware. Several components make up Exploit Guard, but today we will be discussing “Network Protection,” which can be used either to notify a user when they access a malicious or untrusted site/domain from a web browser, or to block that access completely.

If you want your computer to be safe and do not want anyone who uses your computer to infect it with a virus, dive deep into the details and the configurations needed to configure Exploit Guard Network Protection.

Note: This article focuses on Windows client PCs, but Exploit Guard Network Protection can also be configured on Windows Server once it has been explicitly allowed there.

What is Microsoft Defender Exploit Guard

Microsoft Defender Exploit Guard uses a number of defense mechanisms to fend off malware and phishing scams. Controlled folder access, attack surface reduction, and network protection are the three components of Microsoft Defender Exploit Guard discussed here.

One of the components of Exploit Guard is Network Protection. This feature is somewhat similar to SmartScreen. Like Network Protection, SmartScreen also protects a user against phishing scams and against IP addresses or websites known to host malware. However, SmartScreen is limited to the Microsoft Edge browser.

On the other hand, Network Protection applies system-wide, across all browsers and apps. Network Protection can be configured in one of two modes:

  • Only prompt a user when a domain or IP address is malicious.
  • Block the user from accessing it completely.

That said, Microsoft Defender Exploit Guard cannot be configured from the Settings app or the Windows Security app. Instead, it can only be configured using Group Policy or Windows PowerShell.

Additionally, your system must meet the following requirements for the Exploit Guard to be configured:

  • Windows edition must be Professional or Enterprise
  • Windows 10 or 11 is required
  • Windows Defender Antivirus real-time protection and cloud-based protection must be enabled
  • PC must be able to communicate with “smartscreen.microsoft.com” and “smartscreen-prod.microsoft.com”

To check your OS version and edition, type in “winver” in the Run Command box.

You can enable real-time and cloud-delivered protection at the following location:

Settings app >> Privacy & security >> Windows Security >> Virus & threat protection >> Manage settings (under Virus & threat protection settings)
Enable real-time and cloud-delivered protection

Once the requirements are met, let us discuss the two methods to configure Exploit Guard Network Protection.

Configure Exploit Guard Network Protection

Configure Exploit Guard Network Protection using Group Policy

Using the Windows Group Policies, you can configure Network Protection for both Windows client computers as well as Servers. Follow these steps to configure the feature for Windows client computers:

  1. Open the Group Policy editor by typing in “gpedit.msc” in the Run Command box.

    Open the Group Policy editor
  2. Navigate to the following from the left pane:

    Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Microsoft Defender Exploit Guard >> Network Protection
  3. Open the policy “Prevent users and apps from accessing dangerous websites.”

    Open Network Protection policy for Windows client PC
  4. Select the “Enabled” radio button, and then select either of the following options from the drop-down menu in the Options section:

    • Block – The user won’t be permitted to access the website
    • Audit Mode – The user will be notified of the danger and can choose to exit or continue to the website
    Configure the Network Protection policy to Audit or Block
  5. Once you have selected the mode, click Apply and then OK.

  6. Now run the following command in an elevated Command Prompt to enforce the policy changes:

    GPUpdate /Force
    Enforce policy changes

Windows Defender Exploit Guard will now be configured for Network Protection. You will either be prompted when accessing a malicious website, or it will be blocked, depending on what you chose in Step 4 above.

If you want to configure Network Protection on Windows Server 2016 or later, then you must enable the policy “This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server” instead.

Policy to configure Network Protection on Windows Server

Configure Exploit Guard Network Protection using PowerShell

Managing Network Protection using Windows PowerShell gives more control to the administrators as it allows them to manage the different features individually.

Note: All of the following commands and steps are to be performed in an elevated PowerShell instance.

Let us start by checking the current status of the Network Protection feature. This can be done by running the following cmdlet in PowerShell:

Get-MpPreference | select *NetworkProtection* | Format-List
Check Exploit Guard’s status using PowerShell

The image above shows that Network Protection is disabled. More importantly, it also shows 4 different attributes. Here is what these different attributes stand for:

  • AllowNetworkProtectionDownLevel – Used on Windows 10 1809 and older, is now obsolete
  • AllowNetworkProtectionOnWinServer – Allows Network Protection to be configured on Windows Server
  • DisableNetworkProtectionPerfTelemetry – Controls whether anonymized performance data about the monitored connections is sent to Microsoft; setting it to true turns that telemetry off
  • EnableNetworkProtection – Tells the status of the Network Protection feature

Now that we understand what these attributes are, you can use the following command to configure Network Protection’s attributes for different behaviors:

  • To enable Network Protection and block malicious websites:

    Set-MpPreference -EnableNetworkProtection Enabled
  • To enable Network Protection in audit mode:

    Set-MpPreference -EnableNetworkProtection AuditMode
  • To disable Network Protection:

    Set-MpPreference -EnableNetworkProtection Disabled
  • To allow Network Protection to be configured on Windows Server:

    Set-MpPreference -AllowNetworkProtectionOnWinServer $true

    Replace “true” with “false” to disallow it.

  • To disable performance telemetry:

    Set-MpPreference -DisableNetworkProtectionPerfTelemetry $true

    Replace “true” with “false” to re-enable telemetry (the default).

Configure Exploit Guard Network Protection using PowerShell
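The following script is an added example, not code from the original article. It ties the prerequisites and the PowerShell steps above together: it checks the prerequisites, sets the mode, and then pulls the Network Protection events from the Defender Operational log so you can verify that either the Group Policy or the PowerShell configuration is actually firing. It assumes an elevated PowerShell session on a machine where the Defender cmdlets are available; the event IDs 1125 (audit) and 1126 (block) are the ones Microsoft documents for Network Protection.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.

function Test-NetworkProtectionPrereqs {
    # Gather the requirements listed in the article into one object for review.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        Edition            = (Get-CimInstance Win32_OperatingSystem).Caption
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (cloud-delivered protection)
        CloudProtection    = ($pref.MAPSReporting -ne 0)
        # Network Protection relies on the SmartScreen endpoints being reachable over 443
        SmartScreenReach   = (Test-NetConnection -ComputerName 'smartscreen.microsoft.com' `
                                -Port 443 -InformationLevel Quiet)
        SmartScreenProd    = (Test-NetConnection -ComputerName 'smartscreen-prod.microsoft.com' `
                                -Port 443 -InformationLevel Quiet)
    }
}

function Set-NetworkProtectionMode {
    # Same cmdlet the article uses; returns the value Defender reports back afterwards.
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Mode)
    Set-MpPreference -EnableNetworkProtection $Mode
    # EnableNetworkProtection is reported numerically: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    (Get-MpPreference).EnableNetworkProtection
}

function Get-NetworkProtectionEvents {
    # Audit-mode hits log event 1125, block-mode hits log event 1126.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Mode'; e = { if ($_.Id -eq 1126) { 'Block' } else { 'Audit' } } },
        Message
}

# Usage: verify prerequisites, start in audit mode, then review what it would have blocked.
Test-NetworkProtectionPrereqs | Format-List
Set-NetworkProtectionMode -Mode AuditMode
Get-NetworkProtectionEvents -Hours 24 | Format-Table -AutoSize
```

Running in AuditMode first and reviewing the 1125 events for a day or two shows which destinations would be blocked before you switch the same function to Enabled.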

This is everything you need to know about what Microsoft Defender Exploit Guard is and how it can be used to keep you safe online.

Takeaway

Windows client operating systems as well as the Servers have identical security enhancements available (to some extent). However, one may be enabled by default on the Server while it is disabled by default on a client OS.

You can still take your own device’s security into your own hands and enable the Network Protection feature to make your device secure, regardless of who is using it. The Network Protection feature is similar to SmartScreen but is implemented across the whole system.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
