What Is Microsoft Defender Exploit Guard And How To Configure It

Windows Defender Exploit GuardWindows Defender Exploit Guard

Previously, we have talked about the Microsoft Defender Application Guard and how it can be used to keep your computer safe from cyber threats. Today, we will be discussing another safety feature of Microsoft Defender, which is the “Exploit Guard.”

Exploit Guard, as the name suggests, prevents your computer from being exploited by online threats and malware. Several components make up the Exploit Guard, but today we will be discussing “Network Protection,” which can be used to intimate a user when they are accessing a malicious or untrusted site/domain using a web browser or blocking it completely.

If you want your computer to be safe and do not want anyone who uses your computer to infect it with a virus, dive deep into the details and the configurations needed to configure Exploit Guard Network Protection.

Note: This article focuses on Windows client PCs, but Exploit Guard Network Protection can also be allowed to be configured on Windows Servers.

What is Microsoft Defender Exploit Guard

Microsoft Defender Exploit Guard uses a number of defense mechanisms to fend off malware and phishing scams. Controlled folder access, a smaller attack surface, and network protection are the three components of Microsoft Defender Exploit Guard.

One of the components of the Exploit Guard is Network Protection. This feature is somewhat similar to SmartScreen. Like Network Protection, SmartScreen also protects a user against phishing scams and potential IP addresses or websites with malware. However, SmartScreen is only limited to the Microsoft Edge browser.

On the other hand, Network Protection is capable of implementing system-wide protection status across all browsers and apps. Exploit Guard can be configured in one of two methods:

  • Only prompt a user when a domain or IP address is malicious.
  • Block the user from accessing it completely.

That said, Microsoft defender Exploit Guard cannot be configured from the Settings app, or the Windows Security app. Instead, it can only be configured using the Group Policies or Windows PowerShell.

Additionally, your system must meet the following requirements for the Exploit Guard to be configured:

  • Windows edition must be Professional or Enterprise
  • Windows 10 or 11 is required
  • Windows Defender Antivirus real-time protection and cloud-based protection must be enabled
  • PC must be able to communicate with “smartscreen.microsoft.com” and “smartscreen-prod.microsoft.com”

To check your OS version and edition, type in “winver” in the Run Command box.

You can enable real-time and cloud-delivered protection at the following location:

Settings app >> Privacy & security >> Windows Security >> Virus & threat protection >> Manage Settings (under Virus & thrat protection settings)
Enable real time and cloud delivered protection
Enable real-time and cloud-delivered protection

Once the requirements are met, let us discuss the two methods to configure Exploit Guard Network Protection.

Configure Exploit Guard Network Protection

Configure Exploit Guard Network Protection using Group Policy

Using the Windows Group Policies, you can configure Network Protection for both Windows client computers as well as Servers. Follow these steps to configure the feature for Windows client computers:

  1. Open the Group Policy editor by typing in “gpedit.msc” in the Run Command box.

    Open the Group Policy editor
    Open the Group Policy editor
  2. Navigate to the following from the left pane:

    Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Micosoft Defender Exploit Guard >> Network Protection
  3. Open the policy “Prevent users and apps from accessing dangerous websites.”

    Open Network Protection policy for Windows client PC
    Open Network Protection policy for Windows client PC
  4. Select the “Enabled” radio button, and then select either of the following options from the drop-down menu in the Options section:

    • Block -The user won’t be permitted to access the website
    • Audit Mode – The user will be intimated of the danger where they can choose to exit or continue to the website
    Configure the Network Protection policy to Audit or Block
    Configure the Network Protection policy to Audit or Block
  5. When selected, click Apply and Ok.

  6. Now run the following cmdlet in an elevated Command Prompt to enforce the policy changes:

    GPUpdate /Force
    Enforce policy changes
    Enforce policy changes

Windows Defender Exploit Guard will now be configured for Network Protection. You will either be prompted when accessing a malicious website, or it will be blocked, depending on what you chose in Step 4 above.

If you want to configure Network Protection on Windows Server 2016 or later, then you must enable the policy “This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server” instead.

Policy to configure Network Protection on Windows Server
Policy to allow configuration of Network Protection on Windows Server

Configure Exploit Guard Network Protection using PowerShell

Managing Network Protection using Windows PowerShell gives more control to the administrators as it allows them to manage the different features individually.

Note: All of the following commands and steps are to be performed in an elevated PowerShell instance.

Let us start by checking the current status of the Network Protection feature. This can be done by running the following cmdlet in PowerShell:

Get-MpPreference | select *NetworkProtection* | Format-List
Check Exploit Guards status using PowerShell
Check Exploit Guard’s status using PowerShell

The image above shows that Network Protection is disabled. More importantly, it also shows 4 different attributes. Here is what these different attributes stand for:

  • AllowNetworkProtectionDownLevel – Used on Windows 10 1809 and older, is now obsolete
  • AllowNetworkProtectionOnWinServer – Allows Network Protection to be configured on Windows Server
  • DisableNetworkProtectionPerfTelemetry – sends anonymized performance data relating to the monitored connections to Microsoft
  • EnableNetworkProtection – Tells the status of the Network Protection feature

Now that we understand what these attributes are, you can use the following command to configure Network Protection’s attributes for different behaviors:

  • To enable Network Protection and block malicious websites:

    Set-MpPreference -EnableNetworkProtection Enabled
  • To enable Network Protection in audit mode:

    Set-MpPreference -EnableNetworkProtection AuditMode
  • To disable Network Protection:

    Set-MpPreference -EnableNetworkProtection Disabled
  • To allow Network Protection to be configured on Windows Server:

    Set-MpPreference -AllowNetworkProtectionOnWinServer $true

    Replace “true” with “false” to disallow it.

  • To enable telemetry:

    Set-MpPreference -DisableNetworkProtectionPerfTelemetry $true

    Replace “true” with “false” to disable telemetry.

Configure Exploit Guard Network Protection using PowerShell
Configure Exploit Guard Network Protection using PowerShell

This is everything you need to know about what Microsoft Defender Exploit Guard is and how it can be used to keep you safe online.

Takeaway

Windows client operating systems as well as the Servers have identical security enhancements available (to some extent). However, one may be enabled by default on the Server while it is disabled by default on a client OS.

You can still take your own device’s security into your own hands and enable the Network Protection feature to make your device secure, regardless of who is using it. The Network Protection feature is similar to SmartScreen but is implemented across the whole system.

If you liked this post, Share it on:
Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).

Get Updates in Your Inbox

Sign up for the regular updates and be the first to know about the latest tech information

Talk to us now

Talk to us straight and get your questions answered right away

Tell Us About Your Project
Web Dev Service Contact Form (Popup)