Exploit Guard, as the name suggests, prevents your computer from being exploited by online threats and malware. Several components make up Exploit Guard, but today we will be discussing “Network Protection,” which can be used either to notify a user when they access a malicious or untrusted site/domain from a web browser, or to block the access completely. If you want your computer to be safe and do not want anyone who uses it to infect it with a virus, dive into the details and the configuration needed to set up Exploit Guard Network Protection. Note: This article focuses on Windows client PCs, but Exploit Guard Network Protection can also be configured on Windows Server.

What is Microsoft Defender Exploit Guard

Microsoft Defender Exploit Guard uses a number of defense mechanisms to fend off malware and phishing scams. Controlled folder access, attack surface reduction, and network protection are the three components of Microsoft Defender Exploit Guard. Network Protection is the component we cover here. This feature is somewhat similar to SmartScreen: like Network Protection, SmartScreen also protects a user against phishing scams and against IP addresses or websites known to host malware. However, SmartScreen is limited to the Microsoft Edge browser. Network Protection, on the other hand, applies system-wide, across all browsers and apps. Network Protection can be configured in one of two modes:

- Only prompt a user when a domain or IP address is malicious.
- Block the user from accessing it completely.

That said, Microsoft Defender Exploit Guard cannot be configured from the Settings app or the Windows Security app. Instead, it can only be configured using Group Policy or Windows PowerShell. Additionally, your system must meet the following requirements for Exploit Guard to be configured:

- Windows edition must be Professional or Enterprise
- Windows 10 or 11 is required
- Windows Defender Antivirus real-time protection and cloud-based protection must be enabled
- The PC must be able to communicate with “smartscreen.microsoft.com” and “smartscreen-prod.microsoft.com”

To check your OS version and edition, type in “winver” in the Run Command box. You can enable real-time and cloud-delivered protection at the following location: Once the requirements are met, let us discuss the two methods to configure Exploit Guard Network Protection.
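The following pre-flight check is an added example, not part of the original article: it tests each requirement listed above from an elevated PowerShell prompt. It assumes the Defender and NetTCPIP modules are present (they ship with Windows 10/11), and the function name is my own.

```powershell
# Added example: check the Network Protection requirements in one pass.
function Test-NetworkProtectionPrerequisites {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $stat = Get-MpComputerStatus
    $pref = Get-MpPreference

    $results = [ordered]@{
        # Home editions lack the Exploit Guard policy surface.
        'Pro/Enterprise edition'        = [bool]($os.Caption -match 'Pro|Enterprise')
        # Windows 10 and 11 both report major version 10 (11 is build 22000+).
        'Windows 10 or 11'              = ([version]$os.Version).Major -ge 10
        'Real-time protection on'       = [bool]$stat.RealTimeProtectionEnabled
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced (cloud-delivered protection).
        'Cloud-delivered protection on' = $pref.MAPSReporting -ne 0
    }

    # Network Protection consults the SmartScreen service over HTTPS (TCP 443).
    foreach ($fqdn in 'smartscreen.microsoft.com', 'smartscreen-prod.microsoft.com') {
        $tcp = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
        $results["Reach ${fqdn}:443"] = [bool]$tcp.TcpTestSucceeded
    }

    foreach ($k in $results.Keys) {
        $mark = if ($results[$k]) { 'OK  ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $mark, $k)
    }
    # $true only when every requirement is met.
    return -not ($results.Values -contains $false)
}

Test-NetworkProtectionPrerequisites
```

A FAIL on either SmartScreen host usually points at a proxy or egress filter, in which case Network Protection will silently stop classifying sites rather than block them.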

Configure Exploit Guard Network Protection

Configure Exploit Guard Network Protection using Group Policy

Using Group Policy, you can configure Network Protection for both Windows client computers and Servers. Follow these steps to configure the feature for Windows client computers: Windows Defender Exploit Guard will now be configured for Network Protection. You will either be prompted when accessing a malicious website, or it will be blocked, depending on what you chose in Step 4 above.

- Block – The user won’t be permitted to access the website
- Audit Mode – The user will be notified of the danger and can choose to exit or continue to the website

If you want to configure Network Protection on Windows Server 2016 or later, then you must enable the policy “This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server” instead.

Configure Exploit Guard Network Protection using PowerShell

Managing Network Protection using Windows PowerShell gives administrators more control, as it allows them to manage the different settings individually. Note: All of the following commands and steps are to be performed in an elevated PowerShell instance. Let us start by checking the current status of the Network Protection feature. This can be done by running the following cmdlet in PowerShell: The image above shows that Network Protection is disabled. More importantly, it also shows four different attributes. Here is what these attributes stand for:

- AllowNetworkProtectionDownLevel – Used on Windows 10 1809 and older; now obsolete
- AllowNetworkProtectionOnWinServer – Allows Network Protection to be configured on Windows Server
- DisableNetworkProtectionPerfTelemetry – Controls whether anonymized performance data relating to the monitored connections is sent to Microsoft (setting it to true turns that telemetry off)
- EnableNetworkProtection – Tells the status of the Network Protection feature

Now that we understand what these attributes are, you can use the following commands to configure Network Protection’s attributes for different behaviors:

To enable Network Protection and block malicious websites:
    Set-MpPreference -EnableNetworkProtection Enabled

To enable Network Protection in audit mode:
    Set-MpPreference -EnableNetworkProtection AuditMode

To disable Network Protection:
    Set-MpPreference -EnableNetworkProtection Disabled

To allow Network Protection to be configured on Windows Server:
    Set-MpPreference -AllowNetworkProtectionOnWinServer $true
Replace “$true” with “$false” to disallow it.

To disable performance telemetry (the parameter name is “Disable…”, so $true switches the telemetry off):
    Set-MpPreference -DisableNetworkProtectionPerfTelemetry $true
Replace “$true” with “$false” to re-enable telemetry.
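The following script is an added example, not code from the original article: it wraps the mode switch above in a function that verifies the setting actually took effect, and adds a helper that reads the Network Protection events Defender writes (1125 in audit mode, 1126 in block mode) so you can review hits before moving from audit to block. It assumes an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example: set the mode, verify it, and review what Network Protection has flagged.
function Set-NetworkProtectionMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode,
        [switch]$OnServer   # also set AllowNetworkProtectionOnWinServer
    )
    if ($OnServer) { Set-MpPreference -AllowNetworkProtectionOnWinServer $true }
    Set-MpPreference -EnableNetworkProtection $Mode

    # Get-MpPreference reports the mode numerically: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
    $names  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $actual = $names[[int](Get-MpPreference).EnableNetworkProtection]
    if ($actual -ne $Mode) {
        # A Group Policy setting wins over Set-MpPreference, so a mismatch here
        # usually means the policy from the previous section is in control.
        throw "Requested $Mode but Defender reports $actual (Group Policy override?)"
    }
    return $actual
}

function Get-NetworkProtectionEvents {
    param([int]$Hours = 24)
    # Defender logs 1125 (audit-mode hit) and 1126 (block-mode hit) to its Operational log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1125) { 'Audit' } else { 'Block' } } },
            Message
}

# Typical rollout: start in audit mode, review the hits, then switch to Enabled (block).
Set-NetworkProtectionMode -Mode AuditMode
Get-NetworkProtectionEvents -Hours 24 | Format-Table -AutoSize
```

Running in audit mode for a period first shows which sites users actually reach that Network Protection would block, so the switch to block mode does not break legitimate workflows.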

This is everything you need to know about what Microsoft Defender Exploit Guard is and how it can be used to keep you safe online.

Takeaway

Windows client operating systems and Windows Server have largely the same security enhancements available, although a feature may be enabled by default on the Server while it is disabled by default on a client OS. You can still take your own device’s security into your own hands and enable the Network Protection feature to keep your device secure, regardless of who is using it. Network Protection is similar to SmartScreen but is implemented across the whole system rather than only in Microsoft Edge.