Protect your data with Windows Defender Exploit Guard settings

This article applies to Microsoft 365 Business Premium.

You can set up policies to help protect the Windows 10 devices in your organization from malware attacks, ransomware, and malicious content on the internet.

Reduce the attack surface of devices

This setting targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as:

  • Malware included as executable files and scripts in Office apps or email.

  • Scripts that are obfuscated or otherwise suspicious.

  • App behaviors that aren't usually initiated during normal day-to-day work.

For more information about this setting, read Reduce attack surfaces.

Protect folders from threats such as ransomware

When this setting is turned on, all apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus to determine if the app is malicious or safe. If an app is determined to be malicious or suspicious, then it won't be allowed to make changes to any files in any protected folder.

This setting is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage.

For more information about this setting, read Protect important folders with controlled folder access.

Prevent network access to potentially malicious content on the internet

Network protection helps reduce the attack surface of your devices from internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet.

For more information about this setting, read Protect your network.