Policy CSP - ExploitGuard


ExploitGuard policies

ExploitGuard/ExploitProtectionSettings

ExploitGuard/ExploitProtectionSettings

Windows Edition Supported?
Home check mark3
Pro check mark3
Business check mark3
Enterprise check mark3
Education check mark3

Scope:

  • Device

Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see Enable Exploit Protection on Devices and Import, export, and deploy Exploit Protection configurations.

The system settings require a reboot; the application settings do not require a reboot.

ADMX Info:

  • GP English name: Use a common set of exploit protection settings
  • GP name: ExploitProtection_Name
  • GP element: ExploitProtection_Name
  • GP path: Windows Components/Windows Defender Exploit Guard/Exploit Protection
  • GP ADMX file name: ExploitGuard.admx

Here is an example:

<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
  <SyncBody>
    <Replace>
      <CmdID>$CmdId$</CmdID>
      <Item>
        <Meta>
          <Format>chr</Format>
          <Type>text/plain</Type>
       </Meta>
        <Target>
          <LocURI>./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings</LocURI>
        </Target>
        <Data><![CDATA[<?xml version="1.0" encoding="UTF-8"?><MitigationPolicy><SystemConfig><SEHOP Audit="true" /></SystemConfig><AppConfig Executable="iexplore.exe"><ImageLoad AuditImageLoad="true" /><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="wordpad.exe"><DynamicCode Audit="true" /><SignedBinaries Audit="true" AuditStoreSigned="false" /><ImageLoad AuditImageLoad="true"  /><ChildProcess  Audit="true" /><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="notepad.exe"><DynamicCode Audit="true" /><SignedBinaries Audit="true" AuditStoreSigned="false" /><ImageLoad AuditImageLoad="true" /><ChildProcess Audit="true" /><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="outlook.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="winword.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="excel.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="powerpnt.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="AcroRd32.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="Acrobat.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="fltldr.exe"><DynamicCode Audit="true" /><ImageLoad AuditImageLoad="true" /><ChildProcess Audit="true" /><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="RuntimeBroker.exe"><ImageLoad AuditImageLoad="true" /><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="SearchIndexer.exe"><DynamicCode Audit="true" /><SignedBinaries Audit="true" AuditStoreSigned="false" /><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="java.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="javaws.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="javaw.exe"><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig><AppConfig Executable="EpSelfhostV1.exe"><DynamicCode Audit="true" /><ImageLoad AuditImageLoad="true" /><ChildProcess Audit="true" /><Payload AuditEnableExportAddressFilter="true"AuditEnableExportAddressFilterPlus="true"AuditEnableImportAddressFilter="true"AuditEnableRopStackPivot="true"AuditEnableRopCallerCheck="true"AuditEnableRopSimExec="true"/></AppConfig></MitigationPolicy>]]></Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>


Footnotes:

  • 1 - Available in Windows 10, version 1607.
  • 2 - Available in Windows 10, version 1703.
  • 3 - Available in Windows 10, version 1709.
  • 4 - Available in Windows 10, version 1803.
  • 5 - Available in Windows 10, version 1809.
  • 6 - Available in Windows 10, version 1903.
  • 7 - Available in Windows 10, version 1909.
  • 8 - Available in Windows 10, version 2004.