This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Applies to:
Exploit protection automatically applies many exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709, Windows 11, and Windows Server, version 1803.
Exploit protection works best with Defender for Endpoint - which gives you detailed reporting into exploit protection events and blocks as part of the usual alert investigation scenarios.
You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices at once.
When a mitigation is found on the device, a notification is displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
You can also use audit mode to evaluate how exploit protection would affect your organization if it were enabled.
Many of the features in the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see Import, export, and deploy exploit protection configurations.
Important
If you're currently using EMET, it's important to note thatEMET reached end of support on July 31, 2018. Consider replacing EMET with exploit protection in Windows 10.
Warning
Some security mitigation technologies might have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying the configuration across a production environment or the rest of your network.
Defender for Endpoint provides detailed reporting into events and blocks as part of its alert investigation scenarios.
You can query Defender for Endpoint data by using Advanced hunting. If you're using audit mode, you can use advanced hunting to see how exploit protection settings could affect your environment.
Here's an example query:
DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
The advanced hunting actiontypes available for Exploit Protection are as follows:
| Exploit Protection mitigation name | Exploit Protection - Advanced Hunting - ActionTypes |
|---|---|
| Arbitrary code guard | ExploitGuardAcgAudited ExploitGuardAcgEnforced |
| Don't allow child processes | ExploitGuardChildProcessAudited ExploitGuardChildProcessBlocked |
| Export address filtering (EAF) | ExploitGuardEafViolationAudited ExploitGuardEafViolationBlocked |
| Import address filtering (IAF) | ExploitGuardIafViolationAudited ExploitGuardIafViolationBlocked |
| Block low integrity images | ExploitGuardLowIntegrityImageAudited ExploitGuardLowIntegrityImageBlocked |
| Code integrity guard | ExploitGuardNonMicrosoftSignedAudited ExploitGuardNonMicrosoftSignedBlocked |
| • Simulate execution (SimExec) • Validate API invocation (CallerCheck) • Validate stack integrity (StackPivot) |
ExploitGuardRopExploitAudited ExploitGuardRopExploitBlocked |
| Block remote images | ExploitGuardSharedBinaryAudited ExploitGuardSharedBinaryBlocked |
| Disable Win32k system calls | ExploitGuardWin32SystemCallAudited ExploitGuardWin32SystemCallBlocked |
You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
| Provider/source | Event ID | Description |
|---|---|---|
| Security-Mitigations | 1 | ACG audit |
| Security-Mitigations | 2 | ACG enforce |
| Security-Mitigations | 3 | Don't allow child processes audit |
| Security-Mitigations | 4 | Don't allow child processes block |
| Security-Mitigations | 5 | Block low integrity images audit |
| Security-Mitigations | 6 | Block low integrity images block |
| Security-Mitigations | 7 | Block remote images audit |
| Security-Mitigations | 8 | Block remote images block |
| Security-Mitigations | 9 | Disable win32k system calls audit |
| Security-Mitigations | 10 | Disable win32k system calls block |
| Security-Mitigations | 11 | Code integrity guard audit |
| Security-Mitigations | 12 | Code integrity guard block |
| Security-Mitigations | 13 | EAF audit |
| Security-Mitigations | 14 | EAF enforce |
| Security-Mitigations | 15 | EAF+ audit |
| Security-Mitigations | 16 | EAF+ enforce |
| Security-Mitigations | 17 | IAF audit |
| Security-Mitigations | 18 | IAF enforce |
| Security-Mitigations | 19 | ROP StackPivot audit |
| Security-Mitigations | 20 | ROP StackPivot enforce |
| Security-Mitigations | 21 | ROP CallerCheck audit |
| Security-Mitigations | 22 | ROP CallerCheck enforce |
| Security-Mitigations | 23 | ROP SimExec audit |
| Security-Mitigations | 24 | ROP SimExec enforce |
| WER-Diagnostics | 5 | CFG Block |
| Win32K | 260 | Untrusted Font |
The mitigations available in EMET are included natively in Windows 10 (starting with version 1709), Windows 11, and Windows Server (starting with version 1803), under Exploit protection.
The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.
| Mitigation | Available under exploit protection | Available in EMET |
|---|---|---|
| Arbitrary code guard (ACG) | Yes | Yes As "Memory Protection Check" |
| Block remote images | Yes | Yes As "Load Library Check" |
| Block untrusted fonts | Yes | Yes |
| Data Execution Prevention (DEP) | Yes | Yes |
| Export address filtering (EAF) | Yes | Yes |
| Force randomization for images (Mandatory ASLR) | Yes | Yes |
| NullPage Security Mitigation | Yes Included natively in Windows 10 and Windows 11 For more information, see Mitigate threats by using Windows 10 security features |
Yes |
| Randomize memory allocations (Bottom-Up ASLR) | Yes | Yes |
| Simulate execution (SimExec) | Yes | Yes |
| Validate API invocation (CallerCheck) | Yes | Yes |
| Validate exception chains (SEHOP) | Yes | Yes |
| Validate stack integrity (StackPivot) | Yes | Yes |
| Certificate trust (configurable certificate pinning) | Windows 10 and Windows 11 provide enterprise certificate pinning | Yes |
| Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection For more information, see Mitigate threats by using Windows 10 security features |
Yes |
| Block low integrity images | Yes | No |
| Code integrity guard | Yes | No |
| Disable extension points | Yes | No |
| Disable Win32k system calls | Yes | No |
| Don't allow child processes | Yes | No |
| Import address filtering (IAF) | Yes | No |
| Validate handle usage | Yes | No |
| Validate heap integrity | Yes | No |
| Validate image dependency integrity | Yes | No |
Note
The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10 and Windows 11, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. For more information on how Windows 10 employs existing EMET technology, see the Mitigation threats by using Windows 10 security features.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Training
Module
Explore advanced protection methods - Training
This module explores additional tools used to provide additional layers of security within an organization.
Certification
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.