Windows Defender Exploit Guard
- Windows 10, version 1709 and later
- Windows Server 2016
- Enterprise security administrators
Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
There are four features in Windows Defender EG:
- Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
- Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
- Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
- Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
Windows 10, version 1803 provides additional protections:
- New Attack surface reduction rules
- Controlled folder access can now block disk sectors
You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
You can also enable audit mode for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the features are working and see how each of them work.
Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
- The Windows Defender ATP console
- Windows Defender Antivirus in Windows 10
- Windows Defender SmartScreen
- Windows Defender Device Guard
- Windows Defender Application Guard
You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual alert investigation scenarios. You can sign up for a free trial of Windows Defender ATP to see how it works.
This section covers requirements for each feature in Windows Defender EG.
|Includes advanced exploit protection for the kernel mode via HVCI|
|Includes automated reporting into the Windows Defender ATP console|
|Feature||Windows 10 Home||Windows 10 Professional||Windows 10 E3||Windows 10 E5|
|Attack surface reduction|
|Controlled folder access|
The following table lists which features in Windows Defender EG require enabling real-time protection from Windows Defender Antivirus.
|Exploit protection||No requirement|
|Attack surface reduction||Must be enabled|
|Network protection||Must be enabled|
|Controlled folder access||Must be enabled|
In this library
|Protect devices from exploits with Windows Defender Exploit Guard||Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.|
|Protect your network with Windows Defender Exploit Guard||Minimize the exposure of your devices from network and web-based infection vectors.|
|Protect important folders with Controlled folder access||Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.|