Create and deploy an Exploit Guard policy

Applies to: Configuration Manager (current branch)

You can configure and deploy Configuration Manager policies that manage all four components of Windows Defender Exploit Guard. These components include:

  • Attack Surface Reduction
  • Controlled folder access
  • Exploit protection
  • Network protection

Compliance data for Exploit Guard policy deployment is available from within the Configuration Manager console.

Note

Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see Enable optional features from updates.

Prerequisites

Managed devices must run Windows 10 1709 or later; the minimum Windows Server build is version 1809 or later until Server 2019 only. The following requirements must also be satisfied, depending on the components and rules configured:

Exploit Guard component Additional prerequisites
Attack Surface Reduction Devices must have Microsoft Defender for Endpoint always-on protection enabled.
Controlled folder access Devices must have Microsoft Defender for Endpoint always-on protection enabled.
Exploit protection None
Network protection Devices must have Microsoft Defender for Endpoint always-on protection enabled.

Create an Exploit Guard policy

  1. In the Configuration Manager console, go to Assets and compliance > Endpoint Protection, and then click Windows Defender Exploit Guard.

  2. On the Home tab, in the Create group, click Create Exploit Policy.

  3. On the General page of the Create Configuration Item Wizard, specify a name, and optional description for the configuration item.

  4. Next, select the Exploit Guard components you want to manage with this policy. For each component you select, you can then configure additional details.

    • Attack Surface Reduction: Configure the Office threat, scripting threats, and email threats you want to block or audit. You can also exclude specific files or folders from this rule.
    • Controlled folder access: Configure blocking or auditing, and then add Apps that can bypass this policy. You can also specify additional folders that are not protected by default.
    • Exploit protection: Specify an XML file that contains settings for mitigating exploits of system processes and apps. You can export these settings from the Windows Defender Security Center app on a Windows 10 or later device.
    • Network protection: Set network protection to block or audit access to suspicious domains.
  5. Complete the wizard to create the policy, which you can later deploy to devices.

    Warning

    The XML file for exploit protection should be kept secure when transferring it between machines. The file should be deleted after import or kept in a secure location.

Deploy an Exploit Guard policy

After you create Exploit Guard policies, use the Deploy Exploit Guard Policy wizard to deploy them. To do so, open the Configuration Manager console to Assets and compliance > Endpoint Protection, and then click Deploy Exploit Guard Policy.

Important

Once you deploy an Exploit Guard policy, such as Attack Surface Reduction or Controlled folder access, the Exploit Guard settings will not removed from the clients if you remove the deployment. Delete not supported is recorded in the client's ExploitGuardHandler.log if you remove the client's Exploit Guard deployment. The following PowerShell script can be run under SYSTEM context to remove these settings:

$defenderObject = Get-WmiObject -Namespace "root/cimv2/mdm/dmmap" -Class "MDM_Policy_Config01_Defender02" -Filter "InstanceID='Defender' and ParentID='./Vendor/MSFT/Policy/Config'"
$defenderObject.AttackSurfaceReductionRules = $null
$defenderObject.AttackSurfaceReductionOnlyExclusions = $null
$defenderObject.EnableControlledFolderAccess = $null
$defenderObject.ControlledFolderAccessAllowedApplications = $null
$defenderObject.ControlledFolderAccessProtectedFolders = $null
$defenderObject.EnableNetworkProtection = $null
$defenderObject.Put()

$exploitGuardObject = Get-WmiObject -Namespace "root/cimv2/mdm/dmmap" -Class "MDM_Policy_Config01_ExploitGuard02" -Filter "InstanceID='ExploitGuard' and ParentID='./Vendor/MSFT/Policy/Config'"
$exploitGuardObject.ExploitProtectionSettings = $null
$exploitGuardObject.Put()

Windows Defender Exploit Guard policy settings

Attack Surface Reduction policies and options

Attack Surface Reduction can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office, script, and mail-based malware. Learn more about Attack Surface Reduction and the Event IDs used for it.

  • Files and Folders to exclude from Attack Surface Reduction rules - Click on Set and specify any files or folders to exclude.

  • Email Threats:

    • Block executable content from email client and webmail.
      • Not configured
      • Block
      • Audit
  • Office Threats:

    • Block Office application from creating child processes.
      • Not configured
      • Block
      • Audit
    • Block Office applications from creating executable content.
      • Not configured
      • Block
      • Audit
    • Block Office applications from injecting code into other processes.
      • Not configured
      • Block
      • Audit
    • Block Win32 API calls from Office macros.
      • Not configured
      • Block
      • Audit
  • Scripting Threats:

    • Block JavaScript or VBScript from launching downloaded executable content.
      • Not configured
      • Block
      • Audit
    • Block execution of potentially obfuscated scripts.
      • Not Configured
      • Block
      • Audit
  • Ransomware threats: (starting in Configuration Manager version 1802)

    • Use advanced protection against ransomware.
      • Not configured
      • Block
      • Audit
  • Operating system threats: (starting in Configuration Manager version 1802)

    • Block credential stealing from the Windows local security authority subsystem.
      • Not configured
      • Block
      • Audit
    • Block executable files from running unless they meet a prevalence, age, or trusted list criteria.
      • Not configured
      • Block
      • Audit
  • External device threats: (starting in Configuration Manager version 1802)

    • Block untrusted and unsigned processes that run from USB.
      • Not configured
      • Block
      • Audit

Controlled folder access policies and options

Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. For more information, see Controlled folder access and the Event IDs it uses.

  • Configure Controlled folder access:
    • Block
    • Block disk sectors only (starting in Configuration Manager version 1802)
      • Allows Controlled folder access to be enabled for boot sectors only and does not enable the protection of specific folders or the default protected folders.
    • Audit
    • Audit disk sectors only (starting in Configuration Manager version 1802)
      • Allows Controlled folder access to be enabled for boot sectors only and does not enable the protection of specific folders or the default protected folders.
    • Disabled
  • Allow apps through Controlled folder access -Click on Set and specify apps.
  • Additional protected folders -Click on Set and specify additional protected folders.

Exploit protection policies

Applies exploit mitigation techniques to operating system processes and apps your organization uses. These settings can be exported from the Windows Defender Security Center app on Windows 10 or later devices. For more information, see Exploit protection.

  • Exploit protection XML: -Click on Browse and specify the XML file to import.

    Warning

    The XML file for exploit protection should be kept secure when transferring it between machines. The file should be deleted after import or kept in a secure location.

Network protection policy

Helps minimize the attack surface on devices from internet-based attacks. The service restricts access to suspicious domains that might host phishing scams, exploits, and malicious content. For more information, see Network protection.

  • Configure network protection:
    • Block
    • Audit
    • Disabled