How to Change Windows Defender Exploit Protection Settings in Windows


Most information is now stored and processed digitally, so protecting the systems that hold it is a basic practice. An unprotected system is exposed to data loss, theft, or compromise. The good news is that major operating systems, Windows included, ship with built-in security features that help. On Windows, the Exploit Protection settings in Windows Defender apply memory-safety and control-flow mitigations that make it much harder for an exploit to run successfully on the device. This article explains the feature, how to configure it, its common use cases, and more.

An Overview of Windows Defender Exploit Protection

What is Windows Defender Exploit Protection?

Windows Defender Exploit Protection is a feature built into Windows 10 (version 1709 and later) and Windows 11, and the successor to Microsoft's Enhanced Mitigation Experience Toolkit (EMET). It applies exploit mitigation techniques such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Control Flow Guard (CFG), and Arbitrary Code Guard (ACG), either system-wide or to individual executables. This adds a layer of defense against malware and attacks that exploit software vulnerabilities, one that does not depend on a malicious file being recognized first.

The importance of Windows Defender Exploit Protection

Windows Defender Exploit Protection plays a vital role in mitigating vulnerabilities. Adjusting its configuration may be necessary for the following:

  • Enhancing protection in high-risk environments.
  • Resolving compatibility issues with specific applications.
  • Customizing security configurations for enterprise requirements.

Windows Defender Exploit Protection’s role in the Windows security ecosystem

Exploit Protection complements antivirus and firewall solutions: instead of recognizing malicious files, it makes the memory-corruption and code-injection techniques that exploits depend on fail at runtime. It is crucial for:

  • Defending against zero-day vulnerabilities, for which no signature or patch exists yet.
  • Protecting high-value assets in corporate environments.

How to Access Windows Defender Exploit Protection Settings

You can access the Windows Defender Exploit Protection settings through the Windows Security app or, for administrators, through Group Policy or PowerShell. Here's how:

A. Using the Windows Security App

  1. Open Settings and go to Update & Security > Windows Security (on Windows 11: Privacy & security > Windows Security).
  2. Select App & browser control.
  3. Under the “Exploit protection” section, click Exploit protection settings.

B. Using Group Policy or PowerShell

1. Using Group Policy:
    • Open the Group Policy Management Console (GPMC) by pressing Win + R, typing gpmc.msc, and hitting Enter. (On a standalone machine, use the Local Group Policy Editor, gpedit.msc, instead.)
    • In the Group Policy Management window, navigate to the Group Policy Object (GPO) you want to modify, or create a new one by right-clicking Group Policy Objects and selecting New. Name the new GPO and click OK.
    • Right-click the GPO and select Edit.
    • In the Group Policy Management Editor window, go to:
      • Computer Configuration > Administrative Templates > Windows Components > Windows Defender Exploit Guard > Exploit Protection.
    • Open the Use a common set of exploit protection settings policy, set it to Enabled, and enter the local or UNC path of an Exploit Protection XML file exported from the Windows Security app or PowerShell. Group Policy does not expose the individual mitigations; it distributes that XML file, and the settings in it are applied on each client.
2. Using PowerShell:
    • Open PowerShell as an Administrator by right-clicking the Start menu and selecting Windows PowerShell (Admin) (Terminal (Admin) on Windows 11).
    • Exploit Protection is managed by the ProcessMitigations module, which is built into Windows 10 version 1709 and later and Windows 11. To view the current Exploit Protection settings for a program, use the following command:
      • Get-ProcessMitigation -Name <process_name>
      • Replace <process_name> with the executable's file name (e.g., notepad.exe). Each mitigation is reported as ON, OFF, or NOTSET; NOTSET means the program inherits the system default.
    • To view the system-wide (global) Exploit Protection settings, use the following command:
      • Get-ProcessMitigation -System
    • To export the complete configuration (system settings plus every program entry) to an XML file you can review, version, or deploy through Group Policy, use:
      • Get-ProcessMitigation -RegistryConfigFilePath <path\to\settings.xml>
    • NOTE: Get-MpPreference and Set-MpPreference manage Microsoft Defender Antivirus preferences (real-time protection, Controlled Folder Access, Network Protection, and so on). They neither read nor change Exploit Protection mitigations; use the ProcessMitigations cmdlets above for that.
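As an added example (not part of the original article), the following script performs the inventory the commands above describe: it prints the explicit system-wide values, lists the per-program overrides for a few executables, and exports the full configuration to XML. Get-ProcessMitigation and its -System, -Name and -RegistryConfigFilePath parameters belong to the built-in cmdlet; the application list and the export path are assumptions, and the Get-MitigationRow helper is written here for illustration.

```powershell
# Added example (not from the original article): inventory the Exploit
# Protection configuration on this host with the built-in ProcessMitigations
# cmdlets. Run in an elevated PowerShell session. The application list and
# the export path are assumptions chosen for illustration.

function Get-MitigationRow {
    # Flatten the nested object returned by Get-ProcessMitigation into
    # "Category.Setting = Value" rows. Only the three descriptive properties
    # are skipped, so the helper does not depend on category names.
    param([Parameter(Mandatory)] $Mitigation)
    foreach ($category in $Mitigation.PSObject.Properties) {
        if ($category.Name -in 'ProcessName', 'Source', 'Id') { continue }
        if ($null -eq $category.Value) { continue }
        foreach ($setting in $category.Value.PSObject.Properties) {
            [pscustomobject]@{
                Mitigation = '{0}.{1}' -f $category.Name, $setting.Name
                Value      = [string]$setting.Value
            }
        }
    }
}

# 1. System-wide defaults: show only what is explicitly ON or OFF.
#    Everything else is NOTSET and falls back to the Windows default.
Write-Host '== System settings (explicit values only) =='
Get-MitigationRow (Get-ProcessMitigation -System) |
    Where-Object { $_.Value -in 'ON', 'OFF' } |
    Format-Table -AutoSize

# 2. Per-program overrides for the applications we care about (assumed list).
$apps = 'notepad.exe', 'AcroRd32.exe', 'legacyapp.exe'
foreach ($app in $apps) {
    $entry = Get-ProcessMitigation -Name $app -ErrorAction SilentlyContinue
    if (-not $entry) { Write-Host "== $app : no entry could be read =="; continue }
    $overrides = @(Get-MitigationRow $entry | Where-Object { $_.Value -in 'ON', 'OFF' })
    if ($overrides.Count -gt 0) {
        Write-Host "== $app : $($overrides.Count) explicit mitigation(s) =="
        $overrides | Format-Table -AutoSize
    } else {
        Write-Host "== $app : no overrides, inherits system defaults =="
    }
}

# 3. Export the whole configuration to XML. This is the file the Group Policy
#    setting "Use a common set of exploit protection settings" consumes, and
#    the one to put under change control before editing anything.
$export = Join-Path $env:TEMP 'exploit-protection-baseline.xml'
Get-ProcessMitigation -RegistryConfigFilePath $export | Out-Null
[xml]$policy = Get-Content -Path $export -Raw

# Every program entry in the export carries an Executable attribute, so the
# list can be built without assuming anything else about the XML schema.
$configured = $policy.SelectNodes('//*[@Executable]') |
    ForEach-Object { $_.GetAttribute('Executable') } |
    Sort-Object -Unique
Write-Host "Exported to $export; programs with custom settings: $($configured -join ', ')"
```

Keep the exported XML from a known-good machine as your baseline; a diff of two exports is the quickest way to see exactly which mitigation changed for which program after someone edits settings in the UI.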

How to Change Exploit Protection Settings

Through Windows Security settings

A. Customize System Settings for Exploit Protection

1. Access Exploit Protection Settings
      • Open Windows Security.
      • Click on the App & browser control icon.
      • Scroll to the bottom and click on the Exploit protection settings link.
2. Modify System Settings
      • Under the System settings tab, adjust each protection setting as needed.
        • Example settings include Data Execution Prevention (DEP), Control Flow Guard (CFG), and Randomize memory allocations (Bottom-up ASLR).
      • After making changes, click Apply.
      • Some changes may require you to restart your computer.
3. Save and Exit
      • Once finished, close the Windows Security window.

B. Add Programs for Custom Settings

1. Add a Program to Exploit Protection
      • Open Windows Security and navigate to the App & browser control icon.
      • Click the Exploit protection settings link.
      • Under Program settings, click Add program to customize. Choose Add by program name to match the executable's file name wherever it runs from, or Choose exact file path to match one installed copy only.
      • Enter the program name (e.g., notepad.exe), or browse to the program's .exe file and select it.
2. Customize Program Settings
      • Select the added program from the list.
      • Click Edit and modify the available settings based on your requirements.
      • Click Apply to save changes.

C. Remove a Program from Exploit Protection

1. Access Program Settings
      • Open Windows Security and go to the App & browser control icon.
      • Click Exploit protection settings and navigate to the Program settings tab.
2. Remove a Program
      • Select the program you want to remove.
      • Click Remove and confirm by clicking Yes when prompted.

D. Customize Specific Program Settings

1. Access Specific Program Settings
      • Open Windows Security and click on the App & browser control icon.
      • Click Exploit protection settings and navigate to Program settings.
2. Edit Program Settings
      • Select a listed program and click Edit.
      • Customize individual settings like DEP, CFG, or ASLR based on your security needs.
      • Click Apply to save changes.

Using PowerShell Commands

You can also use PowerShell to manage Windows Defender Exploit Protection settings. The ProcessMitigations module, built into Windows 10 version 1709 and later and Windows 11, exposes the same mitigations as the Windows Security UI through two cmdlets: Get-ProcessMitigation reads the configuration and Set-ProcessMitigation changes it. Both operate either system-wide (-System) or on a single executable (-Name), and both work with the same XML format the UI exports, which makes PowerShell the better choice for scripted and fleet-wide changes. Run the cmdlets from an elevated PowerShell session.

A. Customize System Settings for Exploit Protection using PowerShell

1. View the current system settings
      • Run Get-ProcessMitigation -System. Each mitigation shows ON, OFF, or NOTSET; NOTSET means the built-in Windows default applies.
2. Modify System Settings
      • Use Set-ProcessMitigation -System with -Enable or -Disable followed by one or more mitigation names (for example DEP, SEHOP, CFG, BottomUp, HighEntropy, or ForceRelocateImages). A program without its own entry inherits whatever you set here.
      • Get-Help Set-ProcessMitigation -Parameter Enable lists the accepted names. Mitigations that support audit mode have an Audit... variant (such as AuditDynamicCode) that logs what would have been blocked without enforcing it.
      • NOTE on bcdedit: bcdedit /set nx AlwaysOn (or AlwaysOff) changes the kernel's boot-time DEP policy, not the Exploit Protection setting. It applies to every process, needs a reboot, and AlwaysOff removes DEP entirely, so leave it alone outside a lab and manage DEP through Set-ProcessMitigation -System instead.

B. Add, Customize, and Remove Programs using PowerShell

1. Add a Program to Exploit Protection
      • Set-ProcessMitigation -Name <program.exe> -Enable <mitigations> creates the program entry (the equivalent of Add program to customize in the UI) and turns on the listed mitigations for it. The name is the executable's file name and matches that image wherever it is run from.
2. Customize Program Settings via PowerShell
      • Use -Enable and -Disable with the same -Name to set each mitigation explicitly. A mitigation you neither enable nor disable stays NOTSET and follows the system default, which is how you give a legacy application a single compatibility exception without weakening everything else.
3. Remove a Program
      • Set-ProcessMitigation -Name <program.exe> -Remove deletes the program's custom entry, so it falls back to the system defaults.
4. Export and import
      • Get-ProcessMitigation -RegistryConfigFilePath <file.xml> exports the complete configuration, and Set-ProcessMitigation -PolicyFilePath <file.xml> applies such a file. This is the format the Windows Security app's Export settings link produces and the one Group Policy and Intune deploy.

NOTE: Set-MpPreference (for example Set-MpPreference -EnableControlledFolderAccess Disabled or Set-MpPreference -DisableIntrusionPreventionSystem $true) configures Microsoft Defender Antivirus features such as Controlled Folder Access and Network Protection. Those are separate from Exploit Protection, which mitigates vulnerabilities at the process and system level; do not conflate the two when adjusting security configurations.
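The PowerShell equivalents of the UI steps above, as an added example that is not part of the original article. It uses the built-in Set-ProcessMitigation and Get-ProcessMitigation cmdlets from an elevated prompt; notepad.exe and legacyapp.exe stand in for the programs you would actually harden or exempt, and C:\Temp\exploit-protection.xml is an assumed path.

```powershell
# Added example (not from the original article): make the same changes the
# Windows Security UI makes, from an elevated PowerShell prompt, with the
# built-in Set-ProcessMitigation cmdlet. The executable names and the XML
# path are assumptions for illustration; the mitigation names are the ones
# the cmdlet accepts (Get-Help Set-ProcessMitigation -Parameter Enable).

# --- System settings tab -------------------------------------------------
# Turn the common defaults on system-wide: DEP, SEHOP, bottom-up and
# high-entropy ASLR. Programs without their own entry inherit these.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy

# --- Program settings tab: add a program and customize it ----------------
# Harden one executable beyond the defaults. Only the mitigations named
# here are set; everything else for notepad.exe stays NOTSET.
Set-ProcessMitigation -Name notepad.exe -Enable DEP, CFG, ForceRelocateImages, BlockRemoteImageLoads, BlockLowLabelImageLoads

# Use audit mode for mitigations that break applications most often, such
# as Arbitrary Code Guard (BlockDynamicCode). AuditDynamicCode records
# would-be blocks in the Security-Mitigations event log without enforcing.
Set-ProcessMitigation -Name notepad.exe -Enable AuditDynamicCode

# --- Compatibility override for a legacy application ---------------------
# Disable only the mitigation known to break it; everything else for
# legacyapp.exe still follows the system defaults.
Set-ProcessMitigation -Name legacyapp.exe -Disable ForceRelocateImages

# --- Remove a program (the UI's Remove button) ---------------------------
# Deletes the custom entry, so legacyapp.exe inherits the system defaults.
Set-ProcessMitigation -Name legacyapp.exe -Remove

# --- Verify what is now configured ---------------------------------------
Get-ProcessMitigation -Name notepad.exe | Format-List
Get-ProcessMitigation -System          | Format-List

# --- Export / import for fleet deployment --------------------------------
# Export on the reference machine, review the XML, then apply the same file
# on other hosts or point the Group Policy / Intune setting at it.
$policyFile = 'C:\Temp\exploit-protection.xml'
New-Item -ItemType Directory -Path (Split-Path $policyFile) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $policyFile | Out-Null
Set-ProcessMitigation -PolicyFilePath $policyFile
```

Changes to a program entry take effect the next time that program starts; system-wide changes may need a restart. Keep the exceptions you grant narrow: disable the one mitigation a program cannot tolerate rather than removing its entry or loosening the system defaults.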

Best Practices for Adjusting Exploit Protection Settings

Modifying Exploit Protection Settings is a crucial task. This is why it needs proper handling by IT administrators who know how to carry out this operation. Aside from that, they should also follow some recommended best practices for adjusting these settings.

  • Test changes before applying them globally. Testing your Exploit Protection changes ensures they do not break applications or destabilize the system. Before rolling them out across your managed network, test on a single program, a pilot group of machines, or a virtual machine. Where a mitigation offers an Audit only option (Arbitrary Code Guard, Code integrity guard, Block remote images, Export and Import address filtering, and the ROP checks do), enable it in audit mode first and review the Security-Mitigations event log for hits before switching to enforcement.
  • Document changes. As an IT administrator, you should know the importance of keeping track of the configurations you did in Exploit Protection Settings. Your documentation should include details like the date, rationale, and any affected programs or systems. This will give you comprehensive information that you can later use for troubleshooting, audit references for compliance requirements, or even settings to replicate or revert.
  • Apply recommended settings. While custom configurations may be necessary to accommodate specific applications or environments, it’s always best to start with Microsoft’s recommended default settings. These defaults are designed to offer a balanced level of security while ensuring maximum compatibility across various systems and applications.
  • Restart as needed. Certain adjustments you made in Exploit Protection Settings will only be applied when you restart the affected programs or system. Initiating a restart ensures that modifications are correctly deployed and any in-memory settings are reset accordingly, especially for configurations that modify system-wide settings or when protection is added to/removed from specific programs. Additionally, always communicate to end-users the need for a restart if it affects their workflow, and plan for downtime to avoid disruptions.

Common Use Cases for Adjusting Exploit Protection Settings

1. Enhanced security

Strict exploit protection settings can benefit organizations that deal with sensitive data or those at high risk of encountering cyber threats. These high-risk environments can leverage advanced mitigations like Control Flow Guard (CFG) and Address Space Layout Randomization (ASLR), which can help reduce common exploits by obstructing attackers from predicting memory locations or taking control over program execution. By enabling these protections universally, you create an additional layer of security against various threats.

2. Compatibility issues

Compatibility issues arise when an application does not function properly under the default Exploit Protection settings, typically because a mitigation conflicts with something the program legitimately does (for example, an application that generates code at runtime will fail under Arbitrary Code Guard, and one that loads unsigned plug-ins will fail under Code integrity guard). In these cases, disabling the specific mitigation for that program may be necessary to allow it to run. IT administrators should understand what each mitigation protects against before disabling it, so that the exception is limited to one mitigation for one program and does not weaken overall system security.

Troubleshooting and FAQs

IT administrators may encounter issues or questions when changing Windows Defender Exploit Protection settings. Here are common issues you may encounter, their resolutions, and some of the most frequently asked questions.

Common issues and troubleshooting

1. Programs stopped working properly after the changes. As outlined above, compatibility issues may occur when there’s a conflict between the application’s code and the active security protections, resulting in applications not functioning correctly. Here’s what you can do:

    • Revert the affected program to the defaults (or remove its custom entry) and confirm it works again. Then re-enable mitigations one at a time, ideally in audit mode first, to find the one that conflicts; the Security-Mitigations event log records which mitigation fired and in which process. This narrows the exception to a single mitigation for a single program instead of weakening protection everywhere.

2. System performance has degraded. There are times that you may notice a significant drop in system performance after modifying Exploit Protection settings. This could result from increased resource consumption due to the security features you set. Here’s what you can do:

    • Identify which programs or protection settings are causing the slowdown. Adjust or disable them temporarily.
    • Test the setting in isolation to pinpoint which configuration is responsible for the performance issues.
    • If necessary, fine-tune the settings to balance security and system performance.

3. Protection across applications is not consistent. When using Exploit Protection, users may notice that some applications are still susceptible to vulnerabilities, causing failure to protect them fully. This may be due to misconfiguration or exclusions that are intentional or not. The problem could occur if a program wasn’t properly added to the list of customized settings or if the protection profiles are not uniformly applied. Here’s what you can do:

    • Thoroughly check all necessary programs and see if they are properly added to the list.
    • Verify if settings are consistently applied across all relevant software.
    • Additionally, you can conduct a scheduled regular review of the settings and see if their uniform settings are enforced across relevant programs and systems.
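An added example (not from the original article) for the first issue above: rather than guessing which mitigation broke a program, read the Security-Mitigations event logs, where Windows records each enforced or audited mitigation together with the process it hit. The two channel names are the ones Microsoft documents for this feature; legacyapp.exe and the one-day window are assumptions.

```powershell
# Added example (not from the original article): find out which Exploit
# Protection mitigation terminated or flagged a program by reading the
# Security-Mitigations event logs. Run in an elevated PowerShell session.
# The channel names are the documented ones; the target process name and
# the time window are assumptions for illustration.

$channels = 'Microsoft-Windows-Security-Mitigations/UserMode',
            'Microsoft-Windows-Security-Mitigations/KernelMode'
$since    = (Get-Date).AddDays(-1)
$target   = 'legacyapp.exe'   # assumed name of the misbehaving program

# Confirm the channels exist and how many records they hold.
Get-WinEvent -ListLog 'Microsoft-Windows-Security-Mitigations*' |
    Select-Object LogName, RecordCount, IsEnabled |
    Format-Table -AutoSize

# Collect recent events from both channels. An empty log raises a
# non-terminating "no events found" error, which is safe to suppress.
$events = @(foreach ($channel in $channels) {
    Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $since } `
                 -ErrorAction SilentlyContinue
})

if ($events.Count -eq 0) {
    Write-Host "No mitigation events since $since; the failure is probably not Exploit Protection."
    return
}

# Summarise by event ID: each ID corresponds to one mitigation in either
# audit or enforce mode, and the first message line names it.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    Select-Object Count, @{n='EventId'; e={ $_.Name }},
                  @{n='Example'; e={ ($_.Group[0].Message -split "`n")[0] }} |
    Format-Table -AutoSize -Wrap

# Show only the events that mention the program we are troubleshooting.
# The message text includes the image path of the affected process.
$events |
    Where-Object { $_.Message -match [regex]::Escape($target) } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
                  @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize -Wrap
```

Once the output names the mitigation (for example an Arbitrary Code Guard block), disable only that mitigation for the program with Set-ProcessMitigation -Name legacyapp.exe -Disable <mitigation>, restart the program, and re-run the query to confirm the events stop; a program that is still failing with no events in these logs has a different problem.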

Frequently Asked Questions

  • What happens if I disable a protection setting?

Since Windows Defender Exploit Protection serves as a proactive defense against threats, disabling some protection settings may increase the risk of exposing your system or certain applications to vulnerabilities. However, there are instances where disabling them could be necessary, like when they affect the functionalities of certain programs.

  • How can I verify the changes?

Run Get-ProcessMitigation -Name <program.exe> for a specific program, or Get-ProcessMitigation -System for the defaults, in an elevated PowerShell session and check that each mitigation shows the expected ON, OFF, or NOTSET value. For a complete picture, export the configuration with Get-ProcessMitigation -RegistryConfigFilePath <file.xml> and compare it with the export you took before the change.

  • Can these settings be managed centrally?

Yes. IT administrators can use Group Policy or Microsoft Intune to centrally manage Exploit Protection settings. In Group Policy, the Use a common set of exploit protection settings policy (under Windows Components > Windows Defender Exploit Guard > Exploit Protection) points every client at a shared XML file exported from a reference machine; Intune's endpoint security attack surface reduction profiles can deliver the same XML. This is typical in enterprise environments where administrators manage many devices and need Exploit Protection enforced uniformly across systems and the programs that matter.

Enhancing Security Posture Through Exploit Protection Settings

Windows Defender Exploit Protection is a critical component of any robust security strategy for Windows systems. Properly configuring Exploit Protection settings can help organizations and individuals enhance their defenses against sophisticated cyberattacks. The comprehensive steps outlined above should enable you to understand and manage Exploit Protection settings and empower you to take necessary actions to strengthen your system’s security posture.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and back up all your devices centrally, remotely, and at scale.
