
How to enable Exploit Protection on Windows using Windows Security App, Microsoft Endpoint Configuration Manager, and Group Policy Editor

Exploit Protection

According to the official Microsoft reference, Exploit Protection provides advanced protections for applications that IT Pros can apply after the developer has compiled and distributed the software. The premise is that the struggle between attackers and IT Pros/sysadmins has never been easy: attackers constantly explore new options to infiltrate your devices and exploit your network to gain access to your data. As an IT admin, you are expected to apply every available measure to protect corporate or personal devices from internal and external attacks.

Taking the time to explore the Exploit Protection feature built into Windows 10 and later can save you from many attacks. This article therefore takes you through the step-by-step process of enabling Exploit Protection on Windows using the Windows Security app, Microsoft Endpoint Configuration Manager and Group Policy. Before we proceed to the steps, let's look at what Exploit Protection is.

Exploit Protection is a security feature available in Windows (Windows Server as well as client editions such as Windows 10 and 11) and in Microsoft 365 that helps protect against malware that uses exploits to infect devices and spread. It consists of many mitigations that can be applied to either the operating system or individual programs.

Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in Exploit Protection.


There are various ways to enable Exploit Protection:

  1. Windows Security App
  2. Microsoft Endpoint Configuration Manager
  3. Group Policy
  4. PowerShell

Enabling Exploit Protection using Windows Security app

  1. Open the Windows Security app by searching the Start menu for Security.
  2. Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection settings as shown in the screenshot below.

3. Go to Program settings and choose the app you want to apply mitigations to.

Things to do under Program settings:

  • If the app you want to configure is already listed, select it, and then select Edit.
  • If the app is not listed, look at the top and select Add program to customize, then choose how you want to add the app. There are two options to choose from. Select Add by program name to have the mitigation applied to any running process with that name.
  • As shown in the screenshot above, the program must be specified with its file extension, e.g. adding the Zoom desktop application means entering its name with the .exe extension. You can enter a full path to limit the mitigation to only the app with that name in that location, or use Choose exact file path to open the standard Windows Explorer file picker and select the program you want, as shown in the screenshot below.

4. After selecting the app, you will see a list of all the mitigations that can be applied. Choosing Audit applies the mitigation in audit mode only, which lets you test how the mitigation behaves for a given app in a test environment and gauge how it will behave in production before you finally enforce it. This way you can confirm that exploit protection has no negative impact on your line-of-business (LOB) apps. You will be notified if you need to restart the app, or restart Windows, after applying it.

5. If you wish to apply mitigations to all your apps or files, repeat steps 3 and 4 above for each one and select the mitigations you want to configure.

6. Under the System settings section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren’t configured individually in the Program settings section use the settings that are configured here.

  • On by default: The mitigation is enabled for apps that don’t have this mitigation set in the app-specific Program settings section
  • Off by default: The mitigation is disabled for apps that don’t have this mitigation set in the app-specific Program settings section
  • Use default: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 or Windows 11 installation; the default value (On or Off) is always specified next to the Use default label for each mitigation

Repeat step 6 for all the system-level mitigations you want to configure. Select Apply when you’re done setting up your configuration.
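The PowerShell route listed above, as an added example that is not part of the original post: it stages app-specific mitigations in audit mode, reviews the resulting audit events, and exports the XML file that the Configuration Manager and Group Policy methods consume. The program name zoom.exe, the export path under C:\Program Files\XMLFile and the chosen mitigations are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# The program name, export path and mitigation choices below are assumptions.

$app = 'zoom.exe'                                          # assumed LOB app, matched by process name
$xml = 'C:\Program Files\XMLFile\ExploitProtection.xml'    # assumed location for the exported policy

# 1. Record what is in force today, per program and system-wide, before changing anything.
Get-ProcessMitigation -Name $app
Get-ProcessMitigation -System

# 2. Stage the app-specific mitigations in audit mode (the Audit checkbox in the
#    Windows Security app). Only mitigations that have an Audit* switch can be audited.
Set-ProcessMitigation -Name $app -Enable AuditDynamicCode, AuditChildProcess, AuditRemoteImageLoads

# 3. System-level defaults for programs without their own entry (step 6 above).
#    DEP and SEHOP have no audit mode, so they are enforced directly.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy

# 4. Review what the audited mitigations would have blocked during the test period.
#    Audit and enforcement events are written to the Security-Mitigations operational logs.
$logs = 'Microsoft-Windows-Security-Mitigations/UserMode',
        'Microsoft-Windows-Security-Mitigations/KernelMode'
Get-WinEvent -FilterHashtable @{ LogName = $logs; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$app*" } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 5. Once the audit period is clean, switch the app from audit to enforcement.
Set-ProcessMitigation -Name $app -Disable AuditDynamicCode, AuditChildProcess, AuditRemoteImageLoads `
                                 -Enable  DynamicCode, DisallowChildProcessCreation, BlockRemoteImages

# 6. Export the resulting configuration as the XML file that the Endpoint Configuration
#    Manager profile (Select XML File) and the Group Policy setting
#    'Use a common set of exploit protection settings' both consume.
New-Item -ItemType Directory -Path (Split-Path $xml) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $xml
Get-Content $xml | Select-Object -First 20

# To re-apply the exported file on another machine:  Set-ProcessMitigation -PolicyFilePath $xml
# To clear the app-specific entry entirely:          Set-ProcessMitigation -Name $app -Remove
```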

Enable Exploit Protection using Microsoft Endpoint Configuration Manager

  1. Sign in to the Endpoint Configuration Manager portal 
  2. When you sign in, go to Endpoint Security > Attack surface reduction.
  3. Select Create Policy > Platform, and for Profile, choose Exploit Protection and then select Create.
Enable Exploit Protection in Microsoft Endpoint Configuration Manager

4. Specify a name and a description, and then choose Next. As shown in the screenshot below, we named it win10ExploitPro and added the description Demo. There is no fixed name for this; you are free to choose any name as long as it meets your naming standard.

Specify the Exploit Protection Profile Name

5. Choose Select XML File and browse to the location of the exploit protection XML file. Select the file, and then choose Next. We have already created our XML file with the policy conditions defined, as shown in the screenshot below:

6. Configure Scope tags and Assignments if necessary. Here we leave the Scope tags at their default but configure the Assignments so that the policy is assigned to the intended targets at once. In the Assignments tab, we assigned it to groups, all users, and all devices. What you choose depends on what you hope to achieve with your configuration.

Assignments of

7. Under Review + create, review your configuration settings, and then choose Create.

Exploit Protection Policy Created

After creating the Exploit Protection policy, you can double-click the policy name for an overview of the policy's metrics for performance tracking, as shown in the screenshot.

Policy Metrics

Enable Exploit Protection using Group Policy

  1. Press Windows + R to open the Run dialog box, type gpedit.exe, and then press Enter.
Local Group Policy

2. In the Local Group Policy Editor management console, go to Computer Configuration and select Administrative Templates.

3. Expand the tree to Windows Components > Windows Defender Exploit Guard > Exploit Protection, then right-click the setting Use a common set of exploit protection settings.

4. Select Enabled, type the file path to the XML file in the field provided, and then click OK. The path here is C:\Program Files\XMLFile; your path may differ from ours.

Note: The above steps apply to Windows 10, Windows 11 and Windows Server. On a standalone Windows system the Group Policy Management Console takes the form of the Local Group Policy Editor, because the policy is domiciled on your local system rather than on a server with a Domain Controller.