Configuring Windows Defender Exploit Guard Network Protection in Windows

In the face of phishing scams and other malicious online content, Windows Defender Exploit Guard Network Protection can establish a layer of security over endpoints. This guide will walk you through different ways to configure Windows Defender Network Protection and help your IT infrastructure withstand cyberattacks.

Steps to configure Windows Defender Network Protection

• Use the Local Group Policy Editor:

  • Press the Windows key + R, type gpedit.msc, and press Enter.
  • Under the Network Protection folder, enable the “Prevent users and apps from accessing dangerous websites” policy.

• Use an elevated PowerShell:

  • Press the Windows key + S and type powershell. Click Run as administrator under the Windows PowerShell icon.
  • Input the cmdlet Set-MpPreference -EnableNetworkProtection Enabled and press Enter.

• Use the WindowsSecurity App:

  • Open Windows Security by launching the Start menu, typing security, and pressing Enter.
  • Select App & browser control, Exploit protection settings, and Program settings. Choose the apps you want to apply exploit protection mitigations to.

• Verify your settings through the Registry Editor:

  • Press the Windows key + R, type regedit, and press Enter. Navigate to the Network Protection registry key via this path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection.
  • After selecting the EnableNetworkProtection policy in the Network Protection folder, check the corresponding value to see if Network Protection is disabled (0), enabled (1), or in audit mode (2).

• Manually audit web pages via the Windows Event Viewer:

  • Open the Start menu, type event viewer, and click on Event Viewer.
  • While in the Windows Defender (Operational) folder, refer to event ID 1125 to review logs of web pages flagged by Network Protection.

Understanding Network Protection in Windows 10/11

Before we get into setting up Network Protection, let’s first define what Network Protection in Windows 10/11 is and how it defends your devices from online threats.

What is Windows Defender Exploit Guard Network Protection?

Exploit Guard has been an integral part of Windows Defender’s operations. It first appeared on Windows 10 version 1709. Windows Defender Exploit Guard Network Protection uses the Intelligent Security Graph (ISG), a vast database comprising insights on security intelligence across all Microsoft products and services, in determining and analyzing common patterns and practices among rampant cyberattacks.

Windows Defender Exploit Guard operates through four components:

• Attack surface reduction: This focuses on blocking threats originating from Microsoft Office, scripts, and email-based.
• Controlled folder access: This involves limiting access to sensitive data in your computer’s files and folders.
• Exploit protection: This entails configuring exploit mitigations for your system and applications.
• Network protection: This focuses on protecting the device from web-based threats, usually by deceptive domains and IPs.

For this guide, we’ll focus on Exploit Guard’s network protection component.

How Windows Defender Network Protection helps prevent access to potentially dangerous domains and phishing sites

Despite strengthening cybersecurity measures, internet-based attackers have learned to adapt by enhancing strategies to steal information. They do so through methods such as phishing, scams, social engineering, unauthorized access to a command-and-control (C&C) center, and more.

Network Protection in Windows 10/11 aims to spot and terminate outbound connections to potentially dangerous domains. It uses information the ISG collates and reputation checks based on domains’ IP addresses. This filtering capability blocks and suspends the connection, once it recognizes a domain as a potential host to attacks.

Comparison between Windows Defender Network Protection and other security features in Microsoft Defender

Windows Defender’s Network Protection shares numerous similarities with Microsoft Defender SmartScreen, an anti-malware tool built into Microsoft Edge. The tools help protect computers from phishing attacks and suspected malicious files and programs. Additionally, both tools use the ISG to identify possible cyberattacks.

While they both aim to protect your system, they differ in mechanism. SmartScreen analyzes suspicious web pages, checks recent downloads, and notifies the user of a potential online threat through an early warning system. On the other hand, Network Protection promptly terminates the outbound connection at the first sign of danger, keeping attackers from establishing contact with vulnerable users.

Prerequisites and system requirements for Network Protection

Supported Windows versions of Exploit Guard Network Protection

Listed below are the versions of Windows that support Windows Defender and, by extension, Network Protection under Exploit Guard:

Windows 10	Windows 11	Windows Server
Windows 10 Enterprise Windows 10 Enterprise LTSC 2016 (or later) Windows 10 IoT Enterprise (including LTSC) Windows 10 Education Windows 10 Pro Windows 10 Pro Education Windows 10 on Arm	Windows 11 Enterprise Windows 11 IoT Enterprise Windows 11 Education Windows 11 Pro Windows 11 Pro Education Windows 11 on Arm	Windows Server 2012 R2 Windows Server 2016 Windows Server (version 1803 or later) Windows Server 2019 (and later) Windows Server 2019 (core edition) Windows Server 2022 Windows Server 2022 (core edition) Windows Server 2025

Licensing requirements for Windows Defender Network Protection

If your computer uses an enterprise-grade security platform called Microsoft Defender for Endpoint, the following licensing requirements for Windows Defender Network Protection should be met:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender for Business

The first two can be standalone licenses or as part of other Microsoft 365 plans, while the last one is usually reserved for small and medium-sized businesses.

Necessary permissions for Windows Defender Network Protection

To enable Network Protection on your device, you will need administrator-level permissions to configure settings in Windows Defender. If your computer is privately owned, you should already have such permissions by default. However, if your device is enterprise-owned, you may need to ask your IT team for administrator access.

Through Microsoft Defender for Endpoint, an administrator can use role-based access control (RBAC) to manage permissions and assign roles to different users or user groups. With RBAC, you can modify other users’ access to the Defender for Endpoint portal. The users can then enable Network Protection on their own devices.

Methods to enable Windows Defender Exploit Guard Network Protection

Now that we’ve discussed everything you need to know about Network Protection, let’s walk you through enabling the feature.

Using the Group Policy Editor to enable Windows Defender Network Protection

1. Open the Local Group Policy Editor by pressing the Windows key + R. Type gpedit.msc and click OK.
2. In the left section of the window, navigate to the Network Protection folder using the steps below:

Computer Configuration → Administrative Templates → Windows Components → Windows Defender Antivirus → Windows Defender Exploit Guard → Network Protection

3. In the right section of the window, double-click on Prevent users and apps from accessing dangerous websites. This enables you to edit the policy.
4. Select Enabled, select Block under Options, and click OK.

If you’re managing several endpoints in an enterprise environment and you want to deploy Network Protection to them, follow these steps:

1. Open the Group Policy Management Console (GPMC) by pressing the Windows key + R. Type gpmc.msc and click OK.
2. Double-click Group Policy Objects and look for the group policy object (GPO) you want to edit. Right-click this GPO and click Edit.
3. Repeat steps 2–4 in the previous section.

Enabling Windows Defender Network Protection via PowerShell

1. Open an elevated PowerShell by pressing the Windows key + S. Type powershell and click Run as administrator under the Windows PowerShell icon.
2. Type Set-MpPreference -EnableNetworkProtection Enabled and press Enter.
3. Close the elevated PowerShell and restart your computer.

You can also verify whether Network Protection has been enabled by using the “Get-MpPreference” cmdlet. The number next to the “EnableNetworkProtection” property signifies one of the following states:

• 0 — Disabled
• 1 — Enabled
• 2 — Audit Mode

Enabling exploit protection mitigations via the WindowsSecurity app

1. Open the Windows Security app by launching the Start menu, typing security in the search bar, and pressing Enter.
2. Click on the App & browser control tile and then select Exploit protection settings.
3. Navigate to Program settings and choose the app/s to which you want to apply exploit protection mitigations.

• • Select the app and then Edit if the app is already listed.
  • Otherwise, select Add program to customize to add the app.

4. Choose which mitigations you want to enable for your selected app. Repeat this process until you’ve applied all your preferred configurations. Note that you may be prompted to restart the process, app, or even Windows.
5. To configure a specific exploit protection mitigation, navigate to System settings and specify one of the following settings:

• • On by default 
  • Off by default
  • Use default (this depends on the default configuration during Windows 10/11 installation)

6. Finally, once you’ve made all the changes you want, click on Apply.

Verifying and testing Network Protection in Windows 10/11

Methods to confirm that Windows Defender Network Protection is active

In the PowerShell section, we briefly explained how to confirm whether Network Protection is enabled on the device. This can also be done through the Registry Editor. Here’s how:

1. Open Registry Editor by clicking on the Start button. Type regedit and press Enter. On the left panel, select HKEY_LOCAL_MACHINE.
2. Navigate to Network Protection. You can follow either of these paths:
   1. SOFTWARE → Policies → Microsoft → Windows Defender → Windows Defender Exploit Guard → Network Protection
   2. SOFTWARE → Microsoft → Windows Defender → Windows Defender Exploit Guard → Network Protection
3. Click on EnableNetworkProtection and confirm whether Network Protection is enabled, disabled, or on audit mode using the following values:
   • 0 — Disabled
   • 1 — Enabled
   • 2 — Audit Mode

Testing blocked URLs and logs in the Microsoft Defender Security Center

To check on specific URLs and logs to which you have blocked access for multiple endpoints under Network Protection, observe the steps below:

1. Log into the Microsoft Defender portal.
2. Click on Settings in the left panel, and then click on Endpoints.
3. Under Rules, select Indicators.
4. The blocked URLs should be listed under URLs/Domains.

Troubleshooting issues while configuring Network Protection

Common problems when enabling Windows Defender Network Protection

As your device uses Network Protection to log the web pages you access in real-time, there’s a chance that it will tag a safe website as a threat (false positive) or a malicious website as safe (false negative).

When this scenario occurs, you can report the tagged website as a false positive/negative via this Windows Defender Security Intelligence form.

In addition, Network Protection can slow your computer’s performance or internet connectivity as it actively functions to monitor and block potential online threats. If this problem persists despite an up-to-date Windows Defender, try switching to Network Protection’s audit mode by doing the following:

1. Open an elevated PowerShell.
2. Type Set-MpPreference -EnableNetworkProtection AuditMode and press Enter.

In audit mode, Network Protection allows all connections but still alerts you to possible risks, leaving you to manage these risks directly. All logs can be viewed in Windows Event Viewer, which we’ll discuss in the next section.

Logs and event viewer insights for debugging in Network Protection

To view Network Protection events logged in audit mode, perform these steps:

1. Open Windows Event Viewer by clicking the Start button, typing event viewer, and selecting Event Viewer.
2. Navigate to the Windows Defender (Operational) folder using this path:

Applications and Services Logs → Microsoft → Windows → Windows Defender (Operational)

3. Use Event ID 1125 to filter events triggered by Network Protection in audit mode. From here, you can address the web pages flagged by Network Protection and mark them as threats.

Disabling Windows Defender Network Protection if needed

While we usually advise against turning off Windows Defender, remember that Windows Defender is automatically disabled when you use a third-party antivirus program. Using the two security tools simultaneously can lead to compatibility issues and may slow down your endpoint’s performance.

If you prefer using a non-Windows antivirus tool and wish to disable Windows Defender:

1. Open an elevated PowerShell.
2. Type Set-MpPreference -EnableNetworkProtection Disabled and press Enter.

Best practices for IT administrators when enabling Network Protection in Windows

Combining Network Protection with other Windows security features

To further optimize the protection of your device from cyberattacks, we recommend enabling Network Protection alongside these Windows security features:

• Web Protection: As part of Microsoft Defender for Endpoint, Web Protection provides content filtering as support for custom compromise indicators.
• Exploit Protection: Built into the operating system as a Windows Defender Exploit Guard component, Exploit Protection combats malware (in the form of programs and applications).
• Windows Firewall: Enabled by default on every Windows device, this restricts access between your device and online domains it deems untrustworthy (usually based on your installed software and preapproved permissions).

Configuring exclusions for trusted domains in Network Protection

Creating a list of trusted domains and IPs through Network Protection lowers the occurrence of false positives and reduces unnecessary disruptions for end users. You can allow access to a specific domain via these steps:

1. Log into the Microsoft Defender portal.
2. Click on Settings and then Endpoints.
3. Under Rules, select Indicators.
4. Click on URL/Domain, followed by Add Item.
5. Type in the domain of the site and set the policy action to Allow.

Monitoring security logs for threat insights in Network Protection

For a more direct approach to viewing and acting on security logs, you can either use Network Protection’s audit mode or Windows Event Viewer, or both. Regularly updating your list of allowed and blocked domains also helps minimize steps in barring access from potentially dangerous domains.

On the overall importance of Windows Defender Network Protection

Enabling Windows Defender’s Network Protection offers various advantages in terms of safeguarding personal or enterprise devices and data. It can strengthen precise online security measures for personal computers. Additionally, it can help bar access between an unsafe domain and enterprise-managed endpoints.

Users can enable Windows Defender Network Protection in different ways. The feature can complement other Windows-based anti-malware tools to strengthen defenses against the latest cyberattacks and viruses. Just remember to update Windows Defender Exploit Guard regularly for more robust and up-to-date protection against emerging threats.