
Harden Your Windows Security: Master Microsoft Defender’s Advanced Protections

This guide upgrades Microsoft Defender from “default AV” to a layered endpoint defense. You’ll enable network-level blocking, stop junkware, lock down data folders from ransomware, apply exploit & attack-surface mitigations, and turn on modern identity protections. Everything here is safe, reversible, and aligned with current Microsoft documentation.




0) Audience & Objectives

Who: Security-minded Windows 10/11 users, power users, and small teams (with optional GPO/Intune notes).
Goals:
  • Block malicious connections across all apps (Network Protection).
  • Stop adware and bundlers (PUA blocking).
  • Prevent unauthorized encryption of your files (Controlled Folder Access).
  • Add exploit mitigations & reduce attack surface (Exploit Protection + ASR rules).
  • Turn on modern platform protections (Credential Guard, LSA Protection, Core isolation/Memory integrity).




1) Quick Start (10 Minutes, Safe Defaults)

1.1 Reputation & Real-time Protections
Windows Security → App & browser control → Reputation-based protection settings → turn ON:
  • Potentially unwanted app (PUA) blocking
  • SmartScreen for Microsoft Edge + Microsoft Store apps
Windows Security → Virus & threat protection → Manage settings → ensure: Real-time protection, Cloud-delivered protection, Automatic sample submission, and Tamper Protection are ON.

1.2 Network Protection (blocks malicious domains/URLs OS-wide)
PowerShell (Admin):
Code:
Set-MpPreference -EnableNetworkProtection Enabled
(Optional preflight) Audit first:
Code:
Set-MpPreference -EnableNetworkProtection AuditMode
Verify later in Section 8.

1.3 Controlled Folder Access (CFA)
Windows Security → Virus & threat protection → Ransomware protection → Manage ransomware protection → Controlled folder access = ON. Add your key data folders (D:\Projects, etc.).




2) Attack Surface Reduction (ASR) Rules — High-Value Add

ASR rules shut down common initial access & post-exploitation tricks (malicious Office child processes, obfuscated scripts, credential stealing, etc.). Configure via PowerShell (Admin).
Important: Use Add-MpPreference to append; Set-MpPreference overwrites lists.

Recommended baseline (examples)
Code:
# Block Office from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

# Block Office apps from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled

# Block executable content from email client and webmail
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 -AttackSurfaceReductionRules_Actions Enabled

# Block JavaScript/VBScript from launching downloaded executables
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled

Start in AuditMode if you’re cautious: replace Enabled with AuditMode for each rule, then review events before enforcing. Full rule catalog in Microsoft’s reference.
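
The following is an added example, not part of the original guide: it applies the five rules above as one batch in AuditMode and then reads Defender's configured state back so you can confirm each rule landed with the action you intended. The GUIDs are the ones listed above; the numeric action codes (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn) are Defender's own encoding as returned by Get-MpPreference. The function names are assumptions chosen for this example.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# Rule GUID -> short description (GUIDs as listed in the guide above).
$AsrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office: block child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office: block code injection'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Email/webmail: block executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'LSASS: block credential stealing'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBS: block launching downloaded executables'
}

# Defender's numeric action values as returned by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrBaseline {
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Disabled', 'Warn')]
        [string]$Mode = 'AuditMode'
    )
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference appends to the existing rule list; Set-MpPreference would replace it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrBaselineStatus {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        # Rule IDs and actions are parallel arrays; find our GUID case-insensitively.
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) { $idx = $i; break }
        }
        $state = if ($idx -ge 0) { $ActionNames[[int]$actions[$idx]] } else { 'Not configured' }
        [pscustomobject]@{ RuleId = $id; Description = $AsrRules[$id]; State = $state }
    }
}

# Stage 1: audit only, then review events (see Section 8) before switching to Enabled.
Set-AsrBaseline -Mode AuditMode
Get-AsrBaselineStatus | Format-Table -AutoSize

# Stage 2, once the audit events look clean:
# Set-AsrBaseline -Mode Enabled
```

Because Add-MpPreference appends, re-running Set-AsrBaseline with a different mode simply updates the action for rules that are already present; the read-back table is the quickest way to confirm nothing was left at "Not configured" after a policy refresh from GPO or Intune.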




3) PUA Blocking & Network Protection — Details

PUA Blocking reduces junkware, bundlers, ad injectors. Keep it ON even if you use a different browser—Defender scans all incoming files.

Network Protection extends SmartScreen reputation checks to all processes (not just Edge). Use AuditMode to measure impact, then switch to Enabled. Defender must be in active mode for NP to work.




4) Controlled Folder Access (CFA) — Practical Tips

  • Defaults (Documents, Pictures, Desktop, etc.) are protected; add work folders on other drives.
  • Allow only the exact executable path if CFA blocks a trusted app. After allowing, restart the app/service to apply.
PowerShell (Admin):
Code:
# Enable CFA
Set-MpPreference -EnableControlledFolderAccess Enabled

# Add protected folders
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Projects"
Add-MpPreference -ControlledFolderAccessProtectedFolders "E:\Media\Photos"

# Allow a specific app
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Vendor\App\App.exe"





5) Exploit Protection — Keep System Defaults, Add App Overrides

Use Windows Security → App & browser control → Exploit protection. Keep system defaults; add Program settings for high-risk apps (readers, media tools, legacy line-of-business). Export your policy XML and reuse it across devices:
Code:
# Import an XML you exported earlier
Set-ProcessMitigation -PolicyFilePath "C:\ExploitConfig.xml"
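
As an added example (not the guide's own commands), the per-app "Program settings" step and the export can also be done from PowerShell with the same cmdlet family, which is handy when building the reference XML on one machine. The application name LegacyViewer.exe and the path C:\ExploitConfig.xml are placeholders; the mitigation switch names are those accepted by Set-ProcessMitigation -Enable.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$AppName   = 'LegacyViewer.exe'       # placeholder: a high-risk legacy app to harden
$ExportXml = 'C:\ExploitConfig.xml'   # placeholder path, matching the guide's import example

# 1) Per-app overrides layered on top of the untouched system defaults.
#    DEP/SEHOP harden memory handling; ForceRelocateImages + BottomUp + HighEntropy
#    give the app ASLR even if it was not built for it; BlockRemoteImageLoads and
#    DisallowChildProcessCreation remove two common abuse paths for document viewers.
Set-ProcessMitigation -Name $AppName -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, HighEntropy, BlockRemoteImageLoads, DisallowChildProcessCreation

# 2) Read the effective per-app settings back for a sanity check.
Get-ProcessMitigation -Name $AppName

# 3) Export the complete policy (system defaults + every program setting) to XML.
Get-ProcessMitigation -RegistryConfigFilePath $ExportXml

# 4) On other devices, import the same XML (this is the guide's import command):
# Set-ProcessMitigation -PolicyFilePath $ExportXml

# 5) Roll back the per-app overrides if the app misbehaves under them.
# Set-ProcessMitigation -Name $AppName -Remove
```

Test each override set against the app's real workload before exporting: mitigations such as DisallowChildProcessCreation are exactly the ones a legacy tool may trip over (print dialogs, helper updaters), and the export captures whatever state the reference machine is in.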





6) Platform Protections: Credential Guard, LSA Protection, Core Isolation

Credential Guard (CG) isolates secrets using VBS. On Windows 11 22H2+ it’s enabled by default on devices that meet requirements (licensing & hardware); admins can still enforce via GPO/Intune.

How to enable (GPO path):
Computer Configuration → Administrative Templates → System → Device Guard → Turn On Virtualization-Based Security → Enable, then choose a Credential Guard option (with/without UEFI lock).

LSA Protection (RunAsPPL) helps defend credential material in LSASS. On Windows 11 22H2+, audit mode is on by default; automatic enablement depends on install type and HVCI capability. Follow Microsoft’s guidance if you want to enforce it.

Core isolation / Memory integrity (HVCI) protects kernel memory and blocks vulnerable drivers. Turn it on in Windows Security → Device security → Core isolation details → Memory integrity.
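
Since all three of these depend on hardware and policy, it is worth checking what is actually running rather than what is configured. The following is an added example, not from the original guide: it reads the Win32_DeviceGuard WMI class (value meanings per Microsoft's documentation of that class), the RunAsPPL registry value, and the WinInit event that records LSASS starting as a protected process. The function name is an assumption for this example.

```powershell
# Added example (not from the original guide). Works as a standard user.

function Get-PlatformProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesConfigured / SecurityServicesRunning contain service codes:
    # 1 = Credential Guard, 2 = HVCI (Memory integrity), 3 = System Guard Secure Launch,
    # 4 = SMM Firmware Measurement.
    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbsStatus = @('Off', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]

    # LSA Protection policy value (Microsoft's documented meanings):
    # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock (Windows 11 22H2+).
    # Absent means no explicit policy; on 22H2+ the OS may still enable it automatically.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $lsaPolicy = switch ($runAsPpl) {
        1       { 'Enabled (UEFI lock)' }
        2       { 'Enabled (no UEFI lock)' }
        default { 'Not set in registry' }
    }

    # Runtime truth: WinInit logs event 12 in the System log when LSASS starts protected.
    $lsaEvent = $null
    try {
        $lsaEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction Stop
    } catch { }   # Get-WinEvent throws when no matching event exists

    [pscustomobject]@{
        'VBS status'                      = $vbsStatus
        'Credential Guard configured'     = ($configured -contains 1)
        'Credential Guard running'        = ($running -contains 1)
        'Memory integrity (HVCI) running' = ($running -contains 2)
        'LSA Protection policy'           = $lsaPolicy
        'LSASS started protected (evt 12)' = [bool]$lsaEvent
        'Last LSASS protection event'     = if ($lsaEvent) { $lsaEvent.Message.Trim() } else { 'none found' }
    }
}

Get-PlatformProtectionStatus | Format-List
```

"Configured" without "running" is the common failure mode: VBS is turned on by policy but the device lacks a requirement (UEFI, IOMMU, or an incompatible driver blocking HVCI), so check both columns after every firmware or driver update.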




7) Exclusions: When You Truly Need Them (And How)

Exclusions weaken protection—avoid unless necessary (e.g., performance on known-good build folders). If required, scope as narrowly as possible (specific process or path), and review quarterly. Configure via Intune, GPO, or PowerShell as documented.




8) Verification, Logs & Safe Testing

Status checks (PowerShell, Admin):
Code:
Get-MpPreference | Select PUAProtection,EnableNetworkProtection,EnableControlledFolderAccess,MAPSReporting,SubmitSamplesConsent

Network Protection test: enable AuditMode, visit Microsoft’s test URLs (non-malicious) to generate events; then switch to Block mode.

Eventing & troubleshooting:
  • Network Protection requirements/modes & troubleshooting flow.
  • CFA evaluation & audit before broad rollout.
  • ASR rule events (AuditMode first, then Enabled).
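
The audit-first workflow in this section only works if you actually read the events. As an added example (not from the original guide), the script below summarizes the Defender operational log entries generated by ASR (1121 block / 1122 audit), Controlled Folder Access (1123 block / 1124 audit), Network Protection (1125 audit / 1126 block) and configuration changes (5007). The log name and IDs are Microsoft's; the EventData field names used for the process, path and rule columns, the look-back window and the function name are assumptions for this example, so adjust the columns if a field shows up empty on your build.

```powershell
# Added example (not from the original guide). Reading the Defender log needs an elevated shell.
#Requires -RunAsAdministrator

$EventMeaning = @{
    1121 = 'ASR: blocked';                1122 = 'ASR: audit (would block)'
    1123 = 'CFA: blocked';                1124 = 'CFA: audit (would block)'
    1125 = 'Network Protection: audit';   1126 = 'Network Protection: blocked'
    5007 = 'Defender configuration changed'
}

function Get-DefenderGuardEvents {
    param([int]$Days = 7, [int]$MaxEvents = 2000)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$EventMeaning.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no events".
        return @()
    }
    foreach ($e in $events) {
        # Each event carries named EventData fields; collect whatever is present so the same
        # code serves ASR, CFA and NP events without caring which fields a given ID has.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            Where-Object { $_ -and $_.Name } |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $EventMeaning[$e.Id]
            Process = $data['Process Name']   # assumed field name: initiating process
            Target  = $data['Path']           # assumed field name: file path or URL
            RuleId  = $data['ID']             # assumed field name: ASR rule GUID (ASR events only)
        }
    }
}

$events = Get-DefenderGuardEvents -Days 7

'Events by type (last 7 days):'
$events | Group-Object Meaning | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

'Most frequent process/target pairs (candidates to allow, fix, or investigate):'
$events | Where-Object { $_.Id -ne 5007 } |
    Group-Object Process, Target | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize
```

Read the second table before flipping anything to Block: a single line-of-business installer dominating the 1124 (CFA audit) count is a signal to add that exact executable to the allowed list, whereas a spread of unfamiliar scripts hitting 1122 (ASR audit) is the kind of activity the rule exists to stop and should be enforced, not excused.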




9) Enterprise/Pro: Policy Mappings (GPO/Intune)

Microsoft Defender Antivirus (GPO):
Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Configure PUA: Block, Cloud protection ON, and Exploit Guard → Attack Surface Reduction (set rule GUIDs to Block/Audit).

Network Protection: Enable Block or Audit, ensure Defender is active. Server scenarios may also require allowing NP via the relevant CSP/policy on down-level SKUs.

Exploit Protection: Export XML from a reference machine and deploy via GPO/MDM.

Credential Guard: Enforce via GPO/Intune (VBS required). Prefer “Enabled without lock” if you need the option to disable remotely.




10) Monthly Maintenance (10 Minutes)

  • Windows Update + Defender signatures.
  • Windows Security → Protection history: resolve false positives, tighten allow-lists.
  • Review CFA allowed apps & protected folders; remove stale entries after app updates.
  • Re-export Exploit Protection XML after changes.
  • Spot-check NP/ASR events; keep NP in Block mode once stable.




11) Copy-Paste Admin Commands (Reference)

Code:
# PUA block
Set-MpPreference -PUAProtection 1

# Network Protection (Audit → Block)
Set-MpPreference -EnableNetworkProtection AuditMode

# ... after testing:
Set-MpPreference -EnableNetworkProtection Enabled

# Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Data"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Tools\App\App.exe"

# Sample ASR rule (append; see Section 2 for more)
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled





Minimal Hardened Baseline (Summary)

  • PUA = On; Cloud protection = On; Tamper Protection = On.
  • Network Protection = Enabled (Block) after brief audit.
  • Controlled Folder Access = On; allow only required executables.
  • Exploit Protection = System defaults + per-app overrides; export XML.
  • ASR rules = Enabled (start in AuditMode if unsure).
  • Credential Guard + LSA Protection + Memory integrity = On where supported.




Conclusion

With NP, PUA blocking, CFA, Exploit Protection, ASR rules, and platform hardening (CG/LSA/HVCI), Defender becomes a **multi-layer control set**—stopping bad domains, blocking risky files, denying unauthorized writes, raising exploit friction, and isolating credentials. Roll changes in audit, measure events, then enforce. Keep exceptions narrow, document them, and review monthly.