Solving Windows 11 Windows Defender Network Protection and Endpoint Detection Policy Configuration

Understanding Windows Defender Network Protection

Windows Defender Network Protection is a critical security feature in Windows 11 that helps shield your devices from malicious online threats. By blocking connections to known malicious websites and IP addresses, this capability serves as a crucial layer of defense against phishing scams, exploits, and other harmful content on the internet.

At its core, Windows Defender Network Protection expands the scope of Microsoft Defender SmartScreen to monitor and control all outbound HTTP(S) traffic from your system, not just within the Microsoft Edge browser. This allows the feature to provide web protection functionality across a wide range of supported applications, browsers, and network connections.

One key aspect of Network Protection is its tight integration with Endpoint Detection and Response (EDR) in Microsoft Defender for Endpoint. By leveraging EDR’s advanced threat detection and response capabilities, Network Protection can identify and block connections to command-and-control (C2) servers used in sophisticated, human-operated ransomware attacks. This helps disrupt the attack chain and prevent further escalation.

Configuring Network Protection in Windows 11

To enable and manage Network Protection in your Windows 11 environment, you have several options:

Group Policy Configuration

For centralized management, you can use Group Policy to configure Network Protection settings across your organization. The relevant policy settings are located under Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Network Protection.

Here, you can enable Network Protection in either audit mode or block mode, depending on your security requirements and the impact assessment you want to perform. Audit mode allows you to observe the would-be blocked connections without actually enforcing the blocks, while block mode actively prevents access to identified malicious sites and IP addresses.

PowerShell Configuration

Alternatively, you can use PowerShell cmdlets to enable and configure Network Protection. The following commands turn on the feature in block mode; the two Allow* switches are only needed on Windows Server and down-level hosts (see the registry values below):

```powershell
# Turn on Network Protection in block mode (use AuditMode instead of Enabled to observe only)
Set-MpPreference -EnableNetworkProtection Enabled
# Windows Server and down-level hosts additionally need these two switches
Set-MpPreference -AllowNetworkProtectionOnWinServer 1
Set-MpPreference -AllowNetworkProtectionDownLevel 1
```

For Windows Server environments, including Windows 10 Enterprise multi-session, you’ll also need to set the following registry values under the Network Protection key to ensure the feature works:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
EnableNetworkProtection = 1
AllowNetworkProtectionOnWinServer = 1
AllowNetworkProtectionDownLevel = 1

Intune Configuration

If you’re managing your Windows 11 devices through Microsoft Intune, you can create a custom OMA-URI policy to enable and configure Network Protection. The relevant OMA-URI path is ./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection, which you can set to the desired value (0 for disabled, 1 for audit mode, 2 for block mode).

Optimizing Network Protection Performance

In some cases, you may encounter performance or compatibility issues with Network Protection, particularly on Windows Server environments or in high-traffic scenarios. Microsoft has introduced a performance optimization feature that can help address these challenges.

This optimization allows Network Protection to asynchronously inspect long-lived network connections, which can improve overall performance. To enable this feature, you can use the following PowerShell cmdlet:

```powershell
Set-MpPreference -AllowSwitchToAsyncInspection $true
```

Conversely, if you’re experiencing any issues with this optimization, you can turn it off by setting the parameter to $false.

Troubleshooting Network Protection Errors

One commonly reported issue is the “Enable Network Protection – Error -2147467259” message on Windows Server 2016. It can appear when an antivirus policy with Network Protection enabled is assigned through Intune.

To address this problem, you can try the following steps:

  1. Verify Registry Settings: Ensure that the required registry keys for Network Protection are properly configured on the affected Windows Server 2016 machines. Refer to the earlier Windows Server configuration section for the necessary registry settings.

  2. Check Proxy Settings: Due to the environment in which Network Protection runs, the feature may not be able to detect operating system proxy settings. Configure a static proxy for Microsoft Defender Antivirus to resolve any connectivity issues.

  3. Disable QUIC Protocol: The QUIC protocol, which is not currently supported by Network Protection, can cause compatibility problems. Disable QUIC in Windows Firewall or at the web browser level to see if this resolves the error.

  4. Use Audit Mode First: If you’re still encountering issues, consider enabling Network Protection in audit mode first. This allows you to observe the would-be blocked connections without enforcing the blocks, giving you a better understanding of the potential impact before switching to block mode.

By addressing these common troubleshooting steps, you should be able to resolve the “Error -2147467259” and successfully enable Network Protection on your Windows Server 2016 environments.
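The following script is an added example and not part of the original article: it checks, in one pass, the state that the PowerShell, registry, performance and troubleshooting sections above describe, so an admin chasing the error can see which piece is missing. It assumes the Defender PowerShell module is present and the function name Test-NetworkProtectionConfig is ours.

```powershell
# Added example, not from the original article: audits the Defender settings
# the PowerShell, registry and troubleshooting sections above rely on and
# returns one object per check. Run it in an elevated PowerShell session on
# the Windows 11 or Windows Server 2016 host that reports Error -2147467259
# (HRESULT 0x80004005, E_FAIL) when the Intune policy is applied.

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'

# Get-MpPreference encodes EnableNetworkProtection as 0 = Disabled,
# 1 = Enabled (block mode), 2 = AuditMode.
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Test-NetworkProtectionConfig {
    $pref     = Get-MpPreference
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer = $os.ProductType -ne 1      # 1 = workstation, 2/3 = server
    $reg      = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    $findings = @()

    $mode = $ModeNames[[int]$pref.EnableNetworkProtection]
    $findings += [pscustomobject]@{ Check = 'Mode'; Value = $mode; Ok = ($mode -eq 'Block') }

    if ($isServer) {
        # Troubleshooting step 1: server hosts also need both Allow* switches,
        # which Set-MpPreference mirrors into the registry key above.
        foreach ($name in 'AllowNetworkProtectionOnWinServer', 'AllowNetworkProtectionDownLevel') {
            $findings += [pscustomobject]@{ Check = $name; Value = $pref.$name; Ok = ($pref.$name -eq $true) }
        }
        foreach ($name in 'EnableNetworkProtection', 'AllowNetworkProtectionOnWinServer', 'AllowNetworkProtectionDownLevel') {
            $value = if ($reg) { $reg.$name } else { $null }
            $findings += [pscustomobject]@{ Check = "Registry:$name"; Value = $value; Ok = ($null -ne $value) }
        }
    }

    # Troubleshooting step 2: Network Protection does not see the OS proxy
    # settings, so Defender needs its own static proxy or PAC URL when the host
    # reaches the internet through a proxy (informational if no proxy is used).
    $proxy = if ($pref.ProxyServer) { $pref.ProxyServer } elseif ($pref.ProxyPacUrl) { $pref.ProxyPacUrl } else { '(none configured)' }
    $findings += [pscustomobject]@{ Check = 'DefenderProxy'; Value = $proxy; Ok = $true }

    # Performance section: report the async inspection switch for reference.
    $findings += [pscustomobject]@{ Check = 'AllowSwitchToAsyncInspection'; Value = $pref.AllowSwitchToAsyncInspection; Ok = $true }
    return $findings
}

Test-NetworkProtectionConfig | Format-Table -AutoSize
```

Any row with Ok = False points at the setting to fix before re-assigning the Intune policy.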

Integrating Network Protection with Microsoft Defender for Endpoint

To gain the full benefits of Windows Defender Network Protection, it’s highly recommended to integrate it with Microsoft Defender for Endpoint. This powerful security platform provides advanced threat detection, investigation, and response capabilities that work seamlessly with Network Protection.

When used together, Network Protection can leverage Defender for Endpoint’s Endpoint Detection and Response (EDR) functionality to identify and block connections to malicious command-and-control (C2) infrastructure. This helps disrupt the attack chain and prevent further escalation of sophisticated, human-operated threats like ransomware.

Moreover, Defender for Endpoint offers detailed reporting and visibility into Network Protection events and blocks, allowing your security operations team to investigate and respond to potential threats more effectively. You can view these details in the Microsoft Defender portal or by using the advanced hunting capabilities within the platform.
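As an added example that is not part of the original article, the script below exercises Network Protection against the test domain Microsoft documents for evaluating the feature and then reads the local Defender operational-log events (1125 for audit, 1126 for block) that Defender for Endpoint surfaces in the portal, which is useful on a host that is not yet onboarded. The function names are ours.

```powershell
# Added example, not from the original article: fires a test request at the
# domain Microsoft documents for evaluating Network Protection, then reads the
# local Defender operational-log events (1125 = audit, 1126 = block) that
# Defender for Endpoint forwards to the portal. Run elevated on the endpoint.

$TestUrl = 'https://smartscreentestratings2.net'

function Invoke-NetworkProtectionTest {
    try {
        $null = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -TimeoutSec 15
        return 'Request succeeded: audit mode, disabled, or this process is not covered'
    } catch {
        # Block mode resets the connection, so the request fails here; generic
        # network errors land here too, which is why the log is checked next.
        return "Request failed: $($_.Exception.Message)"
    }
}

function Get-NetworkProtectionEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Field names come from the event template, so copy every EventData
        # entry (process, user, destination) instead of hard-coding them.
        $row = [ordered]@{
            Time   = $_.TimeCreated
            Action = if ($_.Id -eq 1126) { 'Blocked' } else { 'Audited' }
        }
        $xml = [xml]$_.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $row[$d.Name] = $d.'#text' } }
        [pscustomobject]$row
    }
}

Invoke-NetworkProtectionTest
Start-Sleep -Seconds 5
Get-NetworkProtectionEvents -Hours 1 | Format-List
```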

Conclusion

Windows Defender Network Protection is a crucial security feature in Windows 11 that helps safeguard your devices from a wide range of online threats. By blocking connections to known malicious websites and IP addresses, this capability serves as a vital layer of defense against phishing, exploits, and other harmful content.

To effectively configure and manage Network Protection in your Windows 11 environment, you can leverage Group Policy, PowerShell, or Intune-based approaches, depending on your organization’s needs and infrastructure. Additionally, integrating Network Protection with Microsoft Defender for Endpoint can provide enhanced threat detection, investigation, and response capabilities, further strengthening your overall security posture.

By following the guidance and troubleshooting steps outlined in this article, you’ll be well-equipped to solve any Windows Defender Network Protection and Endpoint Detection policy configuration challenges, ensuring your Windows 11 devices are protected from the latest cyber threats. For more information and updates on Microsoft security solutions, be sure to visit the IT Fix blog.
