Solving Windows 11 Windows Defender Network Protection and Endpoint Detection

Understanding Windows Defender Network Protection

Windows Defender Network Protection is a critical security feature in Windows 11 that helps safeguard devices from various internet-based threats. This capability, part of the broader Microsoft Defender for Endpoint solution, expands the scope of Microsoft Defender SmartScreen to block outbound HTTP(S) traffic attempting to connect to low-reputation sources, such as domains known to host phishing scams, exploits, and other malicious content.

Network protection operates at the operating system level, providing web protection functionality beyond just the Microsoft Edge browser. It can secure connections for other supported browsers and non-browser applications, helping to reduce the attack surface of your devices.

One of the key aspects of network protection is that it works in tandem with Endpoint Detection and Response (EDR). Custom indicators for IP addresses, URLs and domains, created from indicators of compromise (IOCs) observed during investigations, let network protection block connections to specific hosts, cutting compromised devices off from the command-and-control (C2) infrastructure used in human-operated ransomware attacks.

Enabling and Configuring Network Protection

Network protection can be enabled in either audit mode or block mode. Audit mode allows you to evaluate the impact of enabling network protection without actually blocking any connections, providing valuable insights into which URLs and IP addresses would be blocked if the feature were in active enforcement.

To enable network protection, you can use various management methods, such as Group Policy, PowerShell, or mobile device management (MDM) configuration service providers (CSPs). Network protection is part of the attack surface reduction group of capabilities in Microsoft Defender for Endpoint, so it requires Microsoft Defender Antivirus to be running with real-time protection and cloud-delivered protection enabled; without the cloud lookups, the reputation verdicts it depends on are never returned.

When network protection is enabled in block mode, it can be extended to cover a wider range of scenarios, including:

  • Blocking connections to known malicious URLs using the SmartScreen feed
  • Allowing administrators to create custom indicators for IPs, URLs, and domains to block
  • Integrating with web content filtering (WCF) policies to provide comprehensive web protection
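As an added example (not code from the original article), the following script performs the staged rollout described above from the device side: it checks the real-time and cloud-delivered protection prerequisites, enables network protection in audit mode by default, and switches to block mode only when run with an assumed `-Enforce` switch. The script name and switch are this example's own; the cmdlets and property names are the standard Defender Antivirus ones.

```powershell
# Set-NetworkProtection.ps1 (added example, not from the original article)
# Usage: .\Set-NetworkProtection.ps1            -> audit mode
#        .\Set-NetworkProtection.ps1 -Enforce   -> block mode
# Run in an elevated PowerShell session on a Windows 11 device with Microsoft Defender Antivirus.
param([switch]$Enforce)

$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# Network protection only engages when real-time protection is on, and its reputation
# lookups need cloud-delivered protection (MAPS). Fail early rather than silently no-op.
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Real-time protection is disabled; network protection will not engage.'
}
if ($prefs.MAPSReporting -eq 0) {
    throw 'Cloud-delivered protection is disabled (MAPSReporting = 0); reputation lookups will fail.'
}

# Audit mode records what would have been blocked without touching traffic; block mode enforces.
$target = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
Set-MpPreference -EnableNetworkProtection $target

# Read the setting back. Get-MpPreference reports it as an integer:
# 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$names = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }
$mode  = [int](Get-MpPreference).EnableNetworkProtection
"Network protection is now: $($names[$mode])"

# Leave the async-inspection optimization at its default (on) unless you are chasing a
# compatibility issue; it is the same AllowSwitchToAsyncInspection flag discussed later in this article.
"Async inspection of long-lived connections: $((Get-MpPreference).AllowSwitchToAsyncInspection)"
```

Run it without the switch first, leave the device in audit mode long enough to collect representative traffic, review the audit events, and only then rerun with `-Enforce`.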

Addressing Windows Defender Endpoint Detection and Response (EDR) in Block Mode

While network protection focuses on the network layer, Microsoft Defender for Endpoint's EDR in block mode provides an additional layer of protection when Microsoft Defender Antivirus is not the primary antivirus solution and is running in passive mode behind a non-Microsoft product.

EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities but may have been missed by the primary, non-Microsoft antivirus product. It allows Microsoft Defender Antivirus to take action on post-breach, behavioral EDR detections even though it is not the active antivirus, and the resulting remediation shows up in the Microsoft Defender portal alongside the device's other alerts.

To enable EDR in block mode, you can navigate to the Microsoft Defender portal, go to the Settings > Endpoints > General > Advanced features section, and turn on the “Enable EDR in block mode” option. This feature requires your organization to be using Microsoft Defender for Endpoint Plan 2.

It’s important to note that when EDR in block mode is enabled, and a malicious artifact is detected, Microsoft Defender for Endpoint will remediate that artifact, and your security operations team will see the detection status as “Blocked” or “Prevented” in the Action center, listed as completed actions.

Ensuring Optimal Protection with Microsoft Defender for Endpoint

To get the best protection value when using EDR in block mode, it's crucial to ensure that Microsoft Defender Antivirus keeps receiving security intelligence, engine and platform updates even while it is in passive mode, and that your exclusions are properly configured. EDR in block mode respects the exclusions defined for Microsoft Defender Antivirus, but not the indicators defined for Microsoft Defender for Endpoint, so an over-broad antivirus exclusion silently carves a hole in its remediation.
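The portal toggle itself cannot be checked from the endpoint, but the client-side preconditions can. This added example (not code from the original article) reports the antivirus running mode, update freshness and the exclusions that EDR in block mode will honor, flagging the patterns that most often defeat remediation. The "risky" heuristics are this example's own choice of what to flag; the cmdlets and property names are standard.

```powershell
# Check-EdrBlockModePrereqs.ps1 (added example, not from the original article)
# Run in an elevated PowerShell session on a device onboarded to Microsoft Defender for Endpoint.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference

# AMRunningMode distinguishes the cases this article discusses:
#   'Normal'         Defender Antivirus is the primary AV
#   'Passive Mode'   a non-Microsoft AV is primary; EDR in block mode is the safety net
#   'EDR Block Mode' Defender Antivirus is currently remediating an EDR detection
"Antivirus running mode  : $($status.AMRunningMode)"
"Engine version          : $($status.AMEngineVersion)"
"Platform version        : $($status.AMProductVersion)"
"Signature age (days)    : $($status.AntivirusSignatureAge)"

# Passive-mode installs are easy to forget; stale signatures mean stale remediation.
if ($status.AntivirusSignatureAge -gt 7) {
    Write-Warning 'Security intelligence is more than a week old; check update delivery for passive-mode devices.'
}

# EDR in block mode honors Defender Antivirus exclusions, so review them for over-broad entries.
$risky = @()
foreach ($p in $prefs.ExclusionPath) {
    # Whole drives, user-writable download/temp paths, or wildcard-only entries.
    if ($p -match '^[A-Za-z]:\\?$' -or
        $p -match '\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)' -or
        $p -match '^\*') { $risky += "path: $p" }
}
foreach ($e in $prefs.ExclusionExtension) {
    # Excluding executable content by extension disables scanning of exactly what attackers drop.
    if ($e.TrimStart('.') -in @('exe','dll','ps1','js','vbs','bat','cmd','scr')) { $risky += "extension: $e" }
}
foreach ($proc in $prefs.ExclusionProcess) {
    # Process exclusions for interpreters let any script they run go unscanned.
    if ($proc -match '(powershell|pwsh|cscript|wscript|mshta|rundll32)\.exe$') { $risky += "process: $proc" }
}

if ($risky.Count -gt 0) {
    Write-Warning ("Exclusions that weaken EDR in block mode:`n  " + ($risky -join "`n  "))
} else {
    'No over-broad exclusions found.'
}
```

Pair this with the portal check: the device must also appear as onboarded, and "Enable EDR in block mode" must be on under Settings > Endpoints > General > Advanced features.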

Microsoft recommends using roles with the fewest permissions to improve security for your organization. The Global Administrator role is a highly privileged role that should be limited to emergency scenarios when you can’t use an existing role.

Troubleshooting Network Protection and EDR Challenges

Network Connectivity Issues with Network Protection

In some cases, due to the environment where network protection runs, the feature might not be able to detect operating system proxy settings, and network protection clients may be unable to reach the cloud service. To resolve this, you can configure a static proxy for Microsoft Defender Antivirus.

Additionally, network protection cannot inspect QUIC (HTTP/3 over UDP port 443). When a browser negotiates QUIC with the servers you're trying to reach, those connections bypass inspection entirely, so disable QUIC at the web browser level or block outbound UDP 443 in Windows Firewall; the browser then falls back to TCP-based HTTPS, which network protection can evaluate.
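This added example (not code from the original article) applies both fixes from this troubleshooting section and validates the first one. Assumptions: the proxy address `http://proxy.corp.example:8080` is a placeholder, the `ProxyServer` registry value corresponds to the "Define proxy server for connecting to the network" Group Policy for Microsoft Defender Antivirus, the Microsoft Edge `QuicAllowed` policy is used to disable QUIC at the browser level, and the firewall rule name is this example's own.

```powershell
# Fix-NetworkProtectionConnectivity.ps1 (added example, not from the original article)
# Run in an elevated PowerShell session. Replace the proxy placeholder with your own.
$proxy = 'http://proxy.corp.example:8080'   # placeholder, not a real host

# 1. Static proxy for Defender Antivirus cloud traffic. Network protection's reputation
#    lookups ride on this channel, so an unreachable cloud service means no verdicts.
$avPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
New-Item -Path $avPolicy -Force | Out-Null
Set-ItemProperty -Path $avPolicy -Name ProxyServer -Value $proxy -Type String

# 2. Validate the cloud connection through the proxy. MpCmdRun exits non-zero on failure.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
if ($LASTEXITCODE -ne 0) {
    Write-Warning "MAPS validation failed (exit code $LASTEXITCODE); check the proxy and its allow-list."
} else {
    'MAPS connection validated through the static proxy.'
}

# 3a. Disable QUIC in Microsoft Edge by policy so HTTPS stays on TCP and remains inspectable.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edgePolicy -Force | Out-Null
Set-ItemProperty -Path $edgePolicy -Name QuicAllowed -Value 0 -Type DWord

# 3b. Belt and braces for other browsers: block outbound UDP 443 so QUIC cannot be negotiated at all.
$ruleName = 'Block outbound QUIC (UDP 443)'   # name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP `
        -RemotePort 443 -Action Block -Profile Any | Out-Null
    "Created firewall rule '$ruleName'."
} else {
    "Firewall rule '$ruleName' already exists."
}
```

The firewall rule is deliberately narrow (outbound, UDP, remote port 443 only): it forces the HTTP/3-to-HTTP/2 fallback without affecting DNS, VPN or other UDP traffic. Expect a brief extra round trip on first connection to QUIC-capable sites.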

Optimization and Compatibility Considerations

Network protection includes performance optimization that allows block mode to asynchronously inspect long-lived connections, which can provide a performance improvement and help with app compatibility problems. This capability is enabled by default, but you can turn it off using the following PowerShell cmdlet:

powershell
Set-MpPreference -AllowSwitchToAsyncInspection $false

Monitoring and Auditing Network Protection and EDR Events

To monitor network protection events, you can use advanced hunting in the Microsoft Defender portal. The following query lists network protection events from non-Microsoft browsers and non-browser processes; the audit flag, the feature that produced the verdict and the display name live inside the AdditionalFields JSON and have to be parsed out:

DeviceEvents
| where ActionType in ("ExploitGuardNetworkProtectionAudited", "ExploitGuardNetworkProtectionBlocked")
// IsAudit, ResponseCategory and DisplayName are not top-level columns; they are carried in AdditionalFields.
| extend ParsedFields = parse_json(AdditionalFields)
| project Timestamp, DeviceName, ActionType, RemoteUrl, InitiatingProcessFileName,
          IsAudit = tostring(ParsedFields.IsAudit),
          ResponseCategory = tostring(ParsedFields.ResponseCategory),
          DisplayName = tostring(ParsedFields.DisplayName)

For Microsoft Edge, where SmartScreen itself raises the warning rather than network protection, you can use the following query:

DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
// The warning type (for example phishing or malware) is carried in AdditionalFields.
| extend ParsedFields = parse_json(AdditionalFields)
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName,
          Experience = tostring(ParsedFields.Experience)

These queries help you identify the URLs and IPs that would be blocked if network protection were set to block mode, and the ResponseCategory field shows which feature (the SmartScreen feed, a custom indicator, or a web content filtering policy) would be responsible for each block.
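When a device has no portal access, or you want to confirm telemetry is being generated before it reaches the cloud, the same events are visible in the local Defender operational log. This added example (not code from the original article) reads the last seven days of network protection events there; the event IDs are the documented ones (1125 for audit mode, 1126 for block mode), and the per-event details are taken from the rendered message rather than from assumed field names.

```powershell
# Get-LocalNetworkProtectionEvents.ps1 (added example, not from the original article)
# Reads network protection audit (1125) and block (1126) events from the local Defender log.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    'No network protection events in the last 7 days. Confirm the mode with: (Get-MpPreference).EnableNetworkProtection'
    return
}

# Summary first: a device still in audit mode should show only 1125s; after enforcement, 1126s appear.
$events | Group-Object Id | ForEach-Object {
    $mode = if ($_.Name -eq '1125') { 'Audit (would block)' } else { 'Block' }
    '{0,-20} {1,5}' -f $mode, $_.Count
}

# Then the detail. The target URL, the responding feature and the initiating process are all in the
# rendered Message; keep it whole rather than guessing at EventData field names.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated,
                  @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1125) { 'Audit' } else { 'Block' } } },
                  Message |
    Format-Table -AutoSize -Wrap
```

A device that is generating 1125/1126 events locally but shows nothing in advanced hunting points at a sensor or connectivity problem rather than a network protection one, which is exactly the split the proxy troubleshooting above is for.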

Integrating Network Protection and EDR with Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides comprehensive endpoint protection, including network protection and EDR capabilities. By integrating these features, organizations can benefit from a unified approach to endpoint security, with centralized visibility, threat detection, and response capabilities.

Network protection and EDR in block mode are critical components of the Microsoft Defender for Endpoint solution, working in tandem to safeguard devices and disrupt sophisticated attacks, such as human-operated ransomware. By leveraging the broad threat intelligence and advanced analytics capabilities of Microsoft Defender for Endpoint, IT professionals can proactively identify and mitigate risks, while also ensuring a seamless user experience and high levels of productivity.

To learn more about Microsoft Defender for Endpoint and how it can enhance your organization’s security posture, visit the IT Fix website or reach out to our team of experienced IT professionals.

Conclusion

Windows Defender Network Protection and Endpoint Detection and Response (EDR) in block mode are powerful security features that can significantly enhance the protection of your Windows 11 devices. By understanding how to enable, configure, and troubleshoot these capabilities, IT professionals can effectively safeguard their organizations from a wide range of internet-based threats, including sophisticated ransomware attacks.

By integrating these features with the comprehensive Microsoft Defender for Endpoint solution, businesses can benefit from a unified approach to endpoint security, leveraging advanced analytics, threat intelligence, and centralized management to maintain a strong security posture. With the guidance provided in this article, IT professionals can take proactive steps to implement and optimize these security solutions, ensuring their organizations remain safe and resilient in the face of evolving cyber threats.
