Controlled Folder Access

Controlled Folder Access is a ransomware protection feature that prevents unauthorized applications from making changes to files in protected folders. When enabled, only applications on the allowed list can write to, modify, or delete files in designated directories.

This is one of the most effective defenses against ransomware. Even if malware manages to execute on your system, it cannot encrypt files in protected folders because the operating system blocks the write attempt at the kernel level.

Enabling Controlled Folder Access

1. Open Windows Security and navigate to Virus & threat protection.
2. Scroll down and click Manage ransomware protection.
3. Toggle Controlled folder access to On.

Via PowerShell (as Administrator):

# Enable Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled

# Check current status
Get-MpPreference | Select-Object EnableControlledFolderAccess

Managing Protected Folders

By default, Controlled Folder Access protects the Documents, Pictures, Videos, Music, Desktop, and Favorites folders. You can add additional folders:

# Add a custom protected folder
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\ImportantData"

# View all protected folders
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessProtectedFolders

Allowing Applications Through

Legitimate applications may be blocked from writing to protected folders. When this happens, you will receive a notification. To allow a specific application:

# Allow an application through Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\MyApp\myapp.exe"

# View allowed applications
Get-MpPreference | Select-Object -ExpandProperty ControlledFolderAccessAllowedApplications

Warning: Only allow applications you trust.

Every application you add to the allowed list can modify files in all protected folders. If that application is compromised, the protection is bypassed. Only add applications that genuinely need write access to your protected directories.
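The following script is an added example (not from the original tutorial) that reviews the allow list described above. Each listed executable can write to every protected folder, so it flags entries that no longer exist on disk or that do not carry a valid Authenticode signature; the function name is my own.

```powershell
# Added example, not from the original page. Reviews the Controlled Folder
# Access allow list: every listed executable may write to all protected folders,
# so entries that no longer exist or carry no valid Authenticode signature are
# flagged for re-validation or removal. Run as Administrator.
function Get-CfaAllowListReport {
    $allowed = @((Get-MpPreference).ControlledFolderAccessAllowedApplications |
        Where-Object { $_ })

    foreach ($path in $allowed) {
        $status = 'Missing'   # also the result for entries written with wildcards
        $signer = ''
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Path      = $path
            Signature = $status
            Signer    = $signer
            Review    = ($status -ne 'Valid')   # anything but a valid signature deserves a look
        }
    }
}

$report  = @(Get-CfaAllowListReport)
$report | Format-Table -AutoSize
$flagged = @($report | Where-Object Review)
Write-Host "$($flagged.Count) of $($report.Count) allowed applications need review."
```

Entries flagged as Missing can be removed with Remove-MpPreference -ControlledFolderAccessAllowedApplications once you have confirmed the application is gone.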

Exploit Protection

Exploit Protection applies mitigation techniques to individual applications and to the operating system as a whole. These mitigations make it significantly harder for attackers to exploit software vulnerabilities, even when patches are not yet available (zero-day attacks).

System-Level Settings

1. Open Windows Security and go to App & browser control.
2. Click Exploit protection settings at the bottom of the page.
3. The System settings tab shows global mitigations. Each one can be set to On, Off, or Use default.

Key system-level mitigations and what they do:

Control Flow Guard (CFG): Validates indirect call targets at runtime, preventing attackers from redirecting code execution to malicious locations.
Data Execution Prevention (DEP): Marks memory pages as non-executable, preventing code injection attacks from running shellcode in data regions.
Mandatory ASLR: Forces address space layout randomization for all processes, making it harder for exploits to predict memory locations.
SEHOP (Structured Exception Handler Overwrite Protection): Prevents attackers from hijacking exception handling chains.
Heap integrity validation: Detects heap corruption that could be used for code execution exploits.

Per-Application Settings

The Program settings tab lets you apply or override mitigations for specific executables. This is useful when a system-level mitigation causes compatibility issues with certain software.

# Export current exploit protection settings to XML
Get-ProcessMitigation -RegistryConfigFilePath settings.xml

# Import exploit protection settings from XML
Set-ProcessMitigation -PolicyFilePath settings.xml

# View mitigations for a specific process
Get-ProcessMitigation -Name "chrome.exe"

Note: Export your configuration.

After configuring exploit protection settings, export them to an XML file. This allows you to quickly restore your configuration after a Windows reinstall or apply the same settings across multiple machines.

Network Protection

Network Protection extends SmartScreen filtering to all outbound HTTP and HTTPS traffic on the system, not just web browsers. It blocks connections to domains known to host phishing scams, malware distribution, exploit kits, and command-and-control servers.

This is particularly valuable because many malware families communicate with remote servers after initial infection. Network Protection can cut off this communication even if the malware itself evades detection.

Enabling Network Protection

Network Protection is not enabled by default on consumer editions of Windows. You must enable it through PowerShell or Group Policy:

# Enable Network Protection (Block mode)
Set-MpPreference -EnableNetworkProtection Enabled

# Enable in Audit mode (logs events without blocking - good for testing)
Set-MpPreference -EnableNetworkProtection AuditMode

# Disable Network Protection
Set-MpPreference -EnableNetworkProtection Disabled

# Check current status
Get-MpPreference | Select-Object EnableNetworkProtection

Enabled (Block): Actively blocks connections to malicious domains. Users see a notification when a connection is blocked.
AuditMode: Logs connections that would have been blocked but does not interrupt them. Use this to test before enforcing.
Disabled: No network-level filtering. Only browser-based SmartScreen remains active.

Note: Start with Audit Mode.

Enable Audit Mode first and monitor the Windows Event Log for a few days. Check Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational for Event ID 1125 (audit) and 1126 (block). If legitimate applications are being flagged, investigate before switching to Block mode.

Attack Surface Reduction Rules

Attack Surface Reduction (ASR) rules target specific behaviors commonly used by malware and exploits. Unlike traditional antivirus which looks for known malicious files, ASR rules block suspicious behaviors regardless of whether the file itself is recognized as malicious.

For example, an ASR rule can block Microsoft Office applications from creating child processes. Legitimate Office usage rarely requires this, but macro-based malware relies on it to execute payloads. The rule stops the behavior without needing to know about the specific malware variant.

Important ASR Rules

Block Office apps from creating child processes: Prevents malicious macros from launching PowerShell, cmd, or other executables. GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
Block Office apps from injecting code into other processes: Stops Office applications from using code injection techniques to hide malicious activity. GUID: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
Block JavaScript or VBScript from launching downloaded content: Prevents scripts from executing downloaded payloads, a common infection vector. GUID: d3e037e1-3eb8-44c8-a917-57927947596d
Block executable content from email and webmail: Prevents execution of executable file types that arrive through email clients. GUID: be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
Block credential stealing from LSASS: Protects the Local Security Authority Subsystem Service from credential dumping tools. GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

Enabling ASR Rules via PowerShell

# Enable a single ASR rule in Block mode
# Example: Block Office apps from creating child processes
Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled

# Enable in Audit mode (recommended first)
Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions AuditMode

# Enable multiple rules at once
Set-MpPreference -AttackSurfaceReductionRules_Ids `
    d4f940ab-401b-4efc-aadc-ad5f3c50688a, `
    75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, `
    d3e037e1-3eb8-44c8-a917-57927947596d `
    -AttackSurfaceReductionRules_Actions Enabled, Enabled, Enabled

# View current ASR rule status
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
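Get-MpPreference returns the rule IDs and their actions as two parallel arrays, which is hard to read once several rules are set. The script below is an added example (not from the original tutorial) that pairs them up, labels the five rules listed above, and reports which of those rules are not configured at all; the function and variable names are my own.

```powershell
# Added example, not from the original page. Get-MpPreference reports ASR rule
# IDs and actions as two parallel arrays; this pairs them up, labels the rules
# listed in this tutorial, and shows which of those rules are not configured.
$RuleNames = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office apps from injecting code into other processes'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email and webmail'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}
# Numeric action values as stored by Set-MpPreference (6 = Warn mode).
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleStatus {
    $prefs   = Get-MpPreference
    # Where-Object drops the $null you get when no rule has ever been set.
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($prefs.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })

    # Configured rules: index i of the IDs array matches index i of the actions array.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id     = $ids[$i]
        $action = [int]$actions[$i]
        $name   = if ($RuleNames.ContainsKey($id)) { $RuleNames[$id] } else { $id }
        $mode   = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "Unknown ($action)" }
        [pscustomobject]@{ Rule = $name; Id = $id; Action = $mode }
    }
    # Rules from the tutorial's list that have never been set on this machine.
    foreach ($id in $RuleNames.Keys) {
        if ($ids -notcontains $id) {
            [pscustomobject]@{ Rule = $RuleNames[$id]; Id = $id; Action = 'Not configured' }
        }
    }
}

Get-AsrRuleStatus | Sort-Object Action, Rule | Format-Table -AutoSize
```

Set-MpPreference replaces the whole rule list while Add-MpPreference appends to it, so run this after any bulk change to confirm no previously configured rule was dropped.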

Warning: Always test ASR rules in Audit mode first.

ASR rules can block legitimate software behaviors. Enable rules in AuditMode, monitor event logs for a week, and only switch to Enabled (Block) once you confirm no false positives affect your workflow. Check Event IDs 1121 (blocked) and 1122 (audited) in the Defender Operational log.
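Both the Network Protection note (Event IDs 1125 and 1126) and the ASR note above (Event IDs 1121 and 1122) ask you to review the Defender Operational log before switching to Block mode. The script below is an added example, not from the original tutorial, that pulls those four event types from the last week and flattens each event's data fields so rule IDs, processes and paths can be triaged in one listing; the function and variable names are my own.

```powershell
# Added example, not from the original page. Pulls the audit and block events
# that Network Protection (1125 audit, 1126 block) and ASR rules (1122 audit,
# 1121 block) write to the Defender Operational log, so findings from a week
# in Audit mode can be triaged before either feature is switched to Block.
# Run in an elevated PowerShell session.
$LogName  = 'Microsoft-Windows-Windows Defender/Operational'
$EventMap = @{
    1121 = 'ASR block'
    1122 = 'ASR audit'
    1125 = 'Network Protection audit'
    1126 = 'Network Protection block'
}

function Get-DefenderAuditEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = $LogName
        Id        = @($EventMap.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Turn every named <Data> element into a property, so the output does not
        # depend on the exact field layout of each event type (rule ID, process,
        # path or domain all come through under their own names).
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{ Time = $_.TimeCreated; Kind = $EventMap[[int]$_.Id] }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

$events = @(Get-DefenderAuditEvents -Days 7)
if ($events.Count -eq 0) {
    Write-Host 'No ASR or Network Protection events in the last 7 days.'
    return
}

# How noisy would each feature be in Block mode? Counts per event kind.
$events | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize

# Full detail for triage of each audited or blocked action.
$events | Format-List
```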

SmartScreen Configuration

Microsoft Defender SmartScreen protects against phishing websites, malicious downloads, and potentially unwanted applications. It works by checking URLs and file hashes against Microsoft's cloud-based reputation database.

SmartScreen for Microsoft Edge

1. Open Windows Security and go to App & browser control.
2. Click Reputation-based protection settings.
3. Configure each SmartScreen option according to your needs.

Check apps and files: Checks downloaded files and applications against the SmartScreen database before they run. Recommended: On.
SmartScreen for Microsoft Edge: Warns about malicious websites and downloads within the Edge browser. Recommended: On.
Phishing protection: Warns when you enter credentials on suspected phishing sites or reuse passwords. Recommended: On (Windows 11 22H2+).
Potentially unwanted app blocking: Blocks applications with poor reputation that may include adware, bundleware, or other unwanted software. Recommended: On (both Block downloads and Block apps).
SmartScreen for Microsoft Store: Checks content accessed by Microsoft Store apps. Recommended: On.

SmartScreen for Other Browsers

SmartScreen for Microsoft Edge is built in, but other browsers have their own protective systems. Google Chrome and Brave use Google Safe Browsing, and Firefox uses a combination of Google Safe Browsing and its own threat lists. The "Check apps and files" setting in Windows Security still applies system-wide to downloaded executables regardless of which browser downloaded them.

PowerShell Defender Management

PowerShell provides comprehensive access to every Defender setting. This is essential for automation, scripting consistent configurations across machines, and accessing settings not exposed in the Windows Security graphical interface.

Essential PowerShell Commands

# View complete Defender configuration
Get-MpPreference

# View current threat status and statistics
Get-MpComputerStatus

# View detected threats
Get-MpThreat

# View threat detection history
Get-MpThreatDetection

# Remove all active threats currently listed by Get-MpThreat
# (the cmdlet takes no threat ID; it acts on every active detection)
Remove-MpThreat

Configuring Protection Levels

# Set cloud protection level (0=Default, 1=Moderate, 2=High, 4=High+, 6=Zero tolerance)
Set-MpPreference -CloudBlockLevel 2

# Set cloud check timeout (seconds to wait for cloud verdict)
Set-MpPreference -CloudExtendedTimeout 50

# Enable Potentially Unwanted Application protection
Set-MpPreference -PUAProtection Enabled

# Enable behavior monitoring
Set-MpPreference -DisableBehaviorMonitoring $false

# Enable scanning of all downloaded files and attachments
Set-MpPreference -DisableIOAVProtection $false

Creating a Security Audit Script

The following script checks the status of all major Defender features and reports any that are not configured optimally:

# Defender Security Audit Script
$status = Get-MpComputerStatus
$prefs = Get-MpPreference

Write-Host "=== Windows Defender Security Audit ===" -ForegroundColor Cyan
Write-Host ""

# Core protection
$checks = @(
    @{ Name = "Antivirus Enabled"; Value = $status.AntivirusEnabled; Expected = $true },
    @{ Name = "Real-time Protection"; Value = $status.RealTimeProtectionEnabled; Expected = $true },
    @{ Name = "Behavior Monitoring"; Value = -not $prefs.DisableBehaviorMonitoring; Expected = $true },
    @{ Name = "IOAV Protection"; Value = -not $prefs.DisableIOAVProtection; Expected = $true },
    @{ Name = "Network Protection"; Value = ($prefs.EnableNetworkProtection -eq 1); Expected = $true },
    @{ Name = "PUA Protection"; Value = ($prefs.PUAProtection -eq 1); Expected = $true },
    @{ Name = "Controlled Folder Access"; Value = ($prefs.EnableControlledFolderAccess -eq 1); Expected = $true }
)

foreach ($check in $checks) {
    $icon = if ($check.Value -eq $check.Expected) { "[OK]" } else { "[!!]" }
    $color = if ($check.Value -eq $check.Expected) { "Green" } else { "Red" }
    Write-Host "$icon $($check.Name): $($check.Value)" -ForegroundColor $color
}

# Signature age
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
Write-Host ""
if ($sigAge.TotalHours -gt 48) {
    Write-Host "[!!] Signatures are $([math]::Round($sigAge.TotalHours)) hours old" -ForegroundColor Red
} else {
    Write-Host "[OK] Signatures updated $([math]::Round($sigAge.TotalHours)) hours ago" -ForegroundColor Green
}

Note: Save this as a scheduled script.

Save the audit script as defender-audit.ps1 and schedule it to run weekly via Task Scheduler. Redirect output to a log file so you can review your security posture over time and catch any settings that have been changed unexpectedly.

Summary

In this tutorial, you learned how to configure advanced Defender features:

  • Controlled Folder Access to protect against ransomware encrypting your files
  • Exploit Protection mitigations to harden the OS and individual applications
  • Network Protection to block malicious domain connections system-wide
  • Attack Surface Reduction rules to prevent common malware behaviors
  • SmartScreen configuration for reputation-based protection
  • PowerShell commands for comprehensive Defender management and auditing

Excellent work!

With these advanced features enabled, your Windows system has multiple layers of protection beyond basic antivirus scanning. Next, explore the Windows Firewall tutorials to learn how to control network access to and from your computer.