How to set Control Flow Guard on Windows 2016?

ANDREA NAPOLEONI 0 Reputation points
2024-07-02T07:23:14.3033333+00:00

Hi,

I'm having some issues on Windows Server 2016 getting/setting the runtime enablement of Control Flow Guard. The exploit protections are not available on 2016, and PowerShell also does not work correctly on it.

I found an empirical way of enabling/disabling CFG for an application through the "MitigationOptions" value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MyProgram.exe

In that case, the GetProcessMitigationPolicy Windows API added to the executable code reports the correct state.

Do you know an official, documented way to enable/disable CFG at runtime on Windows Server 2016 programs?

Windows Server 2016
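The per-image "MitigationOptions" value described in the question can be audited by decoding its Control Flow Guard bits. The following is an added example, not part of the original post or of any Microsoft tooling; the function names are hypothetical, and the bit layout (bits 40-41 of the first QWORD) is assumed from the Windows SDK constants `PROCESS_CREATION_MITIGATION_POLICY_CONTROL_FLOW_GUARD_*`.

```powershell
# Added example: decode the CFG override stored in an IFEO MitigationOptions value.
# Assumed layout (Windows SDK): CONTROL_FLOW_GUARD_MASK = 0x3 << 40, i.e. the
# low two bits of byte 5 in the little-endian value:
#   0 = no override, 1 = ALWAYS_ON, 2 = ALWAYS_OFF, 3 = EXPORT_SUPPRESSION
$CfgNames = 'NoOverride', 'AlwaysOn', 'AlwaysOff', 'ExportSuppression'

function Get-CfgOverride {
    param([Parameter(Mandatory)] $Value)
    # REG_BINARY arrives as byte[]; REG_DWORD/REG_QWORD arrive as Int32/Int64.
    # Normalising to bytes avoids sign problems with negative Int64 values.
    if ($Value -is [byte[]]) { $bytes = $Value }
    else { $bytes = [BitConverter]::GetBytes($Value) }

    # Only the first 8 bytes matter here; longer REG_BINARY data holds
    # further mitigation option words that do not contain the CFG bits.
    $buf = New-Object byte[] 8
    [Array]::Copy($bytes, $buf, [Math]::Min($bytes.Length, 8))

    $state = $buf[5] -band 0x3
    [pscustomobject]@{
        RawQword    = '0x{0:X16}' -f [BitConverter]::ToUInt64($buf, 0)
        CfgBits     = $state
        CfgOverride = $CfgNames[$state]
    }
}

function Get-IfeoCfgOverride {
    param([Parameter(Mandatory)][string] $ImageName)
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' +
            "Image File Execution Options\$ImageName"
    $prop = Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return "No MitigationOptions value set for $ImageName" }
    Get-CfgOverride -Value $prop.MitigationOptions
}

# Constructed sample values (not taken from a real system):
Get-CfgOverride -Value 0x0000010000000000             # numeric form, bit 40 set
Get-CfgOverride -Value ([byte[]](0,0,0,0,0,2,0,0))    # binary form, byte 5 = 0x02

# On a live host; MyProgram.exe is the placeholder image name from the question:
# Get-IfeoCfgOverride -ImageName 'MyProgram.exe'
```

The decoded value only describes the override stored in the registry; the GetProcessMitigationPolicy check mentioned in the question is still what confirms the state of a running process.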

1 answer

  1. Neuvi Jiang 765 Reputation points Microsoft Vendor
    2024-07-03T07:28:53.2466667+00:00

    Hi ANDREA NAPOLEONI,

    Thank you for posting in the Q&A Forums.

    Setting up Control Flow Guard (CFG) on Windows Server 2016 typically involves enhancing the security of applications and operating systems against certain types of memory corruption attacks. However, it is important to note that Windows Server 2016 itself may not directly provide a switch or setting called Control Flow Guard, as CFG is more commonly found in Windows 10 and later operating systems as part of Windows Defender Application Control (WDAC) or Exploit Protection.

    Therefore, it is not possible to set up Control Flow Guard on Windows Server 2016, so there is no official documentation on how to set up CFG.

    Best regards

    NeuviJ
