Troubleshoot exploit protection mitigations
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Defender for Endpoint? Sign up for a free trial.
When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
Remove all process mitigations with this PowerShell script:
# Check if Admin-Privileges are available function Test-IsAdmin { ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") } # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key, # the key is deleted as well function Remove-ProcessMitigations([Object] $Key, [string] $Name) { Try { if ($Key.GetValue("MitigationOptions")) { Write-Host "Removing MitigationOptions for: " $Name Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop; } if ($Key.GetValue("MitigationAuditOptions")) { Write-Host "Removing MitigationAuditOptions for: " $Name Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } if ($Key.GetValue("EAFModules")) { Write-Host "Removing EAFModules for: " $Name Remove-ItemProperty -Path $Key.PSPath -Name "EAFModules" -ErrorAction Stop; } # Remove the FilterFullPath value if there is nothing else if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) { Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop; } # If the key is empty now, delete it if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) { Write-Host "Removing empty Entry: " $Name Remove-Item -Path $Key.PSPath -ErrorAction Stop } } Catch { Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } # Delete all ExploitGuard ProcessMitigations function Remove-All-ProcessMitigations { if (!(Test-IsAdmin)) { throw "ERROR: No Administrator-Privileges detected!"; return } Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object { $MitigationItem = $_; $MitigationItemName = $MitigationItem.PSChildName Try { Remove-ProcessMitigations $MitigationItem $MitigationItemName # "UseFilter" indicate full path filters may be present if ($MitigationItem.GetValue("UseFilter")) { Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object { $FullPathItem = $_ if ($FullPathItem.GetValue("FilterFullPath")) { $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath") Write-Host "Removing FullPathEntry: " $Name Remove-ProcessMitigations $FullPathItem $Name } # If there are no subkeys now, we can delete the "UseFilter" value if ($MitigationItem.SubKeyCount -eq 0) { Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop } } } if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) { Write-Host "Removing empty Entry: " $MitigationItemName Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop } } Catch { Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } } # Delete all ExploitGuard System-wide Mitigations function Remove-All-SystemMitigations { if (!(Test-IsAdmin)) { throw "ERROR: No Administrator-Privileges detected!"; return } $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" Try { if ($Kernel.GetValue("MitigationOptions")) { Write-Host "Removing System MitigationOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop; } if ($Kernel.GetValue("MitigationAuditOptions")) { Write-Host "Removing System MitigationAuditOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } } Catch { Write-Host "ERROR:" $_.Exception.Message "- System" } } Remove-All-ProcessMitigations Remove-All-SystemMitigationsCreate and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
<?xml version="1.0" encoding="UTF-8"?> <root> <SystemConfig/> <AppConfig Executable="ExtExport.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="ie4uinit.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="ieinstal.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="ielowutil.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="ieUnatt.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="iexplore.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="mscorsvw.exe"> <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/> </AppConfig> <AppConfig Executable="msfeedssync.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="mshta.exe"> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true"/> </AppConfig> <AppConfig Executable="ngen.exe"> <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/> </AppConfig> <AppConfig Executable="ngentask.exe"> <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/> </AppConfig> <AppConfig Executable="PresentationHost.exe"> <DEP Enable="true" OverrideDEP="false" EmulateAtlThunks="false"/> <ASLR OverrideForceRelocateImages="false" ForceRelocateImages="false" Enable="true" OverrideBottomUp="false" HighEntropy="true" BottomUp="true"/> <SEHOP Enable="true" OverrideSEHOP="false" TelemetryOnly="false"/> <Heap OverrideHeap="false" TerminateOnError="true"/> </AppConfig> <AppConfig Executable="PrintDialog.exe"> <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/> </AppConfig> <AppConfig Executable="PrintIsolationHost.exe"/> <AppConfig Executable="runtimebroker.exe"> <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/> </AppConfig> <AppConfig Executable="splwow64.exe"/> <AppConfig Executable="spoolsv.exe"/> <AppConfig Executable="svchost.exe"/> <AppConfig Executable="SystemSettings.exe"> <ExtensionPoints OverrideExtensionPoint="false" DisableExtensionPoints="true"/> </AppConfig> </root>
If you haven't already, it's a good idea to download and use the Windows Security Baselines to complete your Exploit protection customization.
Related topics
- Protect devices from exploits
- Evaluate exploit protection
- Enable exploit protection
- Configure and audit exploit protection mitigations
- Import, export, and deploy exploit protection configurations
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for