Windows Defender Exploit Guard: native EMET in Windows 10

Martin Brinkmann
Jun 28, 2017
Updated • May 22, 2018
Windows, Windows 10

Microsoft revealed new security features of the upcoming Windows 10 Fall Creators Update yesterday to improve Windows 10 device security.

The company revealed a new set of tools, all build around Windows Defender Advanced Threat Protection: Windows Defender Exploit Guard, Windows Defender Application Guard, and improvements to Windows Defender Device Guard and Windows Defender Antivirus Protection.

Note: It is unclear right now if any of the new features will be made available to consumer machines running the Windows 10 Fall Creators Update, or if they are all reserved to the Volume Licensing offers Windows 10 Enterprise E5, Windows 10 Education E5, or Secure Productive Enterprise E5 as referenced on the Windows Defender Advanced Threat Protection system requirements page. The articles are clearly aimed at a business audience.

EMET's development was put on ice by Microsoft, with the company claiming that Windows 10 made EMET something that users of the operating system would not need anymore. This was rebuked, but it did not stop Microsoft from announcing July 2018 as the month in which support for EMET would be dropped.

Windows Defender Exploit Guard

windows defender atp exploit guard

Microsoft built some Exploit Mitigation Experience Toolkit protections into Windows 10 natively already. Windows Defender Exploit Guard is a native implementation of EMET that has been improved by Microsoft to include new vulnerability mitigations that are not part of EMET.

Exploit Guard furthermore uses intelligence from ISG for intrusion rules and policies.

Using intelligence from the Microsoft Intelligent Security Graph (ISG), Exploit Guard comes with a rich set of intrusion rules and policies to protect organizations from advanced threats, including zero day exploits.

Microsoft confirms that companies will be able to apply vulnerability mitigations to classic Win32 applications on Windows 10, just like it has been the case with EMET. Additionally, capabilities are added to block websites that host known malicious code automatically.

With the addition of EMET technology, companies will be able to apply advanced vulnerability mitigations on legacy apps running on Windows 10 without the need to recompile them. Another powerful Windows Defender Exploit Guard capability will allow automatic blocking of websites known to host malicious code, by leveraging Windows Defender SmartScreen knowledge base.

Windows Defender Application Guard

microsoft edge application guard

Microsoft announced Windows Defender Application Guard for Microsoft Edge back in September 2016. The company planned to integrate it in the Creators Update, but did not go through with the plan at that time.

Application Guard is a virtualization technology designed to "stop attackers from establishing a foothold on the local machine or from expanding out into the rest of the corporate network".

Basically, what Application Guard does is distinguish between a set of trusted resources and anything else that is opened in Edge. Trusted resources work like they have done before; untrusted resources on the other hand have Application Guard create a new "instance of Windows" with a copy of the kernel and minimum Windows Platform Service to run Microsoft Edge.

Application Guard blocks access to memory, local storage, installed applications, corporate network endpoints, and other resources according to Microsoft. This means as well that this virtual copy of Windows has no access to credentials or user data.

Microsoft notes that untrusted sites that are not malicious will work for the most part just like users would expect them to work. Users may print sites, use the clipboard for copy and paste operations, and perform many of the other operations that are commonly executed.

Administrators may restrict some of the functionality however.

Other security changes

Microsoft plans to integrate Windows Defender Device Guard into Windows Defender ATP to improve manageability and control.

Device Guard offers a set of features designed to protect against common threats such as exposure to new malware or unsigned code. Administrators may set up a list of whitelisted software that is allowed to run, or use code integrity policies to block unsigned code execution.

Windows Defender Antivirus and Windows Defender ATP uses new intelligence in combination with data science and machine learning according to Microsoft that improves the protection of Windows 10 devices.

Microsoft plans to add new Security Analytics capabilities for administrators on top of that in the Fall Creators Update.

Here is a promotional video that Microsoft published that provides explanation of the new features in less than 5 minutes.

Closing Words

Microsoft plans to introduce several new security technologies in the Windows 10 Fall Creators Update. I'm most excited about the native integration of EMET and Application Guard, and hope that these will become available for all users of Windows 10 and not just Enterprise customers.

Now You: What's your take on these new features?

Windows Defender Exploit Guard: native EMET in Windows 10
Article Name
Windows Defender Exploit Guard: native EMET in Windows 10
Microsoft revealed new security features of the upcoming Windows 10 Fall Creators Update yesterday to improve Windows 10 device security.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Dave said on June 28, 2017 at 8:21 pm

    >I must have missed when Microsoft said they’d like to turn stuff off and all the people who complain when they have, maybe you’d like to provide a citation.

    How about you look at Ricoh and damn near every other Office copier/scanner/mfc device mfg. I know IT Admins from all across the city (including myself) who are facing the problem that these lazy companies ONLY support SMBv1 (on devices that were sold new just in the past year or two). So you are faced with the situation of breaking 500 people’s scan-to-folder capabilities or you have to leave SMBv1 enabled. Lovely choice that.

    This is a concrete example of IT admins are having to go to their managers and tell them that they can’t implement the security settings that Microsoft and others (like US CERT) recommend because it breaks users everyday workflow.


    1. Corky said on June 29, 2017 at 8:04 am

      Then those people who complain can take it upon themselves to reinstall that functionality and the risk that comes with doing so, why put every person who uses Windows at risk just because Microsoft can’t design an OS in a modular fashion with a proper package management system so features can be added or removed.

  2. CHEF-KOCH said on June 28, 2017 at 7:11 pm

    Some comments here are wrong. This has nothing much to do that Windows is ‘a open door’ or that SMB got attacked. Microsoft warned people using outdated software, hell even XP got now updates because people won’t listen…..

    Some people still have no clue that this entire telemetry thing isn’t spying in fact it helps developers to fix things faster and this helps to make more changes faster, which are necessary to stay on the same line like the hackers because they’re also not lazy.

    Also some people really thinking it’s like in the movies that an exploit automatically means that the OS is ‘hackable’ most if not all things need additional bypasses to work and at the end there is still the user which mostly ‘approve’ that and then people wondering.

    I can’t blame MS for their efforts to harden the OS, I see it more problematically that some components are still presents due backwards compatibility and then we not need to wonder. In fact Windows 10 is the most secure OS ever (default settings) cause it got several mechanism which are app to developers to support or not (like CF Guard). But people always picking up an attack and then the ‘oh look MS is insecure’ BS started instantly. I can’t tell how wrong this is. Most attacks (again) require several other things to be turned off (by the user).

    Yeah better don’t upgrade because MS ‘spy’ and then you get shit like Ransomware. Oh better turn of all security mechanism like SmartScreen, UAC, logging and shit because it sends stuff back … That is so wrong. It’s cancer on the internet to interpret everything so negative without mention the good things.

    I really like the new Defender it’s good enough for most users and I like to see EMET integrated it seems the next logical step. But my fear is that people disable everything because they see it as ‘annoying’ or even more worse they tell they have no ‘control’ over the OS.

  3. Corky said on June 28, 2017 at 10:52 am

    FWIW my take on these new features is they’re like all the security features of Windows 10, utterly pointless.

    It’s the equivalent of trying to secure a house made of nothing but doors and windows, Microsoft’s standard approach is to enable everything to make it easier for customers resulting in an OS with a huge attack surface, one of the first rules of securing a system is to only enable the features and/or service you need but Microsoft takes the exact opposite approach, as could be seen in the recent WannaCry ransomware that targeted the 10+ year old SMBv1 protocol that Microsoft included and enabled in their OS just to make life easier.

    With Windows 10 they took it to the next level as there’s way more superfluous stuff than previous versions of Windows and with forced updates it’s all but impossible to permanently disable all those superfluous features and/or services.

    1. Gwstas said on June 28, 2017 at 6:42 pm

      You know better than Microsoft? All those years on the internet/job of yours and you know more than Microsoft! /s

      1. Tim said on July 7, 2017 at 11:02 pm


        Their message doesn’t get much clearer than this:
        “Stop using SMB1. Stop using SMB1. STOP USING SMB1!”

        Meanwhile, Google have just released a Samba Client for Android, which supports SMBv1 only. And we all know who people will blame when they can’t get it to work after the RS3 update.

    2. Tim said on June 28, 2017 at 2:19 pm

      Microsoft themselves would like to turn stuff off by default too, the problem is that they get it in the neck for doing that as well. They can’t win.

      SMBv1 was superseded by SMBv2 over a decade ago, when Vista was released. SMBv1 is now fully deprecated and Microsoft have literally been begging vendors to stop using it, but despite that I can guarantee that when they disable SMBv1 by default in RS3, they will get it in the neck from companies when their network printers, NAS, IDS, etc. stop working. One of the vendors (Sophos from memory) was telling people only a month or so ago to just install the Windows Update patch and carry on using SMBv1 as normal. With 1.5 Billion machines worldwide, something as ‘simple’ as just disabling SMBv1 is still going to effect a lot of people and so needs to be handled carefully because people get upset when an update stops something from working.

      The SMBv1 vulnerability used by Wannacry to spread was also patched before Wannacry hit, so that highlighted another problem. How quickly organisations are able to roll out Windows updates to patch vulnerabilities. That time needs to be brought down too and company directors need to budget for it in the same way that fleet and leasing companies have a responsibility to be proactive in trying to get vehicle safety recalls carried out on their vehicles in a timely manner.

      1. Corky said on June 28, 2017 at 3:35 pm

        I must have missed when Microsoft said they’d like to turn stuff off and all the people who complain when they have, maybe you’d like to provide a citation.

        Also being superseded, deprecated or anything other than removing something means diddly squat if you leave it hanging around for years afterwards, the whole point is to remove it from the OS and let customers who may need it for whatever reason add it back themselves.

        It’s also not organisations responsibility to roll out Windows updates with next to no testing, if Microsoft had removed SMBv1 when it was superseded a decade ago Wannacry would’ve only effected organisations who re-enabled SMBv1 and any organisations would have know what the security risk of doing so would be.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.