Configure Windows Defender Network protection in Windows 10

Martin Brinkmann
Oct 26, 2017

Network Protection is a new security feature of Windows Defender that Microsoft introduced in the Fall Creators Update for its Windows 10 operating system.

It extends Windows Defender SmartScreen by blocking outbound (HTTP and HTTPS) traffic connecting to resources that have a low reputation.

The feature is part of Windows Defender Exploit Guard, and it requires that Windows Defender is turned on, and that the security program's real-time protection feature is enabled as well.

Tip: check out our previews guides on Controlled Folder Access, Exploit Protection and Attack Surface Reduction for a complete overview of the new security features.

Windows Defender Network protection

System administrators and users may configure the Network protection feature of Windows Defender using policies, PowerShell or MDM CSPs.

Group Policy

network protection group policy

You can use the Group Policy to enable the Network protection feature on Windows 10 Fall Creators Update (or newer) PCs.

Note: The Group Policy Editor is not available on Home editions of Windows 10.

  1. Tap on the Windows-key, type gpedit.msc and hit the Enter-key to load the Group Policy Editor.
  2. Navigate to Computer Configuration > Administrative Templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection.
  3. Load "Prevent users and apps from accessing dangerous websites" with a double-click.
  4. Set the policy to enabled, and assign it one of the available modes:
    1. Block -- Malicious IP addresses and domains are blocked.
    2. Disabled (default) -- The feature is not active.
    3. Audit Mode -- This records blocked events but won't block the events.

Using PowerShell

You may use the PowerShell instead to manage the Network protection feature. The following commands are available:

  • Set-MpPreference -EnableNetworkProtection Enabled
  • Set-MpPreference -EnableNetworkProtection AuditMode
  • Set-MpPreference -EnableNetworkProtection Disabled

You need to open an elevated PowerShell prompt to run these commands:

  1. Tap on the Windows-key, type PowerShell, hold down the Shift-key and the Ctrl-key, and select PowerShell from the results to open a PowerShell interface with administrative privileges.

Network protection events

Events are recorded when the feature is enabled. Microsoft published a resource package that includes custom views for Event Viewer to make things easier for administrators.

  1. Download the Exploit Guard Evaluation Package from Microsoft.
  2. Extract the package to the local system.
  3. It contains custom XML views for all Exploit Guard events. You need the file np-events.xml for the custom network protection event view.
  4. Tap on the Windows-key, type Event Viewer, and select the entry that is returned by search.
  5. Select Action > Import Custom View.
  6. Load np-events.xml and select ok to add the view to the Event Viewer.

The following events are written to the log when the security feature is enabled on Windows 10 machines:

  • Event 1125 -- Audit-mode events.
  • Event 1126 -- Block-mode events.
  • Event 5007 -- Settings modification events


Configure Windows Defender Network protection in Windows 10
Article Name
Configure Windows Defender Network protection in Windows 10
Network Protection is a new security feature of Windows Defender that Microsoft introduced in the Fall Creators Update for its Windows 10 operating system.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Denis said on July 28, 2020 at 5:01 pm

    when network protection is enabled there is a problem with uploading files to FTP – the speed is unrealistic and the files are broken

  2. Anonymous said on October 8, 2018 at 8:26 pm

    Exploit Gueard Network Protection is a problem. Powershell commands to add an exception for a trusted server IP do not work. Logging does not work. Action center alerts do not work. The only thing that allows my software to access my server As it has in every version of Windows for the past 20 years is completely disabling this “Network Protection”. But that breaks security policy sooo… now the software is useless in Windows 10 unless we get a waiver based on the fact that the policy prevents the system from working properly. Unfortunately, it is difficult to explain how Network Protection is blocking us because there is no information available about how it works. What criteria does it use to determine if a connection is untrusted? Why can I not add a trusted IP manually? Why do the logs not show that anything is being blocked when clearly it is?

  3. Arcionquad said on May 7, 2018 at 1:43 am

    Easy and done. Thanks, Martin.

  4. Erit said on December 3, 2017 at 11:04 am

    I installed ADMX of windows 10 1709 and these policies are not existing over there

  5. coakl said on November 1, 2017 at 12:42 am

    AdBlock Plus and Ublock Origin will provide FAR, FAR more protection than these half-baked Microsoft efforts.
    And using a non-Microsoft web browser, too.

    These are the #1 and #2 security measures you NEVER see mentioned by MS.

  6. jasray said on October 28, 2017 at 1:21 am

    “Best way to configure it is to uninstall it and install some good antivirus product.”

    Poor pauper–doesn’t realize he’s receiving sage advice in making some software more effective.

  7. exrelayman said on October 27, 2017 at 6:26 am

    Heh- I thought more protection sounded good and used the powershell commands of this article and the controlled folder access article. Could no longer save any documents I created. Could not make any change to any existing document. Could not scan with my canon printer. Took a while and some hair pulling before I figured out these ‘protections’ were killing me. All is fixed now. Thanks ever so much for including the ‘disable’ command in your articles.

    You have some very skilled readers and then you have some like me!

  8. patrick said on October 26, 2017 at 9:46 pm

    I prefer Heimdal Pro for network protection. Antivirus is blind to the malware that’s on the web today.

  9. TelV said on October 26, 2017 at 11:27 am

    It’s a pity that the additional protection measures aren’t available in other versions of Windows which are still supported such as Windows 7 and 8.1

    1. RedImpala said on October 26, 2017 at 5:05 pm

      Protection you say?
      If anything it’s more like 10% protection and 90% users data collection.

  10. LUL said on October 26, 2017 at 8:42 am

    Best way to configure it is to uninstall it and install some good antivirus product.

    1. CHEF-KOCH said on October 26, 2017 at 9:32 pm

      I call bull, MS never needed any AV because since I don’t know how many years exactly you can restrict everything better with GPO/secpol/AS/.. all given by MS and it works without any external software. Why people trust other company’s when they using a OS which they distrust is beyond me. If you distrust the OS then switch it, if you need another spying product to protect against ‘OS spying’ then the entire point becomes useless.

      None of the integrated MS mechanism are weak and most are easy to configure. Besides the thing that nothing is anymore about destroying you files like in the 90’s it’s more to obtain your private data which simply requires a good firewall and some brain.

    2. PanamaVet said on October 26, 2017 at 6:11 pm

      In fact, earlier this year a FoxPro developer working to make FoxPro more secure discovered A/V software injecting vulnerabilities into FoxPro.

      Vulnerabilities have been discovered this year in major A/V products. Installing them creates vulnerabilities on
      your machine.

      Assumptions about A/V software should be discarded. They don’t quarantine themselves.

      Telling people to install vulnerabilities to catch other vulnerabilities is bad advice.

      The developer’s recommendation? The A/V should be built into the O/S. His choice based on what he was observing was Defender running in Windows 10.

      The Windows Creators update is focusing on leveraging this advantage to our benefit.

      1. said on October 30, 2017 at 2:41 am

        That’s pretty good M$ spin for their weak-ass Defender. And yes, I’ve used Defender in the past. It hardly ever detects anything after using it for a year.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.