--- title: Apply mitigations to help prevent attacks through vulnerabilities keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic ms.date: 05/30/2018 --- # Protect devices from exploits with Windows Defender Exploit Guard **Applies to:** - Windows 10, version 1709 and later - Windows Server 2016 **Audience** - Enterprise security administrators **Manageability available with** - Windows Defender Security Center app - Group Policy - PowerShell Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled. Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10. >[!IMPORTANT] >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. >[!WARNING] >Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. ## Requirements Windows 10 version | Windows Defender Advanced Threat Protection -|- Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) ## Review Exploit protection events in Windows Event Viewer You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 3. On the left panel, under **Actions**, click **Import custom view...** ![Antimated GIF highlighting the import custom view button on the right pane ](images/events-import.gif) 4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 5. Click **OK**. 6. This will create a custom view that filters to only show the following events related to Exploit protection: Provider/source | Event ID | Description -|:-:|- Security-Mitigations | 1 | ACG audit Security-Mitigations | 2 | ACG enforce Security-Mitigations | 3 | Do not allow child processes audit Security-Mitigations | 4 | Do not allow child processes block Security-Mitigations | 5 | Block low integrity images audit Security-Mitigations | 6 | Block low integrity images block Security-Mitigations | 7 | Block remote images audit Security-Mitigations | 8 | Block remote images block Security-Mitigations | 9 | Disable win32k system calls audit Security-Mitigations | 10 | Disable win32k system calls block Security-Mitigations | 11 | Code integrity guard audit Security-Mitigations | 12 | Code integrity guard block Security-Mitigations | 13 | EAF audit Security-Mitigations | 14 | EAF enforce Security-Mitigations | 15 | EAF+ audit Security-Mitigations | 16 | EAF+ enforce Security-Mitigations | 17 | IAF audit Security-Mitigations | 18 | IAF enforce Security-Mitigations | 19 | ROP StackPivot audit Security-Mitigations | 20 | ROP StackPivot enforce Security-Mitigations | 21 | ROP CallerCheck audit Security-Mitigations | 22 | ROP CallerCheck enforce Security-Mitigations | 23 | ROP SimExec audit Security-Mitigations | 24 | ROP SimExec enforce WER-Diagnostics | 5 | CFG Block Win32K | 260 | Untrusted Font ## In this section Topic | Description ---|--- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved. [Evaluate Exploit protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior. [Enable Exploit protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit protection in your network. [Customize and configure Exploit protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps. [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection.