---
title: Apply mitigations to help prevent attacks through vulnerabilities
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Protect devices against exploits with Windows 10. Windows 10 has advanced exploit protection capabilities, building upon and improving the settings available in Enhanced Mitigation Experience Toolkit (EMET).
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.date: 10/21/2020
ms.reviewer: 
manager: dansimp
ms.custom: asr
---

# Protect devices from exploits

[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]


**Applies to:**

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)

Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.

> [!TIP]
> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.

Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).

You can [enable exploit protection](enable-exploit-protection.md) on an individual device, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once.

When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.

Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. In fact, you can convert and import existing your EMET configuration profiles into exploit protection. To learn more, see [Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml).

> [!IMPORTANT]
> If you are currently using EMET you should be aware that [EMET reached end of support on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). Consider replacing EMET with exploit protection in Windows 10.

> [!WARNING]
> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender.md) before deploying the configuration across a production environment or the rest of your network.

## Review exploit protection events in the Microsoft Security Center

Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.

You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment.

Here is an example query:

```kusto
DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
```

## Review exploit protection events in Windows Event Viewer

You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:

|Provider/source | Event ID | Description|
|:---|:---|:---|
|Security-Mitigations | 1 | ACG audit |
|Security-Mitigations | 2 | ACG enforce |
|Security-Mitigations | 3 | Do not allow child processes audit |
|Security-Mitigations | 4 | Do not allow child processes block |
|Security-Mitigations | 5 | Block low integrity images audit |
|Security-Mitigations | 6 | Block low integrity images block |
|Security-Mitigations | 7 | Block remote images audit |
|Security-Mitigations | 8 | Block remote images block |
|Security-Mitigations | 9 | Disable win32k system calls audit |
|Security-Mitigations | 10 | Disable win32k system calls block |
|Security-Mitigations | 11 | Code integrity guard audit |
|Security-Mitigations | 12 | Code integrity guard block |
|Security-Mitigations | 13 | EAF audit |
|Security-Mitigations | 14 | EAF enforce |
|Security-Mitigations | 15 | EAF+ audit |
|Security-Mitigations | 16 | EAF+ enforce |
|Security-Mitigations | 17 | IAF audit |
|Security-Mitigations | 18 | IAF enforce |
|Security-Mitigations | 19 | ROP StackPivot audit |
|Security-Mitigations | 20 | ROP StackPivot enforce |
|Security-Mitigations | 21 | ROP CallerCheck audit |
|Security-Mitigations | 22 | ROP CallerCheck enforce |
|Security-Mitigations | 23 | ROP SimExec audit |
|Security-Mitigations | 24 | ROP SimExec enforce |
|WER-Diagnostics | 5 | CFG Block |
|Win32K | 260 | Untrusted Font |

## Mitigation comparison

The mitigations available in EMET are included natively in Windows 10 (starting with version 1709) and Windows Server (starting with version 1803), under [Exploit protection](exploit-protection.md).

The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.

|Mitigation | Available under exploit protection | Available in EMET |
|:---|:---|:---|
|Arbitrary code guard (ACG) | yes | yes<br />As "Memory Protection Check" |
|Block remote images | yes | yes<br/>As "Load Library Check" |
|Block untrusted fonts | yes | yes |
|Data Execution Prevention (DEP) | yes | yes |
|Export address filtering (EAF) | yes | yes |
|Force randomization for images (Mandatory ASLR) | yes | yes |
|NullPage Security Mitigation | yes<br />Included natively in Windows 10<br/>See  [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
|Randomize memory allocations (Bottom-Up ASLR) | yes | yes |
|Simulate execution (SimExec) | yes | yes |
|Validate API invocation (CallerCheck) | yes | yes |
|Validate exception chains (SEHOP) | yes | yes |
|Validate stack integrity (StackPivot) | yes | yes |
|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes |
|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See  [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
|Block low integrity images | yes | no |
|Code integrity guard | yes | no |
|Disable extension points | yes | no |
|Disable Win32k system calls | yes | no |
|Do not allow child processes | yes | no |
|Import address filtering (IAF) | yes | no |
|Validate handle usage | yes | no |
|Validate heap integrity | yes | no |
|Validate image dependency integrity | yes | no |

> [!NOTE]
> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.

## See also

- [Protect devices from exploits](exploit-protection.md)
- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)