Microsoft Defender for Endpoint (MDE) Now Supports Network Protection on Windows Server

Microsoft Defender for Endpoint (MDE) has introduced a critical security enhancement: Network Protection for Windows Servers is now generally available (GA). This eliminates the need for manual scripts or Group Policy Objects (GPOs) to enable this security feature.

Network Protection helps prevent users from accessing dangerous domains, IP addresses, and other malicious network locations. This feature was previously missing in Windows Server configurations, leaving servers more vulnerable to web-based threats.

Key Benefits of Network Protection in MDE

  • Blocks connections to malicious domains and IPs.
  • Reduces phishing and exploit kit risks.
  • Seamlessly integrates with Defender for Endpoint.
  • No need for custom scripts or GPOs.

Official Announcement: MDE Network Protection on Windows Server

You Should Know: How to Enable & Verify Network Protection

1. Enable Network Protection via Microsoft Endpoint Manager (Intune)

# Check if Network Protection is enabled (0 = Disabled, 1 = Enabled/block, 2 = Audit)
Get-MpPreference | Select-Object EnableNetworkProtection

Enable via Intune (Settings Catalog):

  • Go to Microsoft Endpoint Manager admin center.
  • Navigate to Devices > Configuration Profiles > Create Profile.
  • Select "Windows 10 and later" > "Settings Catalog".
  • Search for "Network Protection" and set it to "Enabled".
    

2. Verify Network Protection via Command Line

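# Check Defender status (Network Protection depends on real-time protection being on)
Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled
# Get-MpComputerStatus has no Network Protection property; the state is read from Get-MpPreference
Get-MpPreference | Select-Object EnableNetworkProtection

# Test Network Protection (simulate malicious domain) with Microsoft's Network Protection demo URL;
# the connection should be blocked when Network Protection is in block mode
Invoke-WebRequest -Uri "https://smartscreentestratings2.net" -UseBasicParsing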

3. Using Registry (Alternative Method)

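# Manually enable via the policy registry key (1 = Enabled/block, 2 = Audit)
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection"
# Create the key only if it is missing, so existing values are not overwritten
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name "EnableNetworkProtection" -Value 1 -Type DWord

# Restart Defender
Restart-Service -Name WinDefend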

4. Logging & Monitoring

# Check Defender logs for Network Protection events
# (1125 = audit, 1126 = block; 1121 is the ASR rule block event, not Network Protection)
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1125, 1126 }
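
The checks from steps 1, 2 and 4 combined into one report, as an added example that is not part of the original post or of Microsoft's tooling. The function name Get-NetworkProtectionReport and the 7-day look-back window are assumptions; it counts event IDs 1125 (audit) and 1126 (block) in the Defender operational log.

```powershell
# Added example: report the Network Protection mode and recent audit/block events.
# Run in an elevated PowerShell session on the server being checked.
# Get-NetworkProtectionReport is a hypothetical helper name, not a Defender cmdlet.

function Get-NetworkProtectionReport {
    [CmdletBinding()]
    param(
        [int]$Days = 7   # look-back window for events (assumed default)
    )

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit' }
    $raw  = (Get-MpPreference).EnableNetworkProtection
    $mode = 'Unknown'
    if ($null -ne $raw -and $modeNames.ContainsKey([int]$raw)) {
        $mode = $modeNames[[int]$raw]
    }

    # 1125 = Network Protection audit event, 1126 = Network Protection block event
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Mode         = $mode
        AuditEvents  = @($events | Where-Object Id -eq 1125).Count
        BlockEvents  = @($events | Where-Object Id -eq 1126).Count
        # Get-WinEvent returns newest first, so the first record is the latest
        LastEvent    = ($events | Select-Object -First 1).TimeCreated
    }
}

$report = Get-NetworkProtectionReport -Days 7
$report | Format-List

# Flag servers where the feature is off or only auditing
if ($report.Mode -ne 'Enabled (block)') {
    Write-Warning "Network Protection is not in block mode on $($report.ComputerName)."
}
```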

What Undercode Say

This update is a significant step in securing Windows Servers against web-based attacks. Network Protection was a missing layer in server security, and its native integration into MDE simplifies deployment.

Additional Security Recommendations:

  • Enable Attack Surface Reduction (ASR) Rules:
    Set-MpPreference -AttackSurfaceReductionRules_Ids <RuleID> -AttackSurfaceReductionRules_Actions Enabled 
    
  • Monitor with KQL (Microsoft Sentinel):
    DeviceEvents 
    | where ActionType == "ExploitGuardNetworkProtectionBlocked"
    | summarize count() by DeviceName 
    
  • Harden Servers with CIS Benchmarks:
    # Apply CIS-recommended firewall rules
    netsh advfirewall set allprofiles state on 
    

Prediction

As cloud and hybrid environments grow, expect more security features to shift from manual GPOs to cloud-based management (Intune, MDE). AI-driven threat blocking will likely integrate deeper into Network Protection.

Expected Output:

  • Network Protection logs in Defender.
  • Blocked connections logged in Microsoft Sentinel.
  • Reduced exposure to malicious domains.

References:

Reported By: Fabianbader Mde – Hackers Feeds