Advanced ⏱ 120 min 📋 12 Steps

Network Protection and Custom Indicators for IP/URL/Domain

Deploy network protection and build custom IP/URL/domain indicators in Microsoft Defender for Endpoint. Understand SmartScreen dependencies, disable QUIC and Encrypted Client Hello for non-Microsoft browsers, configure warn and block modes, manage policy precedence conflicts, troubleshoot common implementation failures, and hunt for network protection events with KQL.

📋 Overview

About This Lab

Network protection is a core component of Microsoft Defender for Endpoint's web protection stack. It extends SmartScreen capabilities beyond Microsoft Edge to block outbound HTTP/HTTPS connections to malicious or suspicious domains and IP addresses across all browsers and non-browser processes. However, network protection implementation is one of the most commonly misconfigured features in MDE deployments. Organizations frequently enable custom indicators for IPs, URLs, and domains without understanding the critical prerequisites: SmartScreen must be enabled for Edge, network protection must be in block mode for non-Edge browsers, QUIC and Encrypted Client Hello (ECH) must be disabled for FQDN blocking in Chrome and Firefox, and policy conflict precedence rules must be carefully understood. This lab walks through every aspect of the implementation, including the common pitfalls that cause indicators to silently fail.

🏢 Enterprise Use Case

Scenario: A mid-size healthcare organization (3,000 endpoints) receives threat intelligence indicating that a known APT group is using specific domains and IP addresses for C2 communication. The SOC team needs to immediately block these indicators across all endpoints and browsers - not just Microsoft Edge.

After creating custom indicators in the Defender portal, the team discovers that blocking works in Edge but fails silently in Chrome and Firefox. Users on those browsers can still reach the malicious domains. The root cause: network protection was set to audit mode instead of block mode, QUIC was not disabled, and Encrypted Client Hello was preventing TLS inspection. This lab addresses exactly this class of implementation failure.

Success criteria: all custom indicators enforced across all browsers, QUIC/ECH disabled via policy, warn mode configured for uncertain URLs, and a KQL-based monitoring dashboard for ongoing validation.

🎯 What You Will Learn

  1. How network protection extends SmartScreen to non-Microsoft browsers and processes
  2. The critical prerequisites that cause custom indicators to silently fail
  3. How to enable network protection in block mode via Intune, Group Policy, and PowerShell
  4. How to disable QUIC and Encrypted Client Hello in Chrome and Firefox via policy
  5. How to create and manage custom indicators for IPs, URLs, and domains
  6. How warn mode, block mode, and allow mode interact with policy precedence
  7. How to troubleshoot network protection when blocking does not work
  8. How to use advanced hunting (KQL) to monitor and validate network protection events
  9. How the TCP three-way handshake creates confusing ConnectionSuccess events for blocked sites
  10. How to configure network protection on Windows Server and Windows Virtual Desktop

🔑 Why This Matters

Network protection misconfiguration is one of the most common and dangerous gaps in MDE deployments. When custom indicators fail silently, the SOC team believes they have blocked malicious infrastructure - but users on non-Edge browsers can still reach C2 domains, phishing sites, and malware download servers. The gap between "indicator created" and "indicator enforced" is where breaches happen. Understanding the full implementation chain - SmartScreen, network protection mode, browser protocol requirements, and policy precedence - is essential for any security team operating MDE at enterprise scale.

⚙️ Prerequisites

  • Licensing: Microsoft Defender for Endpoint Plan 1 or Plan 2 (or Microsoft 365 E5 / E5 Security / E3 with MDE P1 add-on)
  • Devices: Windows 10/11 (Pro or Enterprise), Windows Server 2012 R2+ with modern unified agent, macOS 12+, or supported Linux
  • Microsoft Defender Antivirus: Active mode with real-time protection, behavior monitoring, and cloud-delivered protection enabled
  • Anti-malware client version: 4.18.1906.x or later
  • Cloud connectivity: Outbound HTTPS to .smartscreen.microsoft.com and .smartscreen-prod.microsoft.com
  • Portal Access: Security Administrator role in security.microsoft.com
  • Custom Network Indicators: Feature enabled in Settings > Endpoints > General > Advanced features
  • Browsers for testing: Microsoft Edge, Google Chrome, and Mozilla Firefox installed on test devices
  • Prior Labs: Completion of MDE Lab 01 (Onboarding) and Lab 04 (Detection Policies) is recommended
⚠️ Critical: Network protection in block mode will actively prevent connections to malicious domains across all browsers and processes. Always deploy in audit mode first during testing, validate with advanced hunting, then switch to block mode. Incorrect configuration can disrupt legitimate business applications.

Step 1 - Understand the Network Protection Architecture

Network protection is the enforcement engine that makes custom indicators work outside of Microsoft Edge. Understanding how it fits into the web protection stack is essential before any configuration.

Web Protection Coverage Matrix

The enforcement mechanism depends on the browser and the type of protection:

Feature Microsoft Edge Non-Microsoft Browsers Non-Browser Processes
Web Threat ProtectionSmartScreen must be enabledNetwork protection must be in block modeNetwork protection must be in block mode
Custom IndicatorsSmartScreen must be enabledNetwork protection must be in block modeNetwork protection must be in block mode
Web Content FilteringSmartScreen must be enabledNetwork protection must be in block modeNot supported
🚨 The #1 Implementation Failure: Organizations create custom IP/URL indicators in the Defender portal and assume they are enforced everywhere. In reality, those indicators ONLY work in Edge (via SmartScreen). For Chrome, Firefox, and all non-browser processes, network protection must be explicitly enabled in block mode. If it is in audit mode or disabled, indicators are logged but NOT enforced.

Step 2 - Verify Current Network Protection State

Before changing anything, audit the current network protection configuration on your devices. Most implementation failures start with assumptions about what is already enabled.

Check Network Protection with PowerShell

# ---------------------------------------------------------
# WHAT: Check the current network protection state on a device
# WHY:  Network protection is the enforcement layer for custom
#       indicators in non-Edge browsers. If it's off or in
#       audit mode, your indicators are NOT being enforced.
# ---------------------------------------------------------

# Check network protection mode
# EnableNetworkProtection values:
#   0 = Disabled (indicators NOT enforced outside Edge)
#   1 = Block mode (indicators enforced - REQUIRED)
#   2 = Audit mode (indicators logged but NOT enforced)
$npState = (Get-MpPreference).EnableNetworkProtection
switch ($npState) {
    0 { Write-Host "CRITICAL: Network Protection is DISABLED" -ForegroundColor Red }
    1 { Write-Host "Network Protection is in BLOCK mode (correct)" -ForegroundColor Green }
    2 { Write-Host "WARNING: Network Protection is in AUDIT mode - indicators NOT enforced" -ForegroundColor Yellow }
}

# Check all prerequisite settings
# ALL of these must be true for network protection to function
Get-MpPreference | Select-Object `
    EnableNetworkProtection,
    DisableRealtimeMonitoring,
    DisableBehaviorMonitoring,
    MAPSReporting,
    SubmitSamplesConsent | Format-List

# Verify real-time protection is active (not just configured)
Get-MpComputerStatus | Select-Object `
    RealTimeProtectionEnabled,
    BehaviorMonitorEnabled,
    IoavProtectionEnabled,
    NISEnabled,
    AMProductVersion

Check via Registry

# ---------------------------------------------------------
# WHAT: Verify network protection state via registry
# WHY:  Group Policy or Intune may have set the value differently
#       than what PowerShell reports (policy wins over local config)
# ---------------------------------------------------------

# Primary location (policy-managed)
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection"
if (Test-Path $policyPath) {
    $val = (Get-ItemProperty $policyPath -ErrorAction SilentlyContinue).EnableNetworkProtection
    Write-Host "Policy-managed value: $val (0=Off, 1=Block, 2=Audit)"
} else {
    Write-Host "No policy-managed network protection setting found"
}

# Secondary location (local preference)
$localPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection"
if (Test-Path $localPath) {
    $val = (Get-ItemProperty $localPath -ErrorAction SilentlyContinue).EnableNetworkProtection
    Write-Host "Local preference value: $val"
}
💡 Pro Tip: Run these checks on multiple devices across different device groups. It is common to find network protection disabled on some devices due to conflicting Intune profiles, stale Group Policy, or devices that were onboarded after the policy was deployed.

Step 3 - Enable Network Protection in Block Mode

Enable network protection in block mode to enforce custom indicators across all browsers and processes. Start with audit mode for testing, then switch to block mode after validation.

Option A: Enable via Microsoft Intune (Recommended)

  1. Navigate to intune.microsoft.com > Endpoint security > Attack surface reduction
  2. Click + Create policy, select Platform: Windows 10, Windows 11, and Windows Server
  3. Select profile type Attack Surface Reduction Rules
  4. Under Network protection, set to Enable (block mode) for production or Audit for testing
  5. Assign to your target device group (start with a pilot group)
  6. Click Create

Option B: Enable via PowerShell

# ---------------------------------------------------------
# WHAT: Enable network protection via PowerShell
# WHY:  Quick testing on individual devices before applying
#       via Intune or Group Policy at scale
# ---------------------------------------------------------

# Enable in audit mode first (recommended for initial deployment)
# Audit mode logs events but does NOT block connections
Set-MpPreference -EnableNetworkProtection AuditMode

# After validation, switch to block mode
# Block mode actively prevents connections to indicators
Set-MpPreference -EnableNetworkProtection Enabled

# Verify the change took effect
(Get-MpPreference).EnableNetworkProtection
# Expected output: 1 (Block) or 2 (Audit)

Option C: Enable via Group Policy

  1. Open Group Policy Management Console and edit the target GPO
  2. Navigate to: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection
  3. Double-click Prevent users and apps from accessing dangerous websites
  4. Set to Enabled and select Block (or Audit for testing)
  5. Click OK and run gpupdate /force on target devices
⚠️ Important: Network protection is a device-wide setting - it cannot be targeted to specific user sessions. On Windows Virtual Desktop multi-session environments, it applies to all users on that host. Always test in audit mode first to identify any legitimate business applications that may be blocked.

Step 4 - Disable QUIC and Encrypted Client Hello for Non-Microsoft Browsers

This is the second most common reason custom indicators fail. Network protection inspects TLS handshakes to determine the FQDN being accessed. If the browser uses QUIC (UDP-based HTTP/3) or Encrypted Client Hello, network protection cannot read the hostname and the indicator is bypassed.

Why This Is Critical

  • QUIC protocol: Uses UDP instead of TCP, bypassing network protection's TCP/IP inspection entirely
  • Encrypted Client Hello (ECH): Encrypts the SNI field in the TLS handshake, preventing network protection from reading the target domain
  • Result: HTTPS FQDN-based indicators (domain blocking) silently fail in Chrome and Firefox if these are not disabled
  • IP indicators: Still work because they operate at the TCP layer, but most organizations block by domain, not IP

Disable QUIC and ECH in Google Chrome via Group Policy

# ---------------------------------------------------------
# WHAT: Disable QUIC and ECH in Chrome via registry (GPO equivalent)
# WHY:  Without this, Chrome uses UDP/QUIC for HTTPS connections,
#       completely bypassing network protection's TLS inspection.
#       ECH encrypts the SNI, hiding the target domain.
# ---------------------------------------------------------

# Disable QUIC in Chrome (forces TCP/TLS connections)
# QuicAllowed = 0 means QUIC is disabled
New-Item -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "QuicAllowed" -Value 0 -Type DWord

# Disable Encrypted Client Hello in Chrome
# EncryptedClientHelloEnabled = 0 means ECH is disabled
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "EncryptedClientHelloEnabled" -Value 0 -Type DWord

Write-Host "Chrome QUIC and ECH disabled via policy"

Disable QUIC and ECH in Mozilla Firefox via Group Policy

# ---------------------------------------------------------
# WHAT: Disable QUIC (HTTP/3) and ECH in Firefox via registry
# WHY:  Same reason as Chrome - Firefox supports HTTP/3 and ECH
#       which bypass network protection TLS inspection
# ---------------------------------------------------------

# Disable HTTP/3 (QUIC) in Firefox
New-Item -Path "HKLM:\SOFTWARE\Policies\Mozilla\Firefox" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Mozilla\Firefox" -Name "DisableEncryptedClientHello" -Value 1 -Type DWord

# Note: For HTTP/3 in Firefox, you may also need to set:
# network.http.http3.enable = false via about:config or enterprise policy
# This can be done via the policies.json file in Firefox installation directory

Write-Host "Firefox ECH disabled via policy"

Disable QUIC via Windows Firewall (All Applications)

# ---------------------------------------------------------
# WHAT: Block QUIC traffic at the Windows Firewall level
# WHY:  This is the nuclear option - blocks QUIC (UDP 443) for
#       ALL applications, not just browsers. Forces everything
#       to use TCP/TLS where network protection can inspect it.
#       Use this when you cannot manage individual browser policies.
# ---------------------------------------------------------

$ruleParams = @{
    DisplayName = "Block QUIC (UDP 443) for Network Protection"
    Direction   = "Outbound"
    Action      = "Block"
    RemoteAddress = "0.0.0.0/0"
    Protocol    = "UDP"
    RemotePort  = 443
}
New-NetFirewallRule @ruleParams

Write-Host "QUIC blocked at Windows Firewall level"
🚨 Common Mistake: Many SOC teams skip this step because they are not aware that Chrome defaults to QUIC and newer versions of both Chrome and Firefox support ECH. The indicators appear to be created correctly in the portal, but the browsers silently bypass them. Always verify with a test indicator and check in both Edge (should be blocked by SmartScreen) and Chrome/Firefox (requires network protection + QUIC/ECH disabled).

Step 5 - Enable SmartScreen for Microsoft Edge

SmartScreen is the enforcement engine for custom indicators inside Microsoft Edge. On Windows, network protection does NOT monitor Edge - SmartScreen handles it directly.

Enable SmartScreen via Edge Policy

# ---------------------------------------------------------
# WHAT: Ensure SmartScreen is enabled for Microsoft Edge
# WHY:  Custom indicators for URLs/domains in Edge require
#       SmartScreen to be active. Network protection does NOT
#       handle Edge - SmartScreen does.
# ---------------------------------------------------------

# Enable SmartScreen in Edge via registry (GPO equivalent)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "SmartScreenEnabled" -Value 1 -Type DWord

# Prevent users from overriding SmartScreen warnings
# WHY: Without this, users can click through block pages
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge" -Name "PreventSmartScreenPromptOverride" -Value 1 -Type DWord

Write-Host "Edge SmartScreen enabled and override prevention configured"
💡 Key Insight: On Windows, network protection does NOT monitor Microsoft Edge. Edge uses SmartScreen directly. This means you need BOTH SmartScreen (for Edge) AND network protection in block mode (for everything else). On Mac and Linux, network protection must be enabled in block mode to support custom indicators and web content filtering in Edge and other browsers.

Step 6 - Create Custom Indicators for IPs, URLs, and Domains

With the infrastructure configured, create custom indicators to block, warn, or allow specific IPs, URLs, and domains.

Create an Indicator in the Defender Portal

  1. Navigate to security.microsoft.com > Settings > Endpoints > Indicators (under Rules)
  2. Select the IP addresses or URLs/Domains tab
  3. Click Add item
  4. Enter the indicator (IP, URL, or domain)
  5. Select the action: Allow, Warn, or Block and remediate
  6. Set the scope (which device groups should enforce this indicator)
  7. Optionally set an expiration date and add a description referencing the threat intelligence source
  8. Review and click Save

Indicator Types and Limitations

  • IP addresses: Supported for TCP, HTTP, and HTTPS. Only single IPs - no CIDR blocks or IP ranges
  • HTTP URLs: Full URL path blocking works in any browser or process
  • HTTPS FQDNs: Domain-level blocking in non-Microsoft browsers (full URL path only in Edge)
  • External IPs only: Indicators cannot be created for internal/private IP addresses
  • Network protection blocks on ALL ports: Not just 80 and 443
  • Propagation delay: Up to 2 hours (usually less) between creation and enforcement
⚠️ Important: FQDNs loaded via HTTP/2 connection coalescing can only be blocked in Microsoft Edge. If a malicious domain shares an HTTP/2 connection with a legitimate domain, blocking may not work in non-Edge browsers. Also, blocking FQDNs in non-Microsoft browsers requires that QUIC and ECH be disabled (Step 4).

Step 7 - Understand Policy Precedence and Conflict Resolution

When multiple indicators or policies apply to the same URL/IP/domain, understanding the precedence order prevents unintended blocks or allows.

Indicator Action Precedence

When conflicting action types exist for the same indicator:

  1. Allow (highest priority - overrides everything)
  2. Warn (overrides block)
  3. Block (lowest priority)

For example, if you have three indicators for microsoft.com with actions Block, Warn, and Allow, the effective action is Allow.

URL Path Specificity

When conflicting URL indicator policies exist, the longer (more specific) path takes precedence. For example:

  • https://support.microsoft.com/office takes precedence over https://support.microsoft.com

MDE vs. Defender AV Precedence

Microsoft Defender for Endpoint policy has precedence over Microsoft Defender Antivirus policy. If MDE is set to Allow but Defender AV is set to Block, the effective result is Allow.

Defender for Cloud Apps Integration

  • Unsanctioned apps: Automatically create block indicators in MDE
  • Monitored apps: Create warn indicators (bypassable block)
  • Sanctioned apps: Do NOT automatically create allow indicators
  • These follow the same precedence rules as manual indicators
🚨 Watch Out: The Allow > Warn > Block precedence means that a single misplaced Allow indicator can completely neutralize a critical block. Audit your indicator list regularly and remove stale Allow indicators. Also check for Defender for Cloud Apps auto-generated indicators that may conflict with your custom blocks.

Step 8 - Configure Warn Mode and Toast Notifications

Warn mode presents users with a notification when they visit a site with an unknown or uncertain reputation. Users can choose to bypass the warning for 24 hours.

Warn Mode Controls

  • Bypass ability: Allow button in Edge, allow button on toast for non-Microsoft browsers
  • Bypass duration: Configurable per indicator (default 24 hours)
  • Bypass enforcement: Consistent across Microsoft and non-Microsoft browsers
  • Redirect URL: Configurable redirect on the indicator, works in Edge and on toast for non-Edge browsers

Convert Warn to Block (Prevent Override)

# ---------------------------------------------------------
# WHAT: Convert SmartScreen warn verdicts to block
# WHY:  By default, users can click through SmartScreen warnings
#       for malicious sites. This converts all warnings to hard
#       blocks that cannot be overridden.
# ---------------------------------------------------------

# Via Group Policy:
# Computer Configuration > Administrative Templates >
# Windows Components > Microsoft Defender Antivirus >
# Network inspection system > "Convert warn verdict to block"
# Set to: Enabled

# Via PowerShell (for testing):
# This requires setting the CSP via Intune or MDM:
# Defender CSP: Configuration/EnableConvertWarnToBlock

Enable Toast Notifications for Blocks

# ---------------------------------------------------------
# WHAT: Ensure users see block notifications
# WHY:  If toast notifications are disabled, users see a
#       connection timeout instead of an informative block page.
#       This makes troubleshooting impossible.
# ---------------------------------------------------------

# Ensure the FilesBlockedNotificationDisabled key is set to 0
$path = "HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection"
if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
Set-ItemProperty -Path $path -Name "FilesBlockedNotificationDisabled" -Value 0 -Type DWord

Write-Host "Block notifications enabled"

Notification Types

Threat Type Category Source
PhishingPhishingSmartScreen
MaliciousMaliciousSmartScreen
Command and ControlC2 / COCOSmartScreen
UntrustedUntrustedSmartScreen
Admin-defined blockCustomBlockList / CustomPolicyCustom Indicator

Step 9 - Understand the TCP Three-Way Handshake Confusion

A common source of confusion when investigating network protection events: you may see ConnectionSuccess events in DeviceNetworkEvents for sites that were actually blocked. This is by design.

How It Works

  1. User attempts to access a malicious website
  2. The TCP three-way handshake (SYN, SYN-ACK, ACK) completes successfully
  3. A DeviceNetworkEvents entry is logged with ActionType = ConnectionSuccess
  4. Network protection then inspects the TLS handshake to determine the FQDN
  5. Network protection blocks the connection after the TCP handshake but before any application data is transferred
  6. An alert appears with both the ConnectionSuccess event and the block event
💡 Key Insight: Seeing ConnectionSuccess in DeviceNetworkEvents does NOT mean the site was accessible. DeviceNetworkEvents reports from the TCP layer. Network protection operates after the TCP handshake completes. The site was still blocked - no application data was exchanged. Always check for the corresponding ExploitGuardNetworkProtectionBlocked event in DeviceEvents to confirm the block.

Step 10 - Hunt for Network Protection Events with KQL

Use advanced hunting to validate that network protection is working, identify audit events, and monitor custom indicator enforcement.

Query 1: All Network Protection Events (Block and Audit)

// ---------------------------------------------------------
// WHAT: View all network protection events
// WHY:  See both blocked and audited connections to validate
//       that network protection is detecting threats
// ---------------------------------------------------------
DeviceEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited',
                        'ExploitGuardNetworkProtectionBlocked')
| extend ParsedFields = parse_json(AdditionalFields)
| project
    Timestamp,
    DeviceName,
    ActionType,
    RemoteUrl,
    InitiatingProcessFileName,
    IsAudit = tostring(ParsedFields.IsAudit),
    ResponseCategory = tostring(ParsedFields.ResponseCategory),
    DisplayName = tostring(ParsedFields.DisplayName)
| sort by Timestamp desc

Query 2: Identify What Caused Each Block

// ---------------------------------------------------------
// WHAT: Categorize network protection events by source
// WHY:  Understand whether blocks come from SmartScreen,
//       custom indicators, web content filtering, or MCAS
//
// ResponseCategory mapping:
//   CustomPolicy     = Web Content Filtering (WCF)
//   CustomBlockList  = Custom Indicators (your IoCs)
//   CasbPolicy       = Defender for Cloud Apps
//   Malicious        = SmartScreen web threats
//   Phishing         = SmartScreen phishing detection
// ---------------------------------------------------------
DeviceEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited',
                        'ExploitGuardNetworkProtectionBlocked')
| extend ParsedFields = parse_json(AdditionalFields)
| extend ResponseCategory = tostring(ParsedFields.ResponseCategory)
| summarize EventCount = count() by ResponseCategory, ActionType
| sort by EventCount desc

Query 3: SmartScreen Events in Microsoft Edge

// ---------------------------------------------------------
// WHAT: View SmartScreen warning/block events in Edge
// WHY:  Edge uses SmartScreen instead of network protection.
//       This query shows what SmartScreen is catching.
// ---------------------------------------------------------
DeviceEvents
| where ActionType == "SmartScreenUrlWarning"
| extend ParsedFields = parse_json(AdditionalFields)
| project
    Timestamp,
    DeviceName,
    ActionType,
    RemoteUrl,
    InitiatingProcessFileName
| sort by Timestamp desc

Query 4: Custom Indicator Validation

// ---------------------------------------------------------
// WHAT: Verify that your custom indicators are being enforced
// WHY:  After creating indicators, use this to confirm they
//       are actually blocking or warning as expected
// ---------------------------------------------------------
DeviceEvents
| where ActionType in ('ExploitGuardNetworkProtectionAudited',
                        'ExploitGuardNetworkProtectionBlocked')
| extend ParsedFields = parse_json(AdditionalFields)
| where tostring(ParsedFields.ResponseCategory) == "CustomBlockList"
| project
    Timestamp,
    DeviceName,
    RemoteUrl,
    ActionType,
    InitiatingProcessFileName,
    IsAudit = tostring(ParsedFields.IsAudit)
| sort by Timestamp desc

Query 5: Audit Mode Impact Assessment

// ---------------------------------------------------------
// WHAT: Assess what would be blocked if you switch from
//       audit mode to block mode
// WHY:  Before switching to block mode, review all audited
//       events to identify potential false positives
// ---------------------------------------------------------
DeviceEvents
| where ActionType == "ExploitGuardNetworkProtectionAudited"
| extend ParsedFields = parse_json(AdditionalFields)
| summarize
    HitCount = count(),
    Devices = dcount(DeviceName),
    LastSeen = max(Timestamp)
    by RemoteUrl,
       ResponseCategory = tostring(ParsedFields.ResponseCategory)
| sort by HitCount desc
// Review this list - any legitimate URLs should be added
// as Allow indicators before switching to block mode

Step 11 - Troubleshoot Network Protection Failures

When network protection appears to not work, follow this systematic troubleshooting checklist.

Troubleshooting Checklist

  1. Is network protection enabled? Run Get-MpPreference | Select EnableNetworkProtection - must be 1 (block mode)
  2. Is Defender AV in active mode? Network protection requires active mode, not passive. Run Get-MpComputerStatus | Select AMRunningMode
  3. Is real-time protection on? Get-MpComputerStatus | Select RealTimeProtectionEnabled must be True
  4. Is behavior monitoring on? Get-MpComputerStatus | Select BehaviorMonitorEnabled must be True
  5. Is cloud-delivered protection on? Get-MpPreference | Select MAPSReporting must be 1 or 2
  6. Is QUIC disabled? Check Chrome/Firefox policies or Windows Firewall rule
  7. Is Encrypted Client Hello disabled? Check Chrome/Firefox policies
  8. Is SmartScreen enabled for Edge? Check Edge policies at edge://settings/privacy
  9. Is the Custom Network Indicators feature enabled? Settings > Endpoints > Advanced features
  10. Has the indicator propagated? Allow up to 2 hours after creation
  11. Are there conflicting Allow indicators? Allow overrides Block
  12. Can the device reach SmartScreen? Test connectivity to .smartscreen.microsoft.com

Proxy and Connectivity Issues

# ---------------------------------------------------------
# WHAT: Test SmartScreen cloud connectivity
# WHY:  Network protection needs to reach SmartScreen cloud
#       services. Proxies that intercept or block this traffic
#       will break network protection.
# ---------------------------------------------------------

# Test SmartScreen connectivity
$urls = @(
    "https://smartscreen.microsoft.com",
    "https://smartscreen-prod.microsoft.com"
)

foreach ($url in $urls) {
    try {
        $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Host "OK: $url (Status: $($response.StatusCode))" -ForegroundColor Green
    } catch {
        Write-Host "FAILED: $url - $($_.Exception.Message)" -ForegroundColor Red
    }
}

# If behind a proxy, configure static proxy for Defender AV:
# https://learn.microsoft.com/en-us/defender-endpoint/configure-proxy-internet

Windows Event Log Verification

# ---------------------------------------------------------
# WHAT: Check Windows Event Log for network protection events
# WHY:  Event logs provide local evidence of network protection
#       activity when advanced hunting is not available
#
# Event IDs:
#   5007 = Settings changed
#   1125 = Network protection fired in AUDIT mode
#   1126 = Network protection fired in BLOCK mode
# ---------------------------------------------------------

# Check for recent network protection events
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" `
    -MaxEvents 50 | Where-Object {
        $_.Id -in @(5007, 1125, 1126)
    } | Select-Object TimeCreated, Id, Message | Format-List

Step 12 - Configure Network Protection on Windows Server and VDI

Windows Server and Windows Virtual Desktop (WVD) multi-session environments require additional configuration beyond standard Windows 10/11 deployments.

Enable on Windows Server 2012 R2, 2016, 2019, 2022

# ---------------------------------------------------------
# WHAT: Enable network protection on Windows Server
# WHY:  Windows Server requires additional settings that are
#       not needed on Windows 10/11 client SKUs
# ---------------------------------------------------------

# Step 1: Enable network protection (same as client)
Set-MpPreference -EnableNetworkProtection Enabled

# Step 2: Allow network protection on Windows Server
# This setting is REQUIRED - without it, network protection
# will not function on server SKUs
Set-MpPreference -AllowNetworkProtectionOnWinServer 1

# Step 3: Allow network protection on downlevel OS (Server 2012 R2 / 2016)
# Only needed for Server 2012 R2 and 2016 with modern unified agent
Set-MpPreference -AllowNetworkProtectionDownLevel 1

# Step 4: Allow datagram processing on Windows Server
# WARNING: This may affect network performance depending on
# infrastructure, traffic volume, and server workload
Set-MpPreference -AllowDatagramProcessingOnWinServer 1

Write-Host "Network protection configured for Windows Server"

Registry Keys for Server (Alternative to PowerShell)

# ---------------------------------------------------------
# WHAT: Configure network protection on Server via registry
# WHY:  Some deployment tools prefer direct registry manipulation
#       over PowerShell cmdlets
# ---------------------------------------------------------

$basePath = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection"

# Create the key if it doesn't exist
if (-not (Test-Path $basePath)) {
    New-Item -Path $basePath -Force | Out-Null
}

# Required settings
Set-ItemProperty -Path $basePath -Name "EnableNetworkProtection" -Value 1 -Type DWord
Set-ItemProperty -Path $basePath -Name "AllowNetworkProtectionOnWinServer" -Value 1 -Type DWord

# For Server 2012 R2 and 2016 only
Set-ItemProperty -Path $basePath -Name "AllowNetworkProtectionDownLevel" -Value 1 -Type DWord

Write-Host "Server registry keys configured"

Windows Virtual Desktop Considerations

  • Network protection is device-wide and cannot be targeted to individual user sessions
  • If different user groups need different policies, create separate WVD host pools with different assignments
  • Always test in audit mode first on multi-session hosts to assess behavior
  • Consider resizing deployment if you have a large number of concurrent users or sessions
  • Monitor performance impact - AllowDatagramProcessingOnWinServer can affect network throughput

Performance Optimization: Async Inspection

# ---------------------------------------------------------
# WHAT: Enable asynchronous inspection for network protection
# WHY:  Long-lived connections (streaming, large downloads)
#       may cause performance issues with synchronous inspection.
#       Async inspection improves performance and app compatibility.
#       This is enabled by default but can be explicitly set.
# ---------------------------------------------------------

Set-MpPreference -AllowSwitchToAsyncInspection $true

# Via Group Policy:
# Computer Configuration > Administrative Templates >
# Windows Components > Microsoft Defender Antivirus >
# Network inspection system > "Turn on asynchronous inspection"
# Set to: Enabled

Summary

What You Accomplished

  • Understood the network protection architecture and the web protection coverage matrix (SmartScreen for Edge, network protection for everything else)
  • Verified the current network protection state on devices using PowerShell and registry checks
  • Enabled network protection in block mode via Intune, Group Policy, and PowerShell
  • Disabled QUIC and Encrypted Client Hello in Chrome and Firefox to enable FQDN-based blocking
  • Configured SmartScreen and override prevention for Microsoft Edge
  • Created custom indicators for IPs, URLs, and domains with appropriate actions (block, warn, allow)
  • Understood policy precedence rules (Allow > Warn > Block) and conflict resolution
  • Configured warn mode, toast notifications, and convert-warn-to-block policies
  • Understood why ConnectionSuccess events appear for blocked sites (TCP three-way handshake)
  • Built KQL queries to monitor, validate, and categorize network protection events
  • Applied a 12-point troubleshooting checklist for network protection failures
  • Configured network protection on Windows Server and Windows Virtual Desktop environments

Cost Considerations

  • Network protection and custom indicators are included in MDE Plan 1 and Plan 2 (no additional cost)
  • SmartScreen is included in Windows and Microsoft Edge at no extra cost
  • Web content filtering requires MDE Plan 2 or the web content filtering add-on
  • Advanced hunting queries run against 30 days of retained data; forwarding to Sentinel for longer retention incurs data ingestion costs
  • Defender for Cloud Apps integration (unsanctioned app blocking) requires a separate MCAS or Microsoft 365 E5 license

Cleanup (Lab Environment Only)

  • Delete test custom indicators (IPs, URLs, domains) created during the lab
  • Revert network protection to audit mode if you do not want active blocking in the lab: Set-MpPreference -EnableNetworkProtection AuditMode
  • Remove the QUIC-blocking Windows Firewall rule if it impacts lab connectivity: Remove-NetFirewallRule -DisplayName "Block QUIC (UDP 443) for Network Protection"
  • Remove Chrome and Firefox policy registry keys if no longer needed
  • Resolve any test alerts generated by blocked indicators

Next Steps

  • Integrate network protection events with Microsoft Sentinel for cross-product correlation with firewall and proxy logs
  • Build Sentinel playbooks that automatically create MDE block indicators from threat intelligence feeds
  • Deploy web content filtering policies to block categories of websites (gambling, adult content, high-risk)
  • Explore Defender for Cloud Apps integration to automatically block unsanctioned SaaS applications
  • Use Security Copilot to analyze network protection events and recommend indicator tuning

📚 Documentation Resources

ResourceDescription
Use network protection to help prevent connections to bad sitesComprehensive guide to network protection architecture, configuration, and troubleshooting
Create indicators for IPs and URLs/domainsHow to create custom network indicators with prerequisites and limitations
Turn on network protectionEnable network protection via Group Policy, PowerShell, or MDM CSPs
Evaluate network protectionQuick test scenario to demonstrate network protection in action
Web protection overviewHow web protection, network protection, and SmartScreen work together
Web content filteringCategory-based URL blocking that depends on network protection
Network protection for LinuxLinux-specific network protection configuration
Network protection for macOSmacOS-specific network protection configuration
← Previous Lab Next Lab →