This chapter covers network protection in Microsoft Defender for Endpoint, a critical capability that blocks outbound traffic to malicious IPs, domains, and URLs. Network protection is a core component of the attack surface reduction (ASR) suite and is frequently tested on the SC-200 exam, appearing in approximately 10-15% of questions related to Defender for Endpoint. You will learn how network protection works under the hood, how to configure it using Microsoft 365 Defender and Group Policy, and how to troubleshoot common issues. Mastery of this topic is essential for securing endpoints against network-based threats and for passing the SC-200 exam.
Think of network protection in Microsoft Defender for Endpoint as a sophisticated airport security system for your organization's network traffic. Just as an airport has multiple layers—security checkpoints for passengers, baggage screening, ID verification, and behavior monitoring—Defender for Endpoint's network protection inspects all outbound and inbound traffic at multiple levels. The "security checkpoint" is the Windows Filtering Platform (WFP) that intercepts every network packet before it reaches the application. Network protection acts like a TSA agent who checks each passenger's boarding pass (the destination IP/domain) against a watchlist (Microsoft's threat intelligence). If a passenger matches a known terrorist (malicious domain), the agent blocks them and reports to central command (Microsoft 365 Defender). Unlike a simple firewall that only checks IP addresses and ports, network protection performs deep packet inspection and protocol analysis—like a baggage scanner that looks inside luggage for prohibited items. The agent also applies behavioral analytics: if a process that normally never makes network connections suddenly tries to connect to an external IP, it's flagged like a passenger trying to sneak through a restricted door. The system also uses TLS inspection to decrypt HTTPS traffic, similar to having a master key to check inside locked suitcases. Importantly, network protection is not a standalone product but a component that works with Microsoft Defender Antivirus and SmartScreen—just as airport security works with customs and border patrol. The entire system is managed via Microsoft 365 Defender policies, and alerts are generated in the unified security operations center.
What is Network Protection and Why Does It Exist?
Network protection is a feature within Microsoft Defender for Endpoint (MDE) that prevents users and applications from accessing dangerous domains, IP addresses, and URLs. It is part of the attack surface reduction (ASR) capabilities and works at the network layer to block connections to malicious endpoints identified by Microsoft's threat intelligence. The primary purpose is to stop malware, phishing, and command-and-control (C2) communications before they can reach their targets.
Network protection is distinct from traditional firewalls because it inspects traffic based on reputation and behavioral analysis, not just static rules. It uses the Windows Filtering Platform (WFP) to intercept all outbound traffic and checks each destination against a cloud-delivered threat intelligence feed. This allows it to block newly identified malicious sites in near real-time.
How Network Protection Works Internally
Network protection operates through a kernel-mode driver (mssecflt.sys) that registers with the Windows Filtering Platform (WFP) as a callout driver. The WFP is a set of API and system services that provide a platform for creating network filtering applications. The driver intercepts all outbound TCP/IP traffic at the network layer before it leaves the machine.
When an application attempts to connect to a remote host (e.g., via HTTP, HTTPS, or raw TCP), the following steps occur:
Packet Interception: The mssecflt.sys driver intercepts the outbound packet at the WFP ALE (Application Layer Enforcement) layer. This happens after the TCP three-way handshake for connection-oriented protocols or at the datagram level for UDP.
DNS Resolution: If the destination is a domain name, the system performs a DNS lookup. Network protection can also inspect the DNS query itself to block connections to known malicious domains even before the IP is resolved.
Reputation Check: The driver sends a request to the Microsoft Defender for Endpoint cloud service to check the reputation of the destination (IP, domain, or URL). This request includes metadata such as the process initiating the connection, the source IP, and the destination. The cloud service returns a verdict: allow, block, or warn.
Policy Enforcement: Based on the verdict, the driver either permits the connection to proceed or blocks it. If blocked, the user sees a notification (if configured) and the event is logged in Microsoft 365 Defender.
Inspection of HTTPS Traffic: For HTTPS connections, network protection can perform TLS inspection by decrypting the traffic using a man-in-the-middle certificate installed on the endpoint. This allows inspection of the encrypted payload to detect malicious content. By default, this is disabled and must be enabled via policy.
Key Components and Defaults
Windows Filtering Platform (WFP): The underlying framework for network traffic filtering. Network protection uses the ALE (Application Layer Enforcement) layer to intercept connections.
mssecflt.sys: The kernel-mode driver that performs the filtering.
Cloud-delivered protection: The intelligence feed that provides real-time reputation data. Default timeout for cloud check is 5 seconds; if the cloud is unreachable, the connection is allowed by default (fail-open).
SmartScreen: Shares reputation data with network protection. SmartScreen operates at the application layer (e.g., Microsoft Edge), while network protection operates at the network layer.
Group Policy and Microsoft 365 Defender: Configuration is done via Group Policy (Administrative Templates > Windows Components > Microsoft Defender Antivirus > Network Protection) or via Microsoft 365 Defender portal under Endpoint > Policies > Attack Surface Reduction.
Configuration and Verification Commands
To enable network protection via PowerShell: `Set-MpPreference -EnableNetworkProtection Enabled`
To set it to audit mode: `Set-MpPreference -EnableNetworkProtection AuditMode`
To verify the current state: `Get-MpPreference | Select-Object EnableNetworkProtection`
To view network protection events in the Windows Event Log, look for Event ID 1125 (block) and 1126 (audit) under Microsoft-Windows-Windows Defender/Operational.
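The commands above are usually run as part of a staged rollout: audit first, review the log, then switch to block. The script below is an added example, not code from the chapter or from Microsoft; it wraps the same `Set-MpPreference` and `Get-MpPreference` cmdlets in helper functions (the function names are this example's own) and checks the two Microsoft Defender Antivirus settings that network protection depends on, real-time protection and cloud-delivered protection, before changing the mode.

```powershell
# Added example (not from the chapter): staged network protection rollout with verification.
# Only Set-MpPreference / Get-MpPreference are real cmdlets; the helper names are this example's own.

function Get-NetworkProtectionState {
    # Returns the numeric mode (0=Disabled, 1=Enabled, 2=Audit, as listed in the chapter)
    # plus the two prerequisites network protection relies on.
    $p = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }
    $mode = [int]$p.EnableNetworkProtection
    [pscustomobject]@{
        Mode                 = $mode
        ModeName             = $names[$mode]
        RealtimeProtectionOn = -not $p.DisableRealtimeMonitoring
        CloudProtectionLevel = [int]$p.MAPSReporting   # 0=off, 1=basic, 2=advanced
    }
}

function Set-NetworkProtectionMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )
    $before = Get-NetworkProtectionState
    if (-not $before.RealtimeProtectionOn -or $before.CloudProtectionLevel -eq 0) {
        throw 'Real-time protection or cloud-delivered protection is off; network protection would not fire.'
    }

    Set-MpPreference -EnableNetworkProtection $Mode

    # Re-read the state: a Group Policy or Intune setting can silently override a local change,
    # so never trust the Set-MpPreference call alone.
    $expected = @{ Disabled = 0; Enabled = 1; AuditMode = 2 }[$Mode]
    $after = Get-NetworkProtectionState
    if ($after.Mode -ne $expected) {
        throw "Expected mode $expected after Set-MpPreference, got $($after.Mode) (policy may be overriding it)."
    }
    $after
}

# Usage: audit first to measure impact, then move to block once Event IDs 1125/1126 show no false positives.
Set-NetworkProtectionMode -Mode AuditMode
# ... review the Operational log, then:
# Set-NetworkProtectionMode -Mode Enabled
```

Run it from an elevated PowerShell session; if the mode check throws after the call, look at the policy source (Group Policy or the Microsoft 365 Defender ASR policy) rather than re-running the cmdlet.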
Interaction with Related Technologies
Network protection works alongside other MDE components:
- Microsoft Defender Antivirus (MDAV): Provides real-time protection for files; network protection blocks the delivery mechanism.
- Attack Surface Reduction (ASR) rules: Block specific behaviors, such as Office apps creating child processes; network protection blocks the network access that malware needs.
- Web Protection: A broader category that includes network protection as well as browser-based protections (SmartScreen). Network protection covers all applications, not just browsers.
- Firewall: Windows Defender Firewall is a stateful firewall that controls traffic based on IP/port rules; network protection adds intelligence-based blocking.
Troubleshooting Common Issues
Blocking legitimate traffic: Check the network protection event logs to identify false positives. Submit the URL to Microsoft for analysis via the Microsoft 365 Defender portal.
Performance impact: Network protection can cause latency due to cloud reputation checks. The default timeout is 5 seconds; if the cloud is slow, connections may be delayed. Consider enabling audit mode first to measure impact.
Incompatibility with VPNs: Some VPN clients may interfere with WFP callouts. Ensure the VPN driver is compatible or exclude the VPN adapter from network protection via policy.
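Identifying false positives means reading the 1125/1126 events in bulk rather than one at a time. The script below is an added example (not code from the chapter or from Microsoft) that pulls those events from the Operational log named in this chapter and groups them for review. The function names are this example's own, and because the chapter does not list the event's data field names, the script copies every EventData field generically and only guesses which ones hold the destination and process by a loose name match.

```powershell
# Added example (not from the chapter): summarise network protection events for false-positive triage.
# Log name and event IDs come from this chapter; EventData field names are deliberately not hardcoded.

function Get-NetworkProtectionEvents {
    param(
        [int]$Hours = 24,
        [int[]]$Ids = @(1125, 1126)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Ids
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $row = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
        # Copy every <Data Name="..."> element so the destination and process appear under
        # whatever names the event schema actually uses.
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

function Get-NetworkProtectionSummary {
    param([int]$Hours = 24)
    $events = @(Get-NetworkProtectionEvents -Hours $Hours)
    if ($events.Count -eq 0) {
        return "No network protection events (IDs 1125/1126) in the last $Hours h."
    }
    # Per-ID counts first: a burst of one ID right after a mode change points at the
    # change itself, not at a new threat.
    $events | Group-Object Id | Select-Object Name, Count

    # Group on the fields that look like destination or process names. The match pattern is an
    # assumption; tighten it once you have seen the field list of a real event.
    $fields = $events[0].PSObject.Properties.Name |
        Where-Object { $_ -match 'Url|Domain|Destination|Target|Process' }
    foreach ($f in $fields) {
        $events | Group-Object $f | Sort-Object Count -Descending |
            Select-Object -First 10 @{ n = 'Field'; e = { $f } }, Name, Count
    }
}

# Usage: review the top destinations and processes gathered during audit mode before enabling block mode.
Get-NetworkProtectionSummary -Hours 72
```

A destination that appears hundreds of times from one line-of-business process is the typical false positive; a single hit from an unexpected process is the one to investigate first.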
Exam-Relevant Details
Default state: Network protection is enabled by default on Windows 10/11 devices with Microsoft Defender for Endpoint onboarded.
Modes: Disabled (0), Enabled (1), Audit (2). On the exam, remember that Audit mode logs events but does not block.
Fail-open behavior: If the cloud service is unreachable, network protection allows traffic by default. This is a common exam trap: candidates think it blocks when offline; it does not.
Supported protocols: TCP, UDP, HTTP, HTTPS, DNS, and raw sockets.
Blocking mechanism: The connection is terminated with an RST packet for TCP, or the packet is dropped for UDP.
Notification: Users see a toast notification "Blocked by your IT administrator" when a connection is blocked. This can be disabled via policy.
Step-by-Step Flow
Application initiates connection - Application calls connect() or similar API.
WFP interception - mssecflt.sys captures the packet at ALE layer.
DNS resolution - If domain, DNS query is made; DNS response is inspected.
Reputation lookup - Cloud service queried with destination and process info.
Verdict returned - Allow, Block, or Warn. If Warn, user may be prompted.
Enforcement - Block sends RST; Allow passes packet; Warn shows dialog.
Logging - Event logged to Microsoft-Windows-Windows Defender/Operational and sent to Microsoft 365 Defender.
Application initiates connection
A user or process attempts to connect to a remote host, e.g., by navigating to a website in a browser, or malware trying to contact its C2 server. The application calls the Windows socket API (connect() for TCP, sendto() for UDP). This triggers the network stack to begin the connection establishment.
WFP interception at kernel level
The network protection driver (mssecflt.sys) intercepts the outbound packet at the Windows Filtering Platform (WFP) ALE (Application Layer Enforcement) layer. This happens after the TCP three-way handshake for TCP connections, at the connect call level. For UDP, it intercepts the first datagram. The driver extracts the destination IP, port, protocol, and the process ID (PID) initiating the connection.
DNS resolution and inspection
If the destination is a domain name, the system performs a DNS query to resolve it to an IP address. Network protection can also inspect the DNS query itself by registering a WFP callout for DNS traffic. If the domain is known malicious, the connection can be blocked even before the IP is resolved. The DNS response is also inspected to ensure it does not redirect to a malicious IP.
Cloud reputation check
The driver sends a reputation check request to the Microsoft Defender for Endpoint cloud service. The request includes the destination (domain, IP, URL), the process path, and other metadata. The cloud service returns a verdict (Allow, Block, Warn) based on threat intelligence. The default timeout for this check is 5 seconds. If the cloud is unreachable, the driver allows the connection (fail-open).
Enforcement and logging
Based on the verdict, the driver either allows the connection to proceed or blocks it. Blocking is done by sending a TCP RST packet for TCP connections or dropping the packet for UDP. An event is logged with Event ID 1125 (block) or 1126 (audit) in the Microsoft-Windows-Windows Defender/Operational log. The event includes the destination, process, and verdict. This event is also forwarded to Microsoft 365 Defender for alerting.
Enterprise Scenario 1: Blocking C2 Traffic for a Financial Institution
A large bank uses Defender for Endpoint to protect its 10,000 endpoints. The security team enables network protection in block mode to prevent malware from communicating with command-and-control (C2) servers. During a ransomware attack simulation, a test workstation attempts to connect to a known malicious domain. Network protection blocks the outbound TCP connection at the kernel level, preventing the ransomware from receiving encryption keys. The incident is logged and an alert is raised in Microsoft 365 Defender. The team uses the timeline to identify the affected process and remediate. Without network protection, the firewall rules would have allowed the connection because the C2 domain was previously unknown and not in any blocklist.
Enterprise Scenario 2: Phishing URL Blocking in a Retail Chain
A retail company with 5,000 endpoints deploys network protection to block access to phishing sites. An employee receives a phishing email with a link to a fake login page. When the employee clicks the link, the browser attempts to connect to the malicious URL. Network protection intercepts the HTTPS connection, performs TLS inspection (if enabled), and checks the URL reputation. The cloud service identifies the URL as a known phishing site and returns a block verdict. The user sees a notification "Blocked by your IT administrator" and the connection is terminated. The security team receives an alert and can investigate other users who may have clicked the same link.
Common Scale and Performance Considerations
At scale, network protection can introduce latency because every outbound connection triggers a cloud reputation check. The default timeout of 5 seconds can cause user-perceptible delays if the cloud service is slow. To mitigate, organizations can enable audit mode first to measure the impact, then adjust the timeout via registry (MaxCloudCheckTimeoutInMilliseconds) or use local cache to reduce cloud calls. Additionally, network protection may conflict with VPN clients that use WFP callouts; in such cases, the VPN adapter can be excluded from network protection via policy. Misconfiguration often occurs when fail-open is not understood: if the cloud is unreachable, traffic is allowed, which can lead to a false sense of security. The correct approach is to ensure high availability of the cloud service or use a local proxy for reputation checks.
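To measure the impact the paragraph describes rather than guess at it, time outbound connections in each mode and compare. The script below is an added example (not code from the chapter or from Microsoft): it opens TCP connections to a constructed list of hosts, records how long each takes, and reports success counts and average and maximum latency. The host list and the function name are this example's own; the 6-second socket timeout is chosen to sit just above the 5-second cloud-check timeout the chapter cites, so a cloud-check stall shows up as a slow connection rather than a failed one.

```powershell
# Added example (not from the chapter): measure outbound connect latency so the cost of the cloud
# reputation check can be compared across Disabled, Audit and Enabled modes.
# The host list is constructed for illustration; replace it with destinations your users actually use.

function Measure-OutboundConnectLatency {
    param(
        [string[]]$Hosts = @('www.microsoft.com', 'login.microsoftonline.com'),
        [int]$Port = 443,
        [int]$Samples = 5,
        [int]$TimeoutMs = 6000   # just above the 5 s cloud-check timeout named in the chapter
    )
    foreach ($h in $Hosts) {
        $results = foreach ($i in 1..$Samples) {
            $client = [System.Net.Sockets.TcpClient]::new()
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            $ok = $false
            try {
                # Wait() returns $false on timeout and throws if the connect itself fails
                # (a TCP RST from a block verdict lands here as an exception).
                $ok = $client.ConnectAsync($h, $Port).Wait($TimeoutMs) -and $client.Connected
            } catch {
                $ok = $false
            }
            $sw.Stop()
            $client.Dispose()
            [pscustomobject]@{ Ok = $ok; Ms = $sw.Elapsed.TotalMilliseconds }
        }
        $good = @($results | Where-Object Ok)
        [pscustomobject]@{
            Host      = $h
            Port      = $Port
            Succeeded = $good.Count
            Failed    = @($results).Count - $good.Count
            AvgMs     = if ($good.Count) { [math]::Round(($good.Ms | Measure-Object -Average).Average, 1) } else { $null }
            MaxMs     = if ($good.Count) { [math]::Round(($good.Ms | Measure-Object -Maximum).Maximum, 1) } else { $null }
        }
    }
}

# Usage: run once per mode (Disabled, AuditMode, Enabled) and compare AvgMs / MaxMs per host.
Measure-OutboundConnectLatency | Format-Table -AutoSize
```

A MaxMs that jumps toward the timeout only in Enabled or Audit mode, with Succeeded unchanged, is the signature of slow cloud checks; failures that appear only in Enabled mode are block verdicts and belong in the event-log review, not in the latency numbers.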
What SC-200 Tests on Network Protection
The SC-200 exam covers network protection under objective "Manage attack surface reduction capabilities" (Domain 1: Manage a security operations environment). Specific subtopics include: configuring network protection modes (Disabled, Enabled, Audit), understanding the difference between network protection and SmartScreen, and troubleshooting network protection using event logs. The exam expects you to know that network protection is part of the attack surface reduction (ASR) suite and that it works at the network layer via WFP.
Common Wrong Answers and Why Candidates Choose Them
"Network protection blocks traffic when the cloud is unavailable." - This is false. Network protection defaults to fail-open (allow) if the cloud service is unreachable. Candidates often assume it fails closed like a firewall. Remember: Microsoft prioritizes availability over security in this context.
"Network protection is the same as SmartScreen." - SmartScreen operates at the application layer (browser) and checks URLs and downloads. Network protection operates at the network layer and blocks all outbound traffic, not just browser traffic. They are complementary, not identical.
"Network protection can block inbound traffic." - Network protection only inspects outbound traffic. Inbound traffic is handled by Windows Defender Firewall. Candidates confuse the two.
"Network protection uses local signatures only." - It relies on cloud-delivered intelligence, not local signatures. Local definitions are used for antivirus, not network protection.
Specific Numbers and Terms to Memorize
Event IDs: 1125 (block), 1126 (audit).
Default timeout: 5 seconds for cloud check.
Modes: 0=Disabled, 1=Enabled, 2=Audit.
Fail-open: Traffic allowed if cloud unreachable.
Driver: mssecflt.sys.
Protocols: TCP, UDP, HTTP, HTTPS, DNS.
Edge Cases and Exceptions
TLS inspection: Must be explicitly enabled via policy (EnableNetworkProtectionTLSInspection). By default, HTTPS traffic is not decrypted.
Local cache: Reputation results are cached locally for 30 minutes to reduce cloud calls.
Exclusions: Certain IPs, domains, or processes can be excluded via policy (e.g., for trusted applications).
Windows versions: Network protection is available on Windows 10/11, Windows Server 2016+ with MDE.
How to Eliminate Wrong Answers
When you see a question about network protection behavior during cloud outage, look for the keyword "allow" or "fail-open." If the answer says "block all traffic" or "fail closed," it is wrong. For questions about scope, remember that network protection works for all applications, not just browsers. Eliminate answers that mention SmartScreen or browser-specific features. For mode questions, remember that Audit mode does not block—it only logs. If the question asks about enabling network protection, the correct PowerShell command is Set-MpPreference -EnableNetworkProtection Enabled.
Network protection blocks outbound connections to malicious IPs, domains, and URLs using cloud reputation.
Default mode is Enabled on MDE onboarded devices; can be set to Audit (log only) or Disabled.
If cloud service is unreachable, network protection allows traffic (fail-open).
Network protection uses the Windows Filtering Platform (WFP) and driver mssecflt.sys.
Event IDs 1125 (block) and 1126 (audit) are logged in Microsoft-Windows-Windows Defender/Operational.
TLS inspection is optional and disabled by default; must be enabled via policy.
Network protection covers all applications, not just browsers (unlike SmartScreen).
Configuration via PowerShell: Set-MpPreference -EnableNetworkProtection Enabled.
Network protection is part of attack surface reduction (ASR) rules and managed in Microsoft 365 Defender.
Common exam trap: fail-open behavior during cloud outage.
These come up on the exam all the time. Here's how to tell them apart.
Network Protection
Works at network layer (WFP ALE) for outbound traffic only.
Uses cloud-based reputation to block malicious destinations.
Blocks based on domain, IP, URL reputation, not just IP/port.
Default fail-open if cloud unreachable.
Part of attack surface reduction (ASR) capabilities.
Windows Defender Firewall
Works at network layer for both inbound and outbound traffic.
Uses static rules based on IP, port, protocol.
Does not inspect application layer or URL reputation.
Default block inbound, allow outbound (unless rule created).
Standalone Windows service, not part of ASR.
Mistake
Network protection blocks inbound traffic like a firewall.
Correct
Network protection only inspects and blocks outbound traffic. Inbound traffic is handled by Windows Defender Firewall. Network protection uses WFP callouts for outbound connections only.
Mistake
Network protection relies solely on local signature files.
Correct
Network protection uses cloud-delivered reputation checks. It does not use local signature files. The cloud service provides real-time intelligence on malicious destinations.
Mistake
If the cloud service is unavailable, network protection blocks all traffic.
Correct
Network protection defaults to fail-open mode: if the cloud is unreachable, traffic is allowed. This is a design choice to avoid breaking connectivity during cloud outages.
Mistake
Network protection and SmartScreen are the same feature.
Correct
SmartScreen operates in the browser (application layer) and checks URLs and downloads. Network protection operates at the kernel (network layer) and blocks connections from any application, not just browsers.
Mistake
Network protection can decrypt all HTTPS traffic by default.
Correct
TLS inspection is disabled by default. It must be explicitly enabled via policy (EnableNetworkProtectionTLSInspection). Even then, it requires a trusted root certificate to be installed on endpoints.
You can enable network protection via Group Policy, Microsoft 365 Defender portal, or PowerShell. In PowerShell, use `Set-MpPreference -EnableNetworkProtection Enabled`. In Microsoft 365 Defender, go to Endpoints > Policies > Attack Surface Reduction and create or edit a policy. The available modes are Disabled (0), Enabled (1), and Audit (2). Audit mode logs events but does not block connections.
Event ID 1125 indicates a blocked connection, and Event ID 1126 indicates an audit (allowed, but would have been blocked in enabled mode). These events are found in the Microsoft-Windows-Windows Defender/Operational event log. You can view them using Event Viewer or PowerShell with `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.Id -eq 1125 -or $_.Id -eq 1126 }` (the log name contains a space, so it must be quoted).
Yes, but it defaults to fail-open: all traffic is allowed if the cloud reputation service is unreachable. This is by design, to avoid causing a network outage. The timeout for cloud checks is 5 seconds by default. If you need traffic blocked during a cloud outage, you must use a local proxy; configuring network protection itself to fall back to block is not supported natively.
Yes, but only if TLS inspection is enabled via policy. By default, network protection does not decrypt HTTPS traffic. When TLS inspection is enabled, a man-in-the-middle certificate is installed on endpoints, and the driver decrypts the traffic to inspect the payload. This can cause compatibility issues with certificate pinning.
Network protection operates at the network layer (kernel) and blocks connections from any application to malicious destinations. SmartScreen operates at the application layer (browser) and checks URLs, downloads, and files. Network protection is application-agnostic, while SmartScreen only protects Microsoft Edge and Internet Explorer. Both use Microsoft's threat intelligence but at different layers.
You can configure exclusions via Group Policy or Microsoft 365 Defender. In the network protection policy, specify allowed IP addresses, domains, or processes. For example, you can add "*.contoso.com" to the allowed domains list. Exclusions apply to all endpoints that receive the policy. Be careful not to exclude too broadly, as it reduces protection.
The user receives a toast notification saying "Blocked by your IT administrator" (if notifications are enabled). The TCP connection is terminated with a reset (RST) packet. For UDP, the packet is dropped. An event with ID 1125 is logged, and an alert appears in Microsoft 365 Defender. The process that attempted the connection is recorded for investigation.