
Exploit Protection

CMMC Control Mapping Matrix

While OIB handles Attack Surface Reduction (ASR) rules, NIST SP 800-171 control 3.14.1 (flaw remediation) is mapped here to the system-wide memory exploit mitigations: Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Structured Exception Handler Overwrite Protection (SEHOP). These are enforced through an Exploit Protection XML policy file that Intune delivers to every managed device.

Step 1: Generate the Golden XML

You must first generate an XML file from a securely configured "golden" Windows 11 machine.

  1. On a secure test machine, open the Windows Security app.
  2. Go to App & browser control > Exploit protection settings.
  3. On the System settings tab, set Data Execution Prevention (DEP), Validate exception chains (SEHOP), Randomize memory allocations (Bottom-up ASLR), and High-entropy ASLR to On by default. Leave Force randomization for images (Mandatory ASLR) at its default unless every application in your fleet has been tested with it: it forces relocation of binaries not linked with /DYNAMICBASE and is the setting most likely to break line-of-business apps.
  4. Open Windows PowerShell as Administrator and export the configuration (the target folder must already exist): Get-ProcessMitigation -RegistryConfigFilePath "C:\Temp\ExploitProtection.xml". The Export settings link at the bottom of the Exploit protection settings page produces the same file. Note that -PolicyFilePath belongs to Set-ProcessMitigation, which imports a file of this format and is handy for testing the XML on a second machine before it goes into Intune.
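The following is an added example and not code from the original page: it configures the golden machine's system-wide mitigations, exports the XML with the ProcessMitigations module, and then checks the export before it is uploaded, because a setting left at "Use default" is omitted from the file and would not be enforced by the policy. The output path is taken from the page; the function name Test-GoldenMitigationXml is my own. Run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the original page). Run elevated in Windows PowerShell 5.1.
$xmlPath = 'C:\Temp\ExploitProtection.xml'   # path as used on the page

# Enable the system-wide mitigations the page calls for. BottomUp and HighEntropy
# are the ASLR settings that are safe to force on fleet-wide. ForceRelocateImages
# (Mandatory ASLR) is deliberately NOT enabled here: it relocates binaries not
# linked with /DYNAMICBASE and breaks applications that were never tested with it.
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy

# Export. Get-ProcessMitigation -RegistryConfigFilePath writes the registry-backed
# system and per-app configuration to XML; the folder must exist first.
New-Item -ItemType Directory -Path (Split-Path $xmlPath) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $xmlPath

function Test-GoldenMitigationXml {
    # Returns $true when <SystemConfig> explicitly enforces DEP, SEHOP and the two
    # ASLR settings. An absent attribute means "Use default", which the policy
    # would not enforce, so it is reported as a failure rather than ignored.
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $sys = $doc.MitigationPolicy.SystemConfig
    if (-not $sys) {
        throw "No <SystemConfig> element in $Path; the export did not capture system-wide settings."
    }

    $expected = [ordered]@{
        'DEP/@Enable'       = 'true'
        'SEHOP/@Enable'     = 'true'
        'ASLR/@BottomUp'    = 'true'
        'ASLR/@HighEntropy' = 'true'
    }

    $failures = foreach ($key in $expected.Keys) {
        $element, $attr = $key -split '/@'
        $node = $sys.$element
        # GetAttribute returns '' when the attribute is missing; $node is $null
        # when the whole element is missing. Both are treated as "not enforced".
        $actual = if ($node) { $node.GetAttribute($attr) } else { '' }
        if ($actual -ne $expected[$key]) {
            "{0} is '{1}', expected '{2}'" -f $key, $actual, $expected[$key]
        }
    }

    if ($failures) {
        $failures | ForEach-Object { Write-Warning $_ }
        return $false
    }
    return $true
}

if (-not (Test-GoldenMitigationXml -Path $xmlPath)) {
    throw 'Golden XML does not enforce DEP/ASLR/SEHOP; correct the settings and re-export.'
}
Write-Output "Golden XML at $xmlPath is ready for upload."
```

The validation step is the part worth keeping: the Windows Security app shows "On by default" and "Use default (On)" side by side, and only the former is written to the file, so a visual check of the GUI is not enough to know what the policy will actually enforce.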

Step 2: Create the Intune Profile

  1. In the Intune Admin Center, navigate to Endpoint Security > Attack Surface Reduction.
  2. Click Create Profile.
  3. Select the Windows platform (Windows 10 and later).
  4. Select Profile: Exploit Protection, then click Create.
  5. Name the profile Win - Custom - ES - Exploit Protection XML.
  6. In the Configuration settings step, click the folder icon next to Upload XML and select the ExploitProtection.xml file you generated.
  7. Assign the profile to your deployment rings, then click Review + create.
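Once the profile has reached a ring, confirm on a device that the enforced values match the golden file rather than trusting the Intune status column. The script below is an added example, not code from the original page: it re-exports the device's effective configuration and diffs the <SystemConfig> attributes against the golden XML. The golden path is taken from the page; the assumption that the golden file has been copied to the device, and the function names Get-SystemConfigMap and Compare-MitigationDrift, are mine.

```powershell
# Added example (not from the original page). Run elevated in Windows PowerShell 5.1
# on a device in a deployment ring after the Exploit Protection profile has applied.
$goldenPath = 'C:\Temp\ExploitProtection.xml'              # copied to the device (assumption)
$livePath   = Join-Path $env:TEMP 'EffectiveMitigations.xml'

# Re-export the device's current registry-backed configuration. After the policy
# has applied, this reflects the enforced values, not the shipped defaults.
Get-ProcessMitigation -RegistryConfigFilePath $livePath

function Get-SystemConfigMap {
    # Flatten <SystemConfig> into 'Element.Attribute' = value pairs so two exports
    # can be compared key by key regardless of element order.
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $sys = $doc.MitigationPolicy.SystemConfig
    if (-not $sys) { throw "No <SystemConfig> element in $Path" }

    $map = @{}
    foreach ($node in $sys.ChildNodes) {
        if ($node.NodeType -ne 'Element') { continue }
        foreach ($attr in $node.Attributes) {
            $map["$($node.Name).$($attr.Name)"] = $attr.Value
        }
    }
    return $map
}

function Compare-MitigationDrift {
    # Returns one line per setting the policy expects but the device does not
    # match. An empty result means the device is compliant with the golden XML.
    param(
        [Parameter(Mandatory)][string]$Golden,
        [Parameter(Mandatory)][string]$Live
    )
    $want = Get-SystemConfigMap -Path $Golden
    $have = Get-SystemConfigMap -Path $Live

    foreach ($key in ($want.Keys | Sort-Object)) {
        if (-not $have.ContainsKey($key)) {
            # The policy sets it explicitly but the device still runs the default.
            "$key : policy expects '$($want[$key])', device has no explicit setting"
        }
        elseif ($have[$key] -ne $want[$key]) {
            "$key : policy expects '$($want[$key])', device has '$($have[$key])'"
        }
    }
}

$drift = @(Compare-MitigationDrift -Golden $goldenPath -Live $livePath)
if ($drift.Count -gt 0) {
    $drift | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'System-wide exploit protection matches the golden XML.'
```

Only the system-wide section is compared here because that is what control 3.14.1 is being mapped to; per-application <AppConfig> entries in the same file can be diffed the same way if you extend the golden image with app-specific mitigations.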
