How to Enable Exploit Protection Settings in Windows Security

Turn on exploit mitigations that help block memory-based attacks, and use Kudu to help review hardening options.

By the Kudu Team

Fix this automatically with Kudu

Run a free system scan to detect and resolve this issue automatically — no manual steps required.

Download Kudu Free →

What Causes This?

Exploit Protection may be turned off, left at weaker defaults, or changed by another app, a previous tweak, or an organization policy. In some cases, users disable mitigations to fix compatibility problems with older software and forget to turn them back on. Windows can also have per-program override settings that weaken protection for specific apps without making it obvious.

Common Symptoms

  • Windows Security shows exploit protection settings that are disabled or customized
  • You want stronger protection against memory-based attacks and app exploits
  • A security guide or IT admin recommends enabling DEP, ASLR, or other mitigations
  • Certain apps have custom exploit settings that may reduce system hardening
  • You are unsure whether your current exploit mitigation settings are the Windows defaults

How to Fix It Manually

  1. Open Windows Security.

    • Press Windows + I to open Settings.
    • Go to Privacy & security > Windows Security.
    • Click Open Windows Security.
  2. Open Exploit Protection settings.

    • In Windows Security, click App & browser control.
    • Scroll down and select Exploit protection settings.
  3. Review the system-wide protections.

    • Under the System settings tab, check protections such as:
      • Control flow guard (CFG)
      • Data Execution Prevention (DEP)
      • Force randomization for images (Mandatory ASLR)
      • Randomize memory allocations (Bottom-up ASLR)
      • Validate exception chains (SEHOP)
      • Validate heap integrity
    • For most home users, the safest option is to keep these at On by default or Use default unless a trusted app specifically requires a change.
  4. Restore recommended defaults if needed.

    • If many settings were changed and you want to undo customizations, look for a Restore defaults option in the Exploit protection window.
    • Apply the reset for System settings if available.
    • This is often the quickest way to re-enable Microsoft’s recommended baseline protections.
  5. Check per-program overrides.

    • Click the Program settings tab.
    • Review any listed apps with custom exploit settings.
    • Select an app, choose Edit, and check whether protections were manually disabled.
    • If you do not need the custom override, remove it or set the options back to Use default.
  6. Restart your PC.

    • Click Start > Power > Restart.
    • Some mitigation changes apply fully only after a restart.
  7. Confirm the settings stayed enabled.

    • Reopen Windows Security > App & browser control > Exploit protection settings.
    • Verify the system protections still show the expected default or enabled state.
    • If settings keep changing back, your PC may be managed by Group Policy, a security tool, or a corporate IT profile.
  8. If the settings are grayed out or won’t save, check for policy restrictions.

    • On work or school PCs, these settings may be controlled by your administrator.
    • On personal PCs, third-party security or “tweaking” tools may be overriding Windows Security settings. Temporarily remove conflicting tools or return their security settings to default before trying again.
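The review in steps 3 and 5 can also be done from an elevated PowerShell prompt. The script below is an added example, not part of the original guide or of Kudu; it only reads settings, using the Get-ProcessMitigation cmdlet from Windows' built-in ProcessMitigations module, and the helper name Get-DisabledMitigation is made up for illustration.

```powershell
# Added example: read-only audit of Exploit Protection settings.
# Requires the ProcessMitigations module that ships with Windows 10 1709 and later.

function Get-DisabledMitigation {
    # Hypothetical helper: walks one policy object and returns every
    # sub-setting that is explicitly OFF (NOTSET means "Use default").
    param([Parameter(Mandatory)] $Policy, [string] $Scope)
    foreach ($group in $Policy.PSObject.Properties) {
        # Skip scalar fields such as ProcessName, Source and Id.
        if ($null -eq $group.Value -or $group.Value -is [string] -or
            $group.Value.GetType().IsPrimitive) { continue }
        foreach ($setting in $group.Value.PSObject.Properties) {
            if ("$($setting.Value)" -eq 'OFF') {
                [pscustomobject]@{
                    Scope      = $Scope
                    Mitigation = $group.Name
                    Setting    = $setting.Name
                    State      = 'OFF'
                }
            }
        }
    }
}

# Step 3: system-wide protections, labelled as in the System settings tab.
$system = Get-ProcessMitigation -System
$systemView = [ordered]@{
    'Control flow guard (CFG)'          = $system.CFG.Enable
    'Data Execution Prevention (DEP)'   = $system.DEP.Enable
    'Force randomization (Mand. ASLR)'  = $system.ASLR.ForceRelocateImages
    'Randomize allocations (Bottom-up)' = $system.ASLR.BottomUp
    'Validate exception chains (SEHOP)' = $system.SEHOP.Enable
    'Validate heap integrity'           = $system.Heap.TerminateOnError
}
$systemView.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Setting = $_.Key; State = $_.Value } } |
    Format-Table -AutoSize

# Anything explicitly switched off at system level.
Get-DisabledMitigation -Policy $system -Scope 'System' | Format-Table -AutoSize

# Step 5: per-program overrides stored in the registry that turn a mitigation off.
Get-ProcessMitigation |
    ForEach-Object { Get-DisabledMitigation -Policy $_ -Scope $_.ProcessName } |
    Sort-Object Scope, Mitigation |
    Format-Table -AutoSize
```

A state of NOTSET corresponds to Use default in the Windows Security window. The per-program list may include entries that ship with Windows, so compare it against the Program settings tab before removing anything.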

Fix It Automatically with Kudu

Kudu can help review Windows hardening settings, spot weak or unusual security configurations, and guide you toward safer defaults without digging through multiple Windows menus. It’s a simpler way to check for misconfigurations, especially if exploit protection settings were changed by older tweaks, third-party tools, or app-specific overrides.
