Information
Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer.
The recommended state for this setting is: Disabled.
Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software.
Rationale:
Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution Prevention for Explorer
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
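The following audit check is an added example, not part of the benchmark text. It reads the registry value behind this policy and separates an explicit Disabled setting from a Not Configured one. The registry path and value name are assumptions taken from the Explorer.admx template and are not stated on this page; the function name is hypothetical.

```powershell
# Added example, not part of the benchmark text.
# Assumption: Explorer.admx stores this policy at the location below (not stated on this page).
# 0 = policy Disabled (DEP stays on), 1 = policy Enabled (DEP turned off).
function Get-ExplorerDepPolicyState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer',
        [string]$Name = 'NoDataExecutionPrevention'
    )

    # A missing key or a missing value both mean the policy is Not Configured.
    $value = $null
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$Name }
    }

    if ($null -eq $value) {
        $state  = 'NotConfigured'
        $detail = 'No policy value: Explorer uses its default (DEP on), but Group Policy is not enforcing it.'
    }
    elseif ($value -eq 0) {
        $state  = 'Disabled'
        $detail = 'Policy set to Disabled: DEP for Explorer stays on (recommended state).'
    }
    elseif ($value -eq 1) {
        $state  = 'Enabled'
        $detail = 'Policy set to Enabled: DEP for Explorer is turned off.'
    }
    else {
        $state  = 'Unexpected'
        $detail = 'Value is neither 0 nor 1; review how it was written.'
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        PolicyState = $state
        RawValue    = $value
        # Only an explicit Disabled is reported as compliant; NotConfigured relies
        # on the default and is left as a separate finding for the auditor to judge.
        Compliant   = ($state -eq 'Disabled')
        Detail      = $detail
    }
}

Get-ExplorerDepPolicyState | Format-List
```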
Impact:
None - this is the default behavior.
Default Value:
Disabled. (Data Execution Prevention will block certain types of malware from exploiting Explorer.)
References:
1. CCE-33608-1