diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 248f33fb..05936f06 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -4853,7 +4853,8 @@ actions: function: DisableService parameters: serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType - defaultStartupMode: Automatic # Allowed values: Automatic | Manual + # Windows 10 21H1: Manual | Windows 11 22H2: Automatic + defaultStartupMode: Automatic # Allowed values: Automatic | Manual | Boot - category: Disable Windows telemetry and data collection children: @@ -4876,7 +4877,7 @@ actions: function: DisableService parameters: serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType - defaultStartupMode: Automatic # Allowed values: Automatic | Manual + defaultStartupMode: Automatic # Allowed values: Automatic | Manual | Boot - name: Disable WAP push notification routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service recommend: standard @@ -4893,7 +4894,7 @@ actions: function: DisableService parameters: serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - name: Disable "Diagnostics Hub Standard Collector" service docs: |- @@ -4909,7 +4910,7 @@ actions: function: DisableService parameters: serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - name: Disable "Diagnostic Execution Service" (`diagsvc`) docs: |- 
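Review bot: The new comment on the `PcaSvc` step records that the service defaults to `Manual` on Windows 10 21H1, yet `defaultStartupMode: Automatic` stays a single value, so reverting on a 21H1 machine would restore a startup type that was never the default there. If `DisableService` cannot take a per-version default, the comment should at least say which version the value was chosen for, e.g. `defaultStartupMode: Automatic # Windows 11 22H2 default; Windows 10 21H1 ships Manual`. The surrounding action starts before the hunk.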
@@ -4925,7 +4926,7 @@ actions: function: DisableService parameters: serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - category: Disable census data collection docs: |- @@ -5372,6 +5373,9 @@ actions: [3]: https://web.archive.org/web/20231018135918/https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 "The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent. | stigviewer.com" [4]: https://web.archive.org/web/20231018135930/https://batcmd.com/windows/10/services/wersvc/ "Windows Error Reporting Service - Windows 10 Service - batcmd.com" [5]: https://web.archive.org/web/20231019222221/https://batcmd.com/windows/10/services/wercplsupport/ "Problem Reports Control Panel Support - Windows 10 Service - batcmd.com" + + # TODO: Windows Error Reporting Service sends error back to Microsoft: + - https://web.archive.org/web/20210926064024/https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide call: - function: Comment @@ -5452,12 +5456,12 @@ actions: function: DisableService parameters: serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - # Problem Reports Control Panel Support function: DisableService parameters: serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - category: Disable connectivity checks docs: |- # refactor-with-variables: Same • NCSI caution 
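Review bot: In the `@@ -5372` hunk the added `# TODO: …` and `- https://…` lines sit between the `[3]`–`[5]` link references and `call:`, i.e. apparently inside the `docs: |-` block scalar; indentation is not visible here, but if they share the block's indent they are document content rather than a YAML comment, and the leading `# ` and `- ` would render as a stray heading and bullet in the user-facing docs. Either place the note above `docs:` at key indentation or dedent it below the block scalar so the parser treats it as a comment. The docs block starts before the hunk.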
@@ -6169,7 +6173,7 @@ actions: # "Set-Service" returns "Access is denied" since Windows 10 1809. parameters: serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType - defaultStartupMode: Automatic # Allowed values: Automatic | Manual + defaultStartupMode: Automatic # Allowed values: Automatic | Manual | Boot - name: Disable cloud-based speech recognition recommend: standard @@ -7305,7 +7309,7 @@ actions: function: DisableService parameters: serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - name: Disable Wi-Fi Sense recommend: standard @@ -7466,7 +7470,7 @@ actions: function: DisableService parameters: serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - name: Disable Microsoft feature trials docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation @@ -8729,7 +8733,7 @@ actions: # function: DisableService # parameters: # serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType - # defaultStartupMode: Automatic # Allowed values: Automatic | Manual + # defaultStartupMode: Automatic # Allowed values: Automatic | Manual | Boot - name: Disable "Microsoft Office Subscription Heartbeat" task docs: |- @@ -11665,7 +11669,7 @@ actions: function: DisableService parameters: serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType - defaultStartupMode: Automatic # Allowed values: Automatic | Manual + defaultStartupMode: Automatic # Allowed values: Automatic | Manual | Boot - category: Disable Dropbox background automatic updates docs: |- 
@@ -11819,7 +11823,7 @@ actions: function: DisableService parameters: serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - name: Disable CCleaner data collection call: @@ -14947,6 +14951,13 @@ actions: [11]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" # See defender status: Get-MpComputerStatus children: + # TODO: + # - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock!AllowDevelopmentWithoutDevLicense` > 1 + # - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx!AllowDevelopmentWithoutDevLicense` > 1 + # - `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy!VerifiedAndReputablePolicyState` > 1 + # - `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAHealth" Remove the Security and Maintenance icon + # TODO: serach for `Policies\Microsoft\Windows Defender\Features`, theres stuff not added here + # TODO: Check values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\*!Enabled - category: Disable Defender data collection docs: |- 
@@ -15711,6 +15722,26 @@ actions: grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - function: ShowComputerRestartSuggestion + - + name: Disable Windows Filtering Platform (WFP) and Base Filtering Engine (BFE) + docs: |- + Windows Filtering Platform + + A service that controls the operation of the **Windows Filtering Platform** [1]. + Windows Filtering Platform (WFP) is a network traffic processing platform designed + to replace the Windows XP and Windows Server 2003 network traffic filtering interfaces [1]. + WFP consists of a set of hooks into the network stack and a filtering engine that + coordinates network stack interactions [1]. + + It performs the following tasks: + + - Accepts filters and other configuration settings for the platform [1]. + - Reports the current state of the system, including statistics [1]. + - Enforces the security model for accepting configuration in the platform [1]. + For example, a local administrator can add filters but other users can only view them [1]. + . Plumbs configuration settings to other modules in the system [1] + For example, IPsec negotiation polices go to IKE/AuthIP keying modules, filters go to the filter engine [1]. + code: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE # TODO: not tested - name: Disable firewall via command-line utility # ❗️ Following must be enabled and in running state: 
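Review bot: The new `Disable Windows Filtering Platform (WFP) and Base Filtering Engine (BFE)` entry has no `call:`; its `code:` holds the registry key path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE` rather than a command and there is no `revertCode`, so nothing runs and nothing can be undone, as the `# TODO: not tested` marker admits. Every sibling entry here is built from `call:` with a `function:`/`parameters:` pair (the `DisableService` steps earlier in this diff are the obvious template), so this one should follow that shape or stay commented out until tested. The docs also lack the caution the other Defender and firewall entries carry; as far as I know the Windows Firewall service depends on BFE, so stopping it leaves the host without firewall or IPsec policy enforcement, and the docs should say so. Minor text fix: the fourth task bullet starts with `. Plumbs` instead of `- Plumbs`.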
@@ -15852,17 +15883,221 @@ actions: deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 - docs: + docs: |- # TODO: - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender call: - function: SetRegistryValue + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender + valueName: DisableAntiSpyware + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + # Disable Firewall through PowerShell cmdled # TODO: same as CLI? + function: RunPowerShell + parameters: + code: Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True + - + # TODO: IsPassiveMode" and "ForcePassiveMode + # Seen: [5]: https://github.com/privacysexy-forks/10_0_22000_1165/blob/92680a67167c80bd9f2c8e58bd304b801a18860d/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpDlpCmd.exe.strings "10_0_22000_1165/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22000.1_none_1be9c0745b95a762/MpDlpCmd.exe.strings at 92680a67167c80bd9f2c8e58bd304b801a18860d · WinDLLsExports/10_0_22000_1165 | github.com" + name: Disable Defender Antivirus active mode + docs: |- #TODO: Revise docs, Resarch DONE + This script.. + + It improves your privacy by.. + It improves your performance by.. + However it may reduce your security by.. + + This script sets the Defender Antivirus to passive mode [1] [2] [3] [4]. + By default, Defender Antivirus runs in active mode [2]. 
+ It can run in passive mode if you are running a non-Microsoft antivirus/antimalware solution [2]. + On older versions of Windows, Defender Antivirus doesn't enter passive mode automatically when you install a + non-Microsoft antivirus product [3]. + By configuring Defender Antivirus to be in passive mode, this script.. + + > **Caution:** + > This script may reduce your security by.. + > Consider... + + ### Technical Details + + This script configures the following registry values: + + - `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection!ForceDefenderPassiveMode` [1] [2] [3] [4] + Modifying this data, requires Tamper Protection to be disabled as tamper protection prevents it from + going back into passive mode even when this data is set [3] [4]. + - `HKLM\SOFTWARE\Microsoft\Windows Defender!PassiveMode` [5] [7]: + According to tests, on Windows 11 Pro 23H2, when a third party antivirus is installed + Windows sets its data to `1`. + Configuring this key disables Limited Periodic Scanning [5] [7]. + Limited periodic scanning is a special type of threat detection and remediation that can + be enabled when another antivirus product is installed on a Windows device [6]. 
+ + [1]: https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server + [2]: https://learn.microsoft.com/en-us/defender-endpoint/configure-server-endpoints#options-to-install-the-microsoft-defender-for-endpoint-packages + [3]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-compatibility + [4]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows + [5]: https://community.spiceworks.com/t/windows-defender-limited-periodic-scanning/654744/3 + [6]: https://learn.microsoft.com/en-us/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus + [7]: https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a-2.html + call: + - + function: SetRegistryValue # TODO: Access Denied, test as TI? + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: PassiveMode + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + - #TODO: Doc this + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection + valueName: ForceDefenderPassiveMode + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + - # TODO: Doc this + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Microsoft\Windows Defender\Miscellaneous Configuration + valueName: EnableDlpInPassiveMode + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 21H2) + - + name: Disable Defender Antivirus via state configuration + docs: |- + This script configures: + + - `HKLM\SOFTWARE\Microsoft\Windows Defender!DisableAntiSpyware` + - `HKLM\SOFTWARE\Microsoft\Windows Defender!DisableAntiVirus` + + 
By default, these values do not exists since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2). + According to tests, installing a third-party antivirus application configures their data to `1` on Windows 10 Pro 22H2, + however this value is not configured after installing an AV on Windows 11 Pro 23H2. + call: + - #TODO: Test permissions and doc this: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: DisableAntiSpyware + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - #TODO: Test permissions and doc this: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender + valueName: DisableAntiVirus + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender Antivirus via outdated policy # Deprecated since Windows 10 version 1903 + docs: |- + This script deactivates Microsoft Defender Antivirus on Windows versions before the + August 2020 update (version 4.18.2007.8) [1] [2]. + Newer versions of Microsoft Defender Antivirus, especially from Windows 10 version 1903 + onwards [1], do not support deactivation through system policy [1] [2]. + + Microsoft Defender Antivirus offers protection against malware, including spyware. The **DisableAntiSpyware** setting, when set to `false` (i.e., `1`), + previously disabled Microsoft Defender Antivirus and other non-Microsoft antivirus solutions [1]. However, this setting is now obsolete for devices running + platform version 4.18.2108.4 or newer [1]. Additionally, Microsoft Defender for Endpoint ignores this setting [1]. Tamper protection, introduced in Windows + 10 version 1903, prevents unauthorized changes to this setting [1]. The related registry key is + `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender!DisableAntiSpyware` [2] [3]. 
+ + Similarly, the **DisableAntiVirus** policy, intended to deactivate Microsoft Defender Antivirus [2], is applicable only to versions before the + August 2020 update [2]. Post-update, this policy cannot turn off Microsoft Defender Antivirus on client devices [2]. Its associated registry key + is `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender!DisableAntiVirus` [2]. + + > **Caution**: Disabling antivirus can increase privacy by reducing data collection from Microsoft and may enhance system performance. + > However, it poses a significant security risk by reducing protection against malware and other threats. Users should consider the + > trade-offs between privacy, system performance, and security before disabling antivirus protection. + + [1]: https://web.archive.org/web/20231126024121/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware "DisableAntiSpyware | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20231126024330/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20210926064024/https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide "Microsoft Defender Antivirus on Windows Server | Microsoft Docs | docs.microsoft.com" + call: + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d 1 /f + revertCode: reg 
delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /f 2>nul + # TODO: Soft-delete defender directory. + # TODO: Make above category + # name: Remove Windows Defender Definition FilesPermalink + # docs: |- + # https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ + # Removing definition files would cause ATP to not fire for AntiMalware. + # https://atomicredteam.io/defense-evasion/T1562.001/#atomic-test-20---remove-windows-defender-definition-files + # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide + # code: "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All + # revertCode: "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate + # TODO: MpDlpService https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide + # MDDlpSvc + # TODO: + # - Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Scan" /v "AutomaticallyCleanAfterScan" /t REG_DWORD /d "0" /f + - + name: Disable Defender Antivirus special running modes + docs: |- + This script... + + Defender Antivirus can run in three modes (explain) [1] [3]. + + Standard operational states of Defender Antivirus include: + + - **Active Mode**: + Default mode of Defender Antivirus when it is the primary antivirus solution on the system [1]. + Files are scanned, threats are remediated, and detected threats are listed in your organization's security reports and in your Windows Security app [1]. + All Defender features are turned off [3]. + - **Disabled Mode**: + Microsoft Defender Antivirus isn't used. Files aren't scanned, and threats aren't remediated [1]. + All Defender features are turned off [3]. 
+ + Special modes (where Defender Antivirus is partially turned on) include: + + - **Passive Mode**: + Defender Antivirus remains active in terms of scanning and detecting threats, but it is not the primary antivirus solution [1]. + Passive mode is only available for devices that are onboarded to Microsoft Defender for Endpoint and that meet certain requirements [1]. + Defender features are partially turned off [3]. + - **EDR Block Mode**: + Defender remains functional even when Microsoft Defender Antivirus isn't the primary antivirus solution [1]. + This mode allows **EDR** (Endpoint Detection and Response) to detect and block malicious artifacts post-breach, + functioning in the background even if another antivirus product is in use [1]. + - **SxS Passive Mode**: + Defender Antivirus is running alongside another antivirus/antimalware product, and limited periodic scanning is used [1]. + + This setting is used by Defender Antivirus service [2]. + + By disabling special running modes, this script attempts to disable Defender by restricting it to "Disabled" mode. + + this may improve privacy by.. + it may also improve security by.. + However, it may reduce securit by.. + + > **Caution:** TODO: Explain for non-tech savvy in single sentence what implication of running this script can be. + + ### Technical Details + + This script configures `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender!DisableSpecialRunningModes` [2] group policy. 
+ + [1]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows#comparing-active-mode-passive-mode-and-disabled-mode + [2]: https://github.com/WinDLLsExports/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/amd64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431/MpSvc.dll.strings#L3413 + [3]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-compatibility + call: + function: RunInlineCode parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender - valueName: DisableAntiSpyware - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d 1 /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /f 2>nul - category: Disable Defender features # Status: Get-MpPreference @@ -15902,7 +16137,7 @@ actions: data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable Tamper Protection + name: Disable Tamper Protection # TODO: Part of Windows Security docs: |- This script disables Tamper Protection in Microsoft Defender Antivirus. 
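Review bot: In the `@@ -15852` hunk the step commented `# Disable Firewall through PowerShell cmdled` runs `Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True`, which turns the firewall on rather than off, and it sits in the `call:` list of `Disable Microsoft Defender Antivirus`, a script it has nothing to do with, with no `revertCode`; either drop it or move it beside the existing firewall entries with the value that matches its comment (`-Enabled False`) and a revert that restores `True`. In `Disable Defender Antivirus special running modes` the **Active Mode** bullet ends with `All Defender features are turned off [3].`, copied from the **Disabled Mode** bullet and contradicting the sentence before it. In `Disable Defender Antivirus via outdated policy`, "when set to `false` (i.e., `1`)" should read `true`. Several new `docs:` blocks (`This script..`, `It improves your privacy by..`, `this may improve privacy by..`) are still placeholders that would be shown to users as-is.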
@@ -15999,42 +16234,80 @@ actions: - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 + # Managing with MpPreference module: + - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - valueName: EnableFileHashComputation - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: EnableFileHashComputation + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: EnableFileHashComputation # Status: Get-MpPreference | Select-Object -Property EnableFileHashComputation + value: $True # Set: Set-MpPreference -Force -EnableFileHashComputation $True + default: $False # Default: False (Enabled) | Remove-MpPreference -Force -EnableFileHashComputation | Set-MpPreference -Force -EnableFileHashComputation $False - category: Disable "Windows Defender Exploit Guard" docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ children: - name: Disable prevention of users and apps from accessing dangerous websites - docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection + - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-using-powershell#advanced-threat-and-exploit-mitigation-and-prevention-controlled-folder-access + - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-enablenetworkprotection call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - valueName: EnableNetworkProtection - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + valueName: EnableNetworkProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: EnableNetworkProtection # Status: Get-MpPreference | Select-Object -Property EnableNetworkProtection + value: 'Disabled' # Set: Set-MpPreference -Force -EnableNetworkProtection 'Enabled' + default: 'Disabled' # Default: Disabled | Remove-MpPreference -Force -EnableNetworkProtection | Set-MpPreference -Force -EnableNetworkProtection $False - name: Disable controlled folder access - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - - 
https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide + docs: |- + This script turns of controlled folder access feature. + + Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware [1]. + + This feature is disabled by default [2]. + + It can be controlled using PowerShell MpPreference module using `EnableControlledFolderAccess` key [2] [1] [4], the feature is disabled using `Disabled` value. + + It can also be disabled using `Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access` registry key [3]. + + [1]: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders + [2]: https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-enablecontrolledfolderaccess + [3]: https://web.archive.org/web/20230422135736/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess + [4]: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-using-powershell#advanced-threat-and-exploit-mitigation-and-prevention-controlled-folder-access call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access - valueName: EnableControlledFolderAccess - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: EnableControlledFolderAccess # Status: Get-MpPreference | Select-Object -Property EnableControlledFolderAccess + value: 'Disabled' # Set: Set-MpPreference -Force -EnableControlledFolderAccess 'Enabled' + default: 'Disabled' # Default: Disabled 
| Remove-MpPreference -Force -EnableControlledFolderAccess | Set-MpPreference -Force -EnableControlledFolderAccess $False + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access + valueName: EnableControlledFolderAccess + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable network inspection system features children: @@ -16092,7 +16365,6 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - - function: SetRegistryValue parameters: @@ -16101,6 +16373,11 @@ actions: dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # TODO: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/migrating-asr-rules?view=o365-worldwide + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "AllowRealTimeMonitoring" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager" /v "AllowRealTimeMonitoring" /f 2>nul - name: Disable intrusion prevention system (IPS) docs: @@ -16222,7 +16499,7 @@ actions: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableWindowsSpotlightFeatures + valueName: DisableOnAccessProtection dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) 
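Review bot: In the `@@ -15999` hunk the `SetMpPreference` step added to the file-hash-computation script sets `value: $True` while its sibling `SetRegistryValue` writes `EnableFileHashComputation` = `0`; the two steps pull in opposite directions and `$True` turns the feature on, so it should be `value: $False`, and the inline comment `Default: False (Enabled)` looks copied from the `DisableRealtimeMonitoring` step, where False means enabled, which is not the case for this property. In the network-protection entry the registry step writes `EnableNetworkProtection` = `1`, which as far as I know is the "Block" setting of that policy rather than "Disable"; worth verifying against the linked admx page before the re-indented block is taken as reviewed. The controlled-folder-access docs read "turns of" for "turns off". The enclosing `category:` starts before the hunk.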
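Review bot: In the `@@ -16101` hunk the new `RunInlineCode` step writes `AllowRealTimeMonitoring` = `1` under `Policy Manager`, next to steps that set `DisableRealtimeMonitoring $True` and a registry value of `1` to turn real-time monitoring off; if this value follows the convention its name suggests (0 = not allowed, 1 = allowed), `1` re-enables what the sibling steps disable, and `/d "0"` with a matching `revertCode` is the consistent form. The `# TODO:` link on the step is about ASR rule migration and does not document this value; a short comment naming the source for the 0/1 meaning would help the next reader. The enclosing script starts before the hunk.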
@@ -16264,6 +16541,75 @@ actions: dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable antivirus scanning of dev drive # TODO: TBD + docs: https://learn.microsoft.com/en-us/windows/dev-drive/group-policy + code: |- + Set-RegistryKeyValue -KeyPath "HKLM:\System\CurrentControlSet\Policies\" -ValueName "FsEnableDevDrive" -Value "1" -PropertyType "Dword" -LogFile $LogFile + Set-RegistryKeyValue -KeyPath "HKLM:\System\CurrentControlSet\Policies\" -ValueName "FltmgrDevDriveAllowAntivirusFilter" -Value "1" -PropertyType "Dword" -LogFile $LogFile + Set-RegistryKeyValue -KeyPath "HKLM:\System\CurrentControlSet\Policies\" -ValueName "FltmgrDevDriveAttachPolicy" -Value "PrjFlt, MsSecFlt, WdFilter, bindFlt, wcifs, FileInfo" -PropertyType "MultiString" -LogFile $LogFile + TODO: disable WdDevFlt + + name: Disable synchronous real-time scanning of Dev Drive + docs: |- + This script disables synchronous real-time scanning in Dev Drive on Windows 11. + This way, it enables a performance mode in Defender [1]. + + Dev Drive, a new storage volume type, is designed for developers to improve performance using ReFS technology [1] [2]. + By default, Dev Drive operates in asynchronous scan mode, balancing threat protection and performance [1]. + This script switches scanning from synchronous (real-time protection) to asynchronous (scanning after file operations), + resulting in faster performance but potentially reduced security [1]. + + Synchronous scanning initiates a real-time protection scan when opening a file, while asynchronous scanning defers the + security scan until after the file operation [1]. Disabling synchronous scanning can impact performance, especially in + development environments with frequent file operations [2]. + + To enable performance mode, real-time protection must be active, and Dev Drive must be designated as trusted [1]. 
+ + This script uses `SetMpPreference` command [1] and `HKLM\Software\Microsoft\Windows Defender\Real-Time Protection!DisableAsyncScanOnOpen` + registry key modification [3] to alter the scanning behavior. + + > **Caution**: Changing these settings can lower security by prioritizing performance over immediate threat scanning. + > It is recommended to understand the security implications before proceeding. + + [1]: https://web.archive.org/web/20231126014947/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-antivirus-performance-mode?view=o365-worldwide "Protect Dev Drive using performance mode | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20231126014908/https://blogs.windows.com/windowsdeveloper/2023/09/26/new-experiences-designed-to-make-every-developer-more-productive-on-windows-11/ "New experiences designed to make every developer more productive on Windows 11 - Windows Developer Blog | blogs.windows.com" + [3]: https://www.elevenforum.com/t/enable-or-disable-performance-mode-for-dev-drive-protection-in-windows-11.17215/ "Enable or Disable Performance Mode for Dev Drive Protection in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" + call: + - + function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." 
(>= 22H2) + parameters: + code: reg add "HKLM\Software\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAsyncScanOnOpen" /t REG_DWORD /d "0" /f + revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAsyncScanOnOpen" /f 2>nul + - + function: SetMpPreference + parameters: + property: PerformanceModeStatus # Status: Get-MpPreference | Select-Object -Property PerformanceModeStatus + value: 'Enabled' # Set: Set-MpPreference -Force -PerformanceModeStatus 'Enabled' + default: 'Disabled' # Default: Disabled | Remove-MpPreference -Force -PerformanceModeStatus | Set-MpPreference -Force -PerformanceModeStatus 'Disabled' + + - + name: Disable Dynamic Protection Analysis (DPA) feature + docs: |- + This script disables the Dynamic Protection Analysis (DPA) feature in Microsoft Defender. + DPA, part of Microsoft Defender's real-time protection conducts continuous behavioral analysis to identify potential threats. + However, this monitoring may lead to increased data collection by Microsoft, raising privacy concerns. + + Disabling DPA aims to mitigate this data collection, enhancing user privacy by reducing the scope of Microsoft Defender's surveillance. + Additionally, this action may yield performance improvements, particularly in scenarios where real-time scanning imposes a significant + burden on system resources. Yet, users should be aware that disabling DPA reduces the system's security and defensive capabilities against + threats, as it limits the efficacy of Microsoft Defender's real-time response. + + The script modifies the `HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection!DpaDisabled` registry key to achieve this. + + > **Caution:** Users need to weigh the privacy advantages against the potential decrease in security effectiveness. + > This setting change is significant for systems with modern versions of Windows, where DPA is a default-enabled feature. 
+ call: + function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 22H2) + parameters: + code: reg add "HKLM\Software\Microsoft\Windows Defender\Real-Time Protection" /v "DpaDisabled" /t REG_DWORD /d "1" /f + revertCode: |- # This value exists with value `0` by default since Windows 10 >= 22H2 and Windows 11 >= 22H2 + reg add "HKLM\Software\Microsoft\Windows Defender\Real-Time Protection" /v "DpaDisabled" /t REG_DWORD /d "0" /f 2>nul - category: Disable Defender remediation children: @@ -16411,7 +16757,7 @@ actions: dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - # Too good to disable + # - Too good to disable, also no reported privacy issues # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 # children: @@ -17580,6 +17926,22 @@ actions: dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable non-administrator access to user interface + docs: |- + TODO: Add docs + + This increase privacy by limiting security information (which can be sensitive) to only + privileged users. + call: + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) + parameters: + keyPath: HKLM\Software\Microsoft\Windows Defender\UX Configuration + valueName: "AllowNonAdminFunctionality" + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable sections in "Windows Security" docs: |- 
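Review bot: In "Disable synchronous real-time scanning of Dev Drive", `code` writes `DisableAsyncScanOnOpen` under `HKLM\Software\Microsoft\Windows Defender\Real-Time Protection`, but `revertCode` deletes it from `HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, so a revert never touches the value that was set; the revert path should match the forward path: `revertCode: reg delete "HKLM\Software\Microsoft\Windows Defender\Real-Time Protection" /v "DisableAsyncScanOnOpen" /f 2>nul`. Its docs also contradict themselves, stating that Dev Drive "by default operates in asynchronous scan mode" and two lines later that the script "switches scanning from synchronous to asynchronous"; one of the two sentences should go. The "Disable antivirus scanning of dev drive" entry reads as an unfinished placeholder: its `code: |-` block carries a literal `TODO: disable WdDevFlt` line that would presumably be passed to the shell as text, it uses a `Set-RegistryKeyValue ... -LogFile $LogFile` form the rest of the file expresses through `call:`/`SetRegistryValue`, and `FltmgrDevDriveAllowAntivirusFilter` = 1 by its name allows the antivirus filter rather than disabling scanning, so it should be completed or commented out before merge.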
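Review bot: The new "Disable non-administrator access to user interface" script in the hunk at -17580 ships with `docs: |-` reading `TODO: Add docs`, so users see a placeholder, and the following sentence needs `This increases privacy`. A one-sentence description is enough, e.g. stating that `AllowNonAdminFunctionality` = 0 under `UX Configuration` hides the Defender user interface from non-administrator accounts, ideally with an archived reference in the `[1]:` form the sibling entries use. `valueName: "AllowNonAdminFunctionality"` is the only quoted value name in these hunks; the unquoted form matches the rest of the file.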
@@ -17737,6 +18099,12 @@ actions: - category: Disable Defender notifications children: + # TODO: Disable Firewall notifications + # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile!DisableNotifications + # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile!DisableNotifications + # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile!DisableNotifications + # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile!DisableNotifications + # Polciy existS, research? HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableNotifications or not? - category: Disable Windows Security notifications docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications @@ -18014,13 +18382,15 @@ actions: # 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort. children: - - name: Disable "Microsoft Defender Antivirus Service" + name: Disable "Microsoft Defender Antivirus service" service # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` docs: |- - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ + It is a service used by Microsoft Defender [2] [3]. + + It's named as "Microsoft Defender Antivirus service", "Antimalware Service Executable" and "Microsoft Defender Antivirus" [3]. ### Overview of default service statuses 
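Review bot: The rewritten docs for the Defender Antivirus service in the hunk at -18014 cite `[2]` and `[3]` but nothing defines `[1]`, so a reader looks for a missing reference; either renumber the two citations to `[1]`/`[2]` or keep the archived batcmd link, which the commit moved into a TODO, as `[1]`. The footnote definitions themselves arrive only in the next hunk, so the docs block is not self-contained within this hunk. The enclosing entry continues outside the hunk.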
@@ -18028,6 +18398,14 @@ actions: | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + + [2]: https://web.archive.org/web/20231126024330/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues | Microsoft Learn | learn.microsoft.com" + [3]: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide + + TODO: + - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ + # Microsoft Defender Antivirus service, source: + - https://web.archive.org/web/20210926064024/https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide call: - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` 
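Review bot: The `TODO:` list and the `# Microsoft Defender Antivirus service, source:` line are inside the `docs: |-` block scalar, where `#` is content rather than a YAML comment, so both will be rendered to users as part of the documentation. Move them above `docs:` as real `#` comment lines (or drop them), e.g. `# TODO: evaluate archived batcmd page for this service`. The same pattern appears in the WdFilter docs in the hunk at -18073 and in the Windows-Defender feature entries in the hunk at -18212, where bare URLs are also placed inside the block scalar without the `[n]: url "title"` form used elsewhere in the file.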
@@ -18042,13 +18420,22 @@ actions: # fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - category: Disable Defender kernel-level drivers + category: Disable kernel-level Microsoft Defender drivers children: - # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only + # Commented out drivers: + # - `wdnsfltr`: "Windows Defender Network Stream Filter Driver" as it's Windows 1709 only - - name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service + name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" driver docs: |- - https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ + This script disables `WdNisDrv` service, known as "Microsoft Defender Antivirus Network Inspection System Driver" [1]. + + It's a service used by Windows Defender [2]. + + This service helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in + network protocols [1]. + + [1]: https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ + [2]: https://web.archive.org/web/20231126024330/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues | Microsoft Learn | learn.microsoft.com" ### Overview of default service statuses 
@@ -18073,8 +18460,14 @@ actions: fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service + name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" driver docs: |- + It is a service used by Windows Defender [2] + + [2]: https://web.archive.org/web/20231126024330/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues | Microsoft Learn | learn.microsoft.com" + + TODO: + - https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ 
@@ -18095,15 +18488,20 @@ actions: serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. + # TODO: Stopping this service does not work, fails with: + # The requested control is not valid for this service. - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - name: Disable "Microsoft Defender Antivirus Boot Driver" service + name: Disable "Microsoft Defender Antivirus Boot Driver" driver docs: |- - https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + It is a service used by Windows Defender [2]. + + [1]: https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + [2]: https://web.archive.org/web/20231126024330/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide "Troubleshoot Microsoft Defender for Endpoint onboarding issues | Microsoft Learn | learn.microsoft.com" ### Overview of default service statuses 
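Review bot: The new `# TODO: Stopping this service does not work, fails with: The requested control is not valid for this service.` sits directly under the commented-out `# notStoppable: true`, which by its name looks like the parameter meant to express exactly this; if `DisableService` honours it, uncommenting `notStoppable: true` is the fix rather than a TODO, and if it does not, the TODO should say so. In the WdBoot docs below, `[1]` is defined but never cited in the text, while the sentence only references `[2]`; either cite the batcmd page or drop the definition. The WdFilter and WdBoot entries both start outside the hunk.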
@@ -18212,6 +18610,80 @@ actions: parameters: fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender Windows features + docs: |- + `Get-WindowsOptionalFeature -Online -FeatureName "*Defender*"` to see related features. + children: + - + name: Disable "Windows-Defender" feature + docs: |- + Windows 10 > 22H2: Feature does not exist + + https://github.com/MicrosoftDocs/microsoft-365-docs/blob/b3c6d838ad6c823c5e541a556761ab5faa240bfd/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md?plain=1#L76 + https://github.com/Ariantor/microsoft-365-docs/blob/cba6edb3bf31d3d9f86ef2271dbd78133dcd8118/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md?plain=1#L84 + https://github.com/isabella232/microsoft-365-docs-pr.it-IT/blob/d3a567aa6c70fd7ef8b400bf24b52632794041e3/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md?plain=1#L101 + https://web.archive.org/web/20210926064024/https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide + call: + function: DisableWindowsFeature + parameters: + featureName: Windows-Defender # TODO: Access is denied. 
+ - + name: Disable "Windows-Defender-Gui" feature + docs: |- + Windows 10 > 22H2: Feature does not exist + + https://github.com/MicrosoftDocs/microsoft-365-docs/blob/b3c6d838ad6c823c5e541a556761ab5faa240bfd/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md?plain=1#L76 + https://github.com/Ariantor/microsoft-365-docs/blob/cba6edb3bf31d3d9f86ef2271dbd78133dcd8118/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md?plain=1#L84 + https://github.com/isabella232/microsoft-365-docs-pr.it-IT/blob/d3a567aa6c70fd7ef8b400bf24b52632794041e3/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md?plain=1#L101 + https://web.archive.org/web/20210926064024/https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide + call: + function: DisableWindowsFeature + parameters: + featureName: Windows-Defender-Gui # TODO: Access is denied. + - + name: Disable "Windows-Defender-Features" feature + docs: |- + Windows 10 > 22H2: Feature does not exist + + https://learn.microsoft.com/en-sg/answers/questions/1778162/how-to-fully-uninstall-clean-up-microsoft-defender + https://github.com/MicrosoftDocs/microsoft-365-docs/blob/b3c6d838ad6c823c5e541a556761ab5faa240bfd/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md?plain=1#L76 + https://github.com/Ariantor/microsoft-365-docs/blob/cba6edb3bf31d3d9f86ef2271dbd78133dcd8118/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md?plain=1#L84 + https://github.com/isabella232/microsoft-365-docs-pr.it-IT/blob/d3a567aa6c70fd7ef8b400bf24b52632794041e3/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md?plain=1#L101 + call: + function: DisableWindowsFeature + parameters: + featureName: Windows-Defender-Features # TODO: Access is denied. 
+ - + name: Disable "Application Guard" feature + docs: |- + FeatureName : Windows-Defender-ApplicationGuard + DisplayName : Microsoft Defender Application Guard + Description : Offers a secure container for internet browsing + RestartRequired : Possible + State : Disabled + CustomProperties : + call: + function: DisableWindowsFeature + parameters: + featureName: Windows-Defender-ApplicationGuard # Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" + # TODO: Should disable on revert too + - + name: Disable "Windows-Defender-Default-Definitions" feature + docs: |- + FeatureName : Windows-Defender-Default-Definitions + DisplayName : + Description : + RestartRequired : Possible + State : Enabled + CustomProperties : + call: + function: DisableWindowsFeature + parameters: + featureName: Windows-Defender-Default-Definitions # Get-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Default-Definitions" + - + name: DisallowExploitProtectionOverride # TODO: Fix + code: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection!DisallowExploitProtectionOverride - category: Disable SmartScreen docs: |- # refactor-with-variables: • SmartScreen Caution @@ -19443,7 +19915,7 @@ actions: function: DisableService parameters: serviceName: wuauserv # Check: (Get-Service -Name 'wuauserv').StartType - defaultStartupMode: Manual # Allowed values: Automatic | Manual + defaultStartupMode: Manual # Allowed values: Automatic | Manual | Boot - name: Disable "Update Orchestrator Service" (`UsoSvc`) docs: |- @@ -19478,7 +19950,7 @@ actions: function: DisableService parameters: serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType - defaultStartupMode: Automatic # Allowed values: Automatic | Manual + defaultStartupMode: Automatic # Allowed values: Automatic | Manual | Boot - name: Disable "Windows Update Medic Service" (`WaaSMedicSvc`) docs: |- 
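Review bot: The last entry of the new "Disable Defender Windows features" category, `name: DisallowExploitProtectionOverride # TODO: Fix`, has a `code:` value that is a registry path (`HKEY_LOCAL_MACHINE\...!DisallowExploitProtectionOverride`), not a command, and no `docs:` or `call:`, so it is not a runnable script and should be commented out until it is written as a `SetRegistryValue` call. Three feature entries carry `# TODO: Access is denied.` on `featureName` and their docs state the feature does not exist on Windows 10 > 22H2, which means they are known to fail on the collection's own supported targets. The "Application Guard" entry disables a feature whose own docs show `State : Disabled`, so the revert (flagged by `# TODO: Should disable on revert too`) would enable a security feature the user never had; the "Windows-Defender-Default-Definitions" entry removes the shipped signature set, which deserves a one-line docs sentence instead of the raw cmdlet dump with empty `DisplayName`/`Description` fields. Several of the docs links are to third-party forks of the Microsoft docs repository rather than the upstream or an archived copy, which the rest of the file consistently prefers.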
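Review bot: The `Allowed values` comment on `defaultStartupMode` in the hunk at -19443 now reads `Automatic | Manual | Boot`, while the `WdFilter` entry in the hunk at -18095 lists `Boot | System | Automatic | Manual` for the same `DisableService` parameter, so the two comments disagree on whether `System` is accepted. Whichever set `DisableService` actually validates should be written in one form across all the `| Boot` comment edits in this commit, including the hunk at -19478.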
diff --git a/test.ps1 b/test.ps1
new file mode 100644
index 00000000..bd7d29b8
--- /dev/null
+++ b/test.ps1
@@ -0,0 +1,16 @@
+
+
+
+# (Command only avalable in Windows Server)
+# name: Uninstall Windows Defender from Windows Server
+# docs: https://web.archive.org/web/20210926064024/https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide
+
+# Do
+Uninstall-WindowsFeature -Name Windows-Defender
+Uninstall-WindowsFeature -Name Windows-Defender-GUI
+
+# Revert:
+Install-WindowsFeature -Name Windows-Defender
+Install-WindowsFeature -Name Windows-Defender-GUI
+
+
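Review bot: `test.ps1` at the repository root looks like a scratch file rather than part of the collection: it holds two bare `Uninstall-WindowsFeature` calls, a YAML-style `name:`/`docs:` stub inside PowerShell comments, and the typo `avalable`. As its own comment says, `Uninstall-WindowsFeature` exists only on Windows Server, so nothing in the Windows 10/11 collection can use it; the content belongs as a `# TODO` comment next to the `Windows-Defender` feature entries in `windows.yaml`, or should be left out of the commit. If it stays, a header comment such as `# Scratch: Windows Server only, not wired into the collection` would stop it being mistaken for a supported script.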