From 77792a17aef5ecf965ed9d595e67415d5bf4acfb Mon Sep 17 00:00:00 2001 From: undergroundwires Date: Wed, 21 Aug 2024 11:58:40 +0200 Subject: [PATCH] win: categorize disabling Defender components This commit restructures disabling Defender components. This improves organization and clarity for users by grouping related scripts together. It also updates names and docs to match latest Defender branding. Changes: - Add new parent categories for disabling Defender Antivirus, user interface, Exploit Guard and Defender for Endpoint. - Move relevant scripts under new categories. - Update script names for clarity and consistency - Add more documentation explaining Defender components. - Reorder subcategories based on impact - Simplify naming, e.g. "Defender" instead of "Microsoft Defender" --- src/application/collections/windows.yaml | 3064 ++++++++++++---------- 1 file changed, 1643 insertions(+), 1421 deletions(-) diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 248f33fb..b99d57b6 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml 
@@ -14909,43 +14909,46 @@ actions: category: Privacy over security children: - - category: Disable Microsoft Defender + category: Disable Defender docs: |- - This category offers scripts to disable Windows security components known as *Microsoft Defender*. + This category offers scripts to disable Windows security components related to **Defender** + (referred to also as **Microsoft Defender** [1] [2] [3] [4] [5] [6] [7] [8] or **Windows Defender** [3] [6] [7] [8]). Although designed to protect you, these features may compromise your privacy and decrease computer performance. Privacy concerns include: - - Sending personal data to Microsoft for analysis [1] [2] [3]. - - The labeling of efforts to block telemetry (data collection by Microsoft) as security threats [4] [5]. - - The incorrect flagging of privacy-enhancing scripts from privacy.sexy as malicious software [6]. + - Sending personal data to Microsoft for analysis [1] [2] [9]. + This allows Microsoft to collect and potentially access your sensitive information. + - Flagging attempts to block Microsoft's telemetry (data collection) as security threats [3] [10]. + This prevents users from controlling what data Microsoft collects about them. + - Incorrectly identifying privacy-enhancing scripts from privacy.sexy as malicious software [4]. + This discourages users from using tools designed to protect their privacy. - Turning off Microsoft Defender improves your computer's speed by freeing up system resources [7]. + Turning off Microsoft Defender improves your computer's speed by freeing up system resources [5]. - However, disabling these features could result in: + However, disabling these features may result in: - - Potential program malfunctions [8], as these security features are integral to Windows [9]. + - Potential program malfunctions [11], as these security features are integral to Windows [6]. - Lowered defenses against malware and other online threats. 
- These scripts target only the Defender features built into Windows and do not impact other Defender services available - with Microsoft 365 subscriptions [10] [11]. + These scripts are designed to disable Defender features built into Windows. + They may not impact all other Defender services available with Microsoft 365 subscriptions [7] [8]. > **Caution**: > These scripts **may reduce your security** and **cause issues with software** relying on them. - > Consider an alternative security solutions to maintain protection. + > Consider an alternative security solution or careful security practices to maintain protection. [1]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" - [4]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" - [5]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" - [6]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update 
marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" - [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" - [8]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [9]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" - [10]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" - [11]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" - # See defender status: Get-MpComputerStatus + [3]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" + [4]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | 
github.com" + [5]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" + [6]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" + [7]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [8]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" + [9]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [10]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" + [11]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" children: - category: Disable Defender data collection 
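Review bot: The rewritten scope sentence in this hunk is ambiguous: "They may not impact all other Defender services available with Microsoft 365 subscriptions [7] [8]." replaces a clear statement ("do not impact other Defender services") with a hedge that reads as if some cloud Defender services are affected; either name which ones are, or keep the definite wording ("They do not affect the Defender services sold with Microsoft 365 subscriptions"). Two smaller points: "Turning off Microsoft Defender improves your computer's speed by freeing up system resources [5]." keeps "Microsoft Defender" although the category is renamed to "Disable Defender" and the commit message says naming is simplified, so this should read "Turning off Defender ..."; and "(referred to also as **Microsoft Defender** [1] [2] [3] [4] [5] [6] [7] [8] or **Windows Defender** [3] [6] [7] [8])" should read "also referred to as", and eight citations for a naming statement is heavier than needed when two would do.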
@@ -15500,373 +15503,178 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Microsoft Defender firewall + category: Disable Defender Antivirus docs: |- - This category provides scripts to disable the Microsoft Defender Firewall. + This category provides scripts to disable Defender Antivirus. - This firewall serves as a security gate for your computer. - It controls network traffic to and from a computer [1] [2] [3] [4] [5]. - It blocks all incoming traffic by default and allows outgoing traffic [1]. - It enables users to block connections [1] [3] [5] [6] [7]. - For enhanced security, users can require a VPN for all connections with IPSec rules [1] [3] [7]. - This can protect your computer from unauthorized access [1] [4] [6] [8]. - - Microsoft has renamed the firewall several times to reflect branding changes: - - 1. **Internet Connection Firewall** initially [3]. - 2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3]. - 3. **Windows Defender Firewall** starting with Windows 10 build 1709 (September 2017) [4] [5]. - 4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6]. - 5. **Windows Firewall** again in 2023 [9]. - - Considerations: - - - Malware or unauthorized users can bypass it if they gain direct access to the computer [10]. - - Default firewall settings often provide limited security unless properly configured [10]. - This is the case for most users. - - The firewall is enabled by default [1] [2] [4] [5]. - It still operates in the background when turned off [7]. - This can compromise privacy. - - Firewall logs detail user behavior [11]. - They fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). - This allows Microsoft to access and analyze these logs to study your behavior. 
- - Turning off this firewall may optimize system performance by reducing background tasks [7]. - It enhances privacy by preventing the collection of firewall logs [11]. - However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8]. + Defender Antivirus, integrated into Windows, provides protection against viruses, ransomware, and other + types of malware [1] [2] [3]. + + Disabling Defender Antivirus may improve system performance and privacy by stopping related data collection + However, disabling it may severely compromise your system's security if not complemented by proper security practices. + Carefully consider the trade-off before proceeding. + + **Defender Antivirus** comes with following concerns: + + - It sends files and personal data [4] to **Microsoft's Cloud Protection Service (MAPS)** + (also known as **Microsoft Active Protection Service** or **Microsoft SpyNet**) for analysis [5] [6]. + - Recent Windows versions deeply integrate Defender with mechanisms like **Early Boot Anti-Malware**, + **Tamper Protection**, making it extremely difficult to remove or uninstall [7] [8]. + This means that even if you want to stop using Defender for privacy reasons, these features make it + very difficult to do so using standard methods, keeping Microsoft's security and data collection systems + in place on your device. + - In 2020, Defender began flagging modifications to the hosts file that block Microsoft telemetry + as a security risk [8] [9]. + This prevents you from easily stopping Microsoft's data collection on your device. + - It flags privacy scripts as malicious, even though their purpose is to enhance privacy [8] [9]. + This discourages the use of tools designed to protect your personal data. + - Some reports suggest that Defender may consume significant system resources [10]. 
+ + **Defender Antivirus** comes with significant privacy concerns: + + - Originally launched as **Windows AntiSpyware**, later renamed to **Windows Defender** [11]. + - Replaced **Microsoft Security Essentials** in Windows 8 [12]. + - **Windows Defender** is renamed to **Windows Defender Antivirus** in Windows 10 version 1703 [13]. + - First included in **Windows Security Center (WSC)** in the 1809 update [14]. + Later, it became part of the **Windows Security** suite [4] [5] [6]. + - Renamed to **Microsoft Defender Antivirus** in the 2004 update [15]. + However, it's still frequently referred to as Windows Defender, even by Microsoft in its current + documentation [1]. + + To check if Defender Antivirus is active, you can use the following commands in a PowerShell prompt: + + - `Get-MpComputerStatus`: Displays the current state of Defender Antivirus [18]. + - `Get-MpPreference`: Shows the current configuration settings of Defender Antivirus [19]. - > **Caution**: - > Turning off the Microsoft Defender Firewall **may reduce your security**. - > Consider an alternative security solution to maintain protection. + > **Caution:** + > Disabling antivirus protection may significantly reduce your system's security. + > Ensure you have alternative security measures in place and practice safe computing habits. 
- [1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com" - [4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com" - [5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com" - [6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com" - [7]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com" - [9]: 
https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com" - [10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au" - [11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com" + [1]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [5]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + 
[6]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" + [8]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" + [9]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks "privacy-script" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" + [10]: https://web.archive.org/web/20240819092823/https://www.dell.com/support/kbdoc/en-us/000128249/windows-defender-resolving-high-hard-disk-drive-and-cpu-usage-during-scans "Resolving High Hard Disk Drive and CPU Usage During Scans by Windows Defender | Dell US | www.dell.com" + [11]: https://web.archive.org/web/20051123220536/https://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx "Anti-Malware Engineering Team : What's in a name?? A lot!! Announcing Windows Defender! 
| blogs.technet.com" + [12]: https://web.archive.org/web/20200812011954/http://answers.microsoft.com/en-us/protect/forum/protect_start/windows-defender-and-microsoft-security-essentials/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd + [13]: https://web.archive.org/web/20170602091134/https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1703 "What's in Windows 10, version 1703 | Microsoft Docs | docs.microsoft.com" + [14]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" + [15]: https://web.archive.org/web/20240819092635/https://blogs.windows.com/windows-insider/2019/07/26/announcing-windows-10-insider-preview-build-18945/ "Announcing Windows 10 Insider Preview Build 18945 | Windows Insider Blog | blogs.windows.com" + [16]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" + [17]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" + [18]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" + [19]: https://web.archive.org/web/20240819105412/https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps "Get-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" children: - - - category: Disable Microsoft Defender Firewall services and drivers + - 
+ name: Disable Tamper Protection docs: |- - This section contains scripts to disable the essential services and drivers of Microsoft Defender Firewall. - - Microsoft Defender Firewall uses services and drivers to operate. - Services run background tasks, while drivers help hardware and software communicate. - - Even with the firewall disabled in settings, its services and drivers continue running [1], - potentially monitoring network traffic and consuming resources. - These scripts directly disable these components, bypassing standard Windows settings and their limitations. - - Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft. - Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components. - - However, this can pose security risks and disrupt other software. - Microsoft Defender Firewall blocks unauthorized network access to protect against malicious attacks [2]. - Disabling it can leave your system vulnerable to such threats. - Additionally, this could affect software relying on the firewall [1]. - - > **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1]. + This script disables Tamper Protection in Microsoft Defender Antivirus. 
- [1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - children: - - - name: >- - Disable "Windows Defender Firewall Authorization Driver" service - (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) - docs: |- # refactor-with-variables: Same • Firewall Service Caution - This script disables the **Windows Defender Firewall Authorization Driver** service. + Tamper Protection is a security feature that blocks unauthorized changes to key Microsoft Defender Antivirus settings [1] [2]. + These settings include real-time protection [1] [2], behavior monitoring [2], and cloud-delivered protection [1]. + By default, Tamper Protection is enabled [1]. + It is available in all editions of Windows since Windows 10, version 1903 [3]. - This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2]. + Disabling Tamper Protection may increase privacy and control over your system by allowing you to: - Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. - It also improves system performance by decreasing background resource consumption. 
+ - Change protected Microsoft Defender Antivirus settings to enhance privacy [1] [3] + - Disable Microsoft Defender Antivirus entirely [1] [3] to increase privacy + - Improve system performance by adjusting or disabling certain security features - The driver is identified by the file `mpsdrv.sys` [1] [2] [3]. - This file is a component of **Microsoft Protection Service** [3]. - This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5]. - Disabling this driver disables **Windows Defender Firewall** [1] [2]. - This action can significantly increase security risks [6]. + However, turning off Tamper Protection may reduce your system's security by: - Restart your computer after running this script to ensure all changes take effect [7]. + - Making your device more vulnerable to malware that attempts to disable security features + - Allowing potentially harmful changes to important security settings - > **Caution**: Disabling this service causes problems with software that depends on it [8] such as: - > - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11]. - > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8]. - > - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13]. - > - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15]. - > - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16]. + With Tamper Protection enabled, users can modify protected settings through the Windows Security app [1]. + Disabling Tamper Protection allows changes through scripts and third-party apps such as privacy.sexy [1]. 
- ### Overview of default service statuses + ### Technical Details - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🟢 Running | Manual | + This script modifies the following registry keys: - [1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com" - [2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com" - [3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? | www.file.net" - [4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" - [5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" - [6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" - [7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. 
· Issue #364 · undergroundwires/privacy.sexy" - [8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" - [9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? – Walker News | www.walkernews.net" - [11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" - [12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" - [13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" - [14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" - [15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" - [16]: 
https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" - [17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - call: - - - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config - parameters: - serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\mpsdrv.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - function: ShowComputerRestartSuggestion - - - name: >- - Disable "Windows Defender Firewall" service - (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) - docs: |- # refactor-with-variables: Same • Firewall Service Caution - This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]). - This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on - established security rules [1] [5] to prevent unauthorized access [3] [4]. + - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection` [4] [5] [6]. + - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource` [7] + + These keys interact with the `MpClient.dll` library within Microsoft Defender Antivirus [8]. + The script sets values to replicate changes made through the Windows Security interface [5]. - This service runs the firewall component of Windows [4]. 
- It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3]. - This file is also referred to as **Microsoft Protection Service** [6]. + Tests reveal the following values for various Windows versions: - Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services - [7] [8]. It also enforces **network isolation** in virtualized environments [7] [9]. + | Key | Opearting System | Default | After toggling ON | After toggling OFF | + | --- | ------- | ------- | -------------------- | --------------------- | + | `TamperProtection` | Windows 10 Pro (>= 22H2) | 1 | 5 [4] [6] | 4 [4] [6] [7] | + | `TamperProtection` | Windows 11 Pro (>= 23H2) | 1 | 5 [4] [5] | 4 [4] [5] | + | `TamperProtectionSource` | Windows 10 Pro (>= 22H2) | No value | No value | No value (Or 2 [7]) | + | `TamperProtectionSource` | Windows 11 Pro (>= 23H2) | 5 | 2 | 2 | - Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. - It also improves system performance by decreasing background resource consumption. - However, it may expose the system to substantial security threats [10]. - This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the - firewall service stops unexpectedly [2]. + `TamperProtectionSource` value `2` means that the tamper protection is based on signatures. + Other recorded values in various installations include `ATP` [9], `Service Init` [10], `Intune` [11], + and `E5 transition` [12]. + However, these values lack official public documentation [13]. - Restart your computer after running this script to ensure all changes take effect [11]. 
+ To check the current Tamper Protection source, use this command: - > **Caution**: Disabling this service causes problems with software that depends on it [12] such as: - > - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14]. - > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15]. - > - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17]. - > - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19]. - > - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20]. + ```batchfile + wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list | findstr "TamperProtectionSource" + ```` - ### Overview of default service statuses + Or this PowerShell command: - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + ```ps1 + Get-MpComputerStatus | Select-Object -ExpandProperty TamperProtectionSource + ``` - [1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com" - [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com" - [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" - [4]: 
https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall "Windows Firewall - Wikipedia | wikipedia.org" - [5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" - [7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? – Walker News | www.walkernews.net" - [8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft." - [9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com" - [10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" - [11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. 
· Issue #364 · undergroundwires/privacy.sexy" - [12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" - [15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" - [16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" - [17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" - [18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" - [19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | 
docs.docker.com" - [20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" - call: - - - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config - parameters: - serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType - defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\mpssvc.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - function: ShowComputerRestartSuggestion - - - name: Disable firewall via command-line utility - # ❗️ Following must be enabled and in running state: - # - mpsdrv ("Windows Defender Firewall Authorization Driver") - # - bfe (Base Filtering Engine) - # - mpssvc ("Windows Defender Firewall") - # If the dependent services are not running, the script fails with: - # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." 
- # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc - docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior + [1]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support" + [2]: https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationtamperprotection "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware "DisableAntiSpyware | Microsoft Learn" + [4]: https://web.archive.org/web/20240725101722/https://www.alteredsecurity.com/post/disabling-tamper-protection-and-other-defender-mde-components?ref=news.risky.biz "Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components | www.alteredsecurity.com" + [5]: https://web.archive.org/web/20240523053136/https://www.elevenforum.com/t/turn-on-or-off-tamper-protection-for-microsoft-defender-antivirus-in-windows-11.3973/ "Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" + [6]: https://web.archive.org/web/20240725111337/https://www.ghacks.net/2019/10/14/microsoft-enables-tamper-protection-on-windows-10-for-all-home-users/ "Microsoft enables Tamper Protection on Windows 10 for all Home users - gHacks Tech News | ghacks.net" + [7]: https://web.archive.org/web/20240725111606/https://wirediver.com/disable-windows-defender-in-powershell/ "Disable Windows Defender in powershell 
- a script to finally get rid of itWireDiver | wirediver.com" + [8]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L4520-L4521 "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" + [9]: https://web.archive.org/web/20240725111557/https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6/ "Validate Defender for Endpoint protection and additional troubleshooting | jeffreyappel.nl" + [10]: https://web.archive.org/web/20240725111814/https://blog.51sec.org/2022/03/microsoft-defender-for-endpoint.html "Microsoft Defender for Endpoint Configurations and Training Resources - NETSEC | blog.51sec.org" + [11]: https://github.com/privacysexy-forks/ClientInspectorV2/blob/main/README.md "ClientInspectorV2/README.md at main · privacysexy-forks/ClientInspectorV2 | github.com" + [12]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" + [13]: https://web.archive.org/web/20240725111550/https://247tech.co.uk/intune-disables-tamper-protection-by-default/ "Intune disables Tamper Protection by default – 247 TECH | 247tech.co.uk" call: - function: RunPowerShell - parameters: - code: |- - if(!(Get-Command 'netsh' -ErrorAction Ignore)) { - throw '"netsh" does not exist, is system installed correctly?' - } - $message=netsh advfirewall set allprofiles state off 2>&1 - if($?) { - Write-Host "Successfully disabled firewall." 
- } else { - if($message -like '*Firewall service*') { - Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' - } else { - throw "Cannot disable: $message" - } - } - revertCode: |- - if(!(Get-Command 'netsh' -ErrorAction Ignore)) { - throw '"netsh" does not exist, is system installed correctly?' - } - $message=netsh advfirewall set allprofiles state on 2>&1 - if($?) { - Write-Host "Successfully enabled firewall." - } else { - if($message -like '*Firewall service*') { - Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' - } else { - throw "Cannot enable: $message" - } - } - - - name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning - docs: - - https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - valueName: EnableFirewall - 
dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: ✅ Windows 10 Pro (20H2) | ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2) parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile - valueName: EnableFirewall + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features + valueName: "TamperProtection" dataType: REG_DWORD - data: "0" + data: "4" dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue + function: SetRegistryValueAsTrustedInstaller + # Without 
TrustedInstaller: ✅ Windows 10 Pro (>= 20H2) | ✅ Windows 11 Pro (>= 23H2) parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile - valueName: EnableFirewall + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features + valueName: "TamperProtectionSource" dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + data: "2" + dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) - - name: Disable "Firewall & network protection" section in "Windows Security" - docs: |- - This script hides the "Firewall & network protection" section in the "Windows Security" interface. Previously, this interface was - called "Windows Defender Security Center" [1]. - - The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status - of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see - this section in the "Windows Security" interface [3]. - - This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown" registry - key to hide the Firewall and network protection area [3]. 
- - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" - [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" + name: Disable outdated Defender Antivirus # Deprecated since Windows 10 version 1903 + docs: + - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection - valueName: UILockdown + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender + valueName: DisableAntiSpyware dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 - docs: - - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender - valueName: DisableAntiSpyware - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender features - # Status: Get-MpPreference - children: - name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default docs: 
@@ -15901,98 +15709,6 @@ actions: dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Tamper Protection - docs: |- - This script disables Tamper Protection in Microsoft Defender Antivirus. - - Tamper Protection is a security feature that blocks unauthorized changes to key Microsoft Defender Antivirus settings [1] [2]. - These settings include real-time protection [1] [2], behavior monitoring [2], and cloud-delivered protection [1]. - By default, Tamper Protection is enabled [1]. - It is available in all editions of Windows since Windows 10, version 1903 [3]. - - Disabling Tamper Protection may increase privacy and control over your system by allowing you to: - - - Change protected Microsoft Defender Antivirus settings to enhance privacy [1] [3] - - Disable Microsoft Defender Antivirus entirely [1] [3] to increase privacy - - Improve system performance by adjusting or disabling certain security features - - However, turning off Tamper Protection may reduce your system's security by: - - - Making your device more vulnerable to malware that attempts to disable security features - - Allowing potentially harmful changes to important security settings - - With Tamper Protection enabled, users can modify protected settings through the Windows Security app [1]. - Disabling Tamper Protection allows changes through scripts and third-party apps such as privacy.sexy [1]. - - ### Technical Details - - This script modifies the following registry keys: - - - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection` [4] [5] [6]. - - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource` [7] - - These keys interact with the `MpClient.dll` library within Microsoft Defender Antivirus [8]. - The script sets values to replicate changes made through the Windows Security interface [5]. 
- - Tests reveal the following values for various Windows versions: - - | Key | Opearting System | Default | After toggling ON | After toggling OFF | - | --- | ------- | ------- | -------------------- | --------------------- | - | `TamperProtection` | Windows 10 Pro (>= 22H2) | 1 | 5 [4] [6] | 4 [4] [6] [7] | - | `TamperProtection` | Windows 11 Pro (>= 23H2) | 1 | 5 [4] [5] | 4 [4] [5] | - | `TamperProtectionSource` | Windows 10 Pro (>= 22H2) | No value | No value | No value (Or 2 [7]) | - | `TamperProtectionSource` | Windows 11 Pro (>= 23H2) | 5 | 2 | 2 | - - `TamperProtectionSource` value `2` means that the tamper protection is based on signatures. - Other recorded values in various installations include `ATP` [9], `Service Init` [10], `Intune` [11], - and `E5 transition` [12]. - However, these values lack official public documentation [13]. - - To check the current Tamper Protection source, use this command: - - ```batchfile - wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list | findstr "TamperProtectionSource" - ```` - - Or this PowerShell command: - - ```ps1 - Get-MpComputerStatus | Select-Object -ExpandProperty TamperProtectionSource - ``` - - [1]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support" - [2]: https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationtamperprotection "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware "DisableAntiSpyware | Microsoft Learn" - [4]: 
https://web.archive.org/web/20240725101722/https://www.alteredsecurity.com/post/disabling-tamper-protection-and-other-defender-mde-components?ref=news.risky.biz "Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components | www.alteredsecurity.com" - [5]: https://web.archive.org/web/20240523053136/https://www.elevenforum.com/t/turn-on-or-off-tamper-protection-for-microsoft-defender-antivirus-in-windows-11.3973/ "Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" - [6]: https://web.archive.org/web/20240725111337/https://www.ghacks.net/2019/10/14/microsoft-enables-tamper-protection-on-windows-10-for-all-home-users/ "Microsoft enables Tamper Protection on Windows 10 for all Home users - gHacks Tech News | ghacks.net" - [7]: https://web.archive.org/web/20240725111606/https://wirediver.com/disable-windows-defender-in-powershell/ "Disable Windows Defender in powershell - a script to finally get rid of itWireDiver | wirediver.com" - [8]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L4520-L4521 "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" - [9]: https://web.archive.org/web/20240725111557/https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6/ "Validate Defender for Endpoint protection and additional troubleshooting | jeffreyappel.nl" - [10]: https://web.archive.org/web/20240725111814/https://blog.51sec.org/2022/03/microsoft-defender-for-endpoint.html "Microsoft Defender for Endpoint Configurations and Training Resources - NETSEC | 
blog.51sec.org" - [11]: https://github.com/privacysexy-forks/ClientInspectorV2/blob/main/README.md "ClientInspectorV2/README.md at main · privacysexy-forks/ClientInspectorV2 | github.com" - [12]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" - [13]: https://web.archive.org/web/20240725111550/https://247tech.co.uk/intune-disables-tamper-protection-by-default/ "Intune disables Tamper Protection by default – 247 TECH | 247tech.co.uk" - call: - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ✅ Windows 10 Pro (20H2) | ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features - valueName: "TamperProtection" - dataType: REG_DWORD - data: "4" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ✅ Windows 10 Pro (>= 20H2) | ✅ Windows 11 Pro (>= 23H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features - valueName: "TamperProtectionSource" - dataType: REG_DWORD - data: "2" - dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) - name: Disable file hash computation feature # Added in Windows 10, version 2004 docs: 
@@ -16007,34 +15723,6 @@ actions: dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable "Windows Defender Exploit Guard" - docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ - children: - - - name: Disable prevention of users and apps from accessing dangerous websites - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - valueName: EnableNetworkProtection - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable controlled folder access - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access - valueName: EnableControlledFolderAccess - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable network inspection system features children: 
@@ -17322,10 +17010,10 @@ actions: # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - - category: Disable Microsoft Defender reporting + category: Disable Defender reporting children: - - name: Disable Microsoft Defender logging + name: Disable Defender logging call: - function: SetRegistryValue @@ -17344,7 +17032,7 @@ actions: data: "0" dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - name: Disable Microsoft Defender ETW provider (Windows Event Logs) + name: Disable Defender ETW provider (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide @@ -17379,7 +17067,7 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable auditing events in Microsoft Defender Application Guard + name: Disable auditing events in Defender Application Guard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview 
@@ -17392,643 +17080,158 @@ actions: data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Defender user interface + category: Disable Defender scheduled tasks children: - - name: Remove "Windows Security" system tray icon - docs: |- - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray - valueName: HideSystray - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Remove "Scan with Microsoft Defender" from context menu + name: Disable "Windows Defender Cache Maintenance" task docs: |- - This script removes the **Scan with Microsoft Defender** option from the right-click context menu. - - This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. - Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. + This script disables the "Windows Defender Cache Maintenance" scheduled task. - Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. + The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1]. + It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1]. + The `MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2]. - > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. 
+ Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3] + Disabling this task prevents the system from automatically clearing the Defender cache [3]. - ### Technical Details + This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action. + Disabling this task is reported to optimize system boot speed [4] but it could potentially lead to increased storage use by temporary files. - The script functions by altering specific registry keys that correspond to the Defender context menu option. - It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. - The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. + ### Overview of default task statuses - The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. - This feature is provided by `shellext.dll` file located in Defender's program files [1]. + `\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`: - [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? 
(MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" - [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com' + [2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com" call: - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' - # Windows 10 (≥ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - # Windows 11 (≥ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: ThreadingModel - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' - # Windows 10 (≥ 22H2) : Apartment (REG_SZ) - # Windows 11 (≥ 23H2) : Apartment (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: 'Apartment' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - 
# Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Cache Maintenance - - name: Remove "Windows Security" icon from taskbar + name: Disable "Windows Defender Cleanup" task docs: |- - This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 - and was originally named "Windows Defender Security Center" [1]. + This script disables the "Windows Defender Cleanup" scheduled task. - The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. + This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1]. + The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3]. + This task executes the following command: + `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3]. - The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 - and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. 
+ ### Overview of default task statuses - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" - [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + `\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`: + + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com' + [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" call: - function: DeleteRegistryValue + function: DisableScheduledTask parameters: - keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' - valueName: SecurityHealth - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' - # Windows 10 (≥ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - # Windows 11 (≥ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - dataTypeOnRevert: REG_EXPAND_SZ - dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cleanup' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Cleanup - - name: Disable Microsoft Defender Antimalware (AM) user interface + name: Disable "Windows Defender Scheduled Scan" task docs: |- - This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially - preventing user interactions with the Microsoft Defender Antivirus interface. + This script disables the "Windows Defender Scheduled Scan" scheduled task. - Several reasons to hide the antivirus interface: + This scheduled task is responsible for performing automatic regular scans [1] [2]. 
+ By disabling this task, users can control the scheduling and frequency of antivirus scans, according to their needs, thus balancing + security with system resource management [1] [2]. + + The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4]. + It executes the following command: + `C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4]. - 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing - its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more - in control of their data when they aren't constantly reminded of a running security service. - 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. - Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share - more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. - 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender - Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to - a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently - triggering options that might share data. - 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface - but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that - access has been restricted by the system administrator [2]. + ### Overview of default task statuses - The script achieves this by making a specific change in the Windows Registry. 
Specifically, it adds a value named "UILockdown" in the - `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. + `\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan`: - [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" - [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com' call: - function: SetRegistryValue + function: DisableScheduledTask parameters: - keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Scheduled Scan' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Scheduled Scan - - name: Disable non-administrator access to threat history + name: Disable "Windows Defender Verification" task docs: |- - This script disables privacy mode for Defender scans, limiting threat history access to administrators. - - By default, privacy mode is enabled [1]. - When active, it restricts the display of spyware and potentially dangerous programs to administrators only, - instead of all users on the computer [2]. - It blocks non-administrators from viewing threat history [1]. + This script disables the "Windows Defender Verification" scheduled task. - This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. - It has no impact on current platforms [1]. + This task checks for issues with Defender, such as update problems or system file errors [1]. + It is also linked to the creation of daily system restore points [2]. + Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources. + It improves privacy by reducing the system state data stored on the device. - Limiting threat history to administrators has both benefits and drawbacks. - It improves security and privacy by limiting access to sensitive threat information. - However, it may reduce transparency and hinder security efforts for users without admin access who need this data. + The task is known as "Periodic verification task" in the Task Scheduler [3] [4]. 
+ It executes the following command: + `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4]. - The script configures: + ### Overview of default task statuses - 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. - It sets the value to `$True`, effectively disabling privacy mode [1]. + `\Microsoft\Windows\Windows Defender\Windows Defender Verification`: - 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. - This undocumented registry key has been verified to work on older Windows versions by the community [2]. + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | - [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" - [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" + [1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com" + [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com' call: - - - function: SetMpPreference - parameters: - property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode - value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True - default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: "DisablePrivacyMode" - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Verification' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Verification + - + category: Disable Defender services and drivers + # Windows Defender services are protected, requiring escalated methods to disable them: + # 1. 
Try `DisableService` first, as this is the standard method recommended for disabling services. + # 2. Try `DisableServiceInRegistry` if the first attempt fails due to access errors. + # 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort. + children: - - category: Disable sections in "Windows Security" + name: Disable "Microsoft Defender Antivirus Service" + # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender + # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: + # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` + # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` docs: |- - This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in - Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ - "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display - in a restricted mode [1]. 
+ ### Overview of default service statuses - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - children: - - - name: Disable "Virus and threat protection" section in "Windows Security" - docs: |- - - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Ransomware data recovery" section in "Windows Security" - docs: |- - [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: HideRansomwareRecovery - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Family options" section in "Windows Security" - docs: |- - 
- [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Device performance and health" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Account protection" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "App and browser control" section in "Windows Security" - docs: |- - - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable device security sections - children: - - - name: Disable "Device security" section in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Clear TPM" button in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableClearTpmButton - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Secure boot" button in "Windows Security" - docs: |- - [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) - call: - function: SetRegistryValue - parameters: - keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideSecureBoot - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" - docs: |- - [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideTPMTroubleshooting - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "TPM Firmware Update" recommendation in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableTpmFirmwareUpdateWarning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender notifications - children: - - - category: Disable Windows 
Security notifications - docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications - children: - - - name: Disable all Defender notifications - docs: - - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable non-critical Defender notifications - docs: - - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # 
Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above - docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ - call: - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance - valueName: Enabled - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable all Defender Antivirus notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress - call: - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - 
data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Defender reboot notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: SuppressRebootNotification - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable OS components for Defender # Hackers way of disabling Defender - children: - - - category: Disable Defender scheduled tasks - children: - - - name: Disable "ExploitGuard MDM policy Refresh" task - docs: |- - This script disables the "ExploitGuard MDM policy Refresh" scheduled task. - - The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". - - Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. - It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. - - Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. - MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. - - Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. - - Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. 
- - ### Overview of default task statuses - - `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" - [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" - [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" - [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' - taskPathPattern: \Microsoft\Windows\ExploitGuard\ - taskNamePattern: ExploitGuard MDM policy Refresh - - - name: Disable "Windows Defender Cache Maintenance" task - docs: |- - This script disables the "Windows Defender Cache Maintenance" scheduled task. - - The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1]. - It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1]. 
- The `MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2]. - - Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3] - Disabling this task prevents the system from automatically clearing the Defender cache [3]. - - This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action. - Disabling this task is reported to optimize system boot speed [4] but it could potentially lead to increased storage use by temporary files. - - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com' - [2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" - [4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - taskNamePattern: Windows Defender Cache Maintenance - - - name: Disable "Windows Defender Cleanup" task - docs: |- - This script disables the "Windows Defender Cleanup" scheduled task. - - This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1]. - The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3]. - This task executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3]. - - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" - [2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com' - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cleanup' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - taskNamePattern: Windows Defender Cleanup - - - name: Disable "Windows Defender Scheduled Scan" task - docs: |- - This script disables the "Windows Defender Scheduled Scan" scheduled task. - - This scheduled task is responsible for performing automatic regular scans [1] [2]. - By disabling this task, users can control the scheduling and frequency of antivirus scans, according to their needs, thus balancing - security with system resource management [1] [2]. - - The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4]. - It executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4]. 
- - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com" - [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - [4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com' - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Scheduled Scan' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - taskNamePattern: Windows Defender Scheduled Scan - - - name: Disable "Windows Defender Verification" task - docs: |- - This script disables the "Windows Defender Verification" scheduled task. - - This task checks for issues with Defender, such as update problems or system file errors [1]. - It is also linked to the creation of daily system restore points [2]. 
- Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources. - It improves privacy by reducing the system state data stored on the device. - - The task is known as "Periodic verification task" in the Task Scheduler [3] [4]. - It executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4]. - - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Verification`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com" - [2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com" - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - [4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com' - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Verification' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - 
taskNamePattern: Windows Defender Verification - - - category: Disable Defender services and drivers - # Windows Defender services are protected, requiring escalated methods to disable them: - # 1. Try `DisableService` first, as this is the standard method recommended for disabling services. - # 2. Try `DisableServiceInRegistry` if the first attempt fails due to access errors. - # 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort. - children: - - - name: Disable "Microsoft Defender Antivirus Service" - # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender - # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: - # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` - # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` - docs: |- - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | - call: + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + call: - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` 
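Review bot: The two notification-suppression scripts in this removed block write the same `UX Configuration` policy path under different hives: "Disable all Defender Antivirus notifications" uses `HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration`, while "Disable Defender reboot notifications" uses `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration`, and both cite the same `Microsoft.Policies.WindowsDefender::UX_Configuration_*` ADMX policy family. The HKCU hive on the `Notification_Suppress` entries looks like a mistake rather than an intended per-user setting, so when these scripts are re-added under the new user-interface category (this region of the hunk is deletions only), please confirm the intended hive and keep the pair consistent. While moving them, also keep the per-version `deleteOnRevert` annotations and the `# Check:` comments on the scheduled-task scripts, since those are the only record of the default state the revert logic relies on.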
@@ -18078,140 +17281,491 @@ actions: - https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ - ### Overview of default service statuses + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Boot | + | Windows 11 (≥ 23H2) | 🟢 Running | Boot | + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. 
+ - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Boot Driver" service + docs: |- + https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Network Inspection" service + docs: |- + - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ + - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + - + # Windows 10 (22H2): ❌ 
`DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender Firewall + docs: |- + This category provides scripts to disable the Defender Firewall. + + This firewall serves as a security gate for your computer. + It controls network traffic to and from a computer [1] [2] [3] [4] [5]. + It blocks all incoming traffic by default and allows outgoing traffic [1]. + It enables users to block connections [1] [3] [5] [6] [7]. + For enhanced security, users can require a VPN for all connections with IPSec rules [1] [3] [7]. + This can protect your computer from unauthorized access [1] [4] [6] [8]. + + Microsoft has renamed the firewall several times to reflect branding changes: + + 1. **Internet Connection Firewall** initially [3]. + 2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3]. + 3. **Windows Defender Firewall** starting with Windows 10 build 1709 (September 2017) [4] [5]. + 4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6]. + 5. **Windows Firewall** again in 2023 [9]. 
+ + Considerations: + + - Malware or unauthorized users can bypass it if they gain direct access to the computer [10]. + - Default firewall settings often provide limited security unless properly configured [10]. + This is the case for most users. + - The firewall is enabled by default [1] [2] [4] [5]. + It still operates in the background when turned off [7]. + This can compromise privacy. + - Firewall logs detail user behavior [11]. + They fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). + This allows Microsoft to access and analyze these logs to study your behavior. + + Turning off this firewall may optimize system performance by reducing background tasks [7]. + It enhances privacy by preventing the collection of firewall logs [11]. + However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8]. + + > **Caution**: + > Turning off the Defender Firewall **may reduce your security**. + > Consider an alternative security solution to maintain protection. 
+ + [1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com" + [4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com" + [5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com" + [6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com" + [7]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com" + [9]: 
https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au" + [11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com" + children: + - + category: Disable Defender Firewall services and drivers + docs: |- + This section contains scripts to disable the essential services and drivers of Defender Firewall. + + Defender Firewall uses services and drivers to operate. + Services run background tasks, while drivers help hardware and software communicate. + + Even with the firewall disabled in settings, its services and drivers continue running [1], + potentially monitoring network traffic and consuming resources. + These scripts directly disable these components, bypassing standard Windows settings and their limitations. + + Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft. + Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components. + + However, this can pose security risks and disrupt other software. + Defender Firewall blocks unauthorized network access to protect against malicious attacks [2]. + Disabling it can leave your system vulnerable to such threats. + Additionally, this could affect software relying on the firewall [1]. 
+ + > **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1]. + + [1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + children: + - + name: >- + Disable "Windows Defender Firewall Authorization Driver" service + (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) + docs: |- # refactor-with-variables: Same • Firewall Service Caution + This script disables the **Windows Defender Firewall Authorization Driver** service. + + This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2]. + + Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. + It also improves system performance by decreasing background resource consumption. + + The driver is identified by the file `mpsdrv.sys` [1] [2] [3]. + This file is a component of **Microsoft Protection Service** [3]. + This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5]. + Disabling this driver disables **Windows Defender Firewall** [1] [2]. + This action can significantly increase security risks [6]. + + Restart your computer after running this script to ensure all changes take effect [7]. 
+ + > **Caution**: Disabling this service causes problems with software that depends on it [8] such as: + > - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11]. + > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8]. + > - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13]. + > - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15]. + > - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16]. + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🟢 Running | Manual | + + [1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com" + [2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com" + [3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? 
| www.file.net" + [4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" + [6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" + [7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy" + [8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? 
– Walker News | www.walkernews.net" + [11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" + [12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" + [13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" + [14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" + [15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" + [16]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" + [17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + call: + - + function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config + parameters: + serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: 
'%SYSTEMROOT%\System32\drivers\mpsdrv.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: ShowComputerRestartSuggestion + - + name: >- + Disable "Windows Defender Firewall" service + (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) + docs: |- # refactor-with-variables: Same • Firewall Service Caution + This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]). + This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on + established security rules [1] [5] to prevent unauthorized access [3] [4]. + + This service runs the firewall component of Windows [4]. + It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3]. + This file is also referred to as **Microsoft Protection Service** [6]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Boot | - | Windows 11 (≥ 23H2) | 🟢 Running | Boot | - call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual - # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. 
- - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Microsoft Defender Antivirus Boot Driver" service - docs: |- - https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services + [7] [8]. It also enforces **network isolation** in virtualized environments [7] [9]. - ### Overview of default service statuses + Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. + It also improves system performance by decreasing background resource consumption. + However, it may expose the system to substantial security threats [10]. + This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the + firewall service stops unexpectedly [2]. 
- | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | - call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Microsoft Defender Antivirus Network Inspection" service - docs: |- - - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ - - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + Restart your computer after running this script to ensure all changes take effect [11]. + + > **Caution**: Disabling this service causes problems with software that depends on it [12] such as: + > - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14]. + > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15]. + > - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17]. + > - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19]. 
+ > - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20]. ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + + [1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com" + [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com" + [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" + [4]: https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall "Windows Firewall - Wikipedia | wikipedia.org" + [5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? 
– Walker News | www.walkernews.net" + [8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft." + [9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" + [11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy" + [12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" + [15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context 
- Windows Server | Microsoft Learn | learn.microsoft.com" + [16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" + [17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" + [18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" + [19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" + [20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" call: - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller + function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: - serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 - # function: SoftDeleteFiles - # parameters: - # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows 
Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType + defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\mpssvc.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: ShowComputerRestartSuggestion + - + name: Disable firewall via command-line utility + # ❗️ Following must be enabled and in running state: + # - mpsdrv ("Windows Defender Firewall Authorization Driver") + # - bfe (Base Filtering Engine) + # - mpssvc ("Windows Defender Firewall") + # If the dependent services are not running, the script fails with: + # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." + # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc + docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior + call: + function: RunPowerShell + parameters: + code: |- + if(!(Get-Command 'netsh' -ErrorAction Ignore)) { + throw '"netsh" does not exist, is system installed correctly?' + } + $message=netsh advfirewall set allprofiles state off 2>&1 + if($?) { + Write-Host "Successfully disabled firewall." + } else { + if($message -like '*Firewall service*') { + Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' + } else { + throw "Cannot disable: $message" + } + } + revertCode: |- + if(!(Get-Command 'netsh' -ErrorAction Ignore)) { + throw '"netsh" does not exist, is system installed correctly?' 
+ } + $message=netsh advfirewall set allprofiles state on 2>&1 + if($?) { + Write-Host "Successfully enabled firewall." + } else { + if($message -like '*Firewall service*') { + Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' + } else { + throw "Cannot enable: $message" + } + } + - + name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning + docs: + - https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 + call: - - name: Disable "Windows Defender Advanced Threat Protection Service" service - docs: |- - https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Firewall & network protection" section in "Windows Security" + docs: |- + This script hides the "Firewall & network protection" section in the "Windows Security" interface. 
Previously, this interface was + called "Windows Defender Security Center" [1]. + + The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status + of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see + this section in the "Windows Security" interface [3]. + + This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown" registry + key to hide the Firewall and network protection area [3]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection + valueName: UILockdown + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender for Endpoint + docs: |- + This category provides scripts to disable Defender for Endpoint, a security platform that impacts + user privacy. 
- ### Overview of default service statuses + Defender for Endpoint is officially known as **Microsoft Defender for Endpoint** [1] [2] [3]. + It was previously called **Microsoft Defender Advanced Threat Protection (ATP)** [1] [4]. + It is designed to protect enterprise networks from advanced threats [1] [3]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | - call: - - - function: DisableServiceInRegistry - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - parameters: - serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Windows Security Service" service - docs: |- - This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. - This service provides unified device protection and health information [2] [3]. + An **advanced threat**, also known as an **Advanced Persistent Threat (APT)**, is a type of cyber + attack that uses continuous, covert, and sophisticated methods to gain and maintain unauthorized + access to a system for an extended period [5]. + These attacks usually target high-value entities such as nation states and large corporations [5]. 
- It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. - Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. - By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + Although designed for security, this service raises significant privacy concerns. + It collects and stores device details in Microsoft Azure, including information about files, processes, + system configurations, and network connections [2]. - The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. + Some components of Defender for Endpoint are included by default in consumer versions of Windows [4], + potentially exposing personal user data. - ### Overview of default service statuses + Disabling this service can enhance privacy by limiting data collection and sharing with Microsoft. + It may also improve system performance by reducing background processes and resource usage. + However, disabling this service may reduce your device's security against advanced threats. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + > **Caution:** + > Disabling this service may reduce your device's security. + > Consider alternative protection methods and practice enhanced security awareness. 
+ + [1]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [2]: https://web.archive.org/web/20240821073232/https://learn.microsoft.com/en-us/defender-endpoint/data-storage-privacy "Microsoft Defender for Endpoint data storage and privacy - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240821073223/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint "Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240609160137/https://batcmd.com/windows/11/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 11 Service - batcmd.com | batcmd.com" + [5]: https://web.archive.org/web/20240821074532/https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats "What Is an Advanced Persistent Threat (APT)? 
| www.kaspersky.com" + children: + - + name: Disable "Windows Defender Advanced Threat Protection Service" service + docs: |- + https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" - [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" - [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states - call: - - - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 
Stopped | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + - + function: DisableServiceInRegistry + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + parameters: + serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - category: Disable SmartScreen docs: |- # refactor-with-variables: • SmartScreen Caution 
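Review bot: In the "Disable firewall via command-line utility" script, the failure-detection pattern `$message -like '*Firewall service*'` does not match the error text quoted in the script's own comment, `An error occurred while attempting to contact the "Windows Defender Firewall" service.`, because a closing quotation mark sits between `Firewall` and `service`; as written, the dependent-service case falls through to `throw "Cannot disable: $message"` instead of the intended `Write-Warning`. Loosening the check to `'*Firewall*service*'` (in both `code` and `revertCode`) or matching on `'*attempting to contact*'` would restore the intended branch. Two smaller points in the same hunk: in "Disable Firewall via registry", the `FirewallPolicy\PrivateProfile` entry reverts with `deleteOnRevert: 'true'` while its `StandardProfile`, `DomainProfile` and `PublicProfile` siblings revert with `dataOnRevert: "1"`, so a comment explaining why the private profile differs (and whether the legacy key has any effect there) would help future readers; and in the "Windows Defender Firewall" service docs, `runs the %WINDIR%\System32\MPSSVC.dll driver` should say library or DLL, since the driver is `mpsdrv.sys` as the preceding script states and `MPSSVC.dll` is described in the same paragraph as the Microsoft Protection Service DLL.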
@@ -18943,301 +18497,969 @@ actions: The script modifies the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\2301` registry key [1] [2] [3]. Each zone in the registry represents a different security level [1]: - | Security Zone | Meaning | - |---------------|-------------------------| - | `0` | My Computer | - | `1` | Local Intranet Zone | - | `2` | Trusted Sites Zone | - | `3` | Internet Zone | - | `4` | Restricted Sites Zone | + | Security Zone | Meaning | + |---------------|-------------------------| + | `0` | My Computer | + | `1` | Local Intranet Zone | + | `2` | Trusted Sites Zone | + | `3` | Internet Zone | + | `4` | Restricted Sites Zone | + + Disabling SmartScreen is achieved by setting the value of `2301` to `3` [2]. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://web.archive.org/web/20240709095151/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries "IE security zones registry entries for advanced users - Browsers | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help" + [3]: https://web.archive.org/web/20240709102226/https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-06-08/finding/V-64719 "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. 
| www.stigviewer.com" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable outdated Internet Explorer SmartScreen Filter component + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file. + + The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1]. 
+ It is mainly used by Internet Explorer [2]. + + Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3], + some systems may still have this component. + + Benefits: + + - **Privacy improvement**: + By disabling the SmartScreen functionality that monitors user behavior, + this script enhances your privacy. + - **Security enhancement**: + It reduces the attack surface by removing unused components, aligning with + security best practices. + - **System performance**: + It may improve system performance by removing unnecessary components. + + Trade-offs: + + - **Reduced security**: + The absence of SmartScreen may decrease protection against malware and phishing. + - **Browser Functionality**: + If Internet Explorer is still in use, disabling the SmartScreen filter + may lead to errors, particularly with security features like phishing protection. + - **System stability**: + Internet Explorer components are integrated into Windows. + Some Windows features and third-party applications may depend on these components. + Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend + on it, even if Internet Explorer is not actively used. + + File locations: + + | File path | Windows 11 (23H2) | Windows 10 (22H2) | + |-----------|-----------------------------|-----------------------------| + | `%WINDIR%\System32\ieapfltr.dll` [4] | ❌ Missing | ❌ Missing | + | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | ✅ Yes | ✅ Exists | + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\ieapfltr.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + category: Disable SmartScreen system components + docs: |- + This category includes scripts that disable SmartScreen system components. + + SmartScreen is a security feature in Windows that helps protect your device from + potentially harmful applications, files, and websites [1]. + Its components run in the background as part of the operating system. + + Disabling these components may: + + - Improve privacy by reducing data collection used for SmartScreen functionality [2]. + - Increase system performance by eliminating background processes. 
+ - Enhance security by removing potential attack surfaces. + + However, there are risks to consider: + + - Reduced protection against malicious software and phishing attempts. + - Potential impact on Windows system integrity. + + These scripts modify core system components. + Consider your personal risk tolerance and needs before applying these changes. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows operating system components to Microsoft services - Windows Privacy | Microsoft Learn" + children: + - + name: Disable SmartScreen process + docs: |- # refactor-with-variables: • SmartScreen Caution + This script stops and prevents the `smartscreen.exe` from running. + + This process is officially known as *Windows Defender SmartScreen* [1] [2]. + It manages the SmartScreen functionality [3] [4]. + Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. + + Disabling SmartScreen improves your privacy because it stops outbound network connections + that transmit your data [5]. + This process runs in the background even when SmartScreen is disabled [3]. + It also improves system performance by reducing CPU usage [6]. + + However, disabling SmartScreen process can compromise your security by disabling its protective features. 
+ Additionally, if SmartScreen remains partially enabled after the process is disabled, + it may impair the functionality of Microsoft Store apps [3] [5]. + + This script will: + + - **Terminate the process**: + Stops the `smartscreen.exe` process to prevent it from running. + - **Remove the executable**: + Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. + + > **Caution**: + > - Disabling SmartScreen may reduce your protection against phishing and malware. + > - Disabling this process may prevent Microsoft Store apps from loading. + + [1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net" + [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240709102724/https://www.howtogeek.com/320711/what-is-smartscreen-and-why-is-it-running-on-my-pc/ "What Is \"SmartScreen\" and Why Is It Running on My PC? | www.howtogeek.com" + [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... 
- Microsoft Community | answers.microsoft.com" + [6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: smartscreen.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\smartscreen.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + name: Disable SmartScreen libraries + docs: |- + This script disables essential SmartScreen libraries, limiting their functionality and preventing + their use by other programs. + + A *library* is a set of code and resources that help programs operate. + A *DLL (Dynamic Link Library)* contains code and data that multiple programs can use simultaneously. + + Disabling these libraries stops SmartScreen operations across applications. + This enhances your privacy by eliminating SmartScreen data collection. + It improves security by reducing the system's attack surface. + It may also improve system performance by freeing up system resources. + + However, turning off these libraries may lower your system's defenses against malware and phishing, + as it stops the identification and blocking of potentially unsafe content. + + This script targets and disables the following specific SmartScreen libraries critical to their operations: - Disabling SmartScreen is achieved by setting the value of `2301` to `3` [2]. + - `smartscreen.dll`: + This DLL enables core SmartScreen functionality [1]. + It manages essential SmartScreen tasks, such as performing security checks and evaluating the + safety and reputation of files, applications, and web content [2] [3]. + - `smartscreenps.dll`: + This DLL supports SmartScreen functionality [4]. 
+ It facilitates SmartScreen's critical functions, including component management, registration, and + lifecycle within a COM framework [5] [6]. - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + File locations: - [1]: https://web.archive.org/web/20240709095151/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries "IE security zones registry entries for advanced users - Browsers | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help" - [3]: https://web.archive.org/web/20240709102226/https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-06-08/finding/V-64719 "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. | www.stigviewer.com" + | File path | Windows 11 (23H2) | Windows 10 (22H2) | + |-----------|-----------------------------|-----------------------------| + | `%WINDIR%\System32\smartscreen.dll` [2] | ✅ Exists | ❌ Missing | + | `%WINDIR%\SysWOW64\smartscreen.dll` [3] | ✅ Exists | ❌ Missing | + | `%WINDIR%\System32\smartscreenps.dll` [4] [5] | ✅ Exists | ✅ Exists | + | `%WINDIR%\SysWOW64\smartscreenps.dll` [6] [7] | ✅ Exists | ✅ Exists | + + [1]: https://github.com/privacysexy-forks/10_0_22621_870/blob/8b13bab6a49d9d04990dfd78de7b39eb815dcddc/C/Windows/System32/smartscreen.exe.strings#L1090 "10_0_22621_870/C/Windows/System32/smartscreen.exe.strings at 8b13bab6a49d9d04990dfd78de7b39eb815dcddc · privacysexy-forks/10_0_22621_870 · GitHub | github.com" + [2]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreen.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreen.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · 
privacysexy-forks/10_0_22621_1028 · GitHub | github.com" + [3]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreen.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreen.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" + [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + [5]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreenps.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreenps.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" + [6]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreenps.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreenps.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" + [7]: https://web.archive.org/web/20240715092131/https://strontic.github.io/xcyclopedia/library/smartscreenps.dll-9C77057727E91884AA2AE5D6A85F90C5.html "smartscreenps.dll | SmartScreenPS | STRONTIC | strontic.github.io" call: - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: 
Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\System32\smartscreen.dll' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\System32\smartscreenps.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\SysWOW64\smartscreen.dll' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + name: Disable outdated SmartScreen settings interface + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables the SmartScreen settings interface in older Windows versions. 
+ + It specifically targets and soft-deletes the `SmartScreenSettings.exe` file [1] [2] [3] [4]. + Found only in older Windows versions [3] [4], including Windows 8 [3]. + Based on tests, this file does not exist in newer versions such as Windows 11 Pro (23H2) + or Windows 10 Pro (22H2) and beyond. + + The `SmartScreenSettings.exe` is a user interface component [1] [2] that displays settings + for the SmartScreen filter [3] [4]. + + Removing this component may enhance privacy by eliminating the possibility to modify + SmartScreen settings, which could otherwise be used to re-enable this monitoring feature [3] [4]. + It also optimizes system performance by removing this obsolete component. + + However, disabling this feature could reduce security by limiting your system's protection against + phishing and malware. + + It is located at the following paths: + + - `%WINDIR%\System32\SmartScreenSettings.exe` [1] [4] + - `%WINDIR%\SysWOW64\SmartScreenSettings.exe` [2] + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240714203112/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-43D69652F91822C4A0873884B829DD0A.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/save/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-6B2EA6F8937B573372304CAE5F829A4D.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20111013123233/https://techtrickz.com/how-to/enable-or-disable-windows-8-smartscreen-feature-how-to/ "Disable Windows 8 SmartScreen Feature | techtrickz.com" + [4]: https://web.archive.org/web/20240714203245/https://www.thewindowsclub.com/windows-smartscreen-cant-reached-right-now "Windows SmartScreen can't be reached right now | www.thewindowsclub.com" + call: - - name: Disable outdated Internet Explorer SmartScreen Filter component - docs: |- # refactor-with-variables: • SmartScreen Caution - This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file. + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\SmartScreenSettings.exe' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + - + category: Disable Windows Security interface + docs: |- + This category offers scripts to disable or modify different aspects of the **Windows Security** user interface, + formerly known as **Windows Defender Security Center**. + + **Windows Security** is a centralized interface managing various Windows security features [1] [2] [3] [4]. + It evolved from **Windows Defender**, initially a standalone antivirus with its own interface [5]. 
+ Over time, Microsoft separated the management interface from the core antivirus component [6]. + + The evolution of Windows Security: + + 1. With launch of Windows 10, Microsoft removed the separate settings window from Windows Defender, replacing + it with a dedicated page in the main Settings app [6]. + 2. Windows 10 version 1703 introduced **Windows Defender Security Center (WDSC)**, combining Windows Defender's + interface with **Windows Security and Maintenance** [7]. + 3. Version 1803 renamed the Windows Defender settings page to **Windows Security** and redesigned it to emphasize + various protection areas [3]. + 4. In version 1809, **Windows Defender Security Center** was renamed to **Windows Security (WSC)** [1] [2] [4] [8]. + + Windows Security features include: + + - **Virus & threat protection:** [1] [2]: + Manages antivirus scans and updates [1] [2]. + It includes managing **Defender Antivirus** [1] [2] [8]. + - **Account protection:** [1] [2] + Handles sign-in options and account settings, including **Windows Hello** [1] [2]. + - **Firewall & network protection:** [1] [2] + Controls firewall settings and monitors network connections [1] [2]. + **Windows Security** brand does not include the firewall component **Windows Firewall** [8]. + However, it allows viewing and managing it, including turning it on and off [9]. + - **App & browser control:** [1] [2] + Manages Microsoft Defender SmartScreen settings to protect against potentially harmful apps, files, and downloads [1]. + - **Device security:** [1] [2] + Oversees built-in security features to protect against malware attacks [1] [2]. + - **Device performance & health** [1] [2]: + Monitors device health and provides system update information [1]. + - **Family options:** [1] [2] + Allows management of family online activity and connected devices [1] [2]. 
+ + Scripts in this disables or adjust Windows Security components to: + + - Minimize data collection by limiting interactions with Microsoft's security services + - Increase user control over security settings by blocking UI access to Defender + + This allows users to decide which security features to manage or disable without interference. + However, be aware that limiting access to these settings may result in inadequate responses to + security threats, potentially making the system more vulnerable. - The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1]. - It is mainly used by Internet Explorer [2]. + > **Caution:** + > Disabling these features may prevent you from configuring and viewing Defender settings, which may reduce your + > system's security and convenience. + > Consider alternative security measures if you disable Windows Security components. + + [1]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20240819081122/https://betawiki.net/wiki/Windows_10_build_17093 "Windows 10 build 17093 - BetaWiki | betawiki.net" + [4]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20201219170833/https://www.digitalcitizen.life/windows-defender-windows-8-and-windows-7-what-s-new-and-different/ "Windows Defender 
in Windows 8 and Windows 7 - What's New & Different? | Digital Citizen | www.digitalcitizen.life" + [6]: https://web.archive.org/web/20240819080906/https://en.wikipedia.org/wiki/Microsoft_Defender_Antivirus "Microsoft Defender Antivirus - Wikipedia | en.wikipedia.org" + [7]: https://web.archive.org/web/20170803091535/https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus + [8]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [9]: https://web.archive.org/web/20240819080607/https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-xdr "Microsoft Defender XDR | Microsoft Security | www.microsoft.com" + children: + - + name: Disable "Windows Security Service" service + docs: |- + This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. + This service provides unified device protection and health information [2] [3]. - Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3], - some systems may still have this component. + It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. + Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. + By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. - Benefits: + The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. 
- - **Privacy improvement**: - By disabling the SmartScreen functionality that monitors user behavior, - this script enhances your privacy. - - **Security enhancement**: - It reduces the attack surface by removing unused components, aligning with - security best practices. - - **System performance**: - It may improve system performance by removing unnecessary components. - - Trade-offs: + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" + [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states + call: + - + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType + defaultStartupMode: Manual # Allowed values: Boot | 
System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender user interface + children: + - + name: Remove "Windows Security" system tray icon + docs: |- + https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray + valueName: HideSystray + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Remove "Scan with Defender" from context menu + docs: |- + This script removes the **Scan with Microsoft Defender** option from the right-click context menu. - - **Reduced security**: - The absence of SmartScreen may decrease protection against malware and phishing. - - **Browser Functionality**: - If Internet Explorer is still in use, disabling the SmartScreen filter - may lead to errors, particularly with security features like phishing protection. - - **System stability**: - Internet Explorer components are integrated into Windows. - Some Windows features and third-party applications may depend on these components. - Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend - on it, even if Internet Explorer is not actively used. + This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. + Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. - File locations: + Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. 
- | File path | Windows 11 (23H2) | Windows 10 (22H2) | - |-----------|-----------------------------|-----------------------------| - | `%WINDIR%\System32\ieapfltr.dll` [4] | ❌ Missing | ❌ Missing | - | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | ✅ Yes | ✅ Exists | + > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + ### Technical Details - [1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" - [4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" + The script functions by altering specific registry keys that correspond to the Defender context menu option. + It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. + The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. 
+ + The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. + This feature is provided by `shellext.dll` file located in Defender's program files [1]. + + [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" + [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - - function: SoftDeleteFiles + function: DeleteRegistryValue parameters: - fileGlob: '%WINDIR%\System32\ieapfltr.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' + # Windows 10 (≥ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) + # Windows 11 (≥ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll' - - function: SoftDeleteFiles + function: DeleteRegistryValue parameters: - fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - - category: Disable SmartScreen system components - docs: |- - This category includes 
scripts that disable SmartScreen system components. - - SmartScreen is a security feature in Windows that helps protect your device from - potentially harmful applications, files, and websites [1]. - Its components run in the background as part of the operating system. + keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' + valueName: ThreadingModel + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' + # Windows 10 (≥ 22H2) : Apartment (REG_SZ) + # Windows 11 (≥ 23H2) : Apartment (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: 'Apartment' + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + name: Remove "Windows Security" icon from taskbar + docs: |- + This script removes the "Windows Security" icon from the system tray. 
"Windows Security" is an interface introduced in Windows 10, version 1703 + and was originally named "Windows Defender Security Center" [1]. - Disabling these components may: + The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. - - Improve privacy by reducing data collection used for SmartScreen functionality [2]. - - Increase system performance by eliminating background processes. - - Enhance security by removing potential attack surfaces. + The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 + and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. - However, there are risks to consider: + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" 
+ [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + call: + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' + valueName: SecurityHealth + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' + # Windows 10 (≥ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) + # Windows 11 (≥ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) + dataTypeOnRevert: REG_EXPAND_SZ + dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' + - + name: Disable Defender Antivirus interface + docs: |- + This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially + preventing user interactions with the Microsoft Defender Antivirus interface. - - Reduced protection against malicious software and phishing attempts. - - Potential impact on Windows system integrity. + Several reasons to hide the antivirus interface: - These scripts modify core system components. - Consider your personal risk tolerance and needs before applying these changes. + 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing + its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more + in control of their data when they aren't constantly reminded of a running security service. + 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. + Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share + more data. 
This not only keeps the user experience neat but also minimizes accidental data sharing chances. + 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender + Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to + a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently + triggering options that might share data. + 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface + but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that + access has been restricted by the system administrator [2]. - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the + `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. 
- [1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows operating system components to Microsoft services - Windows Privacy | Microsoft Learn" - children: + [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" + [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable SmartScreen process - docs: |- # refactor-with-variables: • SmartScreen Caution - This script stops and prevents the `smartscreen.exe` from running. + name: Disable non-administrator access to Defender threat history + docs: |- + This script disables privacy mode for Defender scans, limiting threat history access to administrators. - This process is officially known as *Windows Defender SmartScreen* [1] [2]. - It manages the SmartScreen functionality [3] [4]. - Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. + By default, privacy mode is enabled [1]. 
+ When active, it restricts the display of spyware and potentially dangerous programs to administrators only, + instead of all users on the computer [2]. + It blocks non-administrators from viewing threat history [1]. - Disabling SmartScreen improves your privacy because it stops outbound network connections - that transmit your data [5]. - This process runs in the background even when SmartScreen is disabled [3]. - It also improves system performance by reducing CPU usage [6]. + This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. + It has no impact on current platforms [1]. - However, disabling SmartScreen process can compromise your security by disabling its protective features. - Additionally, if SmartScreen remains partially enabled after the process is disabled, - it may impair the functionality of Microsoft Store apps [3] [5]. + Limiting threat history to administrators has both benefits and drawbacks. + It improves security and privacy by limiting access to sensitive threat information. + However, it may reduce transparency and hinder security efforts for users without admin access who need this data. - This script will: + The script configures: - - **Terminate the process**: - Stops the `smartscreen.exe` process to prevent it from running. - - **Remove the executable**: - Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. + 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. + It sets the value to `$True`, effectively disabling privacy mode [1]. - > **Caution**: - > - Disabling SmartScreen may reduce your protection against phishing and malware. - > - Disabling this process may prevent Microsoft Store apps from loading. + 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. + This undocumented registry key has been verified to work on older Windows versions by the community [2]. 
- [1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net" - [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" - [3]: https://web.archive.org/web/20240709102724/https://www.howtogeek.com/320711/what-is-smartscreen-and-why-is-it-running-on-my-pc/ "What Is \"SmartScreen\" and Why Is It Running on My PC? | www.howtogeek.com" - [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" - [5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... 
- Microsoft Community | answers.microsoft.com" - [6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com" + [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" + [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" call: - - function: TerminateAndBlockExecution + function: SetMpPreference parameters: - executableNameWithExtension: smartscreen.exe + property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode + value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True + default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - - function: SoftDeleteFiles + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) parameters: - fileGlob: '%WINDIR%\System32\smartscreen.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: "DisablePrivacyMode" + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable sections in "Windows Security" + 
docs: |- + This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in + Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + + "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display + in a restricted mode [1]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + children: + - + name: Disable "Virus and threat protection" section in "Windows Security" + docs: |- + - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) + - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Ransomware data recovery" section in "Windows Security" + docs: |- + [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) + call: + function: 
SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: HideRansomwareRecovery + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Family options" section in "Windows Security" + docs: |- + - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) + - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Device performance and health" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) + - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health + valueName: UILockdown + dataType: 
REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Account protection" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) + - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "App and browser control" section in "Windows Security" + docs: |- + - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) + - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable device security sections + 
children: + - + name: Disable "Device security" section in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) + - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Clear TPM" button in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) + - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableClearTpmButton + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Secure boot" button in "Windows Security" + docs: |- + [Hide the Secure boot area | 
admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideSecureBoot + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" + docs: |- + [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideTPMTroubleshooting + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "TPM Firmware Update" recommendation in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) + - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: 
DisableTpmFirmwareUpdateWarning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable SmartScreen libraries - docs: |- - This script disables essential SmartScreen libraries, limiting their functionality and preventing - their use by other programs. - - A *library* is a set of code and resources that help programs operate. - A *DLL (Dynamic Link Library)* contains code and data that multiple programs can use simultaneously. - - Disabling these libraries stops SmartScreen operations across applications. - This enhances your privacy by eliminating SmartScreen data collection. - It improves security by reducing the system's attack surface. - It may also improve system performance by freeing up system resources. - - However, turning off these libraries may lower your system's defenses against malware and phishing, - as it stops the identification and blocking of potentially unsafe content. - - This script targets and disables the following specific SmartScreen libraries critical to their operations: - - - `smartscreen.dll`: - This DLL enables core SmartScreen functionality [1]. - It manages essential SmartScreen tasks, such as performing security checks and evaluating the - safety and reputation of files, applications, and web content [2] [3]. - - `smartscreenps.dll`: - This DLL supports SmartScreen functionality [4]. - It facilitates SmartScreen's critical functions, including component management, registration, and - lifecycle within a COM framework [5] [6]. 
- - File locations: - - | File path | Windows 11 (23H2) | Windows 10 (22H2) | - |-----------|-----------------------------|-----------------------------| - | `%WINDIR%\System32\smartscreen.dll` [2] | ✅ Exists | ❌ Missing | - | `%WINDIR%\SysWOW64\smartscreen.dll` [3] | ✅ Exists | ❌ Missing | - | `%WINDIR%\System32\smartscreenps.dll` [4] [5] | ✅ Exists | ✅ Exists | - | `%WINDIR%\SysWOW64\smartscreenps.dll` [6] [7] | ✅ Exists | ✅ Exists | - - [1]: https://github.com/privacysexy-forks/10_0_22621_870/blob/8b13bab6a49d9d04990dfd78de7b39eb815dcddc/C/Windows/System32/smartscreen.exe.strings#L1090 "10_0_22621_870/C/Windows/System32/smartscreen.exe.strings at 8b13bab6a49d9d04990dfd78de7b39eb815dcddc · privacysexy-forks/10_0_22621_870 · GitHub | github.com" - [2]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreen.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreen.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" - [3]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreen.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreen.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" - [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" - [5]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreenps.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreenps.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" - [6]: 
https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreenps.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreenps.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" - [7]: https://web.archive.org/web/20240715092131/https://strontic.github.io/xcyclopedia/library/smartscreenps.dll-9C77057727E91884AA2AE5D6A85F90C5.html "smartscreenps.dll | SmartScreenPS | STRONTIC | strontic.github.io" - call: + category: Disable Defender notifications + children: - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\smartscreen.dll' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + category: Disable Windows Security notifications + docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications + children: + - + name: Disable all Defender notifications + docs: + - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since 
Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable non-critical Defender notifications + docs: + - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\smartscreenps.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + name: Disable security and maintenance notifications # For Windows 10 build 1607 and above + docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ + call: + function: 
SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\SysWOW64\smartscreen.dll' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + name: Disable all Defender Antivirus notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + name: Disable Defender reboot notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: SuppressRebootNotification + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + 
category: Disable Defender Exploit Guard + docs: |- + This category disables Windows Defender Exploit Guard, potentially enhancing privacy and + system performance. + + Exploit Guard is also called **Windows Defender Exploit Guard** [1] [2] [3] [4] [5] + or **Microsoft Defender Exploit Guard** [6]. + It is a built-in Windows 10 feature since version 1709 [1] [5]. + It's the successor to the **Enhanced Mitigation Experience Toolkit (EMET)** [1] [5]. + + Exploit Guard uses Microsoft Cloud for machine learning and to check websites and IP addresses [1]. + Disabling it may enhance privacy by preventing these connections. + It may improve system performance by reducing background processes. + It increases user autonomy by enabling choices about which programs, scripts, and websites can connect + without automatic intervention. + + Disabling Exploit Guard may reduce protection against certain types of attacks. + Users should carefully weigh the trade-offs between enhanced privacy/performance and potential security + risks when disabling this feature. + + Exploit Guard consists of four main components: + + 1. **Attack Surface Reduction (ASR):** + Blocks Office-, script-, and email-based threats [1] [2] [7]. + 2. **Network protection:** + Blocks outbound connections to untrusted hosts/IP addresses using Defender SmartScreen [1] [2] [4]. + It extends SmartScreen to the operating system level [4]. + 3. **Controlled folder Access:** + Protects sensitive data from ransomware by blocking untrusted processes from accessing protected folders [1] [2] [3]. + 4. **Exploit protection:** + Applies exploit mitigation techniques to operating system processes and applications [1] [2] [3]. + + These features are enabled and configured by default on Windows 10 and 11 [1] [3] [8]. + They can also be remotely configured and set up in managed environments, such as enterprise organizations [2]. 
+ Disabling Exploit Guard can affect local or organizational configurations, such as those set by schools or employers. + + Defender Antivirus is the built-in antimalware component in Windows [5]. + Exploit Guard operates independently from Defender Antivirus [5]. + However, some features, like Attack Surface Reduction, depend on Defender Antivirus to function [1]. + Exploit Guard may also require Defender Antivirus for some of its configurations [6]. + + Exploit Guard is included in **Microsoft Defender for Endpoint** suite [9] [10]. + Defender for Endpoint enhances its functionality by providing additional detailed reporting into + exploit protection events and blocks as part of the usual alert investigation scenarios [10]. + Disabling Exploit Guard may impair the functionality of Defender for Endpoint. + + > **Caution:** + > Disabling Exploit Guard may lower your security if you do not have proper security practices + > or alternative protections in place. + + [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ + [2]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" + [3]: https://web.archive.org/web/20240821075921/https://learn.microsoft.com/en-us/defender-endpoint/enable-exploit-protection "Turn on exploit protection to help mitigate against attacks - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240821075805/https://learn.microsoft.com/en-us/defender-endpoint/network-protection "Use network protection to help prevent connections to bad sites - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: 
https://web.archive.org/web/20240821075906/https://msrc.microsoft.com/blog/2017/08/moving-beyond-emet-ii-windows-defender-exploit-guard/ "Moving Beyond EMET II – Windows Defender Exploit Guard | MSRC Blog | Microsoft Security Response Center | msrc.microsoft.com" + [6]: https://web.archive.org/web/20240821080834/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-using-powershell#advanced-threat-and-exploit-mitigation-and-prevention-controlled-folder-access "Evaluate Microsoft Defender Antivirus using PowerShell. - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240821075836/https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction "Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20240821075914/https://learn.microsoft.com/en-us/defender-endpoint/controlled-folders "Protect important folders from ransomware from encrypting your files with controlled folder access - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240821075742/https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction "Understand and use attack surface reduction - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20240821075844/https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection "Apply mitigations to help prevent attacks through vulnerabilities - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + children: - - name: Disable outdated SmartScreen settings interface - docs: |- # refactor-with-variables: • SmartScreen Caution - This script disables the SmartScreen settings interface in older Windows versions. 
+ name: Disable prevention of users and apps from accessing dangerous websites + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + valueName: EnableNetworkProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable controlled folder access + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess + - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access + valueName: EnableControlledFolderAccess + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "ExploitGuard MDM policy Refresh" task + docs: |- + This script disables the "ExploitGuard MDM policy Refresh" scheduled task. - It specifically targets and soft-deletes the `SmartScreenSettings.exe` file [1] [2] [3] [4]. - Found only in older Windows versions [3] [4], including Windows 8 [3]. - Based on tests, this file does not exist in newer versions such as Windows 11 Pro (23H2) - or Windows 10 Pro (22H2) and beyond. + The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". - The `SmartScreenSettings.exe` is a user interface component [1] [2] that displays settings - for the SmartScreen filter [3] [4]. 
+ Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. + It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. - Removing this component may enhance privacy by eliminating the possibility to modify - SmartScreen settings, which could otherwise be used to re-enable this monitoring feature [3] [4]. - It also optimizes system performance by removing this obsolete component. + Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. + MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. - However, disabling this feature could reduce security by limiting your system's protection against - phishing and malware. + Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. + + Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. - It is located at the following paths: + ### Overview of default task statuses - - `%WINDIR%\System32\SmartScreenSettings.exe` [1] [4] - - `%WINDIR%\SysWOW64\SmartScreenSettings.exe` [2] + `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | - [1]: https://web.archive.org/web/20240714203112/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-43D69652F91822C4A0873884B829DD0A.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/save/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-6B2EA6F8937B573372304CAE5F829A4D.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" - [3]: https://web.archive.org/web/20111013123233/https://techtrickz.com/how-to/enable-or-disable-windows-8-smartscreen-feature-how-to/ "Disable Windows 8 SmartScreen Feature | techtrickz.com" - [4]: https://web.archive.org/web/20240714203245/https://www.thewindowsclub.com/windows-smartscreen-cant-reached-right-now "Windows SmartScreen can't be reached right now | www.thewindowsclub.com" + [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" + [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" + [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" + [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit 
Guard policy - Configuration Manager | Microsoft Learn" call: - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\SmartScreenSettings.exe' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' + taskPathPattern: \Microsoft\Windows\ExploitGuard\ + taskNamePattern: ExploitGuard MDM policy Refresh - category: Disable automatic updates docs: |-
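Review bot: The new "Disable prevention of users and apps from accessing dangerous websites" script writes `data: "1"` to `EnableNetworkProtection`, while its sibling "Disable controlled folder access" writes `data: "0"` to the same-style Exploit Guard `Enable*` DWORD; please confirm against the linked admx.help policy that 1 is really the disabled state, because if 1 selects block mode the script enables network protection instead of disabling it, and a short comment on the line stating what each value means would prevent this from being misread again. In the task script's references, entry [3] is titled "| nist.gov" but its URL is on media.defense.gov, so the title attribute should name the actual host. Minor: "Exploit Guard is included in **Microsoft Defender for Endpoint** suite" needs "the", and the task docs still say "Windows Defender Exploit Guard" although the commit's stated goal is the simplified "Defender" naming.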