From 7c1bcbc9aeb8349387f5e44ddf369761585e9c99 Mon Sep 17 00:00:00 2001 From: undergroundwires Date: Sat, 3 Aug 2024 21:28:19 +0200 Subject: [PATCH] win: categorize disabling Defender Antivirus This commit creates a parent category for disabling Defender antivirus. Previously, the scripts to disable antivirus and its features were scattered around and not grouped. Grouping them informs users what defender component is being disabled. - Create a separate category for disabling Defender antivirus - Create a separate category for disabling Defender user interface. - Create a separate category for disabling Exploit Guard. - Remove `Disable OS components for Defender`, instead of using this technical categorization, move them to their related features. - In category names, change word `Microsoft Defender` to `Defender` for simplicity and alignment with new branding. --- src/application/collections/windows.yaml | 3533 +++++++++++----------- 1 file changed, 1773 insertions(+), 1760 deletions(-) diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index c3cf476d..bdf391c5 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -13881,7 +13881,8 @@ actions: category: Privacy over security children: - - category: Disable Microsoft Defender + # TODO: BEfore doing anything, check other branches. + category: Disable Defender docs: |- This category offers scripts to disable Windows security components known as *Microsoft Defender*. Although designed to protect you, these features may compromise your privacy and decrease computer performance. @@ -14472,7 +14473,7 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Microsoft Defender firewall + category: Disable Defender firewall docs: |- This category provides scripts to disable the Microsoft Defender Firewall. 
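Review bot: The added line `# TODO: BEfore doing anything, check other branches.` directly above `category: Disable Defender` is a personal work-in-progress note, typo included, committed into the collection file that is shipped to users. A reminder to reconcile this reorganisation with other branches belongs in the pull-request description, not in `windows.yaml`; the line should be dropped before merge. If a comment is genuinely needed here, make it describe the category rather than the author's workflow, e.g. `# Parent category; per-component Defender scripts are grouped below.`. The `Disable Defender firewall` rename in the second hunk on this line is fine as a pure rename.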
@@ -14805,58 +14806,12 @@ actions: data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 - docs: - - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender - valueName: DisableAntiSpyware - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender features - # Status: Get-MpPreference + category: Disable Defender Antivirus + docs: |- + # TODO: add docs children: - - name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide - - https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ - - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - - - function: 
SetMpPreference - parameters: - # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' - property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection - value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 - default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - - - function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - valueName: MpEnablePus - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue # For newer Windows versions - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: PUAProtection - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Tamper Protection + name: Disable Tamper Protection # TODO: Move outside vs keep? docs: |- This script disables Tamper Protection in Microsoft Defender Antivirus. 
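Review bot: The new `docs: |-` under `category: Disable Defender Antivirus` is followed by `# TODO: add docs` as its block-scalar content, and inside a literal block scalar `#` does not start a comment — the string `# TODO: add docs` becomes the category's user-visible documentation. Either omit the `docs` key until text exists, or replace the placeholder with a real sentence in the style the file already uses, e.g. `docs: |-` / `This category offers scripts to disable Microsoft Defender Antivirus and its individual protection features.`. The inline `# TODO: Move outside vs keep?` appended to `name: Disable Tamper Protection` is the same kind of unresolved note and should be settled or removed before this lands. The trailing context of this hunk appears to end in a blank line that the collapsed rendering does not show, so the Tamper Protection script's body continues beyond what is visible here.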
@@ -14948,1821 +14903,1408 @@ actions: data: "2" dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) - - name: Disable file hash computation feature # Added in Windows 10, version 2004 + name: Disable outdated Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 docs: - - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation - - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 + - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - valueName: EnableFileHashComputation + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender + valueName: DisableAntiSpyware dataType: REG_DWORD - data: "0" + data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable "Windows Defender Exploit Guard" - docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ - children: - - - name: Disable prevention of users and apps from accessing dangerous websites - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection - call: - function: SetRegistryValue - parameters: - 
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - valueName: EnableNetworkProtection - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable controlled folder access - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access - valueName: EnableControlledFolderAccess - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable network inspection system features - children: - - - name: Disable protocol recognition - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS - valueName: DisableProtocolRecognition - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable definition retirement - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS - valueName: DisableSignatureRetirement - 
dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize rate of detection events - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS - valueName: ThrottleDetectionEventsRate - dataType: REG_DWORD - data: "10000000" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable real-time protection + category: Disable Defender Antivirus features # TODO FLatten completely? + # Status: Get-MpPreference children: - - name: Disable real-time monitoring + name: Disable Defender Antivirus Potentially Unwanted Application (PUA) # Already disabled as default docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 + - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide + - https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ + - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection # Managing with MpPreference module: - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring - call: # Enabled by default (DisableRealtimeMonitoring is false) + call: - function: SetMpPreference parameters: - property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring - value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True - # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected - default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - + # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' + property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection + value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 + default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - - function: SetRegistryValue + function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableRealtimeMonitoring + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: MpEnablePus dataType: REG_DWORD - data: "1" + data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable intrusion prevention system (IPS) - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem - # Managing with MpPreference module: - - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem - call: - - - function: SetMpPreference - parameters: - property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem - value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True - # ❌ Windows 11 and Windows 10: Does not fail but does not change the value - default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False - # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set - - function: SetRegistryValue + function: SetRegistryValue # For newer Windows versions parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableIntrusionPreventionSystem + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: PUAProtection dataType: REG_DWORD - data: "1" + data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable Information Protection Control (IPC) - docs: https://web.archive.org/web/20231207105520/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl + name: Disable Defender Antivirus file hash computation # Added in Windows 10, version 2004 + docs: + - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation + - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation + - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableInformationProtectionControl + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: EnableFileHashComputation dataType: REG_DWORD - data: "1" + data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Defender monitoring of behavior + category: Disable network inspection system features + children: + - + name: Disable protocol recognition + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS + valueName: DisableProtocolRecognition + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable definition retirement + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS + valueName: DisableSignatureRetirement + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize rate of detection events + docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS + valueName: ThrottleDetectionEventsRate + dataType: REG_DWORD + data: "10000000" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable real-time protection children: - - name: Disable behavior monitoring + name: Disable real-time monitoring docs: - - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring - call: + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring + call: # Enabled by default (DisableRealtimeMonitoring is false) - function: SetMpPreference parameters: - property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring - value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True - # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected - default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False + property: DisableRealtimeMonitoring # Status: Get-MpPreference | 
Select-Object -Property DisableRealtimeMonitoring + value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True + # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected + default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False + - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableBehaviorMonitoring + valueName: DisableRealtimeMonitoring dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable sending raw write notifications to behavior monitoring - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableRawWriteNotification - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable monitoring of downloads and attachments in Defender - children: - - - name: Disable scanning of all downloaded files and attachments + name: Disable intrusion prevention system (IPS) docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem call: - function: SetMpPreference parameters: - property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection - value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True - # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected - default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False + property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem + value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True + # ❌ Windows 11 and Windows 10: Does not fail but does not change the value + default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False + # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableIOAVProtection + valueName: DisableIntrusionPreventionSystem dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable scanning files larger than 1 KB (minimum possible) - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize + name: Disable Information Protection Control (IPC) + docs: 
https://web.archive.org/web/20231207105520/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableInformationProtectionControl + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender monitoring of behavior + children: + - + name: Disable behavior monitoring + docs: + - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring + call: + - + function: SetMpPreference + parameters: + property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring + value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True + # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected + default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableBehaviorMonitoring + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable sending raw write notifications to behavior monitoring + docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableRawWriteNotification + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable monitoring of downloads and attachments in Defender + children: + - + name: Disable scanning of all downloaded files and attachments + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection + call: + - + function: SetMpPreference + parameters: + property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection + value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True + # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected + default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableIOAVProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning files larger than 1 KB (minimum possible) + docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: IOAVMaxSize + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender monitoring of file and program activity + children: + - + name: Disable file and program activity monitoring + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableWindowsSpotlightFeatures + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable bidirectional scan for incoming and outgoing file and program activities + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection + call: + # 0='Both': bi-directional (full on-access, default) + # 1='Incoming': scan only incoming (disable on-open) + # 2='Outcoming': scan only outgoing (disable on-close) + - + function: SetMpPreference + parameters: + property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property 
RealTimeScanDirection + value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 + default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: RealTimeScanDirection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable real-time protection process scanning + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable call: function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: IOAVMaxSize + valueName: DisableScanOnRealtimeEnable dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Defender monitoring of file and program activity + category: Disable Defender remediation children: - - name: Disable file and program activity monitoring + name: Disable routine remediation docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection + - https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction call: function: SetRegistryValue parameters: - keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableWindowsSpotlightFeatures + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: DisableRoutinelyTakingAction dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable bidirectional scan for incoming and outgoing file and program activities + name: Disable running scheduled auto-remediation docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday call: - # 0='Both': bi-directional (full on-access, default) - # 1='Incoming': scan only incoming (disable on-open) - # 2='Outcoming': scan only outgoing (disable on-close) + # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Remediation + valueName: Scan_ScheduleDay + dataType: REG_DWORD + data: "8" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay + value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 + 
default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 + - + name: Disable remediation actions + docs: + - https://web.archive.org/web/20240314124221/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 + call: # Not using ThreatIdDefaultAction as it requires known threat IDs - function: SetMpPreference + # https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction parameters: - property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection - value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 - default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 + property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction + # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value): + # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. + # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. 
+ # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` + value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 + # Default: 0 (none) + # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` + # works on both Windows 10 and Windows 11 - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: RealTimeScanDirection + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats + valueName: Threats_ThreatSeverityDefaultAction dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "5" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "4" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "3" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "2" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + 
parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "1" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Enable automatically purging items from quarantine folder + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay + call: + # Values: + # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 + # Minimum: 1 + # 0 means indefinitely + - + function: SetMpPreference + parameters: + property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay + value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 + default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 + setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine + valueName: PurgeItemsAfterDelay + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable real-time protection process scanning - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable + name: Disable always running antimalware service + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - valueName: DisableScanOnRealtimeEnable + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: ServiceKeepAlive dataType: REG_DWORD - data: "1" + data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender remediation - children: - - - name: Disable routine remediation - docs: - - https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: DisableRoutinelyTakingAction - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable running scheduled auto-remediation - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday - call: - # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 
'Never' - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Remediation - valueName: Scan_ScheduleDay - dataType: REG_DWORD - data: "8" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay - value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 - default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 - - - name: Disable remediation actions - docs: - - https://web.archive.org/web/20240314124221/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 - call: # Not using ThreatIdDefaultAction as it requires known threat IDs - - - function: SetMpPreference - # https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction - parameters: - property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction - # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value): - # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. - # E.g. 
if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. - # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` - value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 - # Default: 0 (none) - # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` - # works on both Windows 10 and Windows 11 - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats - valueName: Threats_ThreatSeverityDefaultAction - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "5" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "4" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "3" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "2" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - 
parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - valueName: "1" - dataType: REG_SZ - data: "9" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Enable automatically purging items from quarantine folder + # - # Too good to disable + # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" + # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 + # children: + # - + # name: Disable LSA protection (disabled by default) + # docs: + # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection + # - https://itm4n.github.io/lsass-runasppl/ + # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags + # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard + # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool + # call: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa + # valueName: LsaCfgFlags + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\Software\Policies\Microsoft\Windows\DeviceGuard + # valueName: LsaCfgFlags + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # name: Disable virtualization-based security (disabled by default) + # docs: + # - 
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard + # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool + # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity + # call: + # # Virtualization features + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: EnableVirtualizationBasedSecurity + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: RequirePlatformSecurityFeatures + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # # Lock: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: Locked + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: NoLock + # dataType: REG_DWORD + # data: '1' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # # HypervisorEnforcedCodeIntegrity: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: HypervisorEnforcedCodeIntegrity + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # 
function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity + # valueName: Enabled + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity + # valueName: Locked + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # name: Disable System Guard Secure Launch + # docs: + # - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection + # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch + # call: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + # valueName: ConfigureSystemGuardLaunch + # dataType: REG_DWORD + # data: '2' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard + # valueName: Enabled + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # name: Disable Windows Defender Application Control Code Integrity Policy + # docs: + # - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy + # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool + # call: + # - + # function: SetRegistryValue + # parameters: + # keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + # valueName: DeployConfigCIPolicy + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: DeleteFiles + # parameters: + # fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b' + - + name: Disable Defender Antivirus auto-exclusions docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay + - https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide + - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions call: - # Values: - # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 - # Minimum: 1 - # 0 means indefinitely - function: SetMpPreference parameters: - property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay - value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 - default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 - setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it 
to 0 instead 90 (OS default) in Windows 11 + property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions + value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True + default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False + setDefaultOnWindows11: 'true' # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 - function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine - valueName: PurgeItemsAfterDelay + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions + valueName: DisableAutoExclusions dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable always running antimalware service - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: ServiceKeepAlive - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - # Too good to disable - # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" - # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 - # children: - # - - # name: Disable LSA protection (disabled by default) - # docs: - # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection - # - https://itm4n.github.io/lsass-runasppl/ - # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags - # - 
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard - # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool - # call: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa - # valueName: LsaCfgFlags - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\Software\Policies\Microsoft\Windows\DeviceGuard - # valueName: LsaCfgFlags - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # name: Disable virtualization-based security (disabled by default) - # docs: - # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard - # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool - # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity - # call: - # # Virtualization features - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: EnableVirtualizationBasedSecurity - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: RequirePlatformSecurityFeatures - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) 
- # # Lock: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: Locked - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: NoLock - # dataType: REG_DWORD - # data: '1' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # # HypervisorEnforcedCodeIntegrity: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard - # valueName: HypervisorEnforcedCodeIntegrity - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity - # valueName: Enabled - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity - # valueName: Locked - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # name: Disable System Guard Secure Launch - # docs: - # - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection - # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch - # call: - # - - # function: SetRegistryValue - # parameters: - # keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - # valueName: ConfigureSystemGuardLaunch - # dataType: REG_DWORD - # data: '2' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard - # valueName: Enabled - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # name: Disable Windows Defender Application Control Code Integrity Policy - # docs: - # - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy - # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool - # call: - # - - # function: SetRegistryValue - # parameters: - # keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - # valueName: DeployConfigCIPolicy - # dataType: REG_DWORD - # data: '0' - # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # - - # function: DeleteFiles - # parameters: - # fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b' - - - name: Disable auto-exclusions - docs: - - https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide - - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions - call: - - - function: SetMpPreference - parameters: - property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions - value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True - default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False - setDefaultOnWindows11: 'true' # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions - valueName: DisableAutoExclusions - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender scans - children: - - - category: Disable scan actions - children: - - - name: Disable signature verification before scanning # Default configuration - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan - call: - - - function: SetMpPreference - parameters: - property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan - value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference 
-Force -CheckForSignaturesBeforeRunningScan $False - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: CheckForSignaturesBeforeRunningScan - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable creation of daily system restore points # Default behavior - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint - call: - - - function: SetMpPreference - parameters: - property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint - value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True - default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableRestorePoint - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize retention time for files in scan history - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay - call: # Default is 15, minimum is 0 which means never removing items - - - function: SetMpPreference - parameters: - property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay - value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 - default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: PurgeItemsAfterDelay - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable catch-up scans + category: Disable Defender Antivirus scans children: - - name: Maximize days until mandatory catch-up scan - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup - # Default and minimum is 2, maximum is 20 - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: MissedScheduledScanCountBeforeCatchup - dataType: REG_DWORD - data: '20' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable catch-up full scans # Disabled by default - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan - call: - - - function: SetMpPreference - parameters: - property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan - value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True - default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True + category: Disable scan actions + children: - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableCatchupFullScan - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable catch-up quick scans - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan - call: + name: Disable signature verification before scanning # Default configuration + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan + call: + - + function: SetMpPreference + parameters: + 
property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan + value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False + default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: CheckForSignaturesBeforeRunningScan + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SetMpPreference - parameters: - property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan - value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True - default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True + name: Disable creation of daily system restore points # Default behavior + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint + call: + - + function: SetMpPreference + parameters: + property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint + value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True + default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True + - + function: 
SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableRestorePoint + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableCatchupQuickScan - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender scan options - children: - - - name: Disable scan heuristics - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableHeuristics - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + name: Minimize retention time for files in scan history + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay + call: # Default is 15, minimum is 0 which means never removing items + - + function: SetMpPreference + parameters: + property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay + value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 + default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force 
-ScanPurgeItemsAfterDelay 15 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: PurgeItemsAfterDelay + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable intensive CPU usage during Defender scans + category: Disable catch-up scans children: - - name: Minimize CPU usage during scans + name: Maximize days until mandatory catch-up scan + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup + # Default and minimum is 2, maximum is 20 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: MissedScheduledScanCountBeforeCatchup + dataType: REG_DWORD + data: '20' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable catch-up full scans # Disabled by default docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan call: - # Default: 50, minimum 1 - function: SetMpPreference parameters: - property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor - value: "'1'" # Set: 
Set-MpPreference -Force -ScanAvgCPULoadFactor 1 - default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 + property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan + value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True + default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: AvgCPULoadFactor + valueName: DisableCatchupFullScan dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Minimize CPU usage during idle scans + name: Disable catch-up quick scans docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan call: - function: SetMpPreference parameters: - property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans - value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False - default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True + property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan + value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True + default: $True # Default: True | 
Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True - function: SetRegistryValue parameters: keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableCpuThrottleOnIdleScans + valueName: DisableCatchupQuickScan dataType: REG_DWORD - data: '0' + data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable scanning when not idle # Default OS setting - docs: - - https://web.archive.org/web/20231206191436/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled - call: + category: Disable Defender scan options + children: - - function: SetMpPreference - parameters: - property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled - value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True + name: Disable scan heuristics + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableHeuristics + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: 
ScanOnlyIfIdle - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable scheduled anti-malware scanner (MRT) - docs: |- - This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft. + category: Disable intensive CPU usage during Defender scans + children: + - + name: Minimize CPU usage during scans + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor + call: + # Default: 50, minimum 1 + - + function: SetMpPreference + parameters: + property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor + value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 + default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: AvgCPULoadFactor + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize CPU usage during idle scans + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + - + function: SetMpPreference + parameters: + property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property 
DisableCpuThrottleOnIdleScans
+ value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False
+ default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
+ valueName: DisableCpuThrottleOnIdleScans
+ dataType: REG_DWORD
+ data: '0'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
+ -
+ name: Disable scanning when not idle # Default OS setting
+ docs:
+ - https://web.archive.org/web/20231206191436/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle
+ # Managing with MpPreference module:
+ - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
+ - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled
+ call:
+ -
+ function: SetMpPreference
+ parameters:
+ property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled
+ value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
+ default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
+ valueName: ScanOnlyIfIdle
+ dataType: REG_DWORD
+ data: '1'
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
+ -
+ name: Disable scheduled anti-malware scanner (MRT)
+ docs: |-
+ This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft.
- Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user - preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully - Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1]. + Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user + preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully + Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1]. - By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. + By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. 
- [1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT - valueName: DontOfferThroughWUAU - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Minimize scanned areas - children: - - - name: Disable e-mail scanning # Disabled by default - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning - call: - - - function: SetMpPreference - parameters: - property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning - value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False - default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableEmailScanning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable script scanning - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning - call: - function: SetMpPreference - parameters: - property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning - value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True - # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected - default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False - - - name: Disable reparse point scanning - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableReparsePointScanning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable scanning mapped network drives during full scan - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableScanningMappedNetworkDrivesForFullScan - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: 
SetMpPreference - parameters: - property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan - value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False - default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True - - - name: Disable network file scanning - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableScanningNetworkFiles - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles - value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True - default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False - - - name: Disable scanning packed executables - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: 
DisablePackedExeScanning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + [1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT + valueName: DontOfferThroughWUAU + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable scanning archive files + category: Minimize scanned areas children: - - name: Disable Defender archive file scanning + name: Disable e-mail scanning # Disabled by default docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning # Managing with MpPreference module: - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning call: + - + function: SetMpPreference + parameters: + property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning + value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False + default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True - function: SetRegistryValue parameters: keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableArchiveScanning + valueName: DisableEmailScanning dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning - value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True - default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False - - - name: Minimize scanning depth of archive files - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ArchiveMaxDepth - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize file size for scanning archive files - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ArchiveMaxSize - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable scanning removable drives - docs: - # Disabled by default - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: DisableRemovableDriveScanning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning - value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False - default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True - - - category: Disable auto-scans - children: - - - name: Disable scheduled scans - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay - - https://web.archive.org/web/20240314122526/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday - call: - # Options are: - # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', - # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ScheduleDay - dataType: REG_DWORD - data: '8' - deleteOnRevert: 'true' # Missing by default since Windows 
10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay - value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' - default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' - - - name: Disable randomizing scheduled task times - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: RandomizeScheduleTaskTimes - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes - value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False - default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True - - - name: Disable scheduled full-scans - docs: - - https://web.archive.org/web/20240314122452/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters - # Managing with MpPreference module: - - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters - call: - # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: ScanParameters - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters - value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' - default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' - setDefaultOnWindows11: 'true' # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 - - - name: Minimize daily quick scan frequency - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan - valueName: QuickScanInterval - dataType: REG_DWORD - data: '24' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable scanning after security intelligence (signature) update - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: DisableScanOnUpdate - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # 
Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender updates - children: - - - category: Disable Defender Security Intelligence (signature) updates - children: - - - name: Disable forced security intelligence (signature) updates from Microsoft Update - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: ForceUpdateFromMU - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable security intelligence (signature) updates when running on battery power - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: DisableScheduledSignatureUpdateOnBattery - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable startup check for latest virus and spyware security intelligence (signature) - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: UpdateOnStartUp - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable catch-up security intelligence (signature) updates # default is one day - docs: - - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval - call: - # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: SignatureUpdateCatchupInterval - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SetMpPreference - parameters: - property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval - value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0' - default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' - - - name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days - # Maximize period when spyware security intelligence (signature) is considered up-to-dates - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: ASSignatureDue - dataType: REG_DWORD - data: '4294967295' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - 
name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days - # Maximize period when virus security intelligence (signature) is considered up-to-date - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue - - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: AVSignatureDue - dataType: REG_DWORD - data: '4294967295' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable security intelligence (signature) update on startup - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: DisableUpdateOnStartupWithoutEngine - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine - value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True - default: $False # Default: False | Remove-MpPreference -Force 
-SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False - - - name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday - call: - # Options: - # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' - # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: ScheduleDay - dataType: REG_DWORD - data: '8' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay - value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' - default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' - - - name: Minimize checks for security intelligence (signature) updates - docs: - - https://web.archive.org/web/20240314122335/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval - # Managing with MpPreference module: - - 
https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval - call: - # Valid values range from 1 (every hour) to 24 (once per day). - # If not specified (0), parameter, Microsoft Defender checks at the default interval - - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: SignatureUpdateInterval - dataType: REG_DWORD - data: '24' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetMpPreference - parameters: - property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval - value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24' - default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0' - - - category: Disable alternate definition updates - children: - - - name: Disable definition updates via WSUS and Microsoft Malware Protection Center - docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: CheckAlternateHttpLocation - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable definition updates through both WSUS and Windows Update - docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation - call: - function: SetRegistryValue - parameters: - keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - valueName: CheckAlternateDownloadLocation - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Minimize Defender updates to completed gradual release cycles - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - function: SetMpPreference - parameters: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease - value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True - default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - - - - name: Minimize Defender engine updates to completed release cycles - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - function: SetMpPreference - parameters: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel - value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad' - # Valid values: - # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' - # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' - default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" - - - name: Minimize Defender platform updates to completed release cycles - docs: - # Managing with MpPreference module: - 
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - function: SetMpPreference - parameters: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel - value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' - # Valid values: - # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' - # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' - default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" - - - name: Minimize Defender definition updates to completed gradual release cycles - docs: - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) - function: SetMpPreference - parameters: - property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel - # Its former name was "SignaturesUpdatesChannel" - value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' - # 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged' - # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' - default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - - - category: Disable Microsoft Defender reporting - children: - - - name: Disable Microsoft Defender logging - code: |- - reg add 
"HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f - reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f - revertCode: |- # 1 as default in registry - reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f - reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f - - - name: Disable Microsoft Defender ETW provider (Windows Event Logs) - docs: - - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide - code: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f - revertCode: |- # 1 as default in registry - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f - - - name: Minimize Windows software trace preprocessor (WPP Software Tracing) - docs: - - https://web.archive.org/web/20240314123926/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel - call: - function: SetRegistryValue - parameters: - keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: WppTracingLevel - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable auditing events in Microsoft Defender Application Guard - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI - valueName: AuditApplicationGuard - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender user interface - children: - - - name: Remove "Windows Security" system tray icon - docs: |- - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray - valueName: HideSystray - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Remove "Scan with Microsoft Defender" from context menu - docs: - - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/ - - https://web.archive.org/web/20240314174846/https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html - call: - - - function: RunInlineCode - parameters: - code: |- - reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul - revertCode: |- - reg add 
"HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f - reg add "HKCR\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f - reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f - - - function: RunInlineCode - parameters: - code: reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul - revertCode: reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f - - - function: RunInlineCode - parameters: - code: reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul - revertCode: reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f - - - function: RunInlineCode - parameters: - code: reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul - revertCode: reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f - - - name: Remove "Windows Security" icon from taskbar - docs: |- - This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 - and was originally named "Windows Defender Security Center" [1]. - - The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. - - The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 - and Windows 10 22H2) with default value of `%windir%\system32\SecurityHealthSystray.exe`. 
- - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" - [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" - code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809 - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f - - - name: Disable Microsoft Defender Antimalware (AM) user interface - docs: |- - This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially - preventing user interactions with the Microsoft Defender Antivirus interface. - - Several reasons to hide the antivirus interface: - - 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing - its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more - in control of their data when they aren't constantly reminded of a running security service. - 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. - Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share - more data. 
This not only keeps the user experience neat but also minimizes accidental data sharing chances. - 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender - Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to - a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently - triggering options that might share data. - 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface - but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that - access has been restricted by the system administrator [2]. - - The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the - `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. 
- - [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" - [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable non-administrator access to threat history - docs: |- - This script disables privacy mode for Defender scans, limiting threat history access to administrators. - - By default, privacy mode is enabled [1]. - When active, it restricts the display of spyware and potentially dangerous programs to administrators only, - instead of all users on the computer [2]. - It blocks non-administrators from viewing threat history [1]. - - This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. - It has no impact on current platforms [1]. - - Limiting threat history to administrators has both benefits and drawbacks. - It improves security and privacy by limiting access to sensitive threat information. - However, it may reduce transparency and hinder security efforts for users without admin access who need this data. - - The script configures: - - 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. - It sets the value to `$True`, effectively disabling privacy mode [1]. - - 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. 
- This undocumented registry key has been verified to work on older Windows versions by the community [2]. - - [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" - [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" - call: - - - function: SetMpPreference - parameters: - property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode - value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True - default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: "DisablePrivacyMode" - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable sections in "Windows Security" - docs: |- - This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in - Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. - - "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display - in a restricted mode [1]. 
- - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - children: - - - name: Disable "Virus and threat protection" section in "Windows Security" - docs: |- - - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Ransomware data recovery" section in "Windows Security" - docs: |- - [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: HideRansomwareRecovery - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Family options" section in "Windows Security" - docs: |- - - [Family options in Windows Security - 
Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Device performance and health" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Account protection" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "App and browser control" section in "Windows Security" - docs: |- - - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + name: Disable script scanning + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning + call: + function: SetMpPreference + parameters: + property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning + value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True + # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected + default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False + - + name: Disable reparse point scanning + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableReparsePointScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning mapped network drives during full scan + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableScanningMappedNetworkDrivesForFullScan + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: 
SetMpPreference + parameters: + property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan + value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False + default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True + - + name: Disable network file scanning + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableScanningNetworkFiles + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles + value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True + default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False + - + name: Disable scanning packed executables + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: 
DisablePackedExeScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable scanning archive files + children: + - + name: Disable Defender archive file scanning + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableArchiveScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning + value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True + default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False + - + name: Minimize scanning depth of archive files + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ArchiveMaxDepth + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize file size for scanning archive files + docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ArchiveMaxSize + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable scanning removable drives + docs: + # Disabled by default + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableRemovableDriveScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning + value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False + default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True - - category: Disable device security sections + category: Disable auto-scans children: - - name: Disable "Device security" section in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) + name: Disable scheduled scans + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay + - https://web.archive.org/web/20240314122526/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday + call: + # Options are: + # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', + # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ScheduleDay + dataType: REG_DWORD + data: '8' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay + value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' + default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' + - + name: Disable randomizing scheduled task times + docs: + - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: RandomizeScheduleTaskTimes + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes + value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False + default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True + - + name: Disable scheduled full-scans + docs: + - https://web.archive.org/web/20240314122452/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters + call: + # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + 
valueName: ScanParameters + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters + value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' + default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' + setDefaultOnWindows11: 'true' # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 + - + name: Minimize daily quick scan frequency + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: UILockdown + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: QuickScanInterval dataType: REG_DWORD - data: '1' + data: '24' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "Clear TPM" button in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) + name: Disable scanning after security intelligence (signature) update + docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableClearTpmButton + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableScanOnUpdate dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender Antivirus updates + children: + - + category: Disable Defender Security Intelligence (signature) updates + children: - - name: Disable "Secure boot" button in "Windows Security" - docs: |- - [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) + name: Disable forced security intelligence (signature) updates from Microsoft Update + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideSecureBoot + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ForceUpdateFromMU dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" - docs: |- - [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) + name: Disable security intelligence 
(signature) updates when running on battery power + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideTPMTroubleshooting + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableScheduledSignatureUpdateOnBattery dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "TPM Firmware Update" recommendation in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) + name: Disable startup check for latest virus and spyware security intelligence (signature) + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableTpmFirmwareUpdateWarning + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: UpdateOnStartUp dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender notifications - children: 
- - - category: Disable Windows Security notifications - docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications - children: - - name: Disable all Defender notifications + name: Disable catch-up security intelligence (signature) updates # default is one day docs: - - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval call: + # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: SignatureUpdateCatchupInterval dataType: REG_DWORD - data: '1' + data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue + function: SetMpPreference parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 
22H2) and Windows 11 Pro (≥ 23H2) + property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval + value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0' + default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' + - + name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days + # Maximize period when spyware security intelligence (signature) is considered up-to-dates + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ASSignatureDue + dataType: REG_DWORD + data: '4294967295' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days + # Maximize period when virus security intelligence (signature) is considered up-to-date + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue + - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: AVSignatureDue + dataType: REG_DWORD + data: '4294967295' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable non-critical Defender notifications + name: Disable security intelligence (signature) update on startup docs: - - 
http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine call: - function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableUpdateOnStartupWithoutEngine dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine + value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True + default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False + - + name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default + docs: + - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday + call: + # Options: + # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' + # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ScheduleDay dataType: REG_DWORD - data: '1' + data: '8' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay + value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' + default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' + - + name: Minimize checks for security intelligence (signature) updates + docs: + - https://web.archive.org/web/20240314122335/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + - 
https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval + call: + # Valid values range from 1 (every hour) to 24 (once per day). + # If not specified (0), parameter, Microsoft Defender checks at the default interval - function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: DisableEnhancedNotifications + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: SignatureUpdateInterval dataType: REG_DWORD - data: '1' + data: '24' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetMpPreference + parameters: + property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval + value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24' + default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0' + - + category: Disable alternate definition updates + children: + - + name: Disable definition updates via WSUS and Microsoft Malware Protection Center + docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: CheckAlternateHttpLocation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable definition updates through both WSUS and Windows Update + docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows 
Defender\Signature Updates + valueName: CheckAlternateDownloadLocation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above - docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ + name: Minimize Defender updates to completed gradual release cycles + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps call: - function: SetRegistryValue + function: SetMpPreference parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance - valueName: Enabled - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease + value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True + default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease + + - + name: Minimize Defender engine updates to completed release cycles + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + function: SetMpPreference + parameters: + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel + value: 
"'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad' + # Valid values: + # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' + # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' + default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" - - name: Disable all Defender Antivirus notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress + name: Minimize Defender platform updates to completed release cycles + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps call: - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: SetMpPreference + parameters: + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel + value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' + # Valid values: + # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' + # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' + default: 
"'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" + - + name: Minimize Defender definition updates to completed gradual release cycles + docs: + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) + function: SetMpPreference + parameters: + property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel + # Its former name was "SignaturesUpdatesChannel" + value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' + # 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged' + # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' + default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" + - + category: Disable Defender Antivirus reporting + children: - - name: Disable Defender reboot notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification + name: Disable Microsoft Defender logging + docs: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Microsoft_Antivirus.pdf?__blob=publicationFile&v=2 + code: |- + reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f + reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f + revertCode: |- # 1 as default in registry + reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" 
/t REG_DWORD /d "1" /f + reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f + - + name: Disable Microsoft Defender ETW provider (Windows Event Logs) + docs: + - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ + - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide + code: |- + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f + revertCode: |- # 1 as default in registry + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f + - + name: Minimize Windows software trace preprocessor (WPP Software Tracing) + docs: + - https://web.archive.org/web/20240314123926/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel call: function: SetRegistryValue parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: SuppressRebootNotification + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: WppTracingLevel dataType: REG_DWORD data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable OS components for Defender # Hackers way of 
disabling Defender - children: - - - category: Disable Defender scheduled tasks - children: - - - name: Disable "ExploitGuard MDM policy Refresh" task - docs: |- - This script disables the "ExploitGuard MDM policy Refresh" scheduled task. - - The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". - - Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. - It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. - - Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. - MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. - - Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. - - Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. 
- - ### Overview of default task statuses - - `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" - [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" - [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" - [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' - taskPathPattern: \Microsoft\Windows\ExploitGuard\ - taskNamePattern: ExploitGuard MDM policy Refresh + - + name: Disable auditing events in Microsoft Defender Application Guard + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig + - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview + 
call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI + valueName: AuditApplicationGuard + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender Antivirus scheduled tasks + children: - name: Disable "Windows Defender Cache Maintenance" task docs: |- 
@@ -16926,176 +16468,617 @@ actions: # fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - category: Disable Defender kernel-level drivers + category: Disable Defender kernel-level drivers + children: + # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only + - + name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service + docs: |- + https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdNisDrv # Check: (Get-Service -Name 'WdNisDrv').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + waitForDependentServicesOnStop: 'true' # Or it fails, `Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)` depends on this + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service + docs: |- + - 
https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ + - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Boot | + | Windows 11 (≥ 23H2) | 🟢 Running | Boot | + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. 
+ - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Boot Driver" service + docs: |- + https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Network Inspection" service + docs: |- + - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ + - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + - + # Windows 10 (22H2): ❌ 
`DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender user interface + docs: |- # TODO: add docs + Explain that it disables user interface components + children: + - + name: Disable "Windows Security Service" + docs: |- + This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. + This service provides unified device protection and health information [2] [3]. + + It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. + Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. + By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + + The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. 
+ + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" + [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states + call: + - + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Remove "Windows Security" system tray icon + docs: |- + 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray + valueName: HideSystray + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Remove "Scan with Microsoft Defender" from context menu + docs: + - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/ + - https://web.archive.org/web/20240314174846/https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html + call: + - + function: RunInlineCode + parameters: + code: |- + reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul + revertCode: |- + reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f + reg add "HKCR\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f + reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f + - + function: RunInlineCode + parameters: + code: reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul + revertCode: reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f + - + function: RunInlineCode + parameters: + code: reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul + revertCode: reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f + - + function: RunInlineCode + parameters: + code: reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul + revertCode: reg add 
"HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f + - + name: Remove "Windows Security" icon from taskbar + docs: |- + This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 + and was originally named "Windows Defender Security Center" [1]. + + The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. + + The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 + and Windows 10 22H2) with default value of `%windir%\system32\SecurityHealthSystray.exe`. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" 
+ [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809 + revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f + - + name: Disable Microsoft Defender Antimalware (AM) user interface + docs: |- + This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially + preventing user interactions with the Microsoft Defender Antivirus interface. + + Several reasons to hide the antivirus interface: + + 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing + its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more + in control of their data when they aren't constantly reminded of a running security service. + 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. + Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share + more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. + 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender + Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to + a cleaner, less interrupted user experience. 
By reducing these notifications, the system lessens the chances of users inadvertently + triggering options that might share data. + 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface + but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that + access has been restricted by the system administrator [2]. + + The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the + `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. + + [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" + [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable non-administrator access to threat history + docs: |- + This script disables privacy mode for Defender scans, limiting threat history access to administrators. + + By default, privacy mode is enabled [1]. + When active, it restricts the display of spyware and potentially dangerous programs to administrators only, + instead of all users on the computer [2]. + It blocks non-administrators from viewing threat history [1]. 
+ + This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. + It has no impact on current platforms [1]. + + Limiting threat history to administrators has both benefits and drawbacks. + It improves security and privacy by limiting access to sensitive threat information. + However, it may reduce transparency and hinder security efforts for users without admin access who need this data. + + The script configures: + + 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. + It sets the value to `$True`, effectively disabling privacy mode [1]. + + 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. + This undocumented registry key has been verified to work on older Windows versions by the community [2]. + + [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" + [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" + call: + - + function: SetMpPreference + parameters: + property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode + value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True + default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False + - + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX 
Configuration + valueName: "DisablePrivacyMode" + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable sections in "Windows Security" + docs: |- + This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in + Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + + "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display + in a restricted mode [1]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + children: + - + name: Disable "Virus and threat protection" section in "Windows Security" + docs: |- + - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) + - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Ransomware data recovery" section in "Windows Security" + docs: |- + [Hide the Ransomware data 
recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: HideRansomwareRecovery + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Family options" section in "Windows Security" + docs: |- + - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) + - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Device performance and health" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) + - [Hide the Device performance and health area | 
admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Account protection" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) + - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "App and browser control" section in "Windows Security" + docs: |- + - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) + - [Hide the App and browser protection area | 
admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable device security sections children: - # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only - - name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service + name: Disable "Device security" section in "Windows Security" docs: |- - https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) + - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ 
`DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: WdNisDrv # Check: (Get-Service -Name 'WdNisDrv').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - waitForDependentServicesOnStop: 'true' # Or it fails, `Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)` depends on this - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service + name: Disable "Clear TPM" button in "Windows Security" docs: |- - - https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Boot | - | Windows 11 (≥ 23H2) | 🟢 Running | Boot | + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) + - [Disable the Clear TPM button | 
admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableClearTpmButton + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Secure boot" button in "Windows Security" + docs: |- + [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideSecureBoot + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" + docs: |- + [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideTPMTroubleshooting + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "TPM Firmware Update" recommendation in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) + - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableTpmFirmwareUpdateWarning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender notifications + children: + - + category: Disable Windows Security notifications + docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications + children: + - + name: Disable all Defender notifications + docs: + - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller + function: SetRegistryValue 
parameters: - serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual - # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles + function: SetRegistryValue parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "Microsoft Defender Antivirus Boot Driver" service - docs: |- - https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | + name: Disable non-critical Defender notifications + docs: + - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: 
Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller + function: SetRegistryValue parameters: - serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles + function: SetRegistryValue parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "Microsoft Defender Antivirus Network Inspection" service - docs: |- - - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ - - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ - - ### Overview of default service statuses - - | OS Version | 
Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above + docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ call: - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 - # function: SoftDeleteFiles - # parameters: - # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
- # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "Windows Defender Advanced Threat Protection Service" service - docs: |- - https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + name: Disable all Defender Antivirus notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress call: - - function: DisableServiceInRegistry - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: SetRegistryValue parameters: - serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - - function: SoftDeleteFiles + function: SetRegistryValue parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender 
Advanced Threat Protection\MsSense.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable "Windows Security Service" service - docs: |- - This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. - This service provides unified device protection and health information [2] [3]. + name: Disable Defender reboot notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: SuppressRebootNotification + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender Exploit Guard + docs: + - https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ + - https://learn.microsoft.com/en-us/defender-endpoint/enable-network-protection + children: + - + name: Disable prevention of users and apps from accessing dangerous websites + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + valueName: EnableNetworkProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default 
since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable controlled folder access + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess + - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access + valueName: EnableControlledFolderAccess + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "ExploitGuard MDM policy Refresh" task + docs: |- + This script disables the "ExploitGuard MDM policy Refresh" scheduled task. - It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. - Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. - By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". - The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. + Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. + It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. 
- ### Overview of default service statuses + Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. + MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. + + Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" - [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" - [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states - call: - - - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: SecurityHealthService # Check: (Get-Service -Name 
'SecurityHealthService').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + ### Overview of default task statuses + + `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: + + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" + [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" + [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" + [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" + call: + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' + taskPathPattern: \Microsoft\Windows\ExploitGuard\ + taskNamePattern: ExploitGuard MDM policy Refresh - category: Disable SmartScreen docs: |- # refactor-with-variables: • SmartScreen 
Caution
@@ -18120,6 +18103,36 @@ actions:
 parameters:
 fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe'
 grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2
+ -
+ category: Disable Defender for Endpoint
+ docs: |-
+ # TODO: Get docs from other branches its in processes or services,
+ children:
+ -
+ name: Disable "Windows Defender Advanced Threat Protection Service" service
+ docs: |-
+ https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/
+
+ ### Overview of default service statuses
+
+ | OS Version | Status | Start type |
+ | ---------- | -------| ---------- |
+ | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
+ | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
+ call:
+ -
+ function: DisableServiceInRegistry
+ # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
+ # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
+ # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
+ parameters:
+ serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType
+ defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
+ -
+ function: SoftDeleteFiles
+ parameters:
+ fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe'
+ grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
 -
 category: Disable automatic updates
 docs: |-
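Review bot: The `docs: |-` of the new `Disable Defender for Endpoint` category contains `# TODO: Get docs from other branches its in processes or services,` inside a literal block scalar, where `#` is scalar content rather than a YAML comment, so this placeholder ships as the category's user-facing description (and, since sibling `docs` values use Markdown, it would likely render as a heading). Either move the TODO to a real comment line above `docs:` or replace it with text the hunk already supports, e.g. `This category provides scripts to disable Microsoft Defender for Endpoint, formerly known as Windows Defender Advanced Threat Protection.` followed by a sentence saying that the `Sense` service and `MsSense.exe` are its endpoint detection and response sensor, so disabling them stops security telemetry and remote response for a device that is onboarded to a Defender for Endpoint tenant. The child script's status table shows `Sense` stopped with manual start-up by default on Windows 10 22H2 and Windows 11 23H2, which suggests the onboarding caveat mostly affects managed devices, but that inference should be confirmed before it is written as fact, and the `SoftDeleteFiles` step on `MsSense.exe` deserves an explicit warning since it removes the sensor binary rather than just stopping the service. The enclosing `Disable Defender` category and its own `docs` lie outside this hunk.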