diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 248f33fb..6410c579 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml 
@@ -14909,43 +14909,48 @@ actions: category: Privacy over security children: - - category: Disable Microsoft Defender + category: Disable Defender docs: |- - This category offers scripts to disable Windows security components known as *Microsoft Defender*. - Although designed to protect you, these features may compromise your privacy and decrease computer performance. + This category offers scripts to disable Windows security components related to Defender. + Defender is also referred to as **Microsoft Defender** [1] [2] [3] [4] [5] [6] [7] [8] or **Windows Defender** [3] [6] [7] [8]. + Although designed to protect you, its features may compromise your privacy and decrease computer performance. Privacy concerns include: - - Sending personal data to Microsoft for analysis [1] [2] [3]. - - The labeling of efforts to block telemetry (data collection by Microsoft) as security threats [4] [5]. - - The incorrect flagging of privacy-enhancing scripts from privacy.sexy as malicious software [6]. + - Sending personal data to Microsoft for analysis [1] [2] [9]. + This allows Microsoft to collect and potentially access your sensitive information. + - Flagging attempts to block Microsoft's telemetry (data collection) as security threats [3] [10]. + This prevents users from controlling what data Microsoft collects about them. + - Incorrectly identifying privacy-enhancing scripts from privacy.sexy as malicious software [4]. + This discourages users from using tools designed to protect their privacy. - Turning off Microsoft Defender improves your computer's speed by freeing up system resources [7]. + Turning off Defender also improves your computer's speed by freeing up system resources [5]. - However, disabling these features could result in: + However, disabling these features may result in: - - Potential program malfunctions [8], as these security features are integral to Windows [9]. 
+ - Potential program malfunctions [11], as these security features are integral to Windows [6]. - Lowered defenses against malware and other online threats. - These scripts target only the Defender features built into Windows and do not impact other Defender services available - with Microsoft 365 subscriptions [10] [11]. + These scripts are primarily designed to disable Defender features that come built into Windows. + They may also affect additional Defender products not included in the default Windows installation. + However, some Defender services available with Microsoft 365 subscriptions may remain unaffected + by these scripts [7] [8]. > **Caution**: > These scripts **may reduce your security** and **cause issues with software** relying on them. - > Consider an alternative security solutions to maintain protection. + > Consider an alternative security solution or careful security practices to maintain protection. [1]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" - [4]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" - [5]: 
https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" - [6]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" - [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" - [8]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [9]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" - [10]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" - [11]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" - # See defender status: Get-MpComputerStatus + [3]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ 
"Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" + [4]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" + [5]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" + [6]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" + [7]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [8]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" + [9]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [10]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" + [11]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command 
line - Windows Security | Microsoft Learn | learn.microsoft.com" children: - category: Disable Defender data collection 
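Review bot: The rewritten scope paragraph in the `Disable Defender` category docs is less precise than the text it replaces: `They may also affect additional Defender products not included in the default Windows installation.` and `some Defender services available with Microsoft 365 subscriptions may remain unaffected by these scripts [7] [8]` hedge in both directions without naming a product, so a reader can no longer tell from the docs what the category does and does not touch. Either name the non-default Defender products the scripts touch, or keep the earlier definite statement that Microsoft 365 Defender services are out of scope. Minor: the category is renamed from `Disable Microsoft Defender` to `Disable Defender`, which is a user-visible name; check the rest of the repository for references to the old name so they do not go stale.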
@@ -15500,375 +15505,180 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Microsoft Defender firewall + category: Disable Defender Antivirus docs: |- - This category provides scripts to disable the Microsoft Defender Firewall. + This category provides scripts to disable Defender Antivirus. - This firewall serves as a security gate for your computer. - It controls network traffic to and from a computer [1] [2] [3] [4] [5]. - It blocks all incoming traffic by default and allows outgoing traffic [1]. - It enables users to block connections [1] [3] [5] [6] [7]. - For enhanced security, users can require a VPN for all connections with IPSec rules [1] [3] [7]. - This can protect your computer from unauthorized access [1] [4] [6] [8]. - - Microsoft has renamed the firewall several times to reflect branding changes: - - 1. **Internet Connection Firewall** initially [3]. - 2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3]. - 3. **Windows Defender Firewall** starting with Windows 10 build 1709 (September 2017) [4] [5]. - 4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6]. - 5. **Windows Firewall** again in 2023 [9]. - - Considerations: - - - Malware or unauthorized users can bypass it if they gain direct access to the computer [10]. - - Default firewall settings often provide limited security unless properly configured [10]. - This is the case for most users. - - The firewall is enabled by default [1] [2] [4] [5]. - It still operates in the background when turned off [7]. - This can compromise privacy. - - Firewall logs detail user behavior [11]. - They fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). - This allows Microsoft to access and analyze these logs to study your behavior. 
- - Turning off this firewall may optimize system performance by reducing background tasks [7]. - It enhances privacy by preventing the collection of firewall logs [11]. - However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8]. + Defender Antivirus, integrated into Windows, provides protection against viruses, ransomware, and other + types of malware [1] [2] [3]. + + Disabling Defender Antivirus may improve system performance and privacy by stopping related data collection + However, disabling it may severely compromise your system's security if not complemented by proper security practices. + Carefully consider the trade-off before proceeding. + + **Defender Antivirus** comes with following concerns: + + - It sends files and personal data [4] to **Microsoft's Cloud Protection Service (MAPS)** + (also known as **Microsoft Active Protection Service** or **Microsoft SpyNet**) for analysis [5] [6]. + - Recent Windows versions deeply integrate Defender with mechanisms like **Early Boot Anti-Malware**, + **Tamper Protection**, making it extremely difficult to remove or uninstall [7] [8]. + This means that even if you want to stop using Defender for privacy reasons, these features make it + very difficult to do so using standard methods, keeping Microsoft's security and data collection systems + in place on your device. + - In 2020, Defender began flagging modifications to the hosts file that block Microsoft telemetry + as a security risk [8] [9]. + This prevents you from easily stopping Microsoft's data collection on your device. + - It flags privacy scripts as malicious, even though their purpose is to enhance privacy [8] [9]. + This discourages the use of tools designed to protect your personal data. + - Some reports suggest that Defender may consume significant system resources [10]. 
+ + **Defender Antivirus** evolution milestones: + + - Originally launched as **Windows AntiSpyware**, later renamed to **Windows Defender** [11]. + - Replaced **Microsoft Security Essentials** in Windows 8 [12]. + - **Windows Defender** is renamed to **Windows Defender Antivirus** in Windows 10 version 1703 [13]. + - First included in **Windows Security Center (WSC)** in the 1809 update [14]. + Later, it became part of the **Windows Security** suite [4] [5] [6]. + - Renamed to **Microsoft Defender Antivirus** in the 2004 update [15]. + However, it's still frequently referred to as Windows Defender, even by Microsoft in its current + documentation [1]. + + To check if Defender Antivirus is active, you can use the following commands in a PowerShell prompt: + + - `Get-MpComputerStatus`: Displays the current state of Defender Antivirus [18]. + - `Get-MpPreference`: Shows the current configuration settings of Defender Antivirus [19]. - > **Caution**: - > Turning off the Microsoft Defender Firewall **may reduce your security**. - > Consider an alternative security solution to maintain protection. + > **Caution:** + > Disabling antivirus protection may significantly reduce your system's security. + > Consider having alternative security measures in place and practicing safe computing habits. 
- [1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com" - [4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com" - [5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com" - [6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com" - [7]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com" - [9]: 
https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com" - [10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au" - [11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com" + [1]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [5]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + 
[6]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" + [8]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" + [9]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" + [10]: https://web.archive.org/web/20240819092823/https://www.dell.com/support/kbdoc/en-us/000128249/windows-defender-resolving-high-hard-disk-drive-and-cpu-usage-during-scans "Resolving High Hard Disk Drive and CPU Usage During Scans by Windows Defender | Dell US | www.dell.com" + [11]: https://web.archive.org/web/20051123220536/https://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx "Anti-Malware Engineering Team : What's in a name?? A lot!! Announcing Windows Defender! 
| blogs.technet.com" + [12]: https://web.archive.org/web/20200812011954/http://answers.microsoft.com/en-us/protect/forum/protect_start/windows-defender-and-microsoft-security-essentials/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd + [13]: https://web.archive.org/web/20170602091134/https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1703 "What's in Windows 10, version 1703 | Microsoft Docs | docs.microsoft.com" + [14]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" + [15]: https://web.archive.org/web/20240819092635/https://blogs.windows.com/windows-insider/2019/07/26/announcing-windows-10-insider-preview-build-18945/ "Announcing Windows 10 Insider Preview Build 18945 | Windows Insider Blog | blogs.windows.com" + [16]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" + [17]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" + [18]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" + [19]: https://web.archive.org/web/20240819105412/https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps "Get-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" children: - - - category: Disable Microsoft Defender Firewall services and drivers + - 
+ name: Disable Tamper Protection docs: |- - This section contains scripts to disable the essential services and drivers of Microsoft Defender Firewall. - - Microsoft Defender Firewall uses services and drivers to operate. - Services run background tasks, while drivers help hardware and software communicate. - - Even with the firewall disabled in settings, its services and drivers continue running [1], - potentially monitoring network traffic and consuming resources. - These scripts directly disable these components, bypassing standard Windows settings and their limitations. - - Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft. - Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components. - - However, this can pose security risks and disrupt other software. - Microsoft Defender Firewall blocks unauthorized network access to protect against malicious attacks [2]. - Disabling it can leave your system vulnerable to such threats. - Additionally, this could affect software relying on the firewall [1]. - - > **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1]. + This script disables Tamper Protection in Microsoft Defender Antivirus. 
- [1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - children: - - - name: >- - Disable "Windows Defender Firewall Authorization Driver" service - (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) - docs: |- # refactor-with-variables: Same • Firewall Service Caution - This script disables the **Windows Defender Firewall Authorization Driver** service. + Tamper Protection is a security feature that blocks unauthorized changes to key Microsoft Defender Antivirus settings [1] [2]. + These settings include real-time protection [1] [2], behavior monitoring [2], and cloud-delivered protection [1]. + By default, Tamper Protection is enabled [1]. + It is available in all editions of Windows since Windows 10, version 1903 [3]. - This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2]. + Disabling Tamper Protection may increase privacy and control over your system by allowing you to: - Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. - It also improves system performance by decreasing background resource consumption. 
+ - Change protected Microsoft Defender Antivirus settings to enhance privacy [1] [3] + - Disable Microsoft Defender Antivirus entirely [1] [3] to increase privacy + - Improve system performance by adjusting or disabling certain security features - The driver is identified by the file `mpsdrv.sys` [1] [2] [3]. - This file is a component of **Microsoft Protection Service** [3]. - This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5]. - Disabling this driver disables **Windows Defender Firewall** [1] [2]. - This action can significantly increase security risks [6]. + However, turning off Tamper Protection may reduce your system's security by: - Restart your computer after running this script to ensure all changes take effect [7]. + - Making your device more vulnerable to malware that attempts to disable security features + - Allowing potentially harmful changes to important security settings - > **Caution**: Disabling this service causes problems with software that depends on it [8] such as: - > - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11]. - > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8]. - > - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13]. - > - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15]. - > - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16]. + With Tamper Protection enabled, users can modify protected settings through the Windows Security app [1]. + Disabling Tamper Protection allows changes through scripts and third-party apps such as privacy.sexy [1]. 
- ### Overview of default service statuses + ### Technical Details - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🟢 Running | Manual | + This script modifies the following registry keys: - [1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com" - [2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com" - [3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? | www.file.net" - [4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" - [5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" - [6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" - [7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. 
· Issue #364 · undergroundwires/privacy.sexy" - [8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" - [9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? – Walker News | www.walkernews.net" - [11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" - [12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" - [13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" - [14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" - [15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" - [16]: 
https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" - [17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - call: - - - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config - parameters: - serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\mpsdrv.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - function: ShowComputerRestartSuggestion - - - name: >- - Disable "Windows Defender Firewall" service - (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) - docs: |- # refactor-with-variables: Same • Firewall Service Caution - This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]). - This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on - established security rules [1] [5] to prevent unauthorized access [3] [4]. + - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection` [4] [5] [6]. + - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource` [7] + + These keys interact with the `MpClient.dll` library within Microsoft Defender Antivirus [8]. + The script sets values to replicate changes made through the Windows Security interface [5]. - This service runs the firewall component of Windows [4]. 
- It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3]. - This file is also referred to as **Microsoft Protection Service** [6]. + Tests reveal the following values for various Windows versions: - Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services - [7] [8]. It also enforces **network isolation** in virtualized environments [7] [9]. + | Key | Opearting System | Default | After toggling ON | After toggling OFF | + | --- | ------- | ------- | -------------------- | --------------------- | + | `TamperProtection` | Windows 10 Pro (>= 22H2) | 1 | 5 [4] [6] | 4 [4] [6] [7] | + | `TamperProtection` | Windows 11 Pro (>= 23H2) | 1 | 5 [4] [5] | 4 [4] [5] | + | `TamperProtectionSource` | Windows 10 Pro (>= 22H2) | No value | No value | No value (Or 2 [7]) | + | `TamperProtectionSource` | Windows 11 Pro (>= 23H2) | 5 | 2 | 2 | - Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. - It also improves system performance by decreasing background resource consumption. - However, it may expose the system to substantial security threats [10]. - This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the - firewall service stops unexpectedly [2]. + `TamperProtectionSource` value `2` means that the tamper protection is based on signatures. + Other recorded values in various installations include `ATP` [9], `Service Init` [10], `Intune` [11], + and `E5 transition` [12]. + However, these values lack official public documentation [13]. - Restart your computer after running this script to ensure all changes take effect [11]. 
+ To check the current Tamper Protection source, use this command: - > **Caution**: Disabling this service causes problems with software that depends on it [12] such as: - > - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14]. - > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15]. - > - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17]. - > - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19]. - > - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20]. + ```batchfile + wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list | findstr "TamperProtectionSource" + ```` - ### Overview of default service statuses + Or this PowerShell command: - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + ```ps1 + Get-MpComputerStatus | Select-Object -ExpandProperty TamperProtectionSource + ``` - [1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com" - [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com" - [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" - [4]: 
https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall "Windows Firewall - Wikipedia | wikipedia.org" - [5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" - [7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? – Walker News | www.walkernews.net" - [8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft." - [9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com" - [10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" - [11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. 
· Issue #364 · undergroundwires/privacy.sexy" - [12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" - [15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" - [16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" - [17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" - [18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" - [19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | 
docs.docker.com" - [20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" - call: - - - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config - parameters: - serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType - defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\mpssvc.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - function: ShowComputerRestartSuggestion - - - name: Disable firewall via command-line utility - # ❗️ Following must be enabled and in running state: - # - mpsdrv ("Windows Defender Firewall Authorization Driver") - # - bfe (Base Filtering Engine) - # - mpssvc ("Windows Defender Firewall") - # If the dependent services are not running, the script fails with: - # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." 
- # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc - docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior + [1]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support" + [2]: https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationtamperprotection "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware "DisableAntiSpyware | Microsoft Learn" + [4]: https://web.archive.org/web/20240725101722/https://www.alteredsecurity.com/post/disabling-tamper-protection-and-other-defender-mde-components?ref=news.risky.biz "Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components | www.alteredsecurity.com" + [5]: https://web.archive.org/web/20240523053136/https://www.elevenforum.com/t/turn-on-or-off-tamper-protection-for-microsoft-defender-antivirus-in-windows-11.3973/ "Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" + [6]: https://web.archive.org/web/20240725111337/https://www.ghacks.net/2019/10/14/microsoft-enables-tamper-protection-on-windows-10-for-all-home-users/ "Microsoft enables Tamper Protection on Windows 10 for all Home users - gHacks Tech News | ghacks.net" + [7]: https://web.archive.org/web/20240725111606/https://wirediver.com/disable-windows-defender-in-powershell/ "Disable Windows Defender in powershell 
- a script to finally get rid of itWireDiver | wirediver.com" + [8]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L4520-L4521 "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" + [9]: https://web.archive.org/web/20240725111557/https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6/ "Validate Defender for Endpoint protection and additional troubleshooting | jeffreyappel.nl" + [10]: https://web.archive.org/web/20240725111814/https://blog.51sec.org/2022/03/microsoft-defender-for-endpoint.html "Microsoft Defender for Endpoint Configurations and Training Resources - NETSEC | blog.51sec.org" + [11]: https://github.com/privacysexy-forks/ClientInspectorV2/blob/main/README.md "ClientInspectorV2/README.md at main · privacysexy-forks/ClientInspectorV2 | github.com" + [12]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" + [13]: https://web.archive.org/web/20240725111550/https://247tech.co.uk/intune-disables-tamper-protection-by-default/ "Intune disables Tamper Protection by default – 247 TECH | 247tech.co.uk" call: - function: RunPowerShell - parameters: - code: |- - if(!(Get-Command 'netsh' -ErrorAction Ignore)) { - throw '"netsh" does not exist, is system installed correctly?' - } - $message=netsh advfirewall set allprofiles state off 2>&1 - if($?) { - Write-Host "Successfully disabled firewall." 
- } else { - if($message -like '*Firewall service*') { - Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' - } else { - throw "Cannot disable: $message" - } - } - revertCode: |- - if(!(Get-Command 'netsh' -ErrorAction Ignore)) { - throw '"netsh" does not exist, is system installed correctly?' - } - $message=netsh advfirewall set allprofiles state on 2>&1 - if($?) { - Write-Host "Successfully enabled firewall." - } else { - if($message -like '*Firewall service*') { - Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' - } else { - throw "Cannot enable: $message" - } - } - - - name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning - docs: - - https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - valueName: EnableFirewall - 
dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: ✅ Windows 10 Pro (20H2) | ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2) parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile - valueName: EnableFirewall + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features + valueName: "TamperProtection" dataType: REG_DWORD - data: "0" + data: "4" dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - function: SetRegistryValue + function: SetRegistryValueAsTrustedInstaller + # Without 
TrustedInstaller: ✅ Windows 10 Pro (>= 20H2) | ✅ Windows 11 Pro (>= 23H2) parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile - valueName: EnableFirewall + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features + valueName: "TamperProtectionSource" dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + data: "2" + dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) - - name: Disable "Firewall & network protection" section in "Windows Security" - docs: |- - This script hides the "Firewall & network protection" section in the "Windows Security" interface. Previously, this interface was - called "Windows Defender Security Center" [1]. - - The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status - of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see - this section in the "Windows Security" interface [3]. - - This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown" registry - key to hide the Firewall and network protection area [3]. 
- - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" - [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" + name: Disable outdated Defender Antivirus # Deprecated since Windows 10 version 1903 + docs: + - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender call: function: SetRegistryValue parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection - valueName: UILockdown + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender + valueName: DisableAntiSpyware dataType: REG_DWORD data: "1" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 - docs: - - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender - valueName: DisableAntiSpyware - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender features - # Status: Get-MpPreference - children: - - name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default + name: Disable Potentially Unwanted Application (PUA) protection # Already disabled as default docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide 
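Review bot: The revert comment on the new `TamperProtectionSource` call contradicts the table added in this same hunk. The table lists the Windows 11 Pro (>= 23H2) default as `5` and the Windows 10 Pro (>= 22H2) default as "No value", yet the call reads `dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)`. One of the two is wrong; if the table is right, the comment should say `5`, and on Windows 10 a revert will create a value that did not exist before, which deserves either a platform check in the call or a sentence in the docs. Separately, this hunk deletes the `mpsdrv` driver script and the four firewall scripts (`Disable "Windows Defender Firewall" service`, `Disable firewall via command-line utility`, `Disable Firewall via registry`, `Disable "Firewall & network protection" section in "Windows Security"`) without re-adding them anywhere visible in the diff; please confirm in the PR description that they are relocated rather than dropped, and consider splitting the `Disable Microsoft Defender` to `Disable Defender` rename from the block moves so each move can be reviewed as a pure relocation.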
@@ -15901,98 +15711,6 @@ actions: dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Tamper Protection - docs: |- - This script disables Tamper Protection in Microsoft Defender Antivirus. - - Tamper Protection is a security feature that blocks unauthorized changes to key Microsoft Defender Antivirus settings [1] [2]. - These settings include real-time protection [1] [2], behavior monitoring [2], and cloud-delivered protection [1]. - By default, Tamper Protection is enabled [1]. - It is available in all editions of Windows since Windows 10, version 1903 [3]. - - Disabling Tamper Protection may increase privacy and control over your system by allowing you to: - - - Change protected Microsoft Defender Antivirus settings to enhance privacy [1] [3] - - Disable Microsoft Defender Antivirus entirely [1] [3] to increase privacy - - Improve system performance by adjusting or disabling certain security features - - However, turning off Tamper Protection may reduce your system's security by: - - - Making your device more vulnerable to malware that attempts to disable security features - - Allowing potentially harmful changes to important security settings - - With Tamper Protection enabled, users can modify protected settings through the Windows Security app [1]. - Disabling Tamper Protection allows changes through scripts and third-party apps such as privacy.sexy [1]. - - ### Technical Details - - This script modifies the following registry keys: - - - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection` [4] [5] [6]. - - `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource` [7] - - These keys interact with the `MpClient.dll` library within Microsoft Defender Antivirus [8]. - The script sets values to replicate changes made through the Windows Security interface [5]. 
- - Tests reveal the following values for various Windows versions: - - | Key | Opearting System | Default | After toggling ON | After toggling OFF | - | --- | ------- | ------- | -------------------- | --------------------- | - | `TamperProtection` | Windows 10 Pro (>= 22H2) | 1 | 5 [4] [6] | 4 [4] [6] [7] | - | `TamperProtection` | Windows 11 Pro (>= 23H2) | 1 | 5 [4] [5] | 4 [4] [5] | - | `TamperProtectionSource` | Windows 10 Pro (>= 22H2) | No value | No value | No value (Or 2 [7]) | - | `TamperProtectionSource` | Windows 11 Pro (>= 23H2) | 5 | 2 | 2 | - - `TamperProtectionSource` value `2` means that the tamper protection is based on signatures. - Other recorded values in various installations include `ATP` [9], `Service Init` [10], `Intune` [11], - and `E5 transition` [12]. - However, these values lack official public documentation [13]. - - To check the current Tamper Protection source, use this command: - - ```batchfile - wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list | findstr "TamperProtectionSource" - ```` - - Or this PowerShell command: - - ```ps1 - Get-MpComputerStatus | Select-Object -ExpandProperty TamperProtectionSource - ``` - - [1]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support" - [2]: https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationtamperprotection "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware "DisableAntiSpyware | Microsoft Learn" - [4]: 
https://web.archive.org/web/20240725101722/https://www.alteredsecurity.com/post/disabling-tamper-protection-and-other-defender-mde-components?ref=news.risky.biz "Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components | www.alteredsecurity.com" - [5]: https://web.archive.org/web/20240523053136/https://www.elevenforum.com/t/turn-on-or-off-tamper-protection-for-microsoft-defender-antivirus-in-windows-11.3973/ "Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" - [6]: https://web.archive.org/web/20240725111337/https://www.ghacks.net/2019/10/14/microsoft-enables-tamper-protection-on-windows-10-for-all-home-users/ "Microsoft enables Tamper Protection on Windows 10 for all Home users - gHacks Tech News | ghacks.net" - [7]: https://web.archive.org/web/20240725111606/https://wirediver.com/disable-windows-defender-in-powershell/ "Disable Windows Defender in powershell - a script to finally get rid of itWireDiver | wirediver.com" - [8]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L4520-L4521 "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com" - [9]: https://web.archive.org/web/20240725111557/https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6/ "Validate Defender for Endpoint protection and additional troubleshooting | jeffreyappel.nl" - [10]: https://web.archive.org/web/20240725111814/https://blog.51sec.org/2022/03/microsoft-defender-for-endpoint.html "Microsoft Defender for Endpoint Configurations and Training Resources - NETSEC | 
blog.51sec.org" - [11]: https://github.com/privacysexy-forks/ClientInspectorV2/blob/main/README.md "ClientInspectorV2/README.md at main · privacysexy-forks/ClientInspectorV2 | github.com" - [12]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" - [13]: https://web.archive.org/web/20240725111550/https://247tech.co.uk/intune-disables-tamper-protection-by-default/ "Intune disables Tamper Protection by default – 247 TECH | 247tech.co.uk" - call: - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ✅ Windows 10 Pro (20H2) | ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features - valueName: "TamperProtection" - dataType: REG_DWORD - data: "4" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ✅ Windows 10 Pro (>= 20H2) | ✅ Windows 11 Pro (>= 23H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features - valueName: "TamperProtectionSource" - dataType: REG_DWORD - data: "2" - dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) - name: Disable file hash computation feature # Added in Windows 10, version 2004 docs: 
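Review bot: Since this hunk removes the Tamper Protection block that the hunk at `-14909` re-inserts verbatim, the move carries over two defects that should be fixed while the text is being touched: the table header `| Key | Opearting System | Default | After toggling ON | After toggling OFF |` misspells "Operating", and the `batchfile` code block is opened with three backticks but closed with four, which still renders but is inconsistent with the `ps1` block right below it. The two `SetRegistryValueAsTrustedInstaller` comments also write version bounds two different ways, `(≥ 22H2)` on the `TamperProtection` call and `(>= 20H2)` on the `TamperProtectionSource` call; pick one form for both.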
@@ -16007,34 +15725,6 @@ actions: dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable "Windows Defender Exploit Guard" - docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ - children: - - - name: Disable prevention of users and apps from accessing dangerous websites - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - valueName: EnableNetworkProtection - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable controlled folder access - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access - valueName: EnableControlledFolderAccess - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable network inspection system features children: 
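Review bot: This hunk drops the whole `Disable "Windows Defender Exploit Guard"` category (network protection and controlled folder access) and nothing in the visible diff re-adds it; the PR should state whether the category is intentionally removed or relocated. If it is relocated, note that the removed `Disable prevention of users and apps from accessing dangerous websites` script writes `data: "1"` to the `EnableNetworkProtection` value, which on its face turns the policy on rather than off; worth verifying against the linked admx page before the script reappears elsewhere.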
@@ -16547,7 +16237,7 @@ actions: # parameters: # fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b' - - name: Disable auto-exclusions + name: Disable Defender auto-exclusions docs: - https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 @@ -17322,10 +17012,10 @@ actions: # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - - category: Disable Microsoft Defender reporting + category: Disable Defender reporting children: - - name: Disable Microsoft Defender logging + name: Disable Defender logging call: - function: SetRegistryValue @@ -17344,7 +17034,7 @@ actions: data: "0" dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - name: Disable Microsoft Defender ETW provider (Windows Event Logs) + name: Disable Defender ETW provider (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide 
@@ -17379,7 +17069,7 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable auditing events in Microsoft Defender Application Guard + name: Disable auditing events in Defender Application Guard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview 
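Review bot: `Microsoft Defender Application Guard` is the component's own name (the docs link kept in this hunk still reads `microsoft-defender-application-guard`), so shortening the script name to `Disable auditing events in Defender Application Guard` loses the official product name. Consider keeping the full name for this one script even if the rest of the `Microsoft Defender` to `Defender` rename goes ahead, or add a short note in the docs that Defender here refers to Microsoft Defender Application Guard.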
@@ -17392,643 +17082,158 @@ actions: data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Defender user interface + category: Disable Defender scheduled tasks children: - - name: Remove "Windows Security" system tray icon - docs: |- - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray - valueName: HideSystray - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Remove "Scan with Microsoft Defender" from context menu + name: Disable "Windows Defender Cache Maintenance" task docs: |- - This script removes the **Scan with Microsoft Defender** option from the right-click context menu. - - This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. - Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. + This script disables the "Windows Defender Cache Maintenance" scheduled task. - Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. + The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1]. + It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1]. + The `MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2]. - > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. 
+ Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3] + Disabling this task prevents the system from automatically clearing the Defender cache [3]. - ### Technical Details + This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action. + Disabling this task is reported to optimize system boot speed [4] but it could potentially lead to increased storage use by temporary files. - The script functions by altering specific registry keys that correspond to the Defender context menu option. - It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. - The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. + ### Overview of default task statuses - The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. - This feature is provided by `shellext.dll` file located in Defender's program files [1]. + `\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`: - [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? 
(MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" - [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com' + [2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com" call: - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' - # Windows 10 (≥ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - # Windows 11 (≥ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: ThreadingModel - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' - # Windows 10 (≥ 22H2) : Apartment (REG_SZ) - # Windows 11 (≥ 23H2) : Apartment (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: 'Apartment' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - 
# Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Cache Maintenance - - name: Remove "Windows Security" icon from taskbar + name: Disable "Windows Defender Cleanup" task docs: |- - This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 - and was originally named "Windows Defender Security Center" [1]. + This script disables the "Windows Defender Cleanup" scheduled task. - The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. + This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1]. + The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3]. + This task executes the following command: + `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3]. - The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 - and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. 
+ ### Overview of default task statuses - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" - [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + `\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`: + + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com' + [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" call: - function: DeleteRegistryValue + function: DisableScheduledTask parameters: - keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' - valueName: SecurityHealth - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' - # Windows 10 (≥ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - # Windows 11 (≥ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - dataTypeOnRevert: REG_EXPAND_SZ - dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cleanup' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Cleanup - - name: Disable Microsoft Defender Antimalware (AM) user interface + name: Disable "Windows Defender Scheduled Scan" task docs: |- - This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially - preventing user interactions with the Microsoft Defender Antivirus interface. + This script disables the "Windows Defender Scheduled Scan" scheduled task. - Several reasons to hide the antivirus interface: + This scheduled task is responsible for performing automatic regular scans [1] [2]. 
+ By disabling this task, users can control the scheduling and frequency of antivirus scans, according to their needs, thus balancing + security with system resource management [1] [2]. + + The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4]. + It executes the following command: + `C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4]. - 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing - its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more - in control of their data when they aren't constantly reminded of a running security service. - 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. - Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share - more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. - 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender - Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to - a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently - triggering options that might share data. - 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface - but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that - access has been restricted by the system administrator [2]. + ### Overview of default task statuses - The script achieves this by making a specific change in the Windows Registry. 
Specifically, it adds a value named "UILockdown" in the - `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. + `\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan`: - [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" - [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com' call: - function: SetRegistryValue + function: DisableScheduledTask parameters: - keyPath: 
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Scheduled Scan' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Scheduled Scan - - name: Disable non-administrator access to threat history + name: Disable "Windows Defender Verification" task docs: |- - This script disables privacy mode for Defender scans, limiting threat history access to administrators. - - By default, privacy mode is enabled [1]. - When active, it restricts the display of spyware and potentially dangerous programs to administrators only, - instead of all users on the computer [2]. - It blocks non-administrators from viewing threat history [1]. + This script disables the "Windows Defender Verification" scheduled task. - This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. - It has no impact on current platforms [1]. + This task checks for issues with Defender, such as update problems or system file errors [1]. + It is also linked to the creation of daily system restore points [2]. + Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources. + It improves privacy by reducing the system state data stored on the device. - Limiting threat history to administrators has both benefits and drawbacks. - It improves security and privacy by limiting access to sensitive threat information. - However, it may reduce transparency and hinder security efforts for users without admin access who need this data. + The task is known as "Periodic verification task" in the Task Scheduler [3] [4]. 
+ It executes the following command: + `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4]. - The script configures: + ### Overview of default task statuses - 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. - It sets the value to `$True`, effectively disabling privacy mode [1]. + `\Microsoft\Windows\Windows Defender\Windows Defender Verification`: - 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. - This undocumented registry key has been verified to work on older Windows versions by the community [2]. + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | - [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" - [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" + [1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" + [2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com" + [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" + [4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com' call: - - - function: SetMpPreference - parameters: - property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode - value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True - default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: "DisablePrivacyMode" - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Verification' + taskPathPattern: \Microsoft\Windows\Windows Defender\ + taskNamePattern: Windows Defender Verification + - + category: Disable Defender services and drivers + # Windows Defender services are protected, requiring escalated methods to disable them: + # 1. 
Try `DisableService` first, as this is the standard method recommended for disabling services. + # 2. Try `DisableServiceInRegistry` if the first attempt fails due to access errors. + # 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort. + children: - - category: Disable sections in "Windows Security" + name: Disable "Microsoft Defender Antivirus Service" + # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender + # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: + # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` + # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` docs: |- - This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in - Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ - "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display - in a restricted mode [1]. 
+ ### Overview of default service statuses - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - children: - - - name: Disable "Virus and threat protection" section in "Windows Security" - docs: |- - - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Ransomware data recovery" section in "Windows Security" - docs: |- - [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: HideRansomwareRecovery - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Family options" section in "Windows Security" - docs: |- - 
- [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Device performance and health" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Account protection" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "App and browser control" section in "Windows Security" - docs: |- - - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable device security sections - children: - - - name: Disable "Device security" section in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Clear TPM" button in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableClearTpmButton - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Secure boot" button in "Windows Security" - docs: |- - [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) - call: - function: SetRegistryValue - parameters: - keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideSecureBoot - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" - docs: |- - [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideTPMTroubleshooting - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "TPM Firmware Update" recommendation in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableTpmFirmwareUpdateWarning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender notifications - children: - - - category: Disable Windows 
Security notifications - docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications - children: - - - name: Disable all Defender notifications - docs: - - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable non-critical Defender notifications - docs: - - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # 
Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above - docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ - call: - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance - valueName: Enabled - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable all Defender Antivirus notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress - call: - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - 
data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Defender reboot notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: SuppressRebootNotification - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable OS components for Defender # Hackers way of disabling Defender - children: - - - category: Disable Defender scheduled tasks - children: - - - name: Disable "ExploitGuard MDM policy Refresh" task - docs: |- - This script disables the "ExploitGuard MDM policy Refresh" scheduled task. - - The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". - - Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. - It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. - - Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. - MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. - - Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. - - Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. 
- - ### Overview of default task statuses - - `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" - [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" - [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" - [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' - taskPathPattern: \Microsoft\Windows\ExploitGuard\ - taskNamePattern: ExploitGuard MDM policy Refresh - - - name: Disable "Windows Defender Cache Maintenance" task - docs: |- - This script disables the "Windows Defender Cache Maintenance" scheduled task. - - The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1]. - It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1]. 
- The `MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2]. - - Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3] - Disabling this task prevents the system from automatically clearing the Defender cache [3]. - - This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action. - Disabling this task is reported to optimize system boot speed [4] but it could potentially lead to increased storage use by temporary files. - - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com' - [2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" - [4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - taskNamePattern: Windows Defender Cache Maintenance - - - name: Disable "Windows Defender Cleanup" task - docs: |- - This script disables the "Windows Defender Cleanup" scheduled task. - - This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1]. - The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3]. - This task executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3]. - - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" - [2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com' - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cleanup' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - taskNamePattern: Windows Defender Cleanup - - - name: Disable "Windows Defender Scheduled Scan" task - docs: |- - This script disables the "Windows Defender Scheduled Scan" scheduled task. - - This scheduled task is responsible for performing automatic regular scans [1] [2]. - By disabling this task, users can control the scheduling and frequency of antivirus scans, according to their needs, thus balancing - security with system resource management [1] [2]. - - The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4]. - It executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4]. 
- - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com" - [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - [4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com' - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Scheduled Scan' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - taskNamePattern: Windows Defender Scheduled Scan - - - name: Disable "Windows Defender Verification" task - docs: |- - This script disables the "Windows Defender Verification" scheduled task. - - This task checks for issues with Defender, such as update problems or system file errors [1]. - It is also linked to the creation of daily system restore points [2]. 
- Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources. - It improves privacy by reducing the system state data stored on the device. - - The task is known as "Periodic verification task" in the Task Scheduler [3] [4]. - It executes the following command: - `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4]. - - ### Overview of default task statuses - - `\Microsoft\Windows\Windows Defender\Windows Defender Verification`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com" - [2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com" - [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" - [4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com' - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Verification' - taskPathPattern: \Microsoft\Windows\Windows Defender\ - 
taskNamePattern: Windows Defender Verification - - - category: Disable Defender services and drivers - # Windows Defender services are protected, requiring escalated methods to disable them: - # 1. Try `DisableService` first, as this is the standard method recommended for disabling services. - # 2. Try `DisableServiceInRegistry` if the first attempt fails due to access errors. - # 3. Try `DisableServiceInRegistryAsTrustedInstaller` as last effort. - children: - - - name: Disable "Microsoft Defender Antivirus Service" - # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender - # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: - # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` - # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` - docs: |- - https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/ - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | - call: + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + call: - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` 
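Review bot: the `docs` link for "Disable all Defender notifications" points at `policy-csp-windowsdefendersecuritycenter#disableenhancednotifications` although the value the script writes is `DisableNotifications`; the next entry, "Disable non-critical Defender notifications", uses that same anchor for `DisableEnhancedNotifications`, which is the policy it actually describes. If these notification, page-hiding and scheduled-task blocks are being moved rather than dropped (the following hunk re-adds the service entries), point the first link at the `DisableNotifications` policy entry at the new location instead of carrying the mismatch over. Two smaller things at the end of this hunk: the WinDefend "Overview of default service statuses" table is deleted and re-added verbatim (`| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |`), so this part is an indentation-only change that is easier to review with whitespace ignored; and that table says "Windows 11 (≥ 23H2)" while the test annotations directly beneath it (`# Windows 11 (22H2): ❌ DisableService | ❌ DisableServiceInRegistry | ✅ DisableServiceInRegistryAsTrustedInstaller`) record results for 22H2, so either the table's version floor or the annotation should be changed so both state the build that was actually verified.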
@@ -18078,140 +17283,491 @@ actions: - https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/ - ### Overview of default service statuses + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Boot | + | Windows 11 (≥ 23H2) | 🟢 Running | Boot | + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. 
+ - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Boot Driver" service + docs: |- + https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | + call: + # Excluding: + # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 + - + # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType + defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + name: Disable "Microsoft Defender Antivirus Network Inspection" service + docs: |- + - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ + - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + - + # Windows 10 (22H2): ❌ 
`DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 + # function: SoftDeleteFiles + # parameters: + # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... + # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender Firewall + docs: |- + This category provides scripts to disable the Defender Firewall. + + This firewall serves as a security gate for your computer. + It controls network traffic to and from a computer [1] [2] [3] [4] [5]. + It blocks all incoming traffic by default and allows outgoing traffic [1]. + It enables users to block connections [1] [3] [5] [6] [7]. + For enhanced security, users can require a VPN for all connections with IPSec rules [1] [3] [7]. + This can protect your computer from unauthorized access [1] [4] [6] [8]. + + Microsoft has renamed the firewall several times to reflect branding changes: + + 1. **Internet Connection Firewall** initially [3]. + 2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3]. + 3. **Windows Defender Firewall** starting with Windows 10 build 1709 (September 2017) [4] [5]. + 4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6]. + 5. **Windows Firewall** again in 2023 [9]. 
+ + Considerations: + + - Malware or unauthorized users can bypass it if they gain direct access to the computer [10]. + - Default firewall settings often provide limited security unless properly configured [10]. + This is the case for most users. + - The firewall is enabled by default [1] [2] [4] [5]. + It still operates in the background when turned off [7]. + This can compromise privacy. + - Firewall logs detail user behavior [11]. + They fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). + This allows Microsoft to access and analyze these logs to study your behavior. + + Turning off this firewall may optimize system performance by reducing background tasks [7]. + It enhances privacy by preventing the collection of firewall logs [11]. + However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8]. + + > **Caution**: + > Turning off the Defender Firewall **may reduce your security**. + > Consider an alternative security solution to maintain protection. 
+ + [1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com" + [4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com" + [5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com" + [6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com" + [7]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com" + [9]: 
https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au" + [11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com" + children: + - + category: Disable Defender Firewall services and drivers + docs: |- + This section contains scripts to disable the essential services and drivers of Defender Firewall. + + Defender Firewall uses services and drivers to operate. + Services run background tasks, while drivers help hardware and software communicate. + + Even with the firewall disabled in settings, its services and drivers continue running [1], + potentially monitoring network traffic and consuming resources. + These scripts directly disable these components, bypassing standard Windows settings and their limitations. + + Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft. + Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components. + + However, this can pose security risks and disrupt other software. + Defender Firewall blocks unauthorized network access to protect against malicious attacks [2]. + Disabling it can leave your system vulnerable to such threats. + Additionally, this could affect software relying on the firewall [1]. 
+ + > **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1]. + + [1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + children: + - + name: >- + Disable "Windows Defender Firewall Authorization Driver" service + (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) + docs: |- # refactor-with-variables: Same • Firewall Service Caution + This script disables the **Windows Defender Firewall Authorization Driver** service. + + This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2]. + + Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. + It also improves system performance by decreasing background resource consumption. + + The driver is identified by the file `mpsdrv.sys` [1] [2] [3]. + This file is a component of **Microsoft Protection Service** [3]. + This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5]. + Disabling this driver disables **Windows Defender Firewall** [1] [2]. + This action can significantly increase security risks [6]. + + Restart your computer after running this script to ensure all changes take effect [7]. 
+ + > **Caution**: Disabling this service causes problems with software that depends on it [8] such as: + > - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11]. + > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8]. + > - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13]. + > - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15]. + > - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16]. + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🟢 Running | Manual | + + [1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com" + [2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com" + [3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? 
| www.file.net" + [4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" + [6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" + [7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy" + [8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? 
– Walker News | www.walkernews.net" + [11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" + [12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" + [13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" + [14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" + [15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" + [16]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" + [17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + call: + - + function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config + parameters: + serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: 
'%SYSTEMROOT%\System32\drivers\mpsdrv.sys' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: ShowComputerRestartSuggestion + - + name: >- + Disable "Windows Defender Firewall" service + (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) + docs: |- # refactor-with-variables: Same • Firewall Service Caution + This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]). + This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on + established security rules [1] [5] to prevent unauthorized access [3] [4]. + + This service runs the firewall component of Windows [4]. + It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3]. + This file is also referred to as **Microsoft Protection Service** [6]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Boot | - | Windows 11 (≥ 23H2) | 🟢 Running | Boot | - call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual - # notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2. 
- - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Microsoft Defender Antivirus Boot Driver" service - docs: |- - https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/ + Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services + [7] [8]. It also enforces **network isolation** in virtualized environments [7] [9]. - ### Overview of default service statuses + Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. + It also improves system performance by decreasing background resource consumption. + However, it may expose the system to substantial security threats [10]. + This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the + firewall service stops unexpectedly [2]. 
- | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Boot | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Boot | - call: - # Excluding: - # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType - defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Microsoft Defender Antivirus Network Inspection" service - docs: |- - - https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/ - - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ + Restart your computer after running this script to ensure all changes take effect [11]. + + > **Caution**: Disabling this service causes problems with software that depends on it [12] such as: + > - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14]. + > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15]. + > - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17]. + > - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19]. 
+ > - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20]. ### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + + [1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com" + [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com" + [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" + [4]: https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall "Windows Firewall - Wikipedia | wikipedia.org" + [5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? 
– Walker News | www.walkernews.net" + [8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft." + [9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" + [11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy" + [12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" + [15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context 
- Windows Server | Microsoft Learn | learn.microsoft.com" + [16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" + [17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" + [18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" + [19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" + [20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" call: - - # Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller + function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: - serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 - # function: SoftDeleteFiles - # parameters: - # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows 
Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType + defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\mpssvc.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: ShowComputerRestartSuggestion + - + name: Disable firewall via command-line utility + # ❗️ Following must be enabled and in running state: + # - mpsdrv ("Windows Defender Firewall Authorization Driver") + # - bfe (Base Filtering Engine) + # - mpssvc ("Windows Defender Firewall") + # If the dependent services are not running, the script fails with: + # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." + # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc + docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior + call: + function: RunPowerShell + parameters: + code: |- + if(!(Get-Command 'netsh' -ErrorAction Ignore)) { + throw '"netsh" does not exist, is system installed correctly?' + } + $message=netsh advfirewall set allprofiles state off 2>&1 + if($?) { + Write-Host "Successfully disabled firewall." + } else { + if($message -like '*Firewall service*') { + Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' + } else { + throw "Cannot disable: $message" + } + } + revertCode: |- + if(!(Get-Command 'netsh' -ErrorAction Ignore)) { + throw '"netsh" does not exist, is system installed correctly?' 
+ } + $message=netsh advfirewall set allprofiles state on 2>&1 + if($?) { + Write-Host "Successfully enabled firewall." + } else { + if($message -like '*Firewall service*') { + Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' + } else { + throw "Cannot enable: $message" + } + } + - + name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning + docs: + - https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 + call: - - name: Disable "Windows Defender Advanced Threat Protection Service" service - docs: |- - https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Firewall & network protection" section in "Windows Security" + docs: |- + This script hides the "Firewall & network protection" section in the "Windows Security" interface. 
Previously, this interface was + called "Windows Defender Security Center" [1]. + + The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status + of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see + this section in the "Windows Security" interface [3]. + + This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown" registry + key to hide the Firewall and network protection area [3]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection + valueName: UILockdown + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender for Endpoint + docs: |- + This category provides scripts to disable Defender for Endpoint, a security platform that impacts + user privacy. 
- ### Overview of default service statuses + Defender for Endpoint is officially known as **Microsoft Defender for Endpoint** [1] [2] [3]. + It was previously called **Microsoft Defender Advanced Threat Protection (ATP)** [1] [4]. + It is designed to protect enterprise networks from advanced threats [1] [3]. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | - call: - - - function: DisableServiceInRegistry - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - parameters: - serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Windows Security Service" service - docs: |- - This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. - This service provides unified device protection and health information [2] [3]. + An **advanced threat**, also known as an **Advanced Persistent Threat (APT)**, is a type of cyber + attack that uses continuous, covert, and sophisticated methods to gain and maintain unauthorized + access to a system for an extended period [5]. + These attacks usually target high-value entities such as nation states and large corporations [5]. 
- It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. - Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. - By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + Although designed for security, this service raises significant privacy concerns. + Microsoft collects and stores device details, including information about files, processes, + system configurations, and network connections [2]. - The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. + Some components of Defender for Endpoint are included by default in consumer versions of Windows [4], + potentially exposing personal user data. - ### Overview of default service statuses + Disabling this service can enhance privacy by limiting data collection and sharing with Microsoft. + It may also improve system performance by reducing background processes and resource usage. + However, disabling this service may reduce your device's security against advanced threats. - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + > **Caution:** + > Disabling this service may reduce your device's security. + > Consider alternative protection methods and practice enhanced security awareness. 
+ + [1]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [2]: https://web.archive.org/web/20240821073232/https://learn.microsoft.com/en-us/defender-endpoint/data-storage-privacy "Microsoft Defender for Endpoint data storage and privacy - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240821073223/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint "Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240609160137/https://batcmd.com/windows/11/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 11 Service - batcmd.com | batcmd.com" + [5]: https://web.archive.org/web/20240821074532/https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats "What Is an Advanced Persistent Threat (APT)? 
| www.kaspersky.com" + children: + - + name: Disable "Windows Defender Advanced Threat Protection Service" service + docs: |- + https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" - [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" - [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states - call: - - - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller - parameters: - serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 
Stopped | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + - + function: DisableServiceInRegistry + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + parameters: + serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - category: Disable SmartScreen docs: |- # refactor-with-variables: • SmartScreen Caution 
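Review bot: the `$message -like '*Firewall service*'` check in both `code` and `revertCode` of "Disable firewall via command-line utility" cannot match the error it is meant to catch: the comment above the script quotes the message as `contact the "Windows Defender Firewall" service.`, where a closing double quote sits between `Firewall` and `service`, so the `-like` test is false and the script falls through to `throw "Cannot disable: $message"` instead of printing the intended warning; a looser pattern such as `'*Firewall*service*'`, or matching on `attempting to contact`, would work. The same script decides success with `$?` immediately after the native `netsh` call under `2>&1`; testing `$LASTEXITCODE -ne 0` is the more reliable way to read a native command's exit status. In the docs of "Disable \"Windows Defender Firewall\" service", describing `%WINDIR%\System32\MPSSVC.dll` as a "driver" is inaccurate: it is the service DLL that svchost loads for `MpsSvc`, while the driver is `mpsdrv.sys`, which the preceding script handles; "hosts the `MPSSVC.dll` service module" would be precise. In the "Firewall & network protection" docs, the registry path opens with a backtick but closes with a double quote (`Firewall and network protection!UILockdown"`), and the `Sense` script's `docs` is still a bare archive URL rather than the cited prose its sibling scripts received in this change.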
@@ -18943,301 +18499,969 @@ actions: The script modifies the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\2301` registry key [1] [2] [3]. Each zone in the registry represents a different security level [1]: - | Security Zone | Meaning | - |---------------|-------------------------| - | `0` | My Computer | - | `1` | Local Intranet Zone | - | `2` | Trusted Sites Zone | - | `3` | Internet Zone | - | `4` | Restricted Sites Zone | + | Security Zone | Meaning | + |---------------|-------------------------| + | `0` | My Computer | + | `1` | Local Intranet Zone | + | `2` | Trusted Sites Zone | + | `3` | Internet Zone | + | `4` | Restricted Sites Zone | + + Disabling SmartScreen is achieved by setting the value of `2301` to `3` [2]. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://web.archive.org/web/20240709095151/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries "IE security zones registry entries for advanced users - Browsers | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help" + [3]: https://web.archive.org/web/20240709102226/https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-06-08/finding/V-64719 "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. 
| www.stigviewer.com" + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 + valueName: '2301' + dataType: REG_DWORD + data: '3' # 0: Enable | 3: Disable + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable outdated Internet Explorer SmartScreen Filter component + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file. + + The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1]. 
+ It is mainly used by Internet Explorer [2]. + + Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3], + some systems may still have this component. + + Benefits: + + - **Privacy improvement**: + By disabling the SmartScreen functionality that monitors user behavior, + this script enhances your privacy. + - **Security enhancement**: + It reduces the attack surface by removing unused components, aligning with + security best practices. + - **System performance**: + It may improve system performance by removing unnecessary components. + + Trade-offs: + + - **Reduced security**: + The absence of SmartScreen may decrease protection against malware and phishing. + - **Browser Functionality**: + If Internet Explorer is still in use, disabling the SmartScreen filter + may lead to errors, particularly with security features like phishing protection. + - **System stability**: + Internet Explorer components are integrated into Windows. + Some Windows features and third-party applications may depend on these components. + Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend + on it, even if Internet Explorer is not actively used. + + File locations: + + | File path | Windows 11 (23H2) | Windows 10 (22H2) | + |-----------|-----------------------------|-----------------------------| + | `%WINDIR%\System32\ieapfltr.dll` [4] | ❌ Missing | ❌ Missing | + | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | ✅ Yes | ✅ Exists | + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" + call: + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\ieapfltr.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + category: Disable SmartScreen system components + docs: |- + This category includes scripts that disable SmartScreen system components. + + SmartScreen is a security feature in Windows that helps protect your device from + potentially harmful applications, files, and websites [1]. + Its components run in the background as part of the operating system. + + Disabling these components may: + + - Improve privacy by reducing data collection used for SmartScreen functionality [2]. + - Increase system performance by eliminating background processes. 
+ - Enhance security by removing potential attack surfaces. + + However, there are risks to consider: + + - Reduced protection against malicious software and phishing attempts. + - Potential impact on Windows system integrity. + + These scripts modify core system components. + Consider your personal risk tolerance and needs before applying these changes. + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + + [1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows operating system components to Microsoft services - Windows Privacy | Microsoft Learn" + children: + - + name: Disable SmartScreen process + docs: |- # refactor-with-variables: • SmartScreen Caution + This script stops and prevents the `smartscreen.exe` from running. + + This process is officially known as *Windows Defender SmartScreen* [1] [2]. + It manages the SmartScreen functionality [3] [4]. + Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. + + Disabling SmartScreen improves your privacy because it stops outbound network connections + that transmit your data [5]. + This process runs in the background even when SmartScreen is disabled [3]. + It also improves system performance by reducing CPU usage [6]. + + However, disabling SmartScreen process can compromise your security by disabling its protective features. 
+ Additionally, if SmartScreen remains partially enabled after the process is disabled, + it may impair the functionality of Microsoft Store apps [3] [5]. + + This script will: + + - **Terminate the process**: + Stops the `smartscreen.exe` process to prevent it from running. + - **Remove the executable**: + Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. + + > **Caution**: + > - Disabling SmartScreen may reduce your protection against phishing and malware. + > - Disabling this process may prevent Microsoft Store apps from loading. + + [1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net" + [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20240709102724/https://www.howtogeek.com/320711/what-is-smartscreen-and-why-is-it-running-on-my-pc/ "What Is \"SmartScreen\" and Why Is It Running on My PC? | www.howtogeek.com" + [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... 
- Microsoft Community | answers.microsoft.com" + [6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com" + call: + - + function: TerminateAndBlockExecution + parameters: + executableNameWithExtension: smartscreen.exe + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\smartscreen.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + name: Disable SmartScreen libraries + docs: |- + This script disables essential SmartScreen libraries, limiting their functionality and preventing + their use by other programs. + + A *library* is a set of code and resources that help programs operate. + A *DLL (Dynamic Link Library)* contains code and data that multiple programs can use simultaneously. + + Disabling these libraries stops SmartScreen operations across applications. + This enhances your privacy by eliminating SmartScreen data collection. + It improves security by reducing the system's attack surface. + It may also improve system performance by freeing up system resources. + + However, turning off these libraries may lower your system's defenses against malware and phishing, + as it stops the identification and blocking of potentially unsafe content. + + This script targets and disables the following specific SmartScreen libraries critical to their operations: - Disabling SmartScreen is achieved by setting the value of `2301` to `3` [2]. + - `smartscreen.dll`: + This DLL enables core SmartScreen functionality [1]. + It manages essential SmartScreen tasks, such as performing security checks and evaluating the + safety and reputation of files, applications, and web content [2] [3]. + - `smartscreenps.dll`: + This DLL supports SmartScreen functionality [4]. 
+ It facilitates SmartScreen's critical functions, including component management, registration, and + lifecycle within a COM framework [5] [6]. - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + File locations: - [1]: https://web.archive.org/web/20240709095151/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries "IE security zones registry entries for advanced users - Browsers | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help" - [3]: https://web.archive.org/web/20240709102226/https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-06-08/finding/V-64719 "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. | www.stigviewer.com" + | File path | Windows 11 (23H2) | Windows 10 (22H2) | + |-----------|-----------------------------|-----------------------------| + | `%WINDIR%\System32\smartscreen.dll` [2] | ✅ Exists | ❌ Missing | + | `%WINDIR%\SysWOW64\smartscreen.dll` [3] | ✅ Exists | ❌ Missing | + | `%WINDIR%\System32\smartscreenps.dll` [4] [5] | ✅ Exists | ✅ Exists | + | `%WINDIR%\SysWOW64\smartscreenps.dll` [6] [7] | ✅ Exists | ✅ Exists | + + [1]: https://github.com/privacysexy-forks/10_0_22621_870/blob/8b13bab6a49d9d04990dfd78de7b39eb815dcddc/C/Windows/System32/smartscreen.exe.strings#L1090 "10_0_22621_870/C/Windows/System32/smartscreen.exe.strings at 8b13bab6a49d9d04990dfd78de7b39eb815dcddc · privacysexy-forks/10_0_22621_870 · GitHub | github.com" + [2]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreen.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreen.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · 
privacysexy-forks/10_0_22621_1028 · GitHub | github.com" + [3]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreen.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreen.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" + [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" + [5]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreenps.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreenps.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" + [6]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreenps.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreenps.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" + [7]: https://web.archive.org/web/20240715092131/https://strontic.github.io/xcyclopedia/library/smartscreenps.dll-9C77057727E91884AA2AE5D6A85F90C5.html "smartscreenps.dll | SmartScreenPS | STRONTIC | strontic.github.io" call: - - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: 
Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\System32\smartscreen.dll' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\System32\smartscreenps.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\SysWOW64\smartscreen.dll' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - function: SetRegistryValue + function: SoftDeleteFiles parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 - valueName: '2301' - dataType: REG_DWORD - data: '3' # 0: Enable | 3: Disable - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + - + name: Disable outdated SmartScreen settings interface + docs: |- # refactor-with-variables: • SmartScreen Caution + This script disables the SmartScreen settings interface in older Windows versions. 
+ + It specifically targets and soft-deletes the `SmartScreenSettings.exe` file [1] [2] [3] [4]. + Found only in older Windows versions [3] [4], including Windows 8 [3]. + Based on tests, this file does not exist in newer versions such as Windows 11 Pro (23H2) + or Windows 10 Pro (22H2) and beyond. + + The `SmartScreenSettings.exe` is a user interface component [1] [2] that displays settings + for the SmartScreen filter [3] [4]. + + Removing this component may enhance privacy by eliminating the possibility to modify + SmartScreen settings, which could otherwise be used to re-enable this monitoring feature [3] [4]. + It also optimizes system performance by removing this obsolete component. + + However, disabling this feature could reduce security by limiting your system's protection against + phishing and malware. + + It is located at the following paths: + + - `%WINDIR%\System32\SmartScreenSettings.exe` [1] [4] + - `%WINDIR%\SysWOW64\SmartScreenSettings.exe` [2] + + > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ + [1]: https://web.archive.org/web/20240714203112/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-43D69652F91822C4A0873884B829DD0A.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/save/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-6B2EA6F8937B573372304CAE5F829A4D.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" + [3]: https://web.archive.org/web/20111013123233/https://techtrickz.com/how-to/enable-or-disable-windows-8-smartscreen-feature-how-to/ "Disable Windows 8 SmartScreen Feature | techtrickz.com" + [4]: https://web.archive.org/web/20240714203245/https://www.thewindowsclub.com/windows-smartscreen-cant-reached-right-now "Windows SmartScreen can't be reached right now | www.thewindowsclub.com" + call: - - name: Disable outdated Internet Explorer SmartScreen Filter component - docs: |- # refactor-with-variables: • SmartScreen Caution - This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file. + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\SmartScreenSettings.exe' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe' + grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + - + category: Disable Windows Security interface + docs: |- + This category offers scripts to disable or modify different aspects of the **Windows Security** user interface, + formerly known as **Windows Defender Security Center**. + + **Windows Security** is a centralized interface managing various Windows security features [1] [2] [3] [4]. + It evolved from **Windows Defender**, initially a standalone antivirus with its own interface [5]. 
+ Over time, Microsoft separated the management interface from the core antivirus component [6]. + + The evolution of Windows Security: + + 1. With launch of Windows 10, Microsoft removed the separate settings window from Windows Defender, replacing + it with a dedicated page in the main Settings app [6]. + 2. Windows 10 version 1703 introduced **Windows Defender Security Center (WDSC)**, combining Windows Defender's + interface with **Windows Security and Maintenance** [7]. + 3. Version 1803 renamed the Windows Defender settings page to **Windows Security** and redesigned it to emphasize + various protection areas [3]. + 4. In version 1809, **Windows Defender Security Center** was renamed to **Windows Security (WSC)** [1] [2] [4] [8]. + + Windows Security features include: + + - **Virus & threat protection:** [1] [2]: + Manages antivirus scans and updates [1] [2]. + It includes managing **Defender Antivirus** [1] [2] [8]. + - **Account protection:** [1] [2] + Handles sign-in options and account settings, including **Windows Hello** [1] [2]. + - **Firewall & network protection:** [1] [2] + Controls firewall settings and monitors network connections [1] [2]. + **Windows Security** brand does not include the firewall component **Windows Firewall** [8]. + However, it allows viewing and managing it, including turning it on and off [9]. + - **App & browser control:** [1] [2] + Manages Microsoft Defender SmartScreen settings to protect against potentially harmful apps, files, and downloads [1]. + - **Device security:** [1] [2] + Oversees built-in security features to protect against malware attacks [1] [2]. + - **Device performance & health** [1] [2]: + Monitors device health and provides system update information [1]. + - **Family options:** [1] [2] + Allows management of family online activity and connected devices [1] [2]. 
+ + Scripts in this disables or adjust Windows Security components to: + + - Minimize data collection by limiting interactions with Microsoft's security services + - Increase user control over security settings by blocking UI access to Defender + + This allows users to decide which security features to manage or disable without interference. + However, be aware that limiting access to these settings may result in inadequate responses to + security threats, potentially making the system more vulnerable. - The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1]. - It is mainly used by Internet Explorer [2]. + > **Caution:** + > Disabling these features may prevent you from configuring and viewing Defender settings, which may reduce your + > system's security and convenience. + > Consider alternative security measures if you disable Windows Security components. + + [1]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20240819081122/https://betawiki.net/wiki/Windows_10_build_17093 "Windows 10 build 17093 - BetaWiki | betawiki.net" + [4]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20201219170833/https://www.digitalcitizen.life/windows-defender-windows-8-and-windows-7-what-s-new-and-different/ "Windows Defender 
in Windows 8 and Windows 7 - What's New & Different? | Digital Citizen | www.digitalcitizen.life" + [6]: https://web.archive.org/web/20240819080906/https://en.wikipedia.org/wiki/Microsoft_Defender_Antivirus "Microsoft Defender Antivirus - Wikipedia | en.wikipedia.org" + [7]: https://web.archive.org/web/20170803091535/https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus + [8]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [9]: https://web.archive.org/web/20240819080607/https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-xdr "Microsoft Defender XDR | Microsoft Security | www.microsoft.com" + children: + - + name: Disable "Windows Security Service" service + docs: |- + This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. + This service provides unified device protection and health information [2] [3]. - Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3], - some systems may still have this component. + It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. + Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. + By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. - Benefits: + The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. 
- - **Privacy improvement**: - By disabling the SmartScreen functionality that monitors user behavior, - this script enhances your privacy. - - **Security enhancement**: - It reduces the attack surface by removing unused components, aligning with - security best practices. - - **System performance**: - It may improve system performance by removing unnecessary components. - - Trade-offs: + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" + [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states + call: + - + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType + defaultStartupMode: Manual # Allowed values: Boot | 
System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender user interface + children: + - + name: Remove "Windows Security" system tray icon + docs: |- + https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray + valueName: HideSystray + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Remove "Scan with Defender" from context menu + docs: |- + This script removes the **Scan with Microsoft Defender** option from the right-click context menu. - - **Reduced security**: - The absence of SmartScreen may decrease protection against malware and phishing. - - **Browser Functionality**: - If Internet Explorer is still in use, disabling the SmartScreen filter - may lead to errors, particularly with security features like phishing protection. - - **System stability**: - Internet Explorer components are integrated into Windows. - Some Windows features and third-party applications may depend on these components. - Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend - on it, even if Internet Explorer is not actively used. + This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. + Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. - File locations: + Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. 
- | File path | Windows 11 (23H2) | Windows 10 (22H2) | - |-----------|-----------------------------|-----------------------------| - | `%WINDIR%\System32\ieapfltr.dll` [4] | ❌ Missing | ❌ Missing | - | `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | ✅ Yes | ✅ Exists | + > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + ### Technical Details - [1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com" - [4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io" + The script functions by altering specific registry keys that correspond to the Defender context menu option. + It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. + The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. 
+ + The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. + This feature is provided by `shellext.dll` file located in Defender's program files [1]. + + [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" + [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - - function: SoftDeleteFiles + function: DeleteRegistryValue parameters: - fileGlob: '%WINDIR%\System32\ieapfltr.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' + # Windows 10 (≥ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) + # Windows 11 (≥ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll' - - function: SoftDeleteFiles + function: DeleteRegistryValue parameters: - fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 - - - category: Disable SmartScreen system components - docs: |- - This category includes 
scripts that disable SmartScreen system components. - - SmartScreen is a security feature in Windows that helps protect your device from - potentially harmful applications, files, and websites [1]. - Its components run in the background as part of the operating system. + keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' + valueName: ThreadingModel + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' + # Windows 10 (≥ 22H2) : Apartment (REG_SZ) + # Windows 11 (≥ 23H2) : Apartment (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: 'Apartment' + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + name: Remove "Windows Security" icon from taskbar + docs: |- + This script removes the "Windows Security" icon from the system tray. 
"Windows Security" is an interface introduced in Windows 10, version 1703 + and was originally named "Windows Defender Security Center" [1]. - Disabling these components may: + The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. - - Improve privacy by reducing data collection used for SmartScreen functionality [2]. - - Increase system performance by eliminating background processes. - - Enhance security by removing potential attack surfaces. + The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 + and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. - However, there are risks to consider: + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" 
+ [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + call: + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' + valueName: SecurityHealth + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' + # Windows 10 (≥ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) + # Windows 11 (≥ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) + dataTypeOnRevert: REG_EXPAND_SZ + dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' + - + name: Disable Defender Antivirus interface + docs: |- + This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially + preventing user interactions with the Microsoft Defender Antivirus interface. - - Reduced protection against malicious software and phishing attempts. - - Potential impact on Windows system integrity. + Several reasons to hide the antivirus interface: - These scripts modify core system components. - Consider your personal risk tolerance and needs before applying these changes. + 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing + its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more + in control of their data when they aren't constantly reminded of a running security service. + 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. + Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share + more data. 
This not only keeps the user experience neat but also minimizes accidental data sharing chances. + 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender + Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to + a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently + triggering options that might share data. + 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface + but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that + access has been restricted by the system administrator [2]. - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. + The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the + `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. 
- [1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows operating system components to Microsoft services - Windows Privacy | Microsoft Learn" - children: + [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" + [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable SmartScreen process - docs: |- # refactor-with-variables: • SmartScreen Caution - This script stops and prevents the `smartscreen.exe` from running. + name: Disable non-administrator access to Defender threat history + docs: |- + This script disables privacy mode for Defender scans, limiting threat history access to administrators. - This process is officially known as *Windows Defender SmartScreen* [1] [2]. - It manages the SmartScreen functionality [3] [4]. - Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5]. + By default, privacy mode is enabled [1]. 
+ When active, it restricts the display of spyware and potentially dangerous programs to administrators only, + instead of all users on the computer [2]. + It blocks non-administrators from viewing threat history [1]. - Disabling SmartScreen improves your privacy because it stops outbound network connections - that transmit your data [5]. - This process runs in the background even when SmartScreen is disabled [3]. - It also improves system performance by reducing CPU usage [6]. + This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. + It has no impact on current platforms [1]. - However, disabling SmartScreen process can compromise your security by disabling its protective features. - Additionally, if SmartScreen remains partially enabled after the process is disabled, - it may impair the functionality of Microsoft Store apps [3] [5]. + Limiting threat history to administrators has both benefits and drawbacks. + It improves security and privacy by limiting access to sensitive threat information. + However, it may reduce transparency and hinder security efforts for users without admin access who need this data. - This script will: + The script configures: - - **Terminate the process**: - Stops the `smartscreen.exe` process to prevent it from running. - - **Remove the executable**: - Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting. + 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. + It sets the value to `$True`, effectively disabling privacy mode [1]. - > **Caution**: - > - Disabling SmartScreen may reduce your protection against phishing and malware. - > - Disabling this process may prevent Microsoft Store apps from loading. + 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. + This undocumented registry key has been verified to work on older Windows versions by the community [2]. 
- [1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net" - [2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io" - [3]: https://web.archive.org/web/20240709102724/https://www.howtogeek.com/320711/what-is-smartscreen-and-why-is-it-running-on-my-pc/ "What Is \"SmartScreen\" and Why Is It Running on My PC? | www.howtogeek.com" - [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" - [5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... 
- Microsoft Community | answers.microsoft.com" - [6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com" + [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" + [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" call: - - function: TerminateAndBlockExecution + function: SetMpPreference parameters: - executableNameWithExtension: smartscreen.exe + property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode + value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True + default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - - function: SoftDeleteFiles + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) parameters: - fileGlob: '%WINDIR%\System32\smartscreen.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: "DisablePrivacyMode" + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable sections in "Windows Security" + 
docs: |- + This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in + Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + + "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display + in a restricted mode [1]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + children: + - + name: Disable "Virus and threat protection" section in "Windows Security" + docs: |- + - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) + - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Ransomware data recovery" section in "Windows Security" + docs: |- + [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) + call: + function: 
SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: HideRansomwareRecovery + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Family options" section in "Windows Security" + docs: |- + - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) + - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Device performance and health" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) + - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health + valueName: UILockdown + dataType: 
REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Account protection" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) + - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "App and browser control" section in "Windows Security" + docs: |- + - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) + - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable device security sections + 
children: + - + name: Disable "Device security" section in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) + - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Clear TPM" button in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) + - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableClearTpmButton + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Secure boot" button in "Windows Security" + docs: |- + [Hide the Secure boot area | 
admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideSecureBoot + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" + docs: |- + [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideTPMTroubleshooting + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "TPM Firmware Update" recommendation in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) + - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: 
DisableTpmFirmwareUpdateWarning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable SmartScreen libraries - docs: |- - This script disables essential SmartScreen libraries, limiting their functionality and preventing - their use by other programs. - - A *library* is a set of code and resources that help programs operate. - A *DLL (Dynamic Link Library)* contains code and data that multiple programs can use simultaneously. - - Disabling these libraries stops SmartScreen operations across applications. - This enhances your privacy by eliminating SmartScreen data collection. - It improves security by reducing the system's attack surface. - It may also improve system performance by freeing up system resources. - - However, turning off these libraries may lower your system's defenses against malware and phishing, - as it stops the identification and blocking of potentially unsafe content. - - This script targets and disables the following specific SmartScreen libraries critical to their operations: - - - `smartscreen.dll`: - This DLL enables core SmartScreen functionality [1]. - It manages essential SmartScreen tasks, such as performing security checks and evaluating the - safety and reputation of files, applications, and web content [2] [3]. - - `smartscreenps.dll`: - This DLL supports SmartScreen functionality [4]. - It facilitates SmartScreen's critical functions, including component management, registration, and - lifecycle within a COM framework [5] [6]. 
- - File locations: - - | File path | Windows 11 (23H2) | Windows 10 (22H2) | - |-----------|-----------------------------|-----------------------------| - | `%WINDIR%\System32\smartscreen.dll` [2] | ✅ Exists | ❌ Missing | - | `%WINDIR%\SysWOW64\smartscreen.dll` [3] | ✅ Exists | ❌ Missing | - | `%WINDIR%\System32\smartscreenps.dll` [4] [5] | ✅ Exists | ✅ Exists | - | `%WINDIR%\SysWOW64\smartscreenps.dll` [6] [7] | ✅ Exists | ✅ Exists | - - [1]: https://github.com/privacysexy-forks/10_0_22621_870/blob/8b13bab6a49d9d04990dfd78de7b39eb815dcddc/C/Windows/System32/smartscreen.exe.strings#L1090 "10_0_22621_870/C/Windows/System32/smartscreen.exe.strings at 8b13bab6a49d9d04990dfd78de7b39eb815dcddc · privacysexy-forks/10_0_22621_870 · GitHub | github.com" - [2]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreen.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreen.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" - [3]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreen.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreen.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" - [4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io" - [5]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreenps.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreenps.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com" - [6]: 
https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreenps.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreenps.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com" - [7]: https://web.archive.org/web/20240715092131/https://strontic.github.io/xcyclopedia/library/smartscreenps.dll-9C77057727E91884AA2AE5D6A85F90C5.html "smartscreenps.dll | SmartScreenPS | STRONTIC | strontic.github.io" - call: + category: Disable Defender notifications + children: - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\smartscreen.dll' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + category: Disable Windows Security notifications + docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications + children: + - + name: Disable all Defender notifications + docs: + - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since 
Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable non-critical Defender notifications + docs: + - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\smartscreenps.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + name: Disable security and maintenance notifications # For Windows 10 build 1607 and above + docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ + call: + function: 
SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\SysWOW64\smartscreen.dll' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + name: Disable all Defender Antivirus notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2 + name: Disable Defender reboot notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: SuppressRebootNotification + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + 
category: Disable Defender Exploit Guard + docs: |- + This category disables Windows Defender Exploit Guard, potentially enhancing privacy and + system performance. + + Exploit Guard is also called **Windows Defender Exploit Guard** [1] [2] [3] [4] [5] + or **Microsoft Defender Exploit Guard** [6]. + This component has been a built-in feature of Windows 10 since version 1709 [1] [5]. + It's the successor to the **Enhanced Mitigation Experience Toolkit (EMET)** [1] [5]. + + Exploit Guard uses Microsoft Cloud for machine learning and to check websites and IP addresses [1]. + Disabling it may enhance privacy by preventing these connections. + It may improve system performance by reducing background processes. + It also increases user autonomy by enabling choices about which programs, scripts, and websites can connect + without automatic intervention. + + Disabling Exploit Guard may reduce protection against certain types of attacks. + Users should carefully weigh the trade-offs between enhanced privacy/performance and potential security + risks when disabling this feature. + + Exploit Guard consists of four main components: + + 1. **Attack Surface Reduction (ASR):** + Blocks Office-, script-, and email-based threats [1] [2] [7]. + 2. **Network protection:** + Blocks outbound connections to untrusted hosts/IP addresses using Defender SmartScreen [1] [2] [4]. + It extends SmartScreen to the operating system level [4]. + 3. **Controlled folder access:** + Protects sensitive data from ransomware by blocking untrusted processes from accessing protected folders [1] [2] [3]. + 4. **Exploit protection:** + Applies exploit mitigation techniques to operating system processes and applications [1] [2] [3]. + + These components are enabled and configured by default on Windows 10 and 11 [1] [3] [8]. + They can also be remotely configured and set up in managed environments, such as enterprise organizations [2]. 
+ Disabling Exploit Guard can affect local or organizational configurations, such as those set by schools or employers. + + Defender Antivirus is the built-in antimalware component in Windows [5]. + Exploit Guard operates independently from Defender Antivirus [5]. + However, some features, like Attack Surface Reduction, depend on Defender Antivirus to function [1]. + Exploit Guard may also require Defender Antivirus for some of its configurations [6]. + + Exploit Guard is included in **Microsoft Defender for Endpoint** suite [9] [10]. + Defender for Endpoint enhances its functionality by providing additional detailed reporting into + exploit protection events and blocks as part of the usual alert investigation scenarios [10]. + Disabling Exploit Guard may impair the functionality of Defender for Endpoint. + + > **Caution:** + > Disabling Exploit Guard may lower your security if you do not have proper security practices + > or alternative protections in place. + + [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ + [2]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" + [3]: https://web.archive.org/web/20240821075921/https://learn.microsoft.com/en-us/defender-endpoint/enable-exploit-protection "Turn on exploit protection to help mitigate against attacks - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240821075805/https://learn.microsoft.com/en-us/defender-endpoint/network-protection "Use network protection to help prevent connections to bad sites - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: 
https://web.archive.org/web/20240821075906/https://msrc.microsoft.com/blog/2017/08/moving-beyond-emet-ii-windows-defender-exploit-guard/ "Moving Beyond EMET II – Windows Defender Exploit Guard | MSRC Blog | Microsoft Security Response Center | msrc.microsoft.com" + [6]: https://web.archive.org/web/20240821080834/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-using-powershell#advanced-threat-and-exploit-mitigation-and-prevention-controlled-folder-access "Evaluate Microsoft Defender Antivirus using PowerShell. - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240821075836/https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction "Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20240821075914/https://learn.microsoft.com/en-us/defender-endpoint/controlled-folders "Protect important folders from ransomware from encrypting your files with controlled folder access - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240821075742/https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction "Understand and use attack surface reduction - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20240821075844/https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection "Apply mitigations to help prevent attacks through vulnerabilities - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + children: - - name: Disable outdated SmartScreen settings interface - docs: |- # refactor-with-variables: • SmartScreen Caution - This script disables the SmartScreen settings interface in older Windows versions. 
+ name: Disable prevention of users and apps from accessing dangerous websites + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + valueName: EnableNetworkProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable controlled folder access + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess + - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access + valueName: EnableControlledFolderAccess + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "ExploitGuard MDM policy Refresh" task + docs: |- + This script disables the "ExploitGuard MDM policy Refresh" scheduled task. - It specifically targets and soft-deletes the `SmartScreenSettings.exe` file [1] [2] [3] [4]. - Found only in older Windows versions [3] [4], including Windows 8 [3]. - Based on tests, this file does not exist in newer versions such as Windows 11 Pro (23H2) - or Windows 10 Pro (22H2) and beyond. + The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". - The `SmartScreenSettings.exe` is a user interface component [1] [2] that displays settings - for the SmartScreen filter [3] [4]. 
+ Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. + It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. - Removing this component may enhance privacy by eliminating the possibility to modify - SmartScreen settings, which could otherwise be used to re-enable this monitoring feature [3] [4]. - It also optimizes system performance by removing this obsolete component. + Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. + MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. - However, disabling this feature could reduce security by limiting your system's protection against - phishing and malware. + Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. + + Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. - It is located at the following paths: + ### Overview of default task statuses - - `%WINDIR%\System32\SmartScreenSettings.exe` [1] [4] - - `%WINDIR%\SysWOW64\SmartScreenSettings.exe` [2] + `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: - > **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware. 
+ | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | - [1]: https://web.archive.org/web/20240714203112/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-43D69652F91822C4A0873884B829DD0A.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/save/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-6B2EA6F8937B573372304CAE5F829A4D.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io" - [3]: https://web.archive.org/web/20111013123233/https://techtrickz.com/how-to/enable-or-disable-windows-8-smartscreen-feature-how-to/ "Disable Windows 8 SmartScreen Feature | techtrickz.com" - [4]: https://web.archive.org/web/20240714203245/https://www.thewindowsclub.com/windows-smartscreen-cant-reached-right-now "Windows SmartScreen can't be reached right now | www.thewindowsclub.com" + [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" + [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" + [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" + [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit 
Guard policy - Configuration Manager | Microsoft Learn" call: - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\SmartScreenSettings.exe' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe' - grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' + taskPathPattern: \Microsoft\Windows\ExploitGuard\ + taskNamePattern: ExploitGuard MDM policy Refresh - category: Disable automatic updates docs: |-
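Review bot: in the new "Disable prevention of users and apps from accessing dangerous websites" entry, `data: "1"` for `EnableNetworkProtection` turns network protection on instead of off: the policy's ADMX definition maps 0 to Disable, 1 to Block and 2 to Audit Mode, so the script as written would enforce blocking rather than disable it, and the revert path would then leave the feature in the opposite state from the one the name promises. Write `data: '0'` here, matching the sibling "Disable controlled folder access" entry, which correctly sets `EnableControlledFolderAccess` to `0`. A style point in the same two entries: `data: "1"` and `data: "0"` use double quotes while `deleteOnRevert: 'true'` and the existing `grantPermissions: 'true'` use single quotes, so `data: '0'` keeps the file consistent. In the category docs, "Exploit Guard is included in **Microsoft Defender for Endpoint** suite" is missing the article and should read "included in the **Microsoft Defender for Endpoint** suite".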