win: add disabling Phishing Protection #385
This commit adds options to disable Enhanced Phishing Protection features in Defender SmartScreen. This includes disabling background services, automatic data collection and various notification types.

Key changes:

- Add disabling of W11-only "Enhanced Phishing Protection"
- Add disabling of Web Threat Defense services.

Supporting changes:

- Add minimum version constraint for `DisablePerUserService`
- Use fewer characters in `RunPowerShellWithWindowsVersionConstraints` to avoid reaching the max batchfile line lengths.
@@ -20121,6 +20121,494 @@ actions:
|
|||||||
# Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
# Availability: ✅ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.AppReputationService
|
keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.AppReputationService
|
||||||
elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2)
|
elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2)
|
||||||
|
-
|
||||||
|
category: Disable SmartScreen Enhanced Phishing Protection
|
||||||
|
docs: |-
|
||||||
|
This category contains scripts to disable SmartScreen's **Enhanced Phishing Protection** feature,
|
||||||
|
which monitors password usage and sends data to Microsoft.
|
||||||
|
|
||||||
|
This feature collects information from suspicious websites or apps to identify security threats when users enter their passwords [1].
|
||||||
|
It was introduced in Windows 11, version 22H2 [1] [2], and is technically identified as `webthreatdefense` (Web Threat Defense) [2].
|
||||||
|
|
||||||
|
This feature raises several privacy concerns, including:
|
||||||
|
|
||||||
|
- Monitoring of password entries across various applications and websites [1] [2]
|
||||||
|
- Collection of additional data in suspicious scenarios, including displayed content, played sounds, and application memory [1] [2]
|
||||||
|
- Transmission of telemetry data to Microsoft [1] [2]
|
||||||
|
- Potential sharing of data with organizational IT departments via **Intune** and **Defender for Endpoint** [1]
|
||||||
|
- Tracking of password reuse across different services [1] [2]
|
||||||
|
- Monitoring of password input in common applications like Notepad, Word, OneNote, or Excel [2], and other office apps [1]
|
||||||
|
|
||||||
|
Disabling these features enhances privacy by:
|
||||||
|
|
||||||
|
- Reducing the sensitive data collected and shared with Microsoft.
|
||||||
|
- Limiting the monitoring of password usage across applications.
|
||||||
|
- Decreasing the telemetry sent from your device.
|
||||||
|
|
||||||
|
It may also improve system performance by reducing background monitoring activities.
|
||||||
|
|
||||||
|
However, disabling **Enhanced Phishing Protection** may reduce your security
|
||||||
|
by removing alerts that help protect against phishing attacks and unsafe password practices.
|
||||||
|
|
||||||
|
> **Caution**:
|
||||||
|
> Disabling this feature means you will not receive warnings about potential phishing attacks
|
||||||
|
> or unsafe password usage, which may increase your vulnerability.
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240720170645/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune "Enhanced Phishing Protection in Microsoft Defender SmartScreen - Windows Security | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://web.archive.org/web/20240716182210/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
children:
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection Web background services
|
||||||
|
docs: |-
|
||||||
|
This script disables the `webthreatdefsvc` and `webthreatdefusersvc` services.
|
||||||
|
|
||||||
|
These services enhance security by monitoring for unauthorized access to user credentials [1] [2] [3].
|
||||||
|
However, these services also collect telemetry [4] [5] and sensor data [5], raising privacy concerns.
|
||||||
|
Disabling these services reduces this data collection, thereby enhancing privacy.
|
||||||
|
|
||||||
|
Additionally, these services require opening firewall ports [6] and running background services [6],
|
||||||
|
which may increase your attack surface and reduce security.
|
||||||
|
|
||||||
|
Disabling these services may also improve system performance by reducing background activity.
|
||||||
|
|
||||||
|
However, disabling these services may reduce protection against some web threats.
|
||||||
|
|
||||||
|
> **Caution:** Disabling this service may reduce your defense against certain web threats.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
This script disables the related services, their files and COM registrations.
|
||||||
|
|
||||||
|
#### Services Overview
|
||||||
|
|
||||||
|
| Service | Service Name | Service File |
|
||||||
|
| ------- | ------------ | ------------ |
|
||||||
|
| `webthreatdefsvc` | Web Threat Defense Endpoint Service [1] | `%SYSTEMROOT%\System32\webthreatdefsvc.dll` [1] [6] |
|
||||||
|
| `webthreatdefusersvc` | Web Threat Defense User Service [2] [3] | `%SYSTEMROOT%\System32\webthreatdefusersvc.dll` [2] |
|
||||||
|
|
||||||
|
Both services send data to Microsoft, including telemetry data from `MicrosoftTelemetryAssertTriggeredUM` [4] [5]
|
||||||
|
and sensor data `Office App Sensor` [5].
|
||||||
|
|
||||||
|
These services are associated with the **Microsoft Defender for Endpoint** suite.
|
||||||
|
This program was formerly known as **Windows Advanced Threat Protection** [7].
|
||||||
|
They read settings from `Software\Microsoft\Windows Advanced Threat Protection` [4].
|
||||||
|
These settings manage **Defender for Endpoint** [8].
|
||||||
|
|
||||||
|
These services are linked to **SmartScreen Enhanced Phishing Protection** because:
|
||||||
|
|
||||||
|
- They access configurations under `Policies\Microsoft\Windows\WTDS\Components` [4], which
|
||||||
|
are specific to SmartScreen Enhanced Phishing Protection [9].
|
||||||
|
- They are named Web Threat Defense, and SmartScreen Enhanced Phishing Protection is technically
|
||||||
|
named `WebThreatDefense` [9].
|
||||||
|
|
||||||
|
They are available on Windows 11 22H2 and later but are missing on earlier Windows versions [1] [2],
|
||||||
|
including Windows 10.
|
||||||
|
|
||||||
|
#### Services Files
|
||||||
|
|
||||||
|
- `webthreatdefsvc.dll` manages web threats using threat intelligence (via `ThreatIntelligence.dll`)
|
||||||
|
and interfaces with system resources [4] [10].
|
||||||
|
- `webthreatdefusersvc.dll` provides threat detection and management at the user level,
|
||||||
|
integrating with real-time monitoring and user activities in Office applications [5] [11].
|
||||||
|
|
||||||
|
#### Registry clean-up
|
||||||
|
|
||||||
|
This script cleans up following registry keys related to the service:
|
||||||
|
|
||||||
|
- `HKLM\SOFTWARE\Microsoft\WindowsRuntime\Server\WebThreatDefSvc` [6] for COM server implementation.
|
||||||
|
- `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense` [6] for service host registration.
|
||||||
|
- `HKCR\Interface\{ac889b17-df54-4854-a439-d7b68d1e16e8}` [6] for interface registration.
|
||||||
|
- `HKCR\CLSID\{E2F1C91D-C762-4B5A-A8C1-4734E48C5FF4}` [6] for COM class registration.
|
||||||
|
- `HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager` [6] for Windows Runtime class activation.
|
||||||
|
- `HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings` [6] for Windows Runtime configuration settings.
|
||||||
|
|
||||||
|
#### Overview of default service statuses
|
||||||
|
|
||||||
|
`webthreatdefsvc`:
|
||||||
|
|
||||||
|
| OS Version | Status | Start type |
|
||||||
|
| ---------- | -------| ---------- |
|
||||||
|
| Windows 10 (≥ 22H2) | 🟡 Missing | N/A |
|
||||||
|
| Windows 11 (≥ 23H2) | 🟢 Running | Manual |
|
||||||
|
|
||||||
|
`webthreatdefusersvc`:
|
||||||
|
|
||||||
|
| OS Version | Status | Start type |
|
||||||
|
| ---------- | -------| ---------- |
|
||||||
|
| Windows 10 (≥ 22H2) | 🟡 Missing | N/A |
|
||||||
|
| Windows 11 (≥ 23H2) | 🔴 Stopped | Automatic |
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240716182225/https://batcmd.com/windows/11/services/webthreatdefsvc/ "Web Threat Defense Service - Windows 11 Service - batcmd.com | batcmd.com"
|
||||||
|
[2]: https://web.archive.org/web/20240716182233/https://batcmd.com/windows/11/services/webthreatdefusersvc/ "Web Threat Defense User Service - Windows 11 Service - batcmd.com | batcmd.com"
|
||||||
|
[3]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows#list-of-per-user-services "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[4]: https://web.archive.org/web/20240924170830/https://github.com/privacysexy-forks/10_0_25197_1000/blob/40c2bd1b216c06e28578a227b520a1bcf6531406/C/Windows/System32/webthreatdefsvc.dll.strings "10_0_25197_1000/C/Windows/System32/webthreatdefsvc.dll.strings at 40c2bd1b216c06e28578a227b520a1bcf6531406 · privacysexy-forks/10_0_25197_1000 · GitHub | github.com"
|
||||||
|
[5]: https://web.archive.org/web/20240924190736/https://github.com/privacysexy-forks/10_0_25197_1000/blob/40c2bd1b216c06e28578a227b520a1bcf6531406/C/Windows/System32/webthreatdefusersvc.dll.strings "10_0_25197_1000/C/Windows/System32/webthreatdefusersvc.dll.strings at 40c2bd1b216c06e28578a227b520a1bcf6531406 · privacysexy-forks/10_0_25197_1000 · GitHub | github.com"
|
||||||
|
[6]: https://web.archive.org/web/20240924164240/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com"
|
||||||
|
[7]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com"
|
||||||
|
[8]: https://web.archive.org/web/20240717094647/https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-onboarding "Troubleshoot Microsoft Defender for Endpoint onboarding issues - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[9]: https://web.archive.org/web/20240716182210/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[10]: https://web.archive.org/web/20240924175428/https://github.com/privacysexy-forks/10_0_25197_1000/blob/40c2bd1b216c06e28578a227b520a1bcf6531406/C/Windows/System32/webthreatdefsvc.dll.coff "10_0_25197_1000/C/Windows/System32/webthreatdefsvc.dll.coff at 40c2bd1b216c06e28578a227b520a1bcf6531406 · privacysexy-forks/10_0_25197_1000 | github.com"
|
||||||
|
[11]: https://web.archive.org/web/20240924175556/https://github.com/privacysexy-forks/10_0_25197_1000/blob/40c2bd1b216c06e28578a227b520a1bcf6531406/C/Windows/System32/webthreatdefusersvc.dll.coff "10_0_25197_1000/C/Windows/System32/webthreatdefusersvc.dll.coff at 40c2bd1b216c06e28578a227b520a1bcf6531406 · privacysexy-forks/10_0_25197_1000 | github.com"
|
||||||
|
call:
|
||||||
|
-
|
||||||
|
function: DisableService
|
||||||
|
parameters:
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
serviceName: webthreatdefsvc # (Get-Service -Name 'webthreatdefsvc').StartType
|
||||||
|
defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteFiles
|
||||||
|
parameters:
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
fileGlob: '%SYSTEMROOT%\System32\webthreatdefsvc.dll'
|
||||||
|
grantPermissions: 'true' # 🔒️ Protected on Windows 11 since 22H2 | 🔍 Missing on Windows 10 (≥ 22H2)
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: DisablePerUserService
|
||||||
|
parameters:
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
serviceName: webthreatdefusersvc # (Get-Service -Name 'webthreatdefusersvc').StartType
|
||||||
|
defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteFiles
|
||||||
|
parameters:
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
fileGlob: '%SYSTEMROOT%\System32\webthreatdefusersvc.dll'
|
||||||
|
grantPermissions: 'true' # 🔒️ Protected on Windows 11 since 22H2 | 🔍 Missing on Windows 10 (≥ 22H2)
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteRegistryKey
|
||||||
|
parameters:
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
keyPath: HKLM\SOFTWARE\Microsoft\WindowsRuntime\Server\WebThreatDefSvc
|
||||||
|
elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 11 since 22H2 | 🔍 Missing on Windows 10 (≥ 22H2)
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteRegistryKey
|
||||||
|
parameters:
|
||||||
|
# Check: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense"
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WebThreatDefense
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteRegistryKey
|
||||||
|
parameters:
|
||||||
|
# Check: reg query "HKLM\Software\Classes\Interface\{ac889b17-df54-4854-a439-d7b68d1e16e8}"
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
keyPath: HKLM\Software\Classes\Interface\{ac889b17-df54-4854-a439-d7b68d1e16e8} # HKCR\Interface\{ac889b17-df54-4854-a439-d7b68d1e16e8} links to it
|
||||||
|
elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 11 since 22H2 | 🔍 Missing on Windows 10 (≥ 22H2)
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteRegistryKey
|
||||||
|
parameters:
|
||||||
|
# Check: reg query "HKLM\Software\Classes\CLSID\{E2F1C91D-C762-4B5A-A8C1-4734E48C5FF4}"
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
keyPath: HKLM\Software\Classes\CLSID\{E2F1C91D-C762-4B5A-A8C1-4734E48C5FF4}
|
||||||
|
elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 11 since 22H2 | 🔍 Missing on Windows 10 (≥ 22H2)
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteRegistryKey
|
||||||
|
parameters:
|
||||||
|
# Check: reg query "HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager"
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Service.UserSessionServiceManager
|
||||||
|
elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 11 since 22H2 | 🔍 Missing on Windows 10 (≥ 22H2)
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
function: SoftDeleteRegistryKey
|
||||||
|
parameters:
|
||||||
|
# Check: reg query "HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings"
|
||||||
|
# Availability: ❌ Windows 10 Pro (≥ 22H2) | ✅ Windows 11 Pro (≥ 23H2)
|
||||||
|
keyPath: HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Microsoft.OneCore.WebThreatDefense.Configuration.WTDUserSettings
|
||||||
|
elevateToTrustedInstaller: 'true' # 🔒️ Protected on Windows 11 since 22H2 | 🔍 Missing on Windows 10 (≥ 22H2)
|
||||||
|
minimumWindowsVersion: 'Windows11-22H2'
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection automatic data collection
|
||||||
|
recommend: strict # Significant privacy improvement but comes with security trade-off
|
||||||
|
docs: |-
|
||||||
|
This script disables automatic data collection by SmartScreen's **Enhanced Phishing Protection**.
|
||||||
|
|
||||||
|
**Enhanced Phishing Protection** collects additional information when users enter their work or school
|
||||||
|
passwords on suspicious websites or apps [1] [2].
|
||||||
|
This information may include displayed content, played sounds, and application memory [1] [2].
|
||||||
|
|
||||||
|
Microsoft uses this data to enhance SmartScreen's ability to identify malicious websites or apps [1] [2].
|
||||||
|
This data helps **Defender SmartScreen** determine if the user entered their work or school password on a
|
||||||
|
suspicious website or app [1] [2].
|
||||||
|
|
||||||
|
After running this script, **Enhanced Phishing Protection** will no longer collect additional data when
|
||||||
|
users enter work or school passwords on potentially malicious sites or apps [2].
|
||||||
|
|
||||||
|
This script improves privacy by stopping the collection of potentially sensitive user data.
|
||||||
|
It may also slightly boost system performance by reducing background data collection.
|
||||||
|
|
||||||
|
However, disabling this feature may weaken phishing protection.
|
||||||
|
Organizations like the Center for Internet Security (CIS) recommend keeping this setting enabled for stronger security [1].
|
||||||
|
|
||||||
|
> **Caution:**
|
||||||
|
> Disabling this feature may increase vulnerability to advanced phishing attacks targeting work or school credentials.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
This script sets the `CaptureThreatWindow` [2] policy to disabled state.
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240924164530/https://www.tenable.com/audits/items/CIS_Microsoft_Windows_11_Enterprise_v3.0.0_L1.audit:54aecdce87a28d24fd08046713c9dd0c "18.10.75.1.1 (L1) Ensure 'Automatic Data Collection' is set to... | Tenable® | www.tenable.com"
|
||||||
|
[2]: https://web.archive.org/web/20240716182210/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#automaticdatacollection "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
call:
|
||||||
|
function: SetWebThreatDefensePolicyDisabledViaRegistry
|
||||||
|
parameters:
|
||||||
|
valueName: CaptureThreatWindow
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection "potentially malicious" notifications
|
||||||
|
docs: |-
|
||||||
|
This script disables the **Enhanced Phishing Protection** warnings in Defender SmartScreen related to potentially
|
||||||
|
malicious password entry scenarios.
|
||||||
|
|
||||||
|
By default, these warnings are turned off [1].
|
||||||
|
This script ensures it remains disabled.
|
||||||
|
Disabling this feature stops warnings from appearing when users enter their work or school passwords
|
||||||
|
into potentially malicious websites or applications [1].
|
||||||
|
|
||||||
|
This option is also known as **Warn me about malicious apps and sites** [2].
|
||||||
|
It warns users when they enter their work or school password into potentially malicious situations [1] [3].
|
||||||
|
These scenarios include:
|
||||||
|
|
||||||
|
- Reported phishing sites [1] [3]
|
||||||
|
- Microsoft login URLs with invalid certificates [1] [3]
|
||||||
|
- Applications connecting to either of the above [1] [3]
|
||||||
|
|
||||||
|
It displays a pop-up notification when users try to access a website blocked by **Defender SmartScreen** [3].
|
||||||
|
It helps users understand why a website is blocked and decide whether to proceed [3].
|
||||||
|
|
||||||
|
This script enhances privacy by reducing the data sent to Microsoft.
|
||||||
|
It may also improve system performance through reduced resource usage, fewer notifications, and less network activity.
|
||||||
|
|
||||||
|
However, this script may decrease security.
|
||||||
|
The Center for Internet Security (CIS) recommends enabling this feature for better protection against phishing attacks [3].
|
||||||
|
|
||||||
|
> **Caution**: Disabling this feature may expose you to phishing attacks and other online threats without warning.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
This script applies only to Microsoft Accounts [3].
|
||||||
|
It is only supported on Microsoft Windows 11 and later versions [1] [3].
|
||||||
|
It does not affect on-premises domain-joined accounts [3].
|
||||||
|
|
||||||
|
This script sets the `NotifyMalicious` [1] [2] [4] policy to disabled state.
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240716182210/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifymalicious "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://web.archive.org/web/20240118235908/https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-phishing-protection-windows-11.5721/ "Enable or Disable Microsoft Defender SmartScreen Phishing Protection Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
|
||||||
|
[3]: https://web.archive.org/web/20240924172324/https://www.tenable.com/audits/items/CIS_Microsoft_Windows_11_Enterprise_v3.0.0_L1.audit:9131c40aab73eab101b55f874c48589d "18.10.75.1.2 (L1) Ensure 'Notify Malicious' is set to 'Enabled' | Tenable® | ://www.tenable.com"
|
||||||
|
[4]: https://web.archive.org/web/20240924164240/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com"
|
||||||
|
call:
|
||||||
|
function: SetWebThreatDefensePolicyDisabledViaRegistry
|
||||||
|
parameters:
|
||||||
|
valueName: NotifyMalicious
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection "password reuse" notifications
|
||||||
|
docs: |-
|
||||||
|
This script disables the **Warn me about password reuse** feature in Defender SmartScreen's **Enhanced Phishing Protection**.
|
||||||
|
|
||||||
|
The script prevents SmartScreen from warning users when they reuse their work or school password across different services [1] [2].
|
||||||
|
The feature aims to encourage users to change reused passwords [1].
|
||||||
|
|
||||||
|
This feature is off by default [1].
|
||||||
|
By explicitly disabling it, the script ensures it remains inactive persistently.
|
||||||
|
|
||||||
|
This script improves privacy by reducing the password-related data shared with Microsoft.
|
||||||
|
It may also improve system performance by eliminating the background processes that check for password reuse.
|
||||||
|
This feature may occasionally misidentify password reuse [2], potentially causing user inconvenience.
|
||||||
|
|
||||||
|
However, disabling this feature may reduce security.
|
||||||
|
The Center for Internet Security (CIS) recommends keeping it enabled for stronger security [2].
|
||||||
|
When active, this feature alerts users if they try to use a password that has been exposed in a known data breach [2].
|
||||||
|
This can help reduce the risk of unauthorized access to online accounts and encourage the use of strong, unique passwords [2].
|
||||||
|
|
||||||
|
> **Caution**: Disabling this feature means you won't receive warnings about potentially compromised passwords,
|
||||||
|
> which may increase your risk of using unsafe passwords.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
This script sets the `NotifyPasswordReuse` [1] [3] [4] policy to disabled state.
|
||||||
|
This setting applies only to Microsoft accounts used for Windows or browser login [2].
|
||||||
|
It is only supported on Microsoft Windows 11 and later versions [1] [2].
|
||||||
|
It does not affect on-premises domain-joined accounts [2].
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240716182210/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifypasswordreuse "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://web.archive.org/web/20240924174830/https://www.tenable.com/audits/items/CIS_Microsoft_Windows_11_Stand-alone_v2.0.0_L1.audit:bcffe7061e6b119dfc3502e67b1976e9 "18.10.76.1.2 Ensure 'Notify Password Reuse' is set to 'Enabled' | Tenable®"
|
||||||
|
[3]: https://web.archive.org/web/20240924164240/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com"
|
||||||
|
[4]: https://web.archive.org/web/20240118235908/https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-phishing-protection-windows-11.5721/ "Enable or Disable Microsoft Defender SmartScreen Phishing Protection Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
|
||||||
|
call:
|
||||||
|
function: SetWebThreatDefensePolicyDisabledViaRegistry
|
||||||
|
parameters:
|
||||||
|
valueName: NotifyPasswordReuse
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection "unsafe apps" notifications
|
||||||
|
docs: |-
|
||||||
|
This script disables **Defender SmartScreen**'s **Enhanced Phishing Protection** feature that warns
|
||||||
|
users about unsafe password storage.
|
||||||
|
|
||||||
|
This feature warns you when you enter passwords in apps such as Notepad, Word, OneNote, or Excel [1] [2].
|
||||||
|
This option is known as **Warn me about unsafe password storage** [3].
|
||||||
|
|
||||||
|
By default, this feature is disabled [1]
|
||||||
|
This script explicitly disables this feature to maintain the default behavior consistently.
|
||||||
|
|
||||||
|
This script enhances privacy by preventing Microsoft from monitoring password input across applications.
|
||||||
|
It may also improve system performance by reducing background processes related to password monitoring.
|
||||||
|
|
||||||
|
However, disabling this feature may reduce security.
|
||||||
|
Without these warnings, you may unknowingly store passwords in unsafe locations [2].
|
||||||
|
This increases the risk of unauthorized access if your device is compromised [2].
|
||||||
|
The Center for Internet Security (CIS) recommends enabling this feature to improve security [2].
|
||||||
|
|
||||||
|
> **Caution**:
|
||||||
|
> Disabling this feature removes warnings about unsafe password storage, which may lead to insecure password practices.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
This script sets the `NotifyUnsafeApp` [1] [3] [4] policy to disabled state.
|
||||||
|
This setting applies only to Microsoft accounts used for computer or browser login [2].
|
||||||
|
It is only supported on Microsoft Windows 11 and later versions [1] [2].
|
||||||
|
It has no effect on accounts joined to on-premises domains [2].
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240716182210/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#notifyunsafeapp "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://web.archive.org/web/20240924181530/https://www.tenable.com/audits/items/CIS_Microsoft_Windows_11_Stand-alone_v2.0.0_L1.audit:7f9d8484c2dcdd3457c543d9973b6b7a "18.10.76.1.3 Ensure 'Notify Unsafe App' is set to 'Enabled' | Tenable® | www.tenable.com"
|
||||||
|
[3]: https://web.archive.org/web/20240118235908/https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-phishing-protection-windows-11.5721/ "Enable or Disable Microsoft Defender SmartScreen Phishing Protection Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
|
||||||
|
[4]: https://web.archive.org/web/20240924164240/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com"
|
||||||
|
call:
|
||||||
|
function: SetWebThreatDefensePolicyDisabledViaRegistry
|
||||||
|
parameters:
|
||||||
|
valueName: NotifyUnsafeApp
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection audit mode
|
||||||
|
docs: |-
|
||||||
|
This script disables Enhanced Phishing Protection in Microsoft Defender SmartScreen on Windows.
|
||||||
|
|
||||||
|
Enhanced Phishing Protection monitors and captures unsafe password entries, sending telemetry data to
|
||||||
|
Microsoft Defender [1] [2].
|
||||||
|
In audit mode, users are not notified about potential security risks [1] [2].
|
||||||
|
|
||||||
|
Running this script fully disables Enhanced Phishing Protection [1].
|
||||||
|
It will no longer capture events, send telemetry, or notify users [1].
|
||||||
|
Users will not be able to re-enable it through the graphical interface [1].
|
||||||
|
|
||||||
|
This script enhances privacy by preventing the collection and transmission of user data related to password entry events.
|
||||||
|
It may also improve system performance by reducing background processes and data transmission.
|
||||||
|
|
||||||
|
However, disabling this feature may reduce your protection against phishing attempts.
|
||||||
|
The Center for Internet Security (CIS) recommends keeping this feature enabled for better security [2].
|
||||||
|
|
||||||
|
> **Caution:**
|
||||||
|
> Disabling Enhanced Phishing Protection may leave you more vulnerable to phishing attacks.
|
||||||
|
> You will not be able to re-enable this feature without reverting the script's changes.
|
||||||
|
> Consider implementing alternative security measures to protect against phishing attempts.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
This script sets the `ServiceEnabled` policy to disabled state [1] [2] [3] [4].
|
||||||
|
By default, this feature is enabled [1].
|
||||||
|
This setting only applies to Windows 11, version 22H2 (10.0.22621) and later [1].
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240716182210/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense#serviceenabled "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://web.archive.org/web/20240826103724/https://www.tenable.com/audits/items/CIS_Microsoft_Windows_11_Enterprise_v2.0.0_L1.audit:783c73a2e3e7c5b7ed18051225489c55 "18.10.76.1.4 Ensure 'Service Enabled' is set to 'Enabled' | Tenable® | www.tenable.com"
|
||||||
|
[3]: https://web.archive.org/web/20240924164240/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com"
|
||||||
|
[4]: https://web.archive.org/web/20240118235908/https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-phishing-protection-windows-11.5721/ "Enable or Disable Microsoft Defender SmartScreen Phishing Protection Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
|
||||||
|
call:
|
||||||
|
function: SetWebThreatDefensePolicyDisabledViaRegistry
|
||||||
|
parameters:
|
||||||
|
valueName: ServiceEnabled
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection warnings and prompts
|
||||||
|
docs: |-
|
||||||
|
This script disables the user interface for Enhanced Phishing Protection on Windows.
|
||||||
|
|
||||||
|
Enhanced Phishing Protection is a feature in Windows 11 that aims to protect users
|
||||||
|
from phishing attacks [1].
|
||||||
|
This feature monitors the passwords you enter and warns you if a site may be malicious [1].
|
||||||
|
|
||||||
|
This script prevents Enhanced Phishing Protection from displaying warnings and prompts.
|
||||||
|
It does not stop the underlying monitoring but disables only the visual warnings and prompts.
|
||||||
|
|
||||||
|
This may enhance privacy perception by reducing monitoring notifications, though background
|
||||||
|
monitoring continues.
|
||||||
|
It may slightly improve system performance by disabling these UI elements.
|
||||||
|
However, you will not receive warnings about potential phishing attempts, increasing your
|
||||||
|
risk of falling victim to such attacks.
|
||||||
|
|
||||||
|
> **Caution**: This action reduces your ability to detect phishing attempts.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
The script sets the following registry value:
|
||||||
|
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\FeatureFlags!BlockUxDisabled` [2] [3].
|
||||||
|
|
||||||
|
This feature is unavailable on Windows 10 and Windows 11 21H2 [1].
|
||||||
|
It is enabled by default on Windows 11 [3] (confirmed by tests on version 23H2 and later).
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240720170645/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune "Enhanced Phishing Protection in Microsoft Defender SmartScreen - Windows Security | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/ThreatAssessment.dll.strings#L14141 "10_0_22622_601/C/Windows/System32/ThreatAssessment.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com"
|
||||||
|
[3]: https://web.archive.org/web/20240924164240/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com"
|
||||||
|
call:
|
||||||
|
function: SetRegistryValue
|
||||||
|
parameters:
|
||||||
|
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\FeatureFlags
|
||||||
|
valueName: BlockUxDisabled
|
||||||
|
dataType: REG_DWORD
|
||||||
|
data: '1'
|
||||||
|
dataOnRevert: '0' # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
|
||||||
|
minimumWindowsVersion: Windows11-22H2
|
||||||
|
elevateToTrustedInstaller: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2)
|
||||||
|
-
|
||||||
|
name: Disable SmartScreen Enhanced Phishing Protection telemetry
|
||||||
|
recommend: strict # Significant privacy improvement without security trade-off
|
||||||
|
docs: |-
|
||||||
|
This script disables the Enhanced Phishing Protection telemetry feature in Windows.
|
||||||
|
|
||||||
|
Enhanced Phishing Protection collects data on phishing attacks to improve Microsoft's security products [1].
|
||||||
|
It shares this data across Microsoft's security suite, including Microsoft Defender for Endpoint [1].
|
||||||
|
|
||||||
|
This feature allows organizations to monitor unsafe password usage through alerts and reports in
|
||||||
|
the Microsoft 365 Defender Portal [1].
|
||||||
|
|
||||||
|
This script enhances your privacy by:
|
||||||
|
|
||||||
|
- Preventing data collection and sharing related to your online activities.
|
||||||
|
- Reducing the data collected by Microsoft and potentially your organization regarding your browsing habits.
|
||||||
|
|
||||||
|
However, disabling this feature may:
|
||||||
|
|
||||||
|
- Reduce the effectiveness of Microsoft's phishing protection.
|
||||||
|
- Limit your organization's ability to detect and respond to phishing threats.
|
||||||
|
|
||||||
|
> **Caution**:
|
||||||
|
> Disabling this feature may:
|
||||||
|
> - Decrease protection against phishing attacks.
|
||||||
|
> - Impact your organization's security monitoring if you're using a work or school computer.
|
||||||
|
|
||||||
|
### Technical Details
|
||||||
|
|
||||||
|
The script sets the following registry value:
|
||||||
|
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\FeatureFlags!TelemetryCallsEnabled` [2] [3].
|
||||||
|
|
||||||
|
This feature is unavailable on Windows 10 and Windows 11 21H2 [1].
|
||||||
|
It is enabled by default on Windows 11 Pro (version 23H2 and later versions) [3].
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240720170645/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune "Enhanced Phishing Protection in Microsoft Defender SmartScreen - Windows Security | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/ThreatAssessment.dll.strings#L14142 "10_0_22622_601/C/Windows/System32/ThreatAssessment.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com"
|
||||||
|
[3]: https://web.archive.org/web/20240924164240/https://github.com/privacysexy-forks/nickel-x64/blob/b3f8c9549e49f2a92b401b3809b210d5f78190ba/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest "nickel-x64/WinSxS/Manifests/amd64_microsoft-onecore-w..reatdefense-service_31bf3856ad364e35_10.0.22621.1_none_828ac38f82738863.manifest at b3f8c9549e49f2a92b401b3809b210d5f78190ba · privacysexy-forks/nickel-x64 | github.com"
|
||||||
|
call:
|
||||||
|
function: SetRegistryValue
|
||||||
|
parameters:
|
||||||
|
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\FeatureFlags
|
||||||
|
valueName: TelemetryCallsEnabled
|
||||||
|
dataType: REG_DWORD
|
||||||
|
data: '0'
|
||||||
|
dataOnRevert: "0" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
|
||||||
|
minimumWindowsVersion: Windows11-22H2
|
||||||
|
elevateToTrustedInstaller: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 23H2)
|
||||||
-
|
-
|
||||||
name: Disable outdated SmartScreen settings interface
|
name: Disable outdated SmartScreen settings interface
|
||||||
docs: |- # refactor-with-variables: • SmartScreen Caution
|
docs: |- # refactor-with-variables: • SmartScreen Caution
|
||||||
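Review bot: In the `Disable SmartScreen Enhanced Phishing Protection telemetry` entry, `data: '0'` and `dataOnRevert: "0"` are the same value, so reverting the script leaves `TelemetryCallsEnabled` disabled. The docs in the same entry say the feature is enabled by default on Windows 11 Pro, while the trailing comment gives the default as `0`, which reads like a copy of the comment on `BlockUxDisabled`. Please confirm the real default and set `dataOnRevert` to it, using single quotes like the other entries. In the same entry, `recommend: strict # Significant privacy improvement without security trade-off` conflicts with the Caution block below it, which says disabling may decrease protection against phishing attacks; one of the two should change.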
@@ -34416,6 +34904,8 @@ functions:
|
|||||||
parameters:
|
parameters:
|
||||||
- name: serviceName # The name of the service to disable
|
- name: serviceName # The name of the service to disable
|
||||||
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
|
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
|
||||||
|
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
||||||
|
optional: true
|
||||||
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
||||||
optional: true
|
optional: true
|
||||||
docs: |-
|
docs: |-
|
||||||
@@ -34439,6 +34929,7 @@ functions:
|
|||||||
parameters:
|
parameters:
|
||||||
serviceName: '{{ $serviceName }}'
|
serviceName: '{{ $serviceName }}'
|
||||||
defaultStartupMode: '{{ $defaultStartupMode }}'
|
defaultStartupMode: '{{ $defaultStartupMode }}'
|
||||||
|
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
-
|
-
|
||||||
function: Comment
|
function: Comment
|
||||||
@@ -34450,6 +34941,7 @@ functions:
|
|||||||
parameters:
|
parameters:
|
||||||
serviceName: '{{ $serviceName }}_*'
|
serviceName: '{{ $serviceName }}_*'
|
||||||
defaultStartupMode: '{{ $defaultStartupMode }}'
|
defaultStartupMode: '{{ $defaultStartupMode }}'
|
||||||
|
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
-
|
-
|
||||||
name: RunInlineCode
|
name: RunInlineCode
|
||||||
@@ -34618,6 +35110,8 @@ functions:
|
|||||||
optional: true # Set to `false` to stop the service immediately without waiting for dependents.
|
optional: true # Set to `false` to stop the service immediately without waiting for dependents.
|
||||||
- name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation`
|
- name: elevateToTrustedInstaller # See `RunPowerShellWithOptionalElevation`
|
||||||
optional: true
|
optional: true
|
||||||
|
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
||||||
|
optional: true
|
||||||
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
||||||
optional: true
|
optional: true
|
||||||
call:
|
call:
|
||||||
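Review bot: The commit message mentions a minimum version constraint only for `DisablePerUserService`, but this hunk adds `minimumWindowsVersion` to a different function, the one whose parameters include the wait-for-dependents option and `elevateToTrustedInstaller`. Either list the additional functions in the commit message or split them into their own commit, so the scope of the supporting change is clear from the log.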
@@ -34642,6 +35136,7 @@ functions:
|
|||||||
# - With `Stop-Service` PowerShell cmdlet throws `CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand` error
|
# - With `Stop-Service` PowerShell cmdlet throws `CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand` error
|
||||||
parameters:
|
parameters:
|
||||||
elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}'
|
elevateToTrustedInstaller: '{{ with $elevateToTrustedInstaller }}true{{ end }}'
|
||||||
|
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
code: |-
|
code: |-
|
||||||
$serviceQuery = '{{ $serviceName }}'
|
$serviceQuery = '{{ $serviceName }}'
|
||||||
@@ -35016,6 +35511,8 @@ functions:
|
|||||||
- name: defaultStartupMode # Allowed values: Automatic | Manual
|
- name: defaultStartupMode # Allowed values: Automatic | Manual
|
||||||
- name: ignoreMissingOnRevert # When set to true, the revert operation will skip any actions for services that cannot be found, instead of failing.
|
- name: ignoreMissingOnRevert # When set to true, the revert operation will skip any actions for services that cannot be found, instead of failing.
|
||||||
optional: true
|
optional: true
|
||||||
|
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
||||||
|
optional: true
|
||||||
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
|
||||||
optional: true
|
optional: true
|
||||||
call:
|
call:
|
||||||
@@ -35038,6 +35535,7 @@ functions:
|
|||||||
# https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978
|
# https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978
|
||||||
# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.4
|
# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.4
|
||||||
parameters:
|
parameters:
|
||||||
|
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
|
||||||
code: |-
|
code: |-
|
||||||
$serviceName = '{{ $serviceName }}'
|
$serviceName = '{{ $serviceName }}'
|
||||||
@@ -37230,6 +37728,7 @@ functions:
|
|||||||
$versionName = '{{ . }}'
|
$versionName = '{{ . }}'
|
||||||
$buildNumber = switch ($versionName) {
|
$buildNumber = switch ($versionName) {
|
||||||
'Windows11-FirstRelease' { '10.0.22000' }
|
'Windows11-FirstRelease' { '10.0.22000' }
|
||||||
|
'Windows11-22H2' { '10.0.22621' }
|
||||||
'Windows11-21H2' { '10.0.22000' }
|
'Windows11-21H2' { '10.0.22000' }
|
||||||
'Windows10-22H2' { '10.0.19045' }
|
'Windows10-22H2' { '10.0.19045' }
|
||||||
'Windows10-21H2' { '10.0.19044' }
|
'Windows10-21H2' { '10.0.19044' }
|
||||||
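Review bot: `'Windows11-22H2' { '10.0.22621' }` is added only to the minimum-version `switch`. The two following hunk headers (`-37241 +37740` and `-37260 +37759`) keep the same offset, so no line was added to the `maximumWindowsVersion` block between them; if that block has its own name-to-build mapping, as the `$maxVersion=[System.Version]::Parse($buildNumber)` context suggests, `maximumWindowsVersion: Windows11-22H2` will not resolve to a build number. Add the case there as well, or share one mapping between both blocks. The new case is also placed between `Windows11-FirstRelease` and `Windows11-21H2`, which both map to `10.0.22000`; putting it above them keeps the list in descending build order like the Windows 10 entries.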
@@ -37241,10 +37740,10 @@ functions:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
$minVersion = [System.Version]::Parse($buildNumber)
|
$minVersion = [System.Version]::Parse($buildNumber)
|
||||||
$version = [Environment]::OSVersion.Version
|
$ver = [Environment]::OSVersion.Version
|
||||||
$versionNoPatch = [System.Version]::new($version.Major, $version.Minor, $version.Build)
|
$verNoPatch = [System.Version]::new($ver.Major, $ver.Minor, $ver.Build)
|
||||||
if ($versionNoPatch -lt $minVersion) {
|
if ($verNoPatch -lt $minVersion) {
|
||||||
Write-Output "Skipping: Windows ($versionNoPatch) is below minimum $minVersion ($versionName)"
|
Write-Output "Skipping: Windows ($verNoPatch) is below minimum $minVersion ($versionName)"
|
||||||
Exit 0
|
Exit 0
|
||||||
}
|
}
|
||||||
{{ end }}{{ with $maximumWindowsVersion }}
|
{{ end }}{{ with $maximumWindowsVersion }}
|
||||||
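Review bot: The rename to `$ver` and `$verNoPatch` is explained only in the commit message (avoiding the maximum batch-file line length); nothing at this site records the reason. Please note it in the docs of `RunPowerShellWithWindowsVersionConstraints`, otherwise a later readability pass is likely to restore `$version` and `$versionNoPatch` and reintroduce the length problem.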
@@ -37260,10 +37759,10 @@ functions:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
$maxVersion=[System.Version]::Parse($buildNumber)
|
$maxVersion=[System.Version]::Parse($buildNumber)
|
||||||
$version = [Environment]::OSVersion.Version
|
$ver = [Environment]::OSVersion.Version
|
||||||
$versionNoPatch = [System.Version]::new($version.Major, $version.Minor, $version.Build)
|
$verNoPatch = [System.Version]::new($ver.Major, $ver.Minor, $ver.Build)
|
||||||
if ($versionNoPatch -gt $maxVersion) {
|
if ($verNoPatch -gt $maxVersion) {
|
||||||
Write-Output "Skipping: Windows ($versionNoPatch) is above maximum $maxVersion ($versionName)"
|
Write-Output "Skipping: Windows ($verNoPatch) is above maximum $maxVersion ($versionName)"
|
||||||
Exit 0
|
Exit 0
|
||||||
}
|
}
|
||||||
{{ end }}{{ with $setupCode }}
|
{{ end }}{{ with $setupCode }}
|
||||||
@@ -38491,3 +38990,44 @@ functions:
|
|||||||
Write-Error 'Failed to restore'
|
Write-Error 'Failed to restore'
|
||||||
Exit 1
|
Exit 1
|
||||||
}
|
}
|
||||||
|
-
|
||||||
|
name: SetWebThreatDefensePolicyDisabledViaRegistry
|
||||||
|
parameters:
|
||||||
|
- name: valueName
|
||||||
|
docs: |-
|
||||||
|
This function configures **Enhanced Phishing Protection** in **Microsoft Defender SmartScreen** [2].
|
||||||
|
This feature is technically known as `WebThreatDefense` [1] [2] [3].
|
||||||
|
It was introduced in Windows 11 [3] and available only for Windows 11 versions [2].
|
||||||
|
|
||||||
|
The function sets the following registry key paths:
|
||||||
|
|
||||||
|
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components`:
|
||||||
|
This is used to set Group Policy Objects (GPOs) [2].
|
||||||
|
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components`:
|
||||||
|
This key lacks official documentation.
|
||||||
|
The component responsible for this functionality (`webthreatdefsvc.dll`) reads these configurations for its operation [3].
|
||||||
|
Tests (conducted on Windows 11 version 23H2 and later) show that access to this registry key requires `TrustedInstaller` privileges.
|
||||||
|
|
||||||
|
[1]: https://web.archive.org/web/20240720170645/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune "Enhanced Phishing Protection in Microsoft Defender SmartScreen - Windows Security | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[2]: https://web.archive.org/web/20240720170652/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-webthreatdefense "WebThreatDefense Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
|
||||||
|
[3]: https://web.archive.org/web/20240924170830/https://github.com/privacysexy-forks/10_0_25197_1000/blob/40c2bd1b216c06e28578a227b520a1bcf6531406/C/Windows/System32/webthreatdefsvc.dll.strings "10_0_25197_1000/C/Windows/System32/webthreatdefsvc.dll.strings at 40c2bd1b216c06e28578a227b520a1bcf6531406 · privacysexy-forks/10_0_25197_1000 | github.com"
|
||||||
|
call:
|
||||||
|
-
|
||||||
|
function: SetRegistryValue # GPO
|
||||||
|
parameters:
|
||||||
|
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components
|
||||||
|
valueName: "{{ $valueName }}"
|
||||||
|
dataType: REG_DWORD
|
||||||
|
data: '0'
|
||||||
|
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
|
||||||
|
minimumWindowsVersion: Windows11-FirstRelease
|
||||||
|
-
|
||||||
|
function: SetRegistryValue
|
||||||
|
parameters:
|
||||||
|
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WTDS\Components
|
||||||
|
valueName: "{{ $valueName }}"
|
||||||
|
dataType: REG_DWORD
|
||||||
|
data: '0'
|
||||||
|
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) | Tested since EdgeUpdate ≥ 1.3.187.41
|
||||||
|
minimumWindowsVersion: Windows11-FirstRelease # No TrustedInstaller is needed on Windows 10, but the functionality is missing so the script won't work.
|
||||||
|
elevateToTrustedInstaller: 'true' # Without TrustedInstaller: ✅ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2)
|
||||||
|
|||||||
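Review bot: Both `SetRegistryValue` calls in `SetWebThreatDefensePolicyDisabledViaRegistry` use `minimumWindowsVersion: Windows11-FirstRelease`, but the caller docs added in this commit state that the setting only applies to Windows 11, version 22H2 (10.0.22621) and later, and the `FeatureFlags` scripts already use `Windows11-22H2`. Use `Windows11-22H2` here too, so the values are not written on 21H2 where the feature is absent. The docs sentence "The function sets the following registry key paths" should also state that it writes `{{ $valueName }}` as `0` under both keys, and the `>= 20H2` in the last `elevateToTrustedInstaller` comment does not match the `≥ 22H2` baseline used in the other comments.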