diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 248f33fb..6410c579 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml 
@@ -14909,43 +14909,48 @@ actions: category: Privacy over security children: - - category: Disable Microsoft Defender + category: Disable Defender docs: |- - This category offers scripts to disable Windows security components known as *Microsoft Defender*. - Although designed to protect you, these features may compromise your privacy and decrease computer performance. + This category offers scripts to disable Windows security components related to Defender. + Defender is also referred to as **Microsoft Defender** [1] [2] [3] [4] [5] [6] [7] [8] or **Windows Defender** [3] [6] [7] [8]. + Although designed to protect you, its features may compromise your privacy and decrease computer performance. Privacy concerns include: - - Sending personal data to Microsoft for analysis [1] [2] [3]. - - The labeling of efforts to block telemetry (data collection by Microsoft) as security threats [4] [5]. - - The incorrect flagging of privacy-enhancing scripts from privacy.sexy as malicious software [6]. + - Sending personal data to Microsoft for analysis [1] [2] [9]. + This allows Microsoft to collect and potentially access your sensitive information. + - Flagging attempts to block Microsoft's telemetry (data collection) as security threats [3] [10]. + This prevents users from controlling what data Microsoft collects about them. + - Incorrectly identifying privacy-enhancing scripts from privacy.sexy as malicious software [4]. + This discourages users from using tools designed to protect their privacy. - Turning off Microsoft Defender improves your computer's speed by freeing up system resources [7]. + Turning off Defender also improves your computer's speed by freeing up system resources [5]. - However, disabling these features could result in: + However, disabling these features may result in: - - Potential program malfunctions [8], as these security features are integral to Windows [9]. 
+ - Potential program malfunctions [11], as these security features are integral to Windows [6]. - Lowered defenses against malware and other online threats. - These scripts target only the Defender features built into Windows and do not impact other Defender services available - with Microsoft 365 subscriptions [10] [11]. + These scripts are primarily designed to disable Defender features that come built into Windows. + They may also affect additional Defender products not included in the default Windows installation. + However, some Defender services available with Microsoft 365 subscriptions may remain unaffected + by these scripts [7] [8]. > **Caution**: > These scripts **may reduce your security** and **cause issues with software** relying on them. - > Consider an alternative security solutions to maintain protection. + > Consider an alternative security solution or careful security practices to maintain protection. [1]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" - [3]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" - [4]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" - [5]: 
https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" - [6]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" - [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" - [8]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [9]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" - [10]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" - [11]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" - # See defender status: Get-MpComputerStatus + [3]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ 
"Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com" + [4]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" + [5]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" + [6]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com" + [7]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [8]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn" + [9]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [10]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" + [11]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command 
line - Windows Security | Microsoft Learn | learn.microsoft.com" children: - category: Disable Defender data collection 
@@ -15500,407 +15505,73 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - category: Disable Microsoft Defender firewall + category: Disable Defender Antivirus docs: |- - This category provides scripts to disable the Microsoft Defender Firewall. + This category provides scripts to disable Defender Antivirus. - This firewall serves as a security gate for your computer. - It controls network traffic to and from a computer [1] [2] [3] [4] [5]. - It blocks all incoming traffic by default and allows outgoing traffic [1]. - It enables users to block connections [1] [3] [5] [6] [7]. - For enhanced security, users can require a VPN for all connections with IPSec rules [1] [3] [7]. - This can protect your computer from unauthorized access [1] [4] [6] [8]. + Defender Antivirus, integrated into Windows, provides protection against viruses, ransomware, and other + types of malware [1] [2] [3]. + + Disabling Defender Antivirus may improve system performance and privacy by stopping related data collection + However, disabling it may severely compromise your system's security if not complemented by proper security practices. + Carefully consider the trade-off before proceeding. - Microsoft has renamed the firewall several times to reflect branding changes: + **Defender Antivirus** comes with following concerns: - 1. **Internet Connection Firewall** initially [3]. - 2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3]. - 3. **Windows Defender Firewall** starting with Windows 10 build 1709 (September 2017) [4] [5]. - 4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6]. - 5. **Windows Firewall** again in 2023 [9]. + - It sends files and personal data [4] to **Microsoft's Cloud Protection Service (MAPS)** + (also known as **Microsoft Active Protection Service** or **Microsoft SpyNet**) for analysis [5] [6]. 
+ - Recent Windows versions deeply integrate Defender with mechanisms like **Early Boot Anti-Malware**, + **Tamper Protection**, making it extremely difficult to remove or uninstall [7] [8]. + This means that even if you want to stop using Defender for privacy reasons, these features make it + very difficult to do so using standard methods, keeping Microsoft's security and data collection systems + in place on your device. + - In 2020, Defender began flagging modifications to the hosts file that block Microsoft telemetry + as a security risk [8] [9]. + This prevents you from easily stopping Microsoft's data collection on your device. + - It flags privacy scripts as malicious, even though their purpose is to enhance privacy [8] [9]. + This discourages the use of tools designed to protect your personal data. + - Some reports suggest that Defender may consume significant system resources [10]. - Considerations: + **Defender Antivirus** evolution milestones: - - Malware or unauthorized users can bypass it if they gain direct access to the computer [10]. - - Default firewall settings often provide limited security unless properly configured [10]. - This is the case for most users. - - The firewall is enabled by default [1] [2] [4] [5]. - It still operates in the background when turned off [7]. - This can compromise privacy. - - Firewall logs detail user behavior [11]. - They fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). - This allows Microsoft to access and analyze these logs to study your behavior. + - Originally launched as **Windows AntiSpyware**, later renamed to **Windows Defender** [11]. + - Replaced **Microsoft Security Essentials** in Windows 8 [12]. + - **Windows Defender** is renamed to **Windows Defender Antivirus** in Windows 10 version 1703 [13]. + - First included in **Windows Security Center (WSC)** in the 1809 update [14]. 
+ Later, it became part of the **Windows Security** suite [4] [5] [6]. + - Renamed to **Microsoft Defender Antivirus** in the 2004 update [15]. + However, it's still frequently referred to as Windows Defender, even by Microsoft in its current + documentation [1]. - Turning off this firewall may optimize system performance by reducing background tasks [7]. - It enhances privacy by preventing the collection of firewall logs [11]. - However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8]. + To check if Defender Antivirus is active, you can use the following commands in a PowerShell prompt: - > **Caution**: - > Turning off the Microsoft Defender Firewall **may reduce your security**. - > Consider an alternative security solution to maintain protection. + - `Get-MpComputerStatus`: Displays the current state of Defender Antivirus [18]. + - `Get-MpPreference`: Shows the current configuration settings of Defender Antivirus [19]. - [1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" - [3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com" - [4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com" - [5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to 
Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com" - [6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com" - [7]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com" - [9]: https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com" - [10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au" - [11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com" + > **Caution:** + > Disabling antivirus protection may significantly reduce your system's security. + > Consider having alternative security measures in place and practicing safe computing habits. 
+ + [1]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement – Microsoft privacy | privacy.microsoft.com" + [5]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support" + [8]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | 
borncity.com" + [9]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com" + [10]: https://web.archive.org/web/20240819092823/https://www.dell.com/support/kbdoc/en-us/000128249/windows-defender-resolving-high-hard-disk-drive-and-cpu-usage-during-scans "Resolving High Hard Disk Drive and CPU Usage During Scans by Windows Defender | Dell US | www.dell.com" + [11]: https://web.archive.org/web/20051123220536/https://blogs.technet.com/antimalware/archive/2005/11/04/413700.aspx "Anti-Malware Engineering Team : What's in a name?? A lot!! Announcing Windows Defender! | blogs.technet.com" + [12]: https://web.archive.org/web/20200812011954/http://answers.microsoft.com/en-us/protect/forum/protect_start/windows-defender-and-microsoft-security-essentials/5309cb8d-02e1-40e8-974f-0dcedb9ab9fd + [13]: https://web.archive.org/web/20170602091134/https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1703 "What's in Windows 10, version 1703 | Microsoft Docs | docs.microsoft.com" + [14]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" + [15]: https://web.archive.org/web/20240819092635/https://blogs.windows.com/windows-insider/2019/07/26/announcing-windows-10-insider-preview-build-18945/ "Announcing Windows 10 Insider Preview Build 18945 | Windows Insider Blog | blogs.windows.com" + [16]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now 
flagged as a risk | www.bleepingcomputer.com" + [17]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com" + [18]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com" + [19]: https://web.archive.org/web/20240819105412/https://learn.microsoft.com/en-us/powershell/module/defender/get-mppreference?view=windowsserver2022-ps "Get-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" children: - - - category: Disable Microsoft Defender Firewall services and drivers - docs: |- - This section contains scripts to disable the essential services and drivers of Microsoft Defender Firewall. - - Microsoft Defender Firewall uses services and drivers to operate. - Services run background tasks, while drivers help hardware and software communicate. - - Even with the firewall disabled in settings, its services and drivers continue running [1], - potentially monitoring network traffic and consuming resources. - These scripts directly disable these components, bypassing standard Windows settings and their limitations. - - Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft. - Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components. - - However, this can pose security risks and disrupt other software. - Microsoft Defender Firewall blocks unauthorized network access to protect against malicious attacks [2]. - Disabling it can leave your system vulnerable to such threats. - Additionally, this could affect software relying on the firewall [1]. 
- - > **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1]. - - [1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - children: - - - name: >- - Disable "Windows Defender Firewall Authorization Driver" service - (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) - docs: |- # refactor-with-variables: Same • Firewall Service Caution - This script disables the **Windows Defender Firewall Authorization Driver** service. - - This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2]. - - Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. - It also improves system performance by decreasing background resource consumption. - - The driver is identified by the file `mpsdrv.sys` [1] [2] [3]. - This file is a component of **Microsoft Protection Service** [3]. - This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5]. - Disabling this driver disables **Windows Defender Firewall** [1] [2]. - This action can significantly increase security risks [6]. - - Restart your computer after running this script to ensure all changes take effect [7]. 
- - > **Caution**: Disabling this service causes problems with software that depends on it [8] such as: - > - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11]. - > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8]. - > - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13]. - > - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15]. - > - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16]. - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🟢 Running | Manual | - - [1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com" - [2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com" - [3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? 
| www.file.net" - [4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" - [5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" - [6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" - [7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy" - [8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" - [9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? 
– Walker News | www.walkernews.net" - [11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" - [12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" - [13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" - [14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" - [15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" - [16]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" - [17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - call: - - - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config - parameters: - serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: 
'%SYSTEMROOT%\System32\drivers\mpsdrv.sys' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - function: ShowComputerRestartSuggestion - - - name: >- - Disable "Windows Defender Firewall" service - (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) - docs: |- # refactor-with-variables: Same • Firewall Service Caution - This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]). - This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on - established security rules [1] [5] to prevent unauthorized access [3] [4]. - - This service runs the firewall component of Windows [4]. - It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3]. - This file is also referred to as **Microsoft Protection Service** [6]. - - Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services - [7] [8]. It also enforces **network isolation** in virtualized environments [7] [9]. - - Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. - It also improves system performance by decreasing background resource consumption. - However, it may expose the system to substantial security threats [10]. - This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the - firewall service stops unexpectedly [2]. - - Restart your computer after running this script to ensure all changes take effect [11]. - - > **Caution**: Disabling this service causes problems with software that depends on it [12] such as: - > - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14]. 
- > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15]. - > - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17]. - > - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19]. - > - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20]. - - ### Overview of default service statuses - - | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | - | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | - - [1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com" - [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com" - [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" - [4]: https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall "Windows Firewall - Wikipedia | wikipedia.org" - [5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" - [6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | 
STRONTIC | strontic.github.io" - [7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? – Walker News | www.walkernews.net" - [8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft." - [9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com" - [10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" - [11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. 
· Issue #364 · undergroundwires/privacy.sexy" - [12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" - [13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" - [14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" - [15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" - [16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" - [17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" - [18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" - [19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | 
docs.docker.com" - [20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" - call: - - - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config - parameters: - serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType - defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%WINDIR%\System32\mpssvc.dll' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - function: ShowComputerRestartSuggestion - - - name: Disable firewall via command-line utility - # ❗️ Following must be enabled and in running state: - # - mpsdrv ("Windows Defender Firewall Authorization Driver") - # - bfe (Base Filtering Engine) - # - mpssvc ("Windows Defender Firewall") - # If the dependent services are not running, the script fails with: - # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." - # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc - docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior - call: - function: RunPowerShell - parameters: - code: |- - if(!(Get-Command 'netsh' -ErrorAction Ignore)) { - throw '"netsh" does not exist, is system installed correctly?' - } - $message=netsh advfirewall set allprofiles state off 2>&1 - if($?) { - Write-Host "Successfully disabled firewall." - } else { - if($message -like '*Firewall service*') { - Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' 
- } else { - throw "Cannot disable: $message" - } - } - revertCode: |- - if(!(Get-Command 'netsh' -ErrorAction Ignore)) { - throw '"netsh" does not exist, is system installed correctly?' - } - $message=netsh advfirewall set allprofiles state on 2>&1 - if($?) { - Write-Host "Successfully enabled firewall." - } else { - if($message -like '*Firewall service*') { - Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' - } else { - throw "Cannot enable: $message" - } - } - - - name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning - docs: - - https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 - - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - 
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile - valueName: EnableFirewall - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Firewall & network protection" section in "Windows Security" - docs: |- - This script hides the "Firewall & network protection" section in the "Windows Security" interface. 
Previously, this interface was - called "Windows Defender Security Center" [1]. - - The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status - of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see - this section in the "Windows Security" interface [3]. - - This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown" registry - key to hide the Firewall and network protection area [3]. - - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" - [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection - valueName: UILockdown - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 - docs: - - 
https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender - valueName: DisableAntiSpyware - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender features - # Status: Get-MpPreference - children: - - - name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default - docs: - - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide - - https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ - - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection - # Managing with MpPreference module: - - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - call: - - - function: SetMpPreference - parameters: - # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' - property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection - value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 - default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force 
-PUAProtection | Set-MpPreference -Force -PUAProtection 0 - - - function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - valueName: MpEnablePus - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue # For newer Windows versions - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender - valueName: PUAProtection - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Tamper Protection docs: |- 
@@ -15993,6 +15664,53 @@ actions: dataType: REG_DWORD data: "2" dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2) + - + name: Disable outdated Defender Antivirus # Deprecated since Windows 10 version 1903 + docs: + - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender + valueName: DisableAntiSpyware + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Potentially Unwanted Application (PUA) protection # Already disabled as default + docs: + - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 + - https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide + - https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ + - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection + # Managing with MpPreference module: + - https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps + call: + - + function: SetMpPreference + parameters: + # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' + property: PUAProtection # Status: 
Get-MpPreference | Select-Object -Property PUAProtection + value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 + default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 + - + function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: MpEnablePus + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue # For newer Windows versions + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: PUAProtection + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable file hash computation feature # Added in Windows 10, version 2004 docs: 
@@ -16007,34 +15725,6 @@ actions: dataType: REG_DWORD data: "0" deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable "Windows Defender Exploit Guard" - docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ - children: - - - name: Disable prevention of users and apps from accessing dangerous websites - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - valueName: EnableNetworkProtection - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable controlled folder access - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access - valueName: EnableControlledFolderAccess - dataType: REG_DWORD - data: "0" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable network inspection system features children: 
@@ -16547,7 +16237,7 @@ actions: # parameters: # fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b' - - name: Disable auto-exclusions + name: Disable Defender auto-exclusions docs: - https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 @@ -17322,10 +17012,10 @@ actions: # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - - category: Disable Microsoft Defender reporting + category: Disable Defender reporting children: - - name: Disable Microsoft Defender logging + name: Disable Defender logging call: - function: SetRegistryValue @@ -17344,7 +17034,7 @@ actions: data: "0" dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) - - name: Disable Microsoft Defender ETW provider (Windows Event Logs) + name: Disable Defender ETW provider (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide 
@@ -17379,7 +17069,7 @@ actions: data: '1' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - name: Disable auditing events in Microsoft Defender Application Guard + name: Disable auditing events in Defender Application Guard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview 
@@ -17391,494 +17081,9 @@ actions: dataType: REG_DWORD data: '0' deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender user interface - children: - - - name: Remove "Windows Security" system tray icon - docs: |- - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray - valueName: HideSystray - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Remove "Scan with Microsoft Defender" from context menu - docs: |- - This script removes the **Scan with Microsoft Defender** option from the right-click context menu. - - This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. - Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. - - Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. - - > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. - - ### Technical Details - - The script functions by altering specific registry keys that correspond to the Defender context menu option. - It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. - The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. - - The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. 
- This feature is provided by `shellext.dll` file located in Defender's program files [1]. - - [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" - [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" - [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" - call: - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' - # Windows 10 (≥ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - # Windows 11 (≥ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' - valueName: ThreadingModel - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' - # Windows 10 (≥ 22H2) : Apartment (REG_SZ) - # Windows 11 (≥ 23H2) : Apartment (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: 'Apartment' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' 
- valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' - valueName: (Default) - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' - # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) - dataTypeOnRevert: REG_SZ - dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' - - - name: Remove "Windows Security" icon from taskbar - docs: |- - This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 - and was originally named "Windows Defender Security Center" [1]. - - The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. - - The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 - and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. 
- - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" - [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" - call: - function: DeleteRegistryValue - parameters: - keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' - valueName: SecurityHealth - # Default values: - # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' - # Windows 10 (≥ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - # Windows 11 (≥ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) - dataTypeOnRevert: REG_EXPAND_SZ - dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' - - - name: Disable Microsoft Defender Antimalware (AM) user interface - docs: |- - This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially - preventing user interactions with the Microsoft Defender Antivirus interface. - - Several reasons to hide the antivirus interface: - - 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing - its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more - in control of their data when they aren't constantly reminded of a running security service. - 2. 
**Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. - Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share - more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. - 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender - Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to - a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently - triggering options that might share data. - 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface - but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that - access has been restricted by the system administrator [2]. - - The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the - `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. 
- - [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" - [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable non-administrator access to threat history - docs: |- - This script disables privacy mode for Defender scans, limiting threat history access to administrators. - - By default, privacy mode is enabled [1]. - When active, it restricts the display of spyware and potentially dangerous programs to administrators only, - instead of all users on the computer [2]. - It blocks non-administrators from viewing threat history [1]. - - This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. - It has no impact on current platforms [1]. - - Limiting threat history to administrators has both benefits and drawbacks. - It improves security and privacy by limiting access to sensitive threat information. - However, it may reduce transparency and hinder security efforts for users without admin access who need this data. - - The script configures: - - 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. - It sets the value to `$True`, effectively disabling privacy mode [1]. - - 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. 
- This undocumented registry key has been verified to work on older Windows versions by the community [2]. - - [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" - [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" - [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" - call: - - - function: SetMpPreference - parameters: - property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode - value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True - default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - - - function: SetRegistryValueAsTrustedInstaller - # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: "DisablePrivacyMode" - dataType: REG_DWORD - data: "1" - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable sections in "Windows Security" - docs: |- - This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in - Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. - - "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display - in a restricted mode [1]. 
- - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - children: - - - name: Disable "Virus and threat protection" section in "Windows Security" - docs: |- - - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Ransomware data recovery" section in "Windows Security" - docs: |- - [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection - valueName: HideRansomwareRecovery - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Family options" section in "Windows Security" - docs: |- - - [Family options in Windows Security - 
Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Device performance and health" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Account protection" section in "Windows Security" - docs: |- - - [Device & performance health in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "App and browser control" section in "Windows Security" - docs: |- - - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable device security sections - children: - - - name: Disable "Device security" section in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: UILockdown - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Clear TPM" button in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableClearTpmButton - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Secure boot" button in "Windows Security" - docs: |- - [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) - call: - function: SetRegistryValue - parameters: - keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideSecureBoot - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" - docs: |- - [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: HideTPMTroubleshooting - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable "TPM Firmware Update" recommendation in "Windows Security" - docs: |- - - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security - valueName: DisableTpmFirmwareUpdateWarning - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable Defender notifications - children: - - - category: Disable Windows 
Security notifications - docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications - children: - - - name: Disable all Defender notifications - docs: - - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable non-critical Defender notifications - docs: - - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications - call: - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # 
Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - function: SetRegistryValue - parameters: - keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting - valueName: DisableEnhancedNotifications - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above - docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ - call: - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance - valueName: Enabled - dataType: REG_DWORD - data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable all Defender Antivirus notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress - call: - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - - function: SetRegistryValue - parameters: - keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration - valueName: Notification_Suppress - dataType: REG_DWORD - 
data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - name: Disable Defender reboot notifications - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification - call: - function: SetRegistryValue - parameters: - keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration - valueName: SuppressRebootNotification - dataType: REG_DWORD - data: '1' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - - category: Disable OS components for Defender # Hackers way of disabling Defender - children: - category: Disable Defender scheduled tasks children: - - - name: Disable "ExploitGuard MDM policy Refresh" task - docs: |- - This script disables the "ExploitGuard MDM policy Refresh" scheduled task. - - The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". - - Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. - It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. - - Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. - MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. - - Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. - - Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. 
- - ### Overview of default task statuses - - `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: - - | OS Version | Default status | - | ---------------- | -------------- | - | Windows 10 22H2 | 🟢 Ready | - | Windows 11 22H2 | 🟢 Ready | - - [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" - [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" - [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" - [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" - call: - function: DisableScheduledTask - parameters: - # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' - taskPathPattern: \Microsoft\Windows\ExploitGuard\ - taskNamePattern: ExploitGuard MDM policy Refresh - name: Disable "Windows Defender Cache Maintenance" task docs: |- 
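Review bot: this hunk deletes the parent node `category: Disable OS components for Defender # Hackers way of disabling Defender` and its `children:` line while `category: Disable Defender scheduled tasks children:` stays as unchanged context, so that node is being re-parented one level up and its indentation (and that of every task below it) has to change accordingly; the rendered page does not show indentation, so please confirm the YAML still parses with the intended tree. The same hunk removes, with no replacement visible, the scripts from "Disable non-administrator access to threat history" through "Disable Defender reboot notifications" (every "Windows Security" section toggle, the device-security toggles and all Defender notification toggles); if they are moved elsewhere in the file, say so in the commit message, otherwise this is a silent feature removal that should be called out explicitly rather than folded into a rename of "Disable Microsoft Defender" to "Disable Defender".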
@@ -18151,67 +17356,418 @@ actions: # parameters: # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... # grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender Firewall + docs: |- + This category provides scripts to disable the Defender Firewall. + + This firewall serves as a security gate for your computer. + It controls network traffic to and from a computer [1] [2] [3] [4] [5]. + It blocks all incoming traffic by default and allows outgoing traffic [1]. + It enables users to block connections [1] [3] [5] [6] [7]. + For enhanced security, users can require a VPN for all connections with IPSec rules [1] [3] [7]. + This can protect your computer from unauthorized access [1] [4] [6] [8]. + + Microsoft has renamed the firewall several times to reflect branding changes: + + 1. **Internet Connection Firewall** initially [3]. + 2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3]. + 3. **Windows Defender Firewall** starting with Windows 10 build 1709 (September 2017) [4] [5]. + 4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6]. + 5. **Windows Firewall** again in 2023 [9]. + + Considerations: + + - Malware or unauthorized users can bypass it if they gain direct access to the computer [10]. + - Default firewall settings often provide limited security unless properly configured [10]. + This is the case for most users. + - The firewall is enabled by default [1] [2] [4] [5]. + It still operates in the background when turned off [7]. + This can compromise privacy. + - Firewall logs detail user behavior [11]. + They fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement). + This allows Microsoft to access and analyze these logs to study your behavior. 
+ + Turning off this firewall may optimize system performance by reducing background tasks [7]. + It enhances privacy by preventing the collection of firewall logs [11]. + However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8]. + + > **Caution**: + > Turning off the Defender Firewall **may reduce your security**. + > Consider an alternative security solution to maintain protection. + + [1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com" + [4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com" + [5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com" + [6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com" + [7]: 
https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au" + [11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com" + children: + - + category: Disable Defender Firewall services and drivers + docs: |- + This section contains scripts to disable the essential services and drivers of Defender Firewall. + + Defender Firewall uses services and drivers to operate. + Services run background tasks, while drivers help hardware and software communicate. + + Even with the firewall disabled in settings, its services and drivers continue running [1], + potentially monitoring network traffic and consuming resources. + These scripts directly disable these components, bypassing standard Windows settings and their limitations. 
+ + Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft. + Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components. + + However, this can pose security risks and disrupt other software. + Defender Firewall blocks unauthorized network access to protect against malicious attacks [2]. + Disabling it can leave your system vulnerable to such threats. + Additionally, this could affect software relying on the firewall [1]. + + > **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1]. + + [1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + children: - - name: Disable "Windows Defender Advanced Threat Protection Service" service - docs: |- - https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ + name: >- + Disable "Windows Defender Firewall Authorization Driver" service + (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) + docs: |- # refactor-with-variables: Same • Firewall Service Caution + This script disables the **Windows Defender Firewall Authorization Driver** service. - ### Overview of default service statuses + This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2]. 
- | OS Version | Status | Start type | - | ---------- | -------| ---------- | - | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | - call: - - - function: DisableServiceInRegistry - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - parameters: - serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType - defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - - - function: SoftDeleteFiles - parameters: - fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' - grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - - - name: Disable "Windows Security Service" service - docs: |- - This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. - This service provides unified device protection and health information [2] [3]. + Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. + It also improves system performance by decreasing background resource consumption. - It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. - Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. - By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + The driver is identified by the file `mpsdrv.sys` [1] [2] [3]. 
+ This file is a component of **Microsoft Protection Service** [3]. + This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5]. + Disabling this driver disables **Windows Defender Firewall** [1] [2]. + This action can significantly increase security risks [6]. - The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. + Restart your computer after running this script to ensure all changes take effect [7]. + + > **Caution**: Disabling this service causes problems with software that depends on it [8] such as: + > - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11]. + > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8]. + > - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13]. + > - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15]. + > - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16]. 
### Overview of default service statuses | OS Version | Status | Start type | | ---------- | -------| ---------- | | Windows 10 (≥ 22H2) | 🟢 Running | Manual | - | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + | Windows 11 (≥ 23H2) | 🟢 Running | Manual | - [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" - [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" - [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" - [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states + [1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com" + [2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com" + [3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? 
| www.file.net" + [4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" + [5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" + [6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" + [7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy" + [8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? 
– Walker News | www.walkernews.net" + [11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" + [12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" + [13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" + [14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" + [15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com" + [16]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" + [17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" call: - - # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` - function: DisableServiceInRegistryAsTrustedInstaller + function: DisableServiceInRegistry # We must disable it on 
registry level, "Access is denied" for sc config parameters: - serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType + serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - function: SoftDeleteFiles parameters: - fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' + fileGlob: '%SYSTEMROOT%\System32\drivers\mpsdrv.sys' grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: ShowComputerRestartSuggestion + - + name: >- + Disable "Windows Defender Firewall" service + (breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL) + docs: |- # refactor-with-variables: Same • Firewall Service Caution + This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]). + This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on + established security rules [1] [5] to prevent unauthorized access [3] [4]. + + This service runs the firewall component of Windows [4]. + It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3]. + This file is also referred to as **Microsoft Protection Service** [6]. + + Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services + [7] [8]. It also enforces **network isolation** in virtualized environments [7] [9]. + + Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic. + It also improves system performance by decreasing background resource consumption. + However, it may expose the system to substantial security threats [10]. 
+ This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the + firewall service stops unexpectedly [2]. + + Restart your computer after running this script to ensure all changes take effect [11]. + + > **Caution**: Disabling this service causes problems with software that depends on it [12] such as: + > - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14]. + > - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15]. + > - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17]. + > - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19]. + > - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20]. + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Automatic | + | Windows 11 (≥ 23H2) | 🟢 Running | Automatic | + + [1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com" + [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com" + [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com" + [4]: https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall 
"Windows Firewall - Wikipedia | wikipedia.org" + [5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com" + [6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" + [7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? – Walker News | www.walkernews.net" + [8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft." + [9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" + [11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. 
· Issue #364 · undergroundwires/privacy.sexy" + [12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com" + [13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy" + [14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com" + [15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" + [16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy" + [17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com" + [18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy" + [19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | 
docs.docker.com" + [20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com" + call: + - + function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config + parameters: + serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType + defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\mpssvc.dll' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + function: ShowComputerRestartSuggestion + - + name: Disable firewall via command-line utility + # ❗️ Following must be enabled and in running state: + # - mpsdrv ("Windows Defender Firewall Authorization Driver") + # - bfe (Base Filtering Engine) + # - mpssvc ("Windows Defender Firewall") + # If the dependent services are not running, the script fails with: + # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." + # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc + docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior + call: + function: RunPowerShell + parameters: + code: |- + if(!(Get-Command 'netsh' -ErrorAction Ignore)) { + throw '"netsh" does not exist, is system installed correctly?' + } + $message=netsh advfirewall set allprofiles state off 2>&1 + if($?) { + Write-Host "Successfully disabled firewall." + } else { + if($message -like '*Firewall service*') { + Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' 
+ } else { + throw "Cannot disable: $message" + } + } + revertCode: |- + if(!(Get-Command 'netsh' -ErrorAction Ignore)) { + throw '"netsh" does not exist, is system installed correctly?' + } + $message=netsh advfirewall set allprofiles state on 2>&1 + if($?) { + Write-Host "Successfully enabled firewall." + } else { + if($message -like '*Firewall service*') { + Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' + } else { + throw "Cannot enable: $message" + } + } + - + name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning + docs: + - https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 + - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + 
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Firewall & network protection" section in "Windows Security" + docs: |- + This script hides the "Firewall & network protection" section in the "Windows Security" interface. 
Previously, this interface was + called "Windows Defender Security Center" [1]. + + The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status + of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see + this section in the "Windows Security" interface [3]. + + This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown" registry + key to hide the Firewall and network protection area [3]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection + valueName: UILockdown + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender for Endpoint + docs: |- + This category provides scripts to disable Defender for Endpoint, a security platform that impacts + user privacy. 
+ + Defender for Endpoint is officially known as **Microsoft Defender for Endpoint** [1] [2] [3]. + It was previously called **Microsoft Defender Advanced Threat Protection (ATP)** [1] [4]. + It is designed to protect enterprise networks from advanced threats [1] [3]. + + An **advanced threat**, also known as an **Advanced Persistent Threat (APT)**, is a type of cyber + attack that uses continuous, covert, and sophisticated methods to gain and maintain unauthorized + access to a system for an extended period [5]. + These attacks usually target high-value entities such as nation states and large corporations [5]. + + Although designed for security, this service raises significant privacy concerns. + Microsoft collects and stores device details, including information about files, processes, + system configurations, and network connections [2]. + + Some components of Defender for Endpoint are included by default in consumer versions of Windows [4], + potentially exposing personal user data. + + Disabling this service can enhance privacy by limiting data collection and sharing with Microsoft. + It may also improve system performance by reducing background processes and resource usage. + However, disabling this service may reduce your device's security against advanced threats. + + > **Caution:** + > Disabling this service may reduce your device's security. + > Consider alternative protection methods and practice enhanced security awareness. 
+ + [1]: https://web.archive.org/web/20240716092018/https://www.microsoft.com/en-us/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/ "Microsoft delivers unified SIEM and XDR to modernize security operations | Microsoft Security Blog | www.microsoft.com" + [2]: https://web.archive.org/web/20240821073232/https://learn.microsoft.com/en-us/defender-endpoint/data-storage-privacy "Microsoft Defender for Endpoint data storage and privacy - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [3]: https://web.archive.org/web/20240821073223/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint "Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240609160137/https://batcmd.com/windows/11/services/sense/ "Windows Defender Advanced Threat Protection Service - Windows 11 Service - batcmd.com | batcmd.com" + [5]: https://web.archive.org/web/20240821074532/https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats "What Is an Advanced Persistent Threat (APT)? 
| www.kaspersky.com" + children: + - + name: Disable "Windows Defender Advanced Threat Protection Service" service + docs: |- + https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/ + + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🔴 Stopped | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + call: + - + function: DisableServiceInRegistry + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + parameters: + serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - category: Disable SmartScreen docs: |- # refactor-with-variables: • SmartScreen Caution 
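Review bot: In the `Disable firewall via command-line utility` script, the fallback check `if($message -like '*Firewall service*')` cannot match the error the comment above it documents (`An error occurred while attempting to contact the "Windows Defender Firewall" service.`), because the closing quote sits between `Firewall` and `service`; use `'*Firewall*service*'` or, more robustly, test `(Get-Service -Name 'MpsSvc').Status` before calling `netsh` so the hint does not depend on a localized message. Two smaller points in the same hunk: the `Disable "Windows Defender Firewall" service` docs call `%WINDIR%\System32\MPSSVC.dll` a driver, while the CLI script's own comment identifies the driver as `mpsdrv` ("Windows Defender Firewall Authorization Driver", `mpsdrv.sys`); `MPSSVC.dll` is the service DLL, so say "service DLL". Also the `mpsdrv` `SoftDeleteFiles` glob uses `%SYSTEMROOT%\System32\drivers\mpsdrv.sys` while every other glob in this hunk uses `%WINDIR%`; pick one for consistency.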
@@ -19238,6 +18794,674 @@ actions: parameters: fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe' grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2 + - + category: Disable Windows Security interface + docs: |- + This category offers scripts to disable or modify different aspects of the **Windows Security** user interface, + formerly known as **Windows Defender Security Center**. + + **Windows Security** is a centralized interface managing various Windows security features [1] [2] [3] [4]. + It evolved from **Windows Defender**, initially a standalone antivirus with its own interface [5]. + Over time, Microsoft separated the management interface from the core antivirus component [6]. + + The evolution of Windows Security: + + 1. With launch of Windows 10, Microsoft removed the separate settings window from Windows Defender, replacing + it with a dedicated page in the main Settings app [6]. + 2. Windows 10 version 1703 introduced **Windows Defender Security Center (WDSC)**, combining Windows Defender's + interface with **Windows Security and Maintenance** [7]. + 3. Version 1803 renamed the Windows Defender settings page to **Windows Security** and redesigned it to emphasize + various protection areas [3]. + 4. In version 1809, **Windows Defender Security Center** was renamed to **Windows Security (WSC)** [1] [2] [4] [8]. + + Windows Security features include: + + - **Virus & threat protection:** [1] [2]: + Manages antivirus scans and updates [1] [2]. + It includes managing **Defender Antivirus** [1] [2] [8]. + - **Account protection:** [1] [2] + Handles sign-in options and account settings, including **Windows Hello** [1] [2]. + - **Firewall & network protection:** [1] [2] + Controls firewall settings and monitors network connections [1] [2]. + **Windows Security** brand does not include the firewall component **Windows Firewall** [8]. 
+ However, it allows viewing and managing it, including turning it on and off [9]. + - **App & browser control:** [1] [2] + Manages Microsoft Defender SmartScreen settings to protect against potentially harmful apps, files, and downloads [1]. + - **Device security:** [1] [2] + Oversees built-in security features to protect against malware attacks [1] [2]. + - **Device performance & health** [1] [2]: + Monitors device health and provides system update information [1]. + - **Family options:** [1] [2] + Allows management of family online activity and connected devices [1] [2]. + + Scripts in this disables or adjust Windows Security components to: + + - Minimize data collection by limiting interactions with Microsoft's security services + - Increase user control over security settings by blocking UI access to Defender + + This allows users to decide which security features to manage or disable without interference. + However, be aware that limiting access to these settings may result in inadequate responses to + security threats, potentially making the system more vulnerable. + + > **Caution:** + > Disabling these features may prevent you from configuring and viewing Defender settings, which may reduce your + > system's security and convenience. + > Consider alternative security measures if you disable Windows Security components. 
+ + [1]: https://web.archive.org/web/20240819080500/https://support.microsoft.com/en-us/office/stay-protected-with-windows-security-ae70cc96-a9cd-4443-a210-e41cb973d3a6 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" + [3]: https://web.archive.org/web/20240819081122/https://betawiki.net/wiki/Windows_10_build_17093 "Windows 10 build 17093 - BetaWiki | betawiki.net" + [4]: https://web.archive.org/web/20240819081301/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-1809#windows-security-center "What's new in Windows 10, version 1809 - Windows 10 | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20201219170833/https://www.digitalcitizen.life/windows-defender-windows-8-and-windows-7-what-s-new-and-different/ "Windows Defender in Windows 8 and Windows 7 - What's New & Different? 
| Digital Citizen | www.digitalcitizen.life" + [6]: https://web.archive.org/web/20240819080906/https://en.wikipedia.org/wiki/Microsoft_Defender_Antivirus "Microsoft Defender Antivirus - Wikipedia | en.wikipedia.org" + [7]: https://web.archive.org/web/20170803091535/https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus + [8]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com" + [9]: https://web.archive.org/web/20240819080607/https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-xdr "Microsoft Defender XDR | Microsoft Security | www.microsoft.com" + children: + - + name: Disable "Windows Security Service" service + docs: |- + This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. + This service provides unified device protection and health information [2] [3]. + + It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. + Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. + By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + + The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. 
+ + ### Overview of default service statuses + + | OS Version | Status | Start type | + | ---------- | -------| ---------- | + | Windows 10 (≥ 22H2) | 🟢 Running | Manual | + | Windows 11 (≥ 23H2) | 🔴 Stopped | Manual | + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" + [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states + call: + - + # Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + # Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller` + function: DisableServiceInRegistryAsTrustedInstaller + parameters: + serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType + defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual + - + function: SoftDeleteFiles + parameters: + fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' + grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 + - + category: Disable Defender user interface + children: + - + name: Remove "Windows Security" system tray icon + docs: |- + 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray + valueName: HideSystray + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Remove "Scan with Defender" from context menu + docs: |- + This script removes the **Scan with Microsoft Defender** option from the right-click context menu. + + This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes. + Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted. + + Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions. + + > **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders. + + ### Technical Details + + The script functions by altering specific registry keys that correspond to the Defender context menu option. + It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2]. + The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3]. + + The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu. + This feature is provided by `shellext.dll` file located in Defender's program files [1]. 
+ + [1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io" + [2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com" + [3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com" + call: + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)' + # Windows 10 (≥ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) + # Windows 11 (≥ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll' + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' + valueName: ThreadingModel + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel' + # Windows 10 (≥ 22H2) : Apartment (REG_SZ) + # Windows 11 (≥ 23H2) : Apartment (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: 'Apartment' + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 
'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' + valueName: (Default) + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)' + # Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + # Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ) + dataTypeOnRevert: REG_SZ + dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}' + - + name: Remove "Windows Security" icon from taskbar + docs: |- + This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 + and was originally named "Windows Defender Security Center" [1]. + + The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. + + The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 + and Windows 10 22H2) with default value of `%WINDIR%\system32\SecurityHealthSystray.exe`. 
+ + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" + [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + call: + function: DeleteRegistryValue + parameters: + keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' + valueName: SecurityHealth + # Default values: + # Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth' + # Windows 10 (≥ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) + # Windows 11 (≥ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ) + dataTypeOnRevert: REG_EXPAND_SZ + dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe' + - + name: Disable Defender Antivirus interface + docs: |- + This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially + preventing user interactions with the Microsoft Defender Antivirus interface. + + Several reasons to hide the antivirus interface: + + 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing + its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more + in control of their data when they aren't constantly reminded of a running security service. + 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. 
+ Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share + more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. + 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender + Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to + a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently + triggering options that might share data. + 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface + but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that + access has been restricted by the system administrator [2]. + + The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the + `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. 
+ + [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" + [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable non-administrator access to Defender threat history + docs: |- + This script disables privacy mode for Defender scans, limiting threat history access to administrators. + + By default, privacy mode is enabled [1]. + When active, it restricts the display of spyware and potentially dangerous programs to administrators only, + instead of all users on the computer [2]. + It blocks non-administrators from viewing threat history [1]. + + This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1]. + It has no impact on current platforms [1]. + + Limiting threat history to administrators has both benefits and drawbacks. + It improves security and privacy by limiting access to sensitive threat information. + However, it may reduce transparency and hinder security efforts for users without admin access who need this data. + + The script configures: + + 1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3]. + It sets the value to `$True`, effectively disabling privacy mode [1]. + + 2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2]. 
+ This undocumented registry key has been verified to work on older Windows versions by the community [2]. + + [1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com" + [2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru" + [3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one" + call: + - + function: SetMpPreference + parameters: + property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode + value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True + default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False + - + function: SetRegistryValueAsTrustedInstaller + # Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2) + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: "DisablePrivacyMode" + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable sections in "Windows Security" + docs: |- + This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in + Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + + "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display + in a restricted mode [1]. 
+ + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + children: + - + name: Disable "Virus and threat protection" section in "Windows Security" + docs: |- + - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) + - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Ransomware data recovery" section in "Windows Security" + docs: |- + [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: HideRansomwareRecovery + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Family options" section in "Windows Security" + docs: |- + - [Family options in Windows Security - 
Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) + - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Device performance and health" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) + - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Account protection" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) + - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "App and browser control" section in "Windows Security" + docs: |- + - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) + - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable device security sections + children: + - + name: Disable "Device security" section in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) + - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Clear TPM" button in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) + - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableClearTpmButton + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Secure boot" button in "Windows Security" + docs: |- + [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) + call: + function: SetRegistryValue + parameters: + keyPath: 
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideSecureBoot + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" + docs: |- + [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideTPMTroubleshooting + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "TPM Firmware Update" recommendation in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) + - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableTpmFirmwareUpdateWarning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender notifications + children: + - + category: Disable Windows 
Security notifications + docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications + children: + - + name: Disable all Defender notifications + docs: + - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable non-critical Defender notifications + docs: + - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # 
Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable security and maintenance notifications # For Windows 10 build 1607 and above + docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable all Defender Antivirus notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 
'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable Defender reboot notifications + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: SuppressRebootNotification + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + category: Disable Defender Exploit Guard + docs: |- + This category disables Windows Defender Exploit Guard, potentially enhancing privacy and + system performance. + + Exploit Guard is also called **Windows Defender Exploit Guard** [1] [2] [3] [4] [5] + or **Microsoft Defender Exploit Guard** [6]. + This component has been a built-in feature of Windows 10 since version 1709 [1] [5]. + It's the successor to the **Enhanced Mitigation Experience Toolkit (EMET)** [1] [5]. + + Exploit Guard uses Microsoft Cloud for machine learning and to check websites and IP addresses [1]. + Disabling it may enhance privacy by preventing these connections. + It may improve system performance by reducing background processes. + It also increases user autonomy by enabling choices about which programs, scripts, and websites can connect + without automatic intervention. + + Disabling Exploit Guard may reduce protection against certain types of attacks. + Users should carefully weigh the trade-offs between enhanced privacy/performance and potential security + risks when disabling this feature. + + Exploit Guard consists of four main components: + + 1. **Attack Surface Reduction (ASR):** + Blocks Office-, script-, and email-based threats [1] [2] [7]. + 2. **Network protection:** + Blocks outbound connections to untrusted hosts/IP addresses using Defender SmartScreen [1] [2] [4]. 
+ It extends SmartScreen to the operating system level [4]. + 3. **Controlled folder access:** + Protects sensitive data from ransomware by blocking untrusted processes from accessing protected folders [1] [2] [3]. + 4. **Exploit protection:** + Applies exploit mitigation techniques to operating system processes and applications [1] [2] [3]. + + These components are enabled and configured by default on Windows 10 and 11 [1] [3] [8]. + They can also be remotely configured and set up in managed environments, such as enterprise organizations [2]. + Disabling Exploit Guard can affect local or organizational configurations, such as those set by schools or employers. + + Defender Antivirus is the built-in antimalware component in Windows [5]. + Exploit Guard operates independently from Defender Antivirus [5]. + However, some features, like Attack Surface Reduction, depend on Defender Antivirus to function [1]. + Exploit Guard may also require Defender Antivirus for some of its configurations [6]. + + Exploit Guard is included in **Microsoft Defender for Endpoint** suite [9] [10]. + Defender for Endpoint enhances its functionality by providing additional detailed reporting into + exploit protection events and blocks as part of the usual alert investigation scenarios [10]. + Disabling Exploit Guard may impair the functionality of Defender for Endpoint. + + > **Caution:** + > Disabling Exploit Guard may lower your security if you do not have proper security practices + > or alternative protections in place. 
+ + [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ + [2]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" + [3]: https://web.archive.org/web/20240821075921/https://learn.microsoft.com/en-us/defender-endpoint/enable-exploit-protection "Turn on exploit protection to help mitigate against attacks - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [4]: https://web.archive.org/web/20240821075805/https://learn.microsoft.com/en-us/defender-endpoint/network-protection "Use network protection to help prevent connections to bad sites - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [5]: https://web.archive.org/web/20240821075906/https://msrc.microsoft.com/blog/2017/08/moving-beyond-emet-ii-windows-defender-exploit-guard/ "Moving Beyond EMET II – Windows Defender Exploit Guard | MSRC Blog | Microsoft Security Response Center | msrc.microsoft.com" + [6]: https://web.archive.org/web/20240821080834/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-using-powershell#advanced-threat-and-exploit-mitigation-and-prevention-controlled-folder-access "Evaluate Microsoft Defender Antivirus using PowerShell. 
- Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [7]: https://web.archive.org/web/20240821075836/https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction "Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [8]: https://web.archive.org/web/20240821075914/https://learn.microsoft.com/en-us/defender-endpoint/controlled-folders "Protect important folders from ransomware from encrypting your files with controlled folder access - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [9]: https://web.archive.org/web/20240821075742/https://learn.microsoft.com/en-us/defender-endpoint/overview-attack-surface-reduction "Understand and use attack surface reduction - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + [10]: https://web.archive.org/web/20240821075844/https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection "Apply mitigations to help prevent attacks through vulnerabilities - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com" + children: + - + name: Disable prevention of users and apps from accessing dangerous websites + docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + valueName: EnableNetworkProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable controlled folder access + docs: + - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess + - 
https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access + valueName: EnableControlledFolderAccess + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + name: Disable "ExploitGuard MDM policy Refresh" task + docs: |- + This script disables the "ExploitGuard MDM policy Refresh" scheduled task. + + The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". + + Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. + It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. + + Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. + MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. + + Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. + + Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. 
+ + ### Overview of default task statuses + + `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: + + | OS Version | Default status | + | ---------------- | -------------- | + | Windows 10 22H2 | 🟢 Ready | + | Windows 11 22H2 | 🟢 Ready | + + [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" + [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" + [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" + [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" + call: + function: DisableScheduledTask + parameters: + # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' + taskPathPattern: \Microsoft\Windows\ExploitGuard\ + taskNamePattern: ExploitGuard MDM policy Refresh - category: Disable automatic updates docs: |-
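Review bot: the "Disable non-administrator access to Defender threat history" script does the opposite of what its name says. Its own docs state that privacy mode is enabled by default, that privacy mode "restricts the display of spyware and potentially dangerous programs to administrators only" and "blocks non-administrators from viewing threat history", and that the script sets `DisablePrivacyMode` to `$True`, "effectively disabling privacy mode". Disabling privacy mode lifts that restriction, so `Set-MpPreference -Force -DisablePrivacyMode $True` and the `DisablePrivacyMode = 1` registry write grant non-administrators access instead of limiting it. Either rename the script and rewrite the opening sentence ("limiting threat history access to administrators") to say it allows non-administrator access, or drop it, since the default already restricts access. The "no impact on current platforms [1]" sentence also sits oddly beside a `SetRegistryValueAsTrustedInstaller` call annotated as required on Windows 10 Pro (>= 20H2) and Windows 11 Pro (>= 23H2); if the setting is legacy-only, say why the hardened registry write is still shipped.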
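Review bot: in "Disable prevention of users and apps from accessing dangerous websites", `data: "1"` turns network protection on rather than off. The cited `ExploitGuard_EnableNetworkProtection` policy maps 0 = Disable (the default), 1 = Block and 2 = Audit, and the sibling "Disable controlled folder access" script correctly writes `data: "0"`. Change the value to `"0"`; given the value is marked "Missing by default", consider whether the script needs to write anything when the key is absent. In the same category, the docs claim the four Exploit Guard components "are enabled and configured by default on Windows 10 and 11 [1] [3] [8]", but the cited [4] and [8] are the pages for turning network protection and controlled folder access on, and both scripts here note their policy values are missing by default; only exploit protection mitigations are on out of the box, so narrow that sentence.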
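Review bot: the revert data for the shell extension and tray icon entries disagree with the recorded defaults. For the `InprocServer32` `(Default)` value, the comment records `C:\Program Files\Windows Defender\shellext.dll (REG_SZ)` while `dataOnRevert` writes `%ProgramFiles%\Windows Defender\shellext.dll` as `REG_SZ`; COM does not environment-expand a REG_SZ server path, so unless `DeleteRegistryValue` expands variables before writing, revert leaves a literal `%ProgramFiles%` string and the context-menu handler fails to load. Write the expanded path, or use REG_EXPAND_SZ. The `Run!SecurityHealth` entry has the mirror problem: the comment says REG_SZ, `dataTypeOnRevert` says REG_EXPAND_SZ. `Get-ItemProperty` expands REG_EXPAND_SZ data and does not show the value kind, so the types in the "Check" comments were probably not observed; confirm with `(Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run').GetValueKind('SecurityHealth')` and make comment and revert type agree. Minor: the tray icon docs say "tested since Windows 11 22H2" while the comment block records Windows 11 (>= 23H2).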
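Review bot: "Disable all Defender Antivirus notifications" writes `Notification_Suppress` under `HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration` and `HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration`, but the sibling "Disable Defender reboot notifications" and "Disable Defender Antivirus interface" scripts write the same `UX Configuration` policy key under HKLM, and the cited `UX_Configuration_*` admx policies are machine policies; a per-user Policies key is not read by the engine. Move both values to HKLM. Two link slips in the same region: the "Disable all Defender notifications" docs point at the `#disableenhancednotifications` anchor of the policy CSP page although the value written is `DisableNotifications` (the `#disablenotifications` anchor is the matching one), and the first link under "Disable "Account protection" section" is labelled "Device & performance health in Windows Security" while its URL is the wdsc-account-protection page. The [3] title under the "ExploitGuard MDM policy Refresh" task also reads "nist.gov" for a media.defense.gov URL.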
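Review bot: the "Reduced data sharing" bullet in "Disable Defender Antivirus interface" is the only reason without a citation, and the cited [1] and [2] describe `UILockdown` as hiding or restricting the client interface, not as changing what Defender reports to Microsoft. Hiding the UI leaves cloud-delivered protection and sample submission exactly as configured, so either cite a source for the claim or cut the bullet back to the UX effect (fewer prompts, fewer accidental clicks) that [2] supports.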