Fix Defender features errors in Windows #104

- Refactor to use `Set-MpPreference` in a function instead.
- Better support for both Windows 10 and Windows 11 with platform-specific
  logic, because `Remove-MpPreference` works poorly on Windows 10:
     * Use `Remove-MpPreference` on Windows 11, but switch to
       `Set-MpPreference` for some edge cases using a flag.
     * Use `Set-MpPreference` on Windows 10 by default, and use
       `Remove-MpPreference` only for the small number of cases where it is
       supported.
- Set default value instead of `Remove-MpPreference` on Windows 10 when
  it does not work as expected.
- Improve error messages when:
  * Command name (cmdlet) is not supported
  * Command parameter is not support
  * Failing due to Defender service not working
  * Argument is not supported (e.g. for 'Broad')
- Skip if a parameter or argument is not supported instead of failing.
- Set OS defaults when using `Set-MpPreference` when `Remove-MpPreference`
  does not set the OS defaults.
- Skip setting the setting if it already is as desired.
- Remove redundant scripts in "Disable remediation actions" setting
  `LowThreatDefaultAction`, `ModerateThreatDefaultAction`,
  `HighThreatDefaultAction` and `SevereThreatDefaultAction`. As they are
  all controlled by and limited to value of `UnknownThreatDefaultAction`.
- Fix registry policies not matching cmdlet behavior:
     > CheckForSignaturesBeforeRunningScan
     > SignatureUpdateCatchupInterval
- Fix reverting registry policies (`reg delete` command and error
  output):
    > Disable Malicious Software Reporting tool diagnostic data
    > Turn off block at first sight
- Fix DisableCatchupQuickScan MpPreference command being in wrong
  category by moving it to its right category and adding its correct
  equivalent.
This commit is contained in:
undergroundwires
2021-11-17 00:03:59 +01:00
parent bf83c58982
commit d7761ab30e


@@ -2618,17 +2618,16 @@ actions:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False (enabled) property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen
# Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True
code: try { Set-MpPreference -Force -DisableBlockAtFirstSeen $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False
revertCode: try { Remove-MpPreference -Force -DisableBlockAtFirstSeen } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul
- -
name: Set maximum time possible for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" name: Set maximum time possible for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required"
docs: docs:
@@ -2666,12 +2665,11 @@ actions:
call: call:
# 0: Disabled, 1: Basic, 2: Advanced (default) # 0: Disabled, 1: Basic, 2: Advanced (default)
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 2 (Advanced) property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting
# Status: Get-MpPreference | Select-Object -Property MAPSReporting value: "'0'" # Set: Set-MpPreference -Force -MAPSReporting 0
code: try { Set-MpPreference -Force -MAPSReporting 0 } catch { Write-Warning 'Function not found'; exit 1 } default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2
revertCode: try { Remove-MpPreference -Force -MAPSReporting } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -2689,15 +2687,12 @@ actions:
call: call:
# 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically' # 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically'
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 1 (Send safe samples automatically) property: SubmitSamplesConsent # Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent
# Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2
code: try { Set-MpPreference -Force -SubmitSamplesConsent 2 } catch { Write-Warning 'Function not found'; exit 1 } default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1
# revertCode: try { Set-MpPreference -Force -SubmitSamplesConsent 1 } catch { Write-Warning 'Function not found'; exit 1 } setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 1 (OS default) in Windows 11
revertCode: try { Remove-MpPreference -Force -SubmitSamplesConsent } catch { Write-Warning 'Function not found'; exit 1 }
# ❌ Remove-MpPreference does not work in Windows 10 21H1, and sets it to 0 instead 1 (OS default) in Windows 11
# ❌ Remove-MpPreference -EnableFileHashComputation fails on Windows 10 with NamedParameterNotFound, successful on Windows 11
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -2708,7 +2703,7 @@ actions:
recommend: strict recommend: strict
docs: https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection docs: https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul
- -
name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS" name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS"
recommend: strict recommend: strict
@@ -2716,7 +2711,7 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul
- -
name: Disable the Potentially Unwanted Application (PUA) feature name: Disable the Potentially Unwanted Application (PUA) feature # Already disabled as default
docs: docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
@@ -2727,13 +2722,12 @@ actions:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 0
# 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode'
# Status: Get-MpPreference | Select-Object -Property PUAProtection property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection
code: try { Set-MpPreference -Force -PUAProtection 0 } catch { Write-Warning 'Function not found'; exit 1 } value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0
revertCode: try { Remove-MpPreference -Force -PUAProtection } catch { Write-Warning 'Function not found'; exit 1 } # Sets to 0 default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -2821,13 +2815,13 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring
call: # Enabled by default (DisableRealtimeMonitoring is false) call: # Enabled by default (DisableRealtimeMonitoring is false)
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring
# Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True
# ❌ Windows 11: Does not fail but does not set the value | ✅ Windows 10: Works as expected # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
code: try { Set-MpPreference -Force -DisableRealtimeMonitoring $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False
revertCode: try { Remove-MpPreference -Force -DisableRealtimeMonitoring } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -2842,13 +2836,13 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: empty (no value) property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem
# Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True
# ❌ Windows 11 and Windows 10: Does not fail but does not set the value # ❌ Windows 11 and Windows 10: Does not fail but does not change the value
code: try { Set-MpPreference -Force -DisableIntrusionPreventionSystem $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False
revertCode: try { Remove-MpPreference -Force -DisableIntrusionPreventionSystem } catch { Write-Warning 'Function not found'; exit 1 } # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -2871,13 +2865,12 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring
# Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True
# ❌ Windows 11: Does not fail but does not set the value | ✅ Windows 10: Works as expected # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
code: try { Set-MpPreference -Force -DisableBehaviorMonitoring $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False
revertCode: try { Remove-MpPreference -Force -DisableBehaviorMonitoring } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -2900,13 +2893,12 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection
# Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True
# ❌ Windows 11: Does not fail but does not set the value | ✅ Windows 10: Works as expected # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected
code: try { Set-MpPreference -Force -DisableIOAVProtection $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False
revertCode: try { Remove-MpPreference -Force -DisableIOAVProtection } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -2929,7 +2921,7 @@ actions:
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul
- -
name: Disable bidirectional scanning of incoming and outgoing file and program activity name: Disable bidirectional scanning of incoming and outgoing file and program activity
docs: docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection
# Managing with MpPreference module: # Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
@@ -2939,17 +2931,16 @@ actions:
# 1='Incoming': scan only incoming (disable on-open) # 1='Incoming': scan only incoming (disable on-open)
# 2='Outcoming': scan only outgoing (disable on-close) # 2='Outcoming': scan only outgoing (disable on-close)
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 0 (Both) property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection
# Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1
code: try { Set-MpPreference -Force -RealTimeScanDirection 1 } catch { Write-Warning 'Function not found'; exit 1 } default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0
revertCode: try { Remove-MpPreference -Force -RealTimeScanDirection } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealtimeScanDirection" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealtimeScanDirection" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul
- -
name: Disable process scanning on real-time protection name: Disable process scanning on real-time protection
docs: docs:
@@ -2982,12 +2973,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 0 property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay
# Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8
code: try { Set-MpPreference -Force -RemediationScheduleDay 8 } catch { Write-Warning 'Function not found'; exit 1 } default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0
revertCode: try { Remove-MpPreference -Force -RemediationScheduleDay } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Disable remediation actions name: Disable remediation actions
docs: docs:
@@ -2998,45 +2988,18 @@ actions:
# None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10
call: # Not using ThreatIdDefaultAction as it requires known threat IDs call: # Not using ThreatIdDefaultAction as it requires known threat IDs
- -
function: RunPowerShell function: SetMpPreference
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction
parameters: parameters:
# Default: None (0) property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction
# Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value):
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`.
code: try { Set-MpPreference -Force -UnknownThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 } # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed.
revertCode: Remove-MpPreference -Force -UnknownThreatDefaultAction # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction`
- value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9
function: RunPowerShell # Default: 0 (none)
parameters: # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction`
# Default: None (0) # works on both Windows 10 and Windows 11
# Status: Get-MpPreference | Select-Object -Property LowThreatDefaultAction
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#lowthreatdefaultaction
code: try { Set-MpPreference -Force -LowThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -LowThreatDefaultAction
-
function: RunPowerShell
parameters:
# Default: None (0)
# Status: Get-MpPreference | Select-Object -Property ModerateThreatDefaultAction
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#moderatethreatdefaultaction
code: try { Set-MpPreference -Force -ModerateThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -ModerateThreatDefaultAction
-
function: RunPowerShell
parameters:
# Default: None (0)
# Status: Get-MpPreference | Select-Object -Property HighThreatDefaultAction
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#highthreatdefaultaction
code: try { Set-MpPreference -Force -HighThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -HighThreatDefaultAction
-
function: RunPowerShell
parameters:
# Default: None (0)
# Status: Get-MpPreference | Select-Object -Property SevereThreatDefaultAction
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#severethreatdefaultaction
code: try { Set-MpPreference -Force -SevereThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -SevereThreatDefaultAction
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3068,12 +3031,12 @@ actions:
# Minimum: 1 # Minimum: 1
# 0 means indefinitely # 0 means indefinitely
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 90 property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay
# Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1
code: try { Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay "1" } catch { Write-Warning 'Function not found'; exit 1 } default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90
revertCode: try { Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay } catch { Write-Warning 'Function not found'; exit 1 } # TODO: SETS TO 0 BUT IS 90 SEEMS TO BE DEFAULT? setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3161,12 +3124,12 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions
# Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True
code: try { Set-MpPreference -Force -DisableAutoExclusions $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False
revertCode: try { Remove-MpPreference -Force -DisableAutoExclusions } catch { Write-Warning 'Function not found'; exit 1 } setDefaultOnWindows11: true # `Remove-MpPreference` has no affect (does not change the value) in Windows 11
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3187,16 +3150,15 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan
# Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
code: try { Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
revertCode: try { Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: # Default: Does not exist parameters: # Default: Does not exist
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul
- -
name: Disable creating system restore point on a daily basis # Default behavior name: Disable creating system restore point on a daily basis # Default behavior
@@ -3207,13 +3169,11 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: True property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint
# Status: Get-MpPreference | Select-Object -Property DisableRestorePoint value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True
code: try { Set-MpPreference -Force -DisableRestorePoint $True } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True
revertCode: try { Remove-MpPreference -Force -DisableRestorePoint } catch { Write-Warning 'Function not found'; exit 1 }
# ❌ Remove-MpPreference -DisableRestorePoint fails on Windows 10 with NamedParameterNotFound, successful on Windows 11
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3228,12 +3188,11 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay
call: # Default is 15, minimum is 0 which means never removing items call: # Default is 15, minimum is 0 which means never removing items
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 15 property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay
# Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1
code: try { Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 } catch { Write-Warning 'Function not found'; exit 1 } default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15
revertCode: try { Remove-MpPreference -Force -ScanPurgeItemsAfterDelay } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3254,15 +3213,14 @@ actions:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan
# Managing with MpPreference module: # Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: True property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan
# Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True
code: try { Set-MpPreference -Force -DisableCatchupQuickScan $True } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True
revertCode: try { Remove-MpPreference -Force -DisableCatchupQuickScan } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3270,9 +3228,23 @@ actions:
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul
- -
name: Disable catch-up quick scans name: Disable catch-up quick scans
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan docs:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul # Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan
call:
-
function: SetMpPreference
parameters:
property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan
value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul
- -
category: Turn off scan options category: Turn off scan options
children: children:
@@ -3294,12 +3266,11 @@ actions:
call: call:
# Default: 50, minimum 1 # Default: 50, minimum 1
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 50 property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor
# Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1
code: try { Set-MpPreference -Force -ScanAvgCPULoadFactor 1 } catch { Write-Warning 'Function not found'; exit 1 } default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50
revertCode: try { Remove-MpPreference -Force -ScanAvgCPULoadFactor } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3312,18 +3283,16 @@ actions:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans
# Default: True value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False
code: try { Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True
revertCode: try { Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul
- -
name: Disable scanning when not idle # Default OS setting name: Disable scanning when not idle # Default OS setting
docs: docs:
@@ -3333,12 +3302,11 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: True property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled
# Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
code: try { Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
revertCode: try { Remove-MpPreference -Force -ScanOnlyIfIdleEnabled } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3360,12 +3328,11 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: True property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning
# Status: Get-MpPreference | Select-Object -Property DisableEmailScanning value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False
code: try { Set-MpPreference -Force -DisableEmailScanning $True } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True
revertCode: try { Remove-MpPreference -Force -DisableEmailScanning } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
@@ -3378,13 +3345,12 @@ actions:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning
call: call:
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning
# Status: Get-MpPreference | Select-Object -Property DisableScriptScanning value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True
# ❌ Windows 11: Does not fail but does not set the value | ✅ Windows 10: Works as expected # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
code: try { Set-MpPreference -Force -DisableScriptScanning $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False
revertCode: try { Remove-MpPreference -Force -DisableScriptScanning } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Disable reparse point scanning name: Disable reparse point scanning
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning
@@ -3404,13 +3370,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: True property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan
# Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False
code: try { Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True
revertCode: try { Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan } catch { Write-Warning 'Function not found'; exit 1 }
# ❌ Remove-MpPreference -DisableScanningMappedNetworkDrivesForFullScan fails on Windows 10 with NamedParameterNotFound, successful on Windows 11
- -
name: Disable scanning network files name: Disable scanning network files
docs: docs:
@@ -3425,12 +3389,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles
# Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True
code: try { Set-MpPreference -Force -DisableScanningNetworkFiles $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False
revertCode: try { Remove-MpPreference -Force -DisableScanningNetworkFiles } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Disable scanning packed executables name: Disable scanning packed executables
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning
@@ -3453,12 +3416,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning
# Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True
code: try { Set-MpPreference -Force -DisableArchiveScanning $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False
revertCode: try { Remove-MpPreference -Force -DisableArchiveScanning } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Limit depth for scanning archive files to minimum name: Limit depth for scanning archive files to minimum
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth
@@ -3484,12 +3446,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: True property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning
# Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False
code: try { Set-MpPreference -Force -DisableRemovableDriveScanning $True } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True
revertCode: try { Remove-MpPreference -Force -DisableRemovableDriveScanning } catch { Write-Warning 'Function not found'; exit 1 }
- -
category: Disable auto-scans category: Disable auto-scans
children: children:
@@ -3511,12 +3472,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 0 (Every Day) property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay
# Status: Get-MpPreference | Select-Object -Property ScanScheduleDay value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8'
code: try { Set-MpPreference -Force -ScanScheduleDay 8 } catch { Write-Warning 'Function not found'; exit 1 } default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0'
revertCode: try { Remove-MpPreference -Force -ScanScheduleDay } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Disable randomizing scheduled task times name: Disable randomizing scheduled task times
docs: docs:
@@ -3531,12 +3491,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default is True property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes
# Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False
code: try { Set-MpPreference -Force -RandomizeScheduleTaskTimes $False } catch { Write-Warning 'Function not found'; exit 1 } default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True
revertCode: try { Remove-MpPreference -Force -RandomizeScheduleTaskTimes } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Disable scheduled full-scans name: Disable scheduled full-scans
docs: docs:
@@ -3553,14 +3512,12 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 1 property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters
# Status: Get-MpPreference | Select-Object -Property ScanParameters value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1'
code: try { Set-MpPreference -Force -ScanParameters 1 } catch { Write-Warning 'Function not found'; exit 1 } default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1'
# revertCode: try { Remove-MpPreference -Force -ScanParameters } catch { Write-Warning 'Function not found'; exit 1 } setDefaultOnWindows11: true # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11
# ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 10 and 11
# Commenting out revert code as this script is setting the default behavior anyway.
- -
name: Limit how many times quick scans run per day name: Limit how many times quick scans run per day
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval
@@ -3604,15 +3561,14 @@ actions:
- -
function: RunInlineCode function: RunInlineCode
parameters: parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d 4294967295 /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 1 property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval
# Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0'
code: try { Set-MpPreference -Force -SignatureUpdateCatchupInterval 0 } catch { Write-Warning 'Function not found'; exit 1 } default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1'
revertCode: try { Remove-MpPreference -Force -SignatureUpdateCatchupInterval } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Limit spyware security intelligence (signature) updates # default is one day, recommended is 7 days name: Limit spyware security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when spyware security intelligence (signature) is considered up-to-dates # Maximize period when spyware security intelligence (signature) is considered up-to-dates
@@ -3643,12 +3599,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine
# Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True
code: try { Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False
revertCode: try { Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Disable automatically checking security intelligence (signature) updates # Already disabled by default name: Disable automatically checking security intelligence (signature) updates # Already disabled by default
docs: docs:
@@ -3666,12 +3621,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 8 property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay
# Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8'
code: try { Set-MpPreference -Force -SignatureScheduleDay "8" } catch { Write-Warning 'Function not found'; exit 1 } default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8'
revertCode: try { Remove-MpPreference -Force -SignatureScheduleDay } catch { Write-Warning 'Function not found'; exit 1 }
- -
name: Limit update checks for security intelligence (signature) updates name: Limit update checks for security intelligence (signature) updates
docs: docs:
@@ -3689,12 +3643,11 @@ actions:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 0 property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval
# Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24'
code: try { Set-MpPreference -Force -SignatureUpdateInterval "24" } catch { Write-Warning 'Function not found'; exit 1 } default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0'
revertCode: try { Remove-MpPreference -Force -SignatureUpdateInterval } catch { Write-Warning 'Function not found'; exit 1 }
- -
category: Disable alternate definition updates category: Disable alternate definition updates
children: children:
@@ -3714,60 +3667,58 @@ actions:
# Managing with MpPreference module: # Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: call:
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
# Status: Get-MpPreference | Select-Object -Property DisableGradualRelease property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease
code: try { Set-MpPreference -Force -DisableGradualRelease $True } catch { Write-Warning 'Function not found'; exit 1 } value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True
revertCode: try { Remove-MpPreference -Force -DisableGradualRelease } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease
- -
name: Limit Defender engine updates to those that complete gradual release cycle name: Limit Defender engine updates to those that complete gradual release cycle
docs: docs:
# Managing with MpPreference module: # Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: call:
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 0 (NotConfigured) # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
# Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel
# Valid values: value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad'
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # Valid values:
# ❌ Some options are not supported on Windows 11: 'Broad', 'Staged' # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
code: try { Set-MpPreference -Force -EngineUpdatesChannel 'Broad' } catch { Write-Warning 'Function not found'; exit 1 } # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
revertCode: try { Remove-MpPreference -Force -EngineUpdatesChannel } catch { Write-Warning 'Function not found'; exit 1 } default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'"
- -
name: Limit Defender platform updates to those that complete gradual release cycle name: Limit Defender platform updates to those that complete gradual release cycle
docs: docs:
# Managing with MpPreference module: # Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: call:
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: 0 (NotConfigured) # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
# Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel
# Valid values: value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad'
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # Valid values:
# ❌ Some options are not supported on Windows 11: 'Broad', 'Staged' # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
code: try { Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' } catch { Write-Warning 'Function not found'; exit 1 } # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
revertCode: try { Remove-MpPreference -Force -PlatformUpdatesChannel } catch { Write-Warning 'Function not found'; exit 1 } default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'"
- -
name: Limit Defender definition updates to those that complete gradual release cycle name: Limit Defender definition updates to those that complete gradual release cycle
docs: docs:
# Managing with MpPreference module: # Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: call:
function: RunPowerShell # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
function: SetMpPreference
parameters: parameters:
# Default: 0 (NotConfigured) property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel
# Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel # Its former name was "SignaturesUpdatesChannel"
# Valid values: 'NotConfigured', 'Beta', 'Preview' value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad'
# Parameter "DefinitionUpdatesChannel" # 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged'
# ❌ Not generally supported (Windows 10 21H1, Windows 11 21H2) # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
# Its former name was SignaturesUpdatesChannel default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'"
# Supported since Windows 11 21H2 with parameters "NotConfigured", "Beta", "Preview"
# Not supported on Windows 10 21H1
code: try { Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Remove-MpPreference -Force -DefinitionUpdatesChannel } catch { Write-Warning 'Function not found'; exit 1 }
- -
category: Disable Windows Defender reporting category: Disable Windows Defender reporting
children: children:
@@ -3858,12 +3809,11 @@ actions:
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode
call: call:
- -
function: RunPowerShell function: SetMpPreference
parameters: parameters:
# Default: False property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode
# Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True
code: try { Set-MpPreference -Force -DisablePrivacyMode $True } catch { Write-Warning 'Function not found'; exit 1 } default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False
revertCode: try { Remove-MpPreference -Force -DisablePrivacyMode } catch { Write-Warning 'Function not found'; exit 1 }
- -
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters: parameters:
@@ -6468,3 +6418,130 @@ functions:
} else { } else {
Write-Error "Registry key at `"$regKey`" does not exist" Write-Error "Registry key at `"$regKey`" does not exist"
} }
-
name: SetMpPreference
# Configures preferences for Windows Defender scans and updates.
parameters:
- name: property
- name: value
-
# When provided, it sets defaults using `Set-MpPreference`.
# Used by default in Windows 10 as `Remove-MpPreference` cmdlet is very limited/poor in Windows 10.
# Ignored by default in Windows 11 with providing a value for `setDefaultOnWindows11`
name: default
optional: true
-
# When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference`
# Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11.
name: setDefaultOnWindows11
optional: true
call:
function: RunPowerShell
parameters:
# Unsupported arguments ->
# Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`,
# `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms
# and throws e.g. with:
# `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value
# "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType".
# Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the
# following enumerator names and try again: NotConfigured, Beta, Preview"`
code: |-
$propertyName = '{{ $property }}'
$value = {{ $value }}
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {
Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 0
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"
Set-MpPreference -Force -{{ $property }} $value -ErrorAction Stop
Write-Host "Successfully set `"$propertyName`" to `"$value`"."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender is not running. Try to enable it (revert) -> reboot -> re-run this?"
exit 0
} elseif (($_ | Out-String) -like '*Cannot convert*') {
Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
} else {
Write-Error "Failed to set using $($command.Name): $_"
exit 1
}
}
# `Remove-MpPreference` is different in Windows 11 / 10
# Windows 11 and 10 have different revert behavior which is caused by different `Remove-MpPreference` cmdlet versions used
# Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps
# Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps
# On Windows 11:
# - By default, `Remove-MpPreference` sets default values for settings for all cases.
# - `setDefaultOnWindows11` parameter changes this behavior to set the default value using `Set-MpPreference`
# On Windows 10:
# - If `default` argument is is provided, it's set using `Set-MpPreference`
# - `default` argument should not be provided if `Remove-MpPreference` is suppored in Windows 10,
revertCode: |-
$propertyName = '{{ $property }}'
{{ with $default }} $defaultValue = {{ . }} {{ end }}
$setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false
$setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false
# ------ Set-MpPreference ------
if(($setDefaultOnWindows10 -and [System.Environment]::OSVersion.Version.Major -lt 11) `
-or ($setDefaultOnWindows11 -and [System.Environment]::OSVersion.Version.Major -eq 11)) {
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) {
Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender is not running. Try to enable it (revert) -> reboot -> re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
}
# ------ Remove-MpPreference ------
$command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Remove-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender is not running. Try to enable it (revert) -> reboot -> re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
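Review bot: The platform switch in revertCode, `if(($setDefaultOnWindows10 -and [System.Environment]::OSVersion.Version.Major -lt 11) -or ($setDefaultOnWindows11 -and [System.Environment]::OSVersion.Version.Major -eq 11))`, can never take the Windows 11 branch, because Windows 11 still reports version 10.0 (build 22000 and later), so `setDefaultOnWindows11` is dead and every revert follows the Windows 10 rules. Detect it by build instead, e.g. `$isWindows11 = [System.Environment]::OSVersion.Version.Build -ge 22000` and `if(($setDefaultOnWindows10 -and -not $isWindows11) -or ($setDefaultOnWindows11 -and $isWindows11)) {`. In the apply path the property is also set twice: the `Invoke-Expression` call is immediately followed by a literal `Set-MpPreference -Force -{{ $property }} $value -ErrorAction Stop`, so a value the first call accepted is re-applied and any error reported comes from the second call; the second line should be dropped. Splatting a hashtable (`$arguments = @{ $propertyName = $value }` then `& $command -Force @arguments -ErrorAction Stop`, with `$true` as the value for the Remove-MpPreference switch) would remove the need for `Invoke-Expression` in all three places. Finally, the two "Skipping. Command not found" warnings in revertCode end with `exit 1` while the same message in code ends with `exit 0`; one of the two should change so a skip is reported consistently.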