<# .SYNOPSIS Enables Windows Defender and sets preferences to lock Defender down on workstations Win10+ .DESCRIPTION Windows Defender in its default configuration does basic protections. Running this script will enable many additional settings to increase security. .PARAMETER NoControlledFolders Adding this parameter will not enable Controlled Folders .EXAMPLE -NoControlledFolders .NOTES 9/2021 v1 Initial release dinger1986 11/24/2021 v1.1 adding command parameters for Controller Folder access by Tremor and silversword 30/03/2022 v1.2 adding command parameter for audit mode for ASR and added extra ASR rules suggested by SDM216 Not for use on servers #> param ( [switch] $NoControlledFolders, [switch] $AuditOnly ) # Verifies that script is running on Windows 10 or greater function Check-IsWindows10 { if ([System.Environment]::OSVersion.Version.Major -ge "10") { Write-Output $true } else { Write-Output $false } } # Verifies that script is running on Windows 10 1709 or greater function Check-IsWindows10-1709 { if ([System.Environment]::OSVersion.Version.Minor -ge "16299") { Write-Output $true } else { Write-Output $false } } function SetRegistryKey([string]$key, [int]$value) { #Editing Windows Defender settings AV via registry is NOT supported. This is a scripting workaround instead of using Group Policy or SCCM for Windows 10 version 1703 $amRegistryPath = "HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine" $wdRegistryPath = "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine" $regPathToUse = $wdRegistryPath #Default to WD path if (Test-Path $amRegistryPath) { $regPathToUse = $amRegistryPath } New-ItemProperty -Path $regPathToUse -Name $key -Value $value -PropertyType DWORD -Force | Out-Null } #### Setup Windows Defender Secure Settings # Start Windows Defender Service Set-Service -Name "WinDefend" -Status running -StartupType automatic Set-Service -Name "WdNisSvc" -Status running -StartupType automatic # Enable real-time monitoring Set-MpPreference -DisableRealtimeMonitoring 0 # Enable cloud-deliveredprotection# Set-MpPreference -MAPSReporting Advanced # Enable sample submission# Set-MpPreference -SubmitSamplesConsent 1 # Enable checking signatures before scanning# Set-MpPreference -CheckForSignaturesBeforeRunningScan 1 # Enable behavior monitoring# Set-MpPreference -DisableBehaviorMonitoring 0 # Enable IOAV protection# Set-MpPreference -DisableIOAVProtection 0 # Enable script scanning# Set-MpPreference -DisableScriptScanning 0 # Enable removable drive scanning# Set-MpPreference -DisableRemovableDriveScanning 0 # Enable Block at first sight# Set-MpPreference -DisableBlockAtFirstSeen 0 # Enable potentially unwanted apps# Set-MpPreference -PUAProtection Enabled # Schedule signature updates every 8 hours# Set-MpPreference -SignatureUpdateInterval 8 # Enable archive scanning# Set-MpPreference -DisableArchiveScanning 0 # Enable email scanning# Set-MpPreference -DisableEmailScanning 0 if (!(Check-IsWindows10-1709)) { # Set cloud block level to 'High'# Set-MpPreference -CloudBlockLevel High # Set cloud block timeout to 1 minute# Set-MpPreference -CloudExtendedTimeout 50 Write-Host # `nUpdating Windows Defender Exploit Guard settings`n# -ForegroundColor Green if ($NoControlledFolders) { # Check if user has run with -NoControlledFolders parameter Write-Host "Skipping enabling Controlled folders" } else { Write-Host "Enabling Controlled folders" Set-MpPreference -EnableControlledFolderAccess Enabled } Write-Host # Enabling Network Protection and setting to block mode# Set-MpPreference -EnableNetworkProtection Enabled if ($AuditOnly) { # Check if user has run with -AuditOnly parameter for ASR Rules Write-Host "Enabling Exploit Guard ASR rules and setting to Audit mode" #Block abuse of exploited vulnerable signed drivers Set-MpPreference -AttackSurfaceReductionRules_Ids "56a863a9-875e-4185-98a7-b882c64b5ce5" -AttackSurfaceReductionRules_Actions AuditMode #Block executable content from email client and webmail Add-MpPreference -AttackSurfaceReductionRules_Ids "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" -AttackSurfaceReductionRules_Actions AuditMode #Block all Office applications from creating child processes Add-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions AuditMode #Block Office applications from creating executable content Add-MpPreference -AttackSurfaceReductionRules_Ids "3B576869-A4EC-4529-8536-B80A7769E899" -AttackSurfaceReductionRules_Actions AuditMode #Block Office applications from injecting code into other processes Add-MpPreference -AttackSurfaceReductionRules_Ids "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" -AttackSurfaceReductionRules_Actions AuditMode #Block JavaScript or VBScript from launching downloaded executable content Add-MpPreference -AttackSurfaceReductionRules_Ids "D3E037E1-3EB8-44C8-A917-57927947596D" -AttackSurfaceReductionRules_Actions AuditMode #Block execution of potentially obfuscated scripts Add-MpPreference -AttackSurfaceReductionRules_Ids "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" -AttackSurfaceReductionRules_Actions AuditMode #Block Win32 API calls from Office macros Add-MpPreference -AttackSurfaceReductionRules_Ids "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" -AttackSurfaceReductionRules_Actions AuditMode #Block executable files from running unless they meet a prevalence, age, or trusted list criterion Add-MpPreference -AttackSurfaceReductionRules_Ids "01443614-cd74-433a-b99e-2ecdc07bfc25" -AttackSurfaceReductionRules_Actions AuditMode #Use advanced protection against ransomware Add-MpPreference -AttackSurfaceReductionRules_Ids "c1db55ab-c21a-4637-bb3f-a12568109d35" -AttackSurfaceReductionRules_Actions AuditMode #Block credential stealing from the Windows local security authority subsystem (lsass.exe) Add-MpPreference -AttackSurfaceReductionRules_Ids "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" -AttackSurfaceReductionRules_Actions AuditMode #Block process creations originating from PSExec and WMI commands Add-MpPreference -AttackSurfaceReductionRules_Ids "d1e49aac-8f56-4280-b9ba-993a6d77406c" -AttackSurfaceReductionRules_Actions AuditMode #Block untrusted and unsigned processes that run from USB Add-MpPreference -AttackSurfaceReductionRules_Ids "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" -AttackSurfaceReductionRules_Actions AuditMode #Block Office communication application from creating child processes Add-MpPreference -AttackSurfaceReductionRules_Ids "26190899-1602-49e8-8b27-eb1d0a1ce869" -AttackSurfaceReductionRules_Actions AuditMode #Block Adobe Reader from creating child processes Add-MpPreference -AttackSurfaceReductionRules_Ids "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" -AttackSurfaceReductionRules_Actions AuditMode #Block persistence through WMI event subscription Add-MpPreference -AttackSurfaceReductionRules_Ids "e6db77e5-3df2-4cf1-b95a-636979351e5b" -AttackSurfaceReductionRules_Actions AuditMode } else { Write-Host "Enabling Exploit Guard ASR rules and setting to suggested modes" #Block abuse of exploited vulnerable signed drivers Set-MpPreference -AttackSurfaceReductionRules_Ids "56a863a9-875e-4185-98a7-b882c64b5ce5" -AttackSurfaceReductionRules_Actions Enabled #Block executable content from email client and webmail Add-MpPreference -AttackSurfaceReductionRules_Ids "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" -AttackSurfaceReductionRules_Actions Enabled #Block all Office applications from creating child processes Add-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions Enabled #Block Office applications from creating executable content Add-MpPreference -AttackSurfaceReductionRules_Ids "3B576869-A4EC-4529-8536-B80A7769E899" -AttackSurfaceReductionRules_Actions Enabled #Block Office applications from injecting code into other processes Add-MpPreference -AttackSurfaceReductionRules_Ids "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" -AttackSurfaceReductionRules_Actions Enabled #Block JavaScript or VBScript from launching downloaded executable content Add-MpPreference -AttackSurfaceReductionRules_Ids "D3E037E1-3EB8-44C8-A917-57927947596D" -AttackSurfaceReductionRules_Actions Enabled #Block execution of potentially obfuscated scripts Add-MpPreference -AttackSurfaceReductionRules_Ids "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" -AttackSurfaceReductionRules_Actions Enabled #Block Win32 API calls from Office macros Add-MpPreference -AttackSurfaceReductionRules_Ids "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" -AttackSurfaceReductionRules_Actions Enabled #Block executable files from running unless they meet a prevalence, age, or trusted list criterion Add-MpPreference -AttackSurfaceReductionRules_Ids "01443614-cd74-433a-b99e-2ecdc07bfc25" -AttackSurfaceReductionRules_Actions Enabled #Use advanced protection against ransomware Add-MpPreference -AttackSurfaceReductionRules_Ids "c1db55ab-c21a-4637-bb3f-a12568109d35" -AttackSurfaceReductionRules_Actions Enabled #Block credential stealing from the Windows local security authority subsystem (lsass.exe) Add-MpPreference -AttackSurfaceReductionRules_Ids "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" -AttackSurfaceReductionRules_Actions AuditMode #Block process creations originating from PSExec and WMI commands Add-MpPreference -AttackSurfaceReductionRules_Ids "d1e49aac-8f56-4280-b9ba-993a6d77406c" -AttackSurfaceReductionRules_Actions Enabled #Block untrusted and unsigned processes that run from USB Add-MpPreference -AttackSurfaceReductionRules_Ids "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4" -AttackSurfaceReductionRules_Actions Enabled #Block Office communication application from creating child processes Add-MpPreference -AttackSurfaceReductionRules_Ids "26190899-1602-49e8-8b27-eb1d0a1ce869" -AttackSurfaceReductionRules_Actions AuditMode #Block Adobe Reader from creating child processes Add-MpPreference -AttackSurfaceReductionRules_Ids "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" -AttackSurfaceReductionRules_Actions AuditMode #Block persistence through WMI event subscription Add-MpPreference -AttackSurfaceReductionRules_Ids "e6db77e5-3df2-4cf1-b95a-636979351e5b" -AttackSurfaceReductionRules_Actions Enabled } if ($false -eq (Test-Path ProcessMitigation.xml)) { Write-Host # Downloading Process Mitigation file from https://demo.wd.microsoft.com/Content/ProcessMitigation.xml# $url = 'https://demo.wd.microsoft.com/Content/ProcessMitigation.xml' Invoke-WebRequest $url -OutFile ProcessMitigation.xml } Write-Host # Enabling Exploit Protection# Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml } else { # # Workaround for Windows 10 version 1703 # Set cloud block level to 'High'# SetRegistryKey -key MpCloudBlockLevel -value 2 # Set cloud block timeout to 1 minute# SetRegistryKey -key MpBafsExtendedTimeout -value 50 } Write-Host # `nSettings update complete# -ForegroundColor Green Write-Host # `nOutput Windows Defender AV settings status# -ForegroundColor Green Get-MpPreference