tacticalrmm/scripts/Win_Defender_Enable.ps1

136 lines
4.9 KiB
PowerShell

# Verifies that script is running on Windows 10 or greater
function Check-IsWindows10
{
if ([System.Environment]::OSVersion.Version.Major -ge "10")
{
Write-Output $true
}
else
{
Write-Output $false
}
}
# Verifies that script is running on Windows 10 1709 or greater
function Check-IsWindows10-1709
{
if ([System.Environment]::OSVersion.Version.Minor -ge "16299")
{
Write-Output $true
}
else
{
Write-Output $false
}
}
function SetRegistryKey([string]$key, [int]$value)
{
#Editing Windows Defender settings AV via registry is NOT supported. This is a scripting workaround instead of using Group Policy or SCCM for Windows 10 version 1703
$amRegistryPath = "HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine"
$wdRegistryPath = "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine"
$regPathToUse = $wdRegistryPath #Default to WD path
if (Test-Path $amRegistryPath)
{
$regPathToUse = $amRegistryPath
}
New-ItemProperty -Path $regPathToUse -Name $key -Value $value -PropertyType DWORD -Force | Out-Null
}
#### Setup Windows Defender Secure Settings
# Start Windows Defender Service
Set-Service -Name "WinDefend" -Status running -StartupType automatic
Set-Service -Name "WdNisSvc" -Status running -StartupType automatic
# Enable real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring 0
# Enable cloud-deliveredprotection#
Set-MpPreference -MAPSReporting Advanced
# Enable sample submission#
Set-MpPreference -SubmitSamplesConsent 1
# Enable checking signatures before scanning#
Set-MpPreference -CheckForSignaturesBeforeRunningScan 1
# Enable behavior monitoring#
Set-MpPreference -DisableBehaviorMonitoring 0
# Enable IOAV protection#
Set-MpPreference -DisableIOAVProtection 0
# Enable script scanning#
Set-MpPreference -DisableScriptScanning 0
# Enable removable drive scanning#
Set-MpPreference -DisableRemovableDriveScanning 0
# Enable Block at first sight#
Set-MpPreference -DisableBlockAtFirstSeen 0
# Enable potentially unwanted apps#
Set-MpPreference -PUAProtection Enabled
# Schedule signature updates every 8 hours#
Set-MpPreference -SignatureUpdateInterval 8
# Enable archive scanning#
Set-MpPreference -DisableArchiveScanning 0
# Enable email scanning#
Set-MpPreference -DisableEmailScanning 0
if (!(Check-IsWindows10-1709))
{
# Set cloud block level to 'High'#
Set-MpPreference -CloudBlockLevel High
# Set cloud block timeout to 1 minute#
Set-MpPreference -CloudExtendedTimeout 50
Write-Host # `nUpdating Windows Defender Exploit Guard settings`n# -ForegroundColor Green
Write-Host # Enabling Controlled Folder Access and setting to block mode#
Set-MpPreference -EnableControlledFolderAccess Enabled
Write-Host # Enabling Network Protection and setting to block mode#
Set-MpPreference -EnableNetworkProtection Enabled
Write-Host # Enabling Exploit Guard ASR rules and setting to block mode#
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
if ($false -eq (Test-Path ProcessMitigation.xml))
{
Write-Host # Downloading Process Mitigation file from https://demo.wd.microsoft.com/Content/ProcessMitigation.xml#
$url = 'https://demo.wd.microsoft.com/Content/ProcessMitigation.xml'
Invoke-WebRequest $url -OutFile ProcessMitigation.xml
}
Write-Host # Enabling Exploit Protection#
Set-ProcessMitigation -PolicyFilePath ProcessMitigation.xml
}
else
{
# # Workaround for Windows 10 version 1703
# Set cloud block level to 'High'#
SetRegistryKey -key MpCloudBlockLevel -value 2
# Set cloud block timeout to 1 minute#
SetRegistryKey -key MpBafsExtendedTimeout -value 50
}
Write-Host # `nSettings update complete# -ForegroundColor Green
Write-Host # `nOutput Windows Defender AV settings status# -ForegroundColor Green
Get-MpPreference