WindowsDefender_InternalEvaluationSettings.ps1


<#PSScriptInfo
 
.VERSION 1.44
 
.GUID da359534-9457-4525-ab44-fd9fa1cd2773
 
.AUTHOR yongrhee
 
.COMPANYNAME
 
.COPYRIGHT
 
.TAGS
 
.LICENSEURI
 
.PROJECTURI
 
.ICONURI
 
.EXTERNALMODULEDEPENDENCIES
 
.REQUIREDSCRIPTS
 
.EXTERNALSCRIPTDEPENDENCIES
 
.RELEASENOTES
 
 
.PRIVATEDATA
 
#>


<#
 
.DESCRIPTION
This script enables many protection capabilities of Microsoft Defender Antivirus. These settings are not best practices or recommended settings for every organization, and should be used only when evaluating Microsoft Defender AV against other 3rd-party antimalware engines, not in production environments.
 
#>
 
# The script takes no parameters; every setting below is applied unconditionally.
Param()

<#
.SYNOPSIS
    This script sets Microsoft Defender AV to enable most features for the evaluation of protection capabilities in Windows 10 or Windows 11 using the Microsoft Defender AV cmdlets, described at https://technet.microsoft.com/en-us/library/dn433280.aspx
.NOTES
    File Name : WindowsDefender_InternalEvaluationSettings.ps1
    Author : Microsoft
  
    Email : MDAVcustomer@microsoft.com
    Requires : PowerShell V1 or newer
.EXAMPLE
    PSH [C:\foo]: .\WindowsDefender_InternalEvaluationSettings.ps1
#>


##
# Start of Script
##


# =================================================================================================
# Functions
# =================================================================================================

# Verifies that the script is running as admin
# Returns $true when the current process token holds the built-in Administrator role,
# otherwise $false. The main block refuses to continue when this is not the case.
function Check-IsElevated
{
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole already yields a [bool]; emit it directly instead of branching on it.
    Write-Output ($principal.IsInRole($adminRole))
}

# Verifies that script is running on Windows 10 or Windows 11 or greater
# Returns $true when the OS major version is 10 or higher, otherwise $false.
# Windows 10 and Windows 11 both report major version 10, so both pass; older releases do not.
function Check-IsWindows10
{
    $major = [System.Environment]::OSVersion.Version.Major
    Write-Output ($major -ge 10)
}

# Verifies that script is running on Windows 10 1709 or greater
# Intended to verify that the script is running on Windows 10 1709 (build 16299) or greater.
# NOTE(review): this compares Version.Minor, which is 0 on every Windows 10/11 release, so the
# function yields $false there; the build number lives in Version.Build. Check how the result is
# consumed by its caller before correcting this in isolation, as the caller negates it.
function Check-IsWindows10-1709
{
    $minor = [System.Environment]::OSVersion.Version.Minor
    Write-Output ($minor -ge 16299)
}

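# Writes a DWORD value under the Defender MpEngine policy key.
# Editing Microsoft Defender AV settings via the registry is NOT supported; this is the scripting
# workaround the script uses on Windows 10 version 1703 instead of Group Policy or SCCM.
#   $key   - value name to write (for example MpCloudBlockLevel)
#   $value - DWORD value to store
# The "Microsoft Antimalware" policy path is used when it already exists, otherwise the
# "Windows Defender" policy path. The target key is created if it is missing, because
# New-ItemProperty fails when the key does not exist.
function SetRegistryKey([string]$key, [int]$value)
{
    $amRegistryPath = "HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine"
    $wdRegistryPath = "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine"

    $regPathToUse = $wdRegistryPath # default to the Windows Defender policy path
    if (Test-Path -LiteralPath $amRegistryPath)
    {
        $regPathToUse = $amRegistryPath
    }

    # Policy keys are absent on a machine that has never received the policy; create the
    # whole path first so New-ItemProperty has somewhere to write.
    if (-not (Test-Path -LiteralPath $regPathToUse))
    {
        New-Item -Path $regPathToUse -Force | Out-Null
    }

    New-ItemProperty -Path $regPathToUse -Name $key -Value $value -PropertyType DWORD -Force | Out-Null
}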

# =================================================================================================
# Main
# =================================================================================================
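# Script flow: preflight checks (elevation, OS major version), a series of Set-MpPreference calls
# grouped by area, then a branch on the Windows 10 build number that either uses the Exploit
# Guard cmdlets (1709 and later) or falls back to the registry workaround in SetRegistryKey,
# and finally a dump of the resulting preferences.
#
# NOTE(review): the .NOTES header states "PowerShell V1 or newer", but Invoke-WebRequest (used
# below) only exists in PowerShell 3.0 and later.

# Publication date of this copy of the script; compared with today's date at the end of the run
# to warn that a newer copy may exist.
$scriptDate  = Get-Date -Day 24 -Month 1 -Year 2024
$currentDate = Get-Date

if (!(Check-IsElevated))
{
    throw "Please run this script from an elevated PowerShell prompt"
}

if (!(Check-IsWindows10))
{
    throw "Please run this script on Windows 10 or Windows 11"
}

Write-Host "This script helps configure Microsoft Defender Antivirus and Microsoft Defender Exploit Guard in order to evaluate its protection capabilities. `nFor more information see the Microsoft Defender protection evaluation guide (https://aka.ms/EvaluateMDAV)`nSome of these settings are set using unsupported methods, you should consult Microsoft Defender AV documentation for proper configuration methods at https://aka.ms/MDAVDocs" -ForegroundColor Red
Write-Host "Please note: If you are already configuring the client with tamper protection enabled, this script will have no effect" -ForegroundColor Red
Write-Host "Updating Microsoft Defender AV settings" -ForegroundColor Green

# =================================================================================================
# General Settings
# =================================================================================================
Write-Host "General Settings" -ForegroundColor Black -BackgroundColor Blue

Write-Host "Enable real-time monitoring"
Set-MpPreference -DisableRealtimeMonitoring $False

Write-Host "Enable cloud-delivered protection"
Set-MpPreference -MAPSReporting Advanced

Write-Host "Enable Block at first sight"
Set-MpPreference -DisableBlockAtFirstSeen $False

# Also set again in the 1709+ branch below; the value is the same there.
Write-Host "Enable Cloud-delivered protection extended timeout"
Set-MpPreference -CloudExtendedTimeout 50

# Samples are submitted automatically, without a prompt — acceptable for an evaluation machine,
# which is the only intended use of this script.
Write-Host "Enable sample submission"
Set-MpPreference -SubmitSamplesConsent Always

Write-Host "Enable checking signatures before scanning"
Set-MpPreference -CheckForSignaturesBeforeRunningScan $True

Write-Host "Enable behavior monitoring"
Set-MpPreference -DisableBehaviorMonitoring $False

Write-Host "Enable script scanning"
Set-MpPreference -DisableScriptScanning $False

Write-Host "Enable potentially unwanted apps"
Set-MpPreference -PUAProtection Enabled

Write-Host "Schedule signature updates every 8 hours"
Set-MpPreference -SignatureUpdateInterval 8

Write-Host "Enable email scanning"
Set-MpPreference -DisableEmailScanning $False

Write-Host "Enable cache maintenance task"
Set-MpPreference -DisableCacheMaintenance $False

Write-Host "Enable catchup scan"
# After the computer misses two scheduled full scans, Microsoft Defender runs a catch-up scan the next time someone logs on to the computer.
Set-MpPreference -DisableCatchupFullScan $False

Write-Host "Enable catchup quick scan"
# After the computer misses two scheduled quick scans, Microsoft Defender runs a catch-up scan the next time someone logs onto the computer.
Set-MpPreference -DisableCatchupQuickScan $False

# =================================================================================================
# Server specific settings
# =================================================================================================
Write-Host "Server Specific Settings" -ForegroundColor Black -BackgroundColor Blue

Write-Host "Enable Network Protection on Windows Server"
Set-MpPreference -AllowNetworkProtectionOnWinServer $True

Write-Host "Enable Network Protection on downlevel Windows Server"
Set-MpPreference -AllowNetworkProtectionDownLevel $True

Write-Host "Enable Datagram processing on Windows Server"
Set-MpPreference -AllowDatagramProcessingOnWinServer $True

# NOTE(review): the message says "Enable" but -DisableAutoExclusions $True turns the automatic
# server-role exclusions OFF (so more files are scanned). Confirm which is intended and align the
# message with the setting.
Write-Host "Enable automatic exclusions on server"
Set-MpPreference -DisableAutoExclusions $True

# =================================================================================================
# Network Protections
# =================================================================================================
Write-Host "Network Protection Settings" -ForegroundColor Black -BackgroundColor Blue

Write-Host "Enable Network Protection"
Set-MpPreference -EnableNetworkProtection Enabled

Write-Host "Enable Datagram Processing"
Set-MpPreference -DisableDatagramProcessing $False

Write-Host "Enable DNS over TCP Parsing"
Set-MpPreference -DisableDnsOverTcpParsing $False

Write-Host "Enable DNS Parsing"
Set-MpPreference -DisableDnsParsing $False

Write-Host "Enable FTP Parsing"
Set-MpPreference -DisableFtpParsing $False

Write-Host "Enable HTTP Parsing"
Set-MpPreference -DisableHttpParsing $False

Write-Host "Enable Inbound Connection Filtering"
Set-MpPreference -DisableInboundConnectionFiltering $False

Write-Host "Enable IOAV Protection"
Set-MpPreference -DisableIOAVProtection $False

Write-Host "Enable Network Protection Perf Telemetry"
Set-MpPreference -DisableNetworkProtectionPerfTelemetry $False

Write-Host "Enable Quic Parsing"
Set-MpPreference -DisableQuicParsing $False

Write-Host "Enable RDP Parsing"
Set-MpPreference -DisableRdpParsing $False

Write-Host "Enable SMTP Parsing"
Set-MpPreference -DisableSmtpParsing $False

Write-Host "Enable SSH Parsing"
Set-MpPreference -DisableSshParsing $False

Write-Host "Enable TLS Parsing"
Set-MpPreference -DisableTlsParsing $False

Write-Host "Enable DNS Sinkhole"
Set-MpPreference -EnableDnsSinkhole $True

Write-Host "Disable Switch to Async Inspection"
# Specifies whether to enable a performance optimization that allows synchronously inspected network flows to switch to async inspection once they have been checked and validated.
# For VDI workloads, you might need to set it to True.
Set-MpPreference -AllowSwitchToAsyncInspection $False

Write-Host "Enable Convert Warn to Block"
# This setting controls whether network protection blocks network traffic instead of displaying a warning.
Set-MpPreference -EnableConvertWarnToBlock $True

Write-Host "Disable network scanning to IOAV"
Set-MpPreference -ApplyDisableNetworkScanningToIOAV $False

# =================================================================================================
# Drive / file scanning options
# =================================================================================================
Write-Host "Drive / file scanning options" -ForegroundColor Black -BackgroundColor Blue

Write-Host "Enable Removable Drive Scanning"
Set-MpPreference -DisableRemovableDriveScanning $False

Write-Host "Enable Restore Point Scanning"
Set-MpPreference -DisableRestorePoint $False

# NOTE(review): the message says "Enable" but -DisableScanningMappedNetworkDrivesForFullScan $True
# excludes mapped network drives from full scans. Confirm which is intended and align the message
# with the setting.
Write-Host "Enable Scanning Mapped Network Drives for Full Scan"
Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $True

Write-Host "Enable Scanning Network Files"
Set-MpPreference -DisableScanningNetworkFiles $False

Write-Host "Enable Controlled Folder Access"
Set-MpPreference -EnableControlledFolderAccess Enabled

Write-Host "Enable File Hash Computation"
Set-MpPreference -EnableFileHashComputation $True

Write-Host "Enable archive scanning"
Set-MpPreference -DisableArchiveScanning $False

# =================================================================================================
# Power Consumption
# =================================================================================================
Write-Host "Power consumption settings" -ForegroundColor Black -BackgroundColor Blue
Write-Host "Enable Full Scan on Battery Power"
Set-MpPreference -EnableFullScanOnBatteryPower $True

Write-Host "Enable Low CPU Priority"
Set-MpPreference -EnableLowCpuPriority $True

Write-Host "Disable CPU throttle on idle scans"
Set-MpPreference -DisableCpuThrottleOnIdleScans $True

# Windows 10 1709 is build 16299. The build number is in Version.Build (Version.Minor is 0 on
# every Windows 10/11 release), so the check is done inline here rather than through
# Check-IsWindows10-1709, which compares Version.Minor; the original code only took the right
# branch because that helper's result was negated.
$osBuild = [System.Environment]::OSVersion.Version.Build
if ($osBuild -ge 16299)
{
    Write-Host "Set cloud block level to 'HighPlus' alternatively can be set to ZeroTolerance"
    Set-MpPreference -CloudBlockLevel HighPlus

    Write-Host "Set cloud block timeout to 1 minute by adding an additional 50 seconds to the base 10 seconds"
    Set-MpPreference -CloudExtendedTimeout 50

    Write-Host "`nUpdating Microsoft Defender Exploit Guard settings`n" -ForegroundColor Green

    Write-Host "Enabling Controlled Folder Access and setting to block mode"
    Set-MpPreference -EnableControlledFolderAccess Enabled

    Write-Host "Enabling Attack Surface Reduction rules and setting to block mode. Some of these may block behavior that is acceptable in your organization, in this case please disable those specific rules. Learn more: https://learn.microsoft.com/en/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide"
    # Block Office applications from injecting code into other processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
    # Block Office applications from creating executable content
    Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
    # Block all Office applications from creating child processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    # Block JavaScript or VBScript from launching downloaded executable content
    Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    # Block execution of potentially obfuscated scripts
    Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    # Block executable content from email client and webmail
    Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
    # Block Win32 API calls from Office macros
    Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
    # Block process creations originating from PSExec and WMI commands
    Add-MpPreference -AttackSurfaceReductionRules_Ids D1E49AAC-8F56-4280-B9BA-993A6D77406C -AttackSurfaceReductionRules_Actions Enabled
    # Block untrusted and unsigned processes that run from USB
    Add-MpPreference -AttackSurfaceReductionRules_Ids B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -AttackSurfaceReductionRules_Actions Enabled
    # Use advanced protection against ransomware
    Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
    # Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-CD74-433A-B99E-2ECDC07BFC25 -AttackSurfaceReductionRules_Actions Enabled
    # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
    # Block Office communication application from creating child processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids 26190899-1602-49e8-8b27-eb1d0a1ce869 -AttackSurfaceReductionRules_Actions Enabled
    # Block Adobe Reader from creating child processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -AttackSurfaceReductionRules_Actions Enabled
    # Block persistence through WMI event subscription
    Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
    # Block Webshell creation for Servers
    Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Enabled
    # Block abuse of exploited vulnerable signed drivers
    Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled

    # Exploit Protection is applied from an XML policy fetched from Microsoft's demo site when no
    # copy is present. Resolve the path once so that Test-Path, Invoke-WebRequest and
    # Set-ProcessMitigation all refer to the same file regardless of how each cmdlet resolves a
    # relative name. The download is over HTTPS but the file content is not otherwise verified;
    # review it before applying on a machine that matters.
    $mitigationFile = Join-Path -Path (Get-Location).Path -ChildPath 'ProcessMitigation.xml'
    if (-not (Test-Path -LiteralPath $mitigationFile))
    {
        Write-Host "Downloading Process Mitigation file from https://demo.wd.microsoft.com/Content/ProcessMitigation.xml"
        $url = 'https://demo.wd.microsoft.com/Content/ProcessMitigation.xml'
        # -ErrorAction Stop: a failed download must abort here rather than be followed by
        # Set-ProcessMitigation on a missing or partial policy file.
        Invoke-WebRequest -Uri $url -OutFile $mitigationFile -UseBasicParsing -ErrorAction Stop
    }

    Write-Host "Enabling Exploit Protection"
    Set-ProcessMitigation -PolicyFilePath $mitigationFile
}
else
{
    ## Workaround for Windows 10 builds before 1709 (version 1703): the cloud block settings
    ## are written to the policy registry key instead of via Set-MpPreference.
    Write-Host "Set cloud block level to 'HighPlus'"
    SetRegistryKey -key MpCloudBlockLevel -value 4

    Write-Host "Set cloud block timeout to 1 minute"
    SetRegistryKey -key MpBafsExtendedTimeout -value 50
}
Write-Host "`nSettings update complete"  -ForegroundColor Green

Write-Host "`nOutput Microsoft Defender AV settings status"  -ForegroundColor Green
Get-MpPreference

if ($scriptDate.AddDays(180) -lt $currentDate)
{
    Write-Host "`nThis script is older than 180 days and there may be an updated version located here: https://aka.ms/MDAVEvalScript`n" -ForegroundColor yellow
}

exit 0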