Supercharge Windows Defender with some basic Registry & Policy changes. Inspired by https://0ut3r.space/2022/03/06/windows-defender/
# Supercharge Windows Defender | |
# | |
# Inspired by https://0ut3r.space/2022/03/06/windows-defender/ | |
# Optional GUI changes (not performed by this script; do these by hand in the Windows Security app)
# Windows Security > Core isolation > Memory Integrity (HVCI)
# If an old, incompatible driver prevents Memory Integrity from being enabled, the driver can be
# removed with the following PowerShell command as Administrator. This deletes the driver service
# from the system, so first confirm nothing still depends on it and that an updated driver is
# available:
# Get-CimInstance Win32_SystemDriver -Filter "name='<DriverName>'" | Invoke-CimMethod -MethodName Delete
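#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Hardens Microsoft Defender through policy registry keys and Set-MpPreference.
.DESCRIPTION
    Writes Defender cloud-protection / MAPS policy values under
    HKLM:\Software\Policies\Microsoft\Windows Defender, turns on real-time
    monitoring, PUA protection and Controlled Folder Access, and tightens the
    signature-update schedule. Optionally stages the Group Policy Editor
    packages with DISM.
    Every step writes to HKLM or runs DISM, so the script must run elevated;
    the #Requires line above makes PowerShell refuse to start it otherwise
    instead of failing part-way through with access-denied errors.
.PARAMETER InstallGPE
    Stage the Group Policy Editor (gpedit.msc) packages from the local
    component store via DISM. A reboot is required to finish the install.
#>
param (
    [Parameter(HelpMessage = "Installs Group Policy Editor GUI")]
    [switch]$InstallGPE = $False
)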
# Registry policy keys written by this script. They sit under the Policies
# hive, so Defender treats them as administrator-enforced settings (typically
# shown as "managed by your organization" in the Security app) rather than
# user preferences. Later code addresses them by index (0 = MpEngine,
# 1 = Spynet), so keep this order.
$DefenderLocations = @(
    'HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine',
    'HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet'
)
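# If -InstallGPE was given, stage the Group Policy Editor GUI (gpedit.msc)
# from the local component store with DISM. Presumably intended for editions
# that ship without the editor (e.g. Home) - the packages are looked up on
# the local disk, nothing is downloaded. DISM runs with /NoRestart, so the
# install only completes after a reboot (the end of the script says so).
if ($InstallGPE) {
    $packageDir = Join-Path $Env:SystemRoot 'servicing\Packages'

    # Package name patterns, in the order the original applied them
    # (ClientExtensions first, then ClientTools). The second pattern was
    # misspelled "Pakcage" before, so the ClientTools package never matched
    # and was silently never installed.
    $patterns = @(
        'Microsoft-Windows-GroupPolicy-ClientExtensions-Package~3*.mum',
        'Microsoft-Windows-GroupPolicy-ClientTools-Package~3*.mum'
    )

    # Always accumulate into an array. Get-ChildItem -Name returns a bare
    # string when there is exactly one match, and "+=" on a string would
    # concatenate the two file names into one bogus path for DISM.
    $files = @()
    foreach ($pattern in $patterns) {
        $files += @(Get-ChildItem -Path $packageDir -Filter $pattern -Name)
    }
    if ($files.Count -eq 0) {
        Write-Warning "No Group Policy Editor packages found under $packageDir; skipping GPE install"
    }

    foreach ($file in $files) {
        DISM /Online /NoRestart /Add-Package:"$(Join-Path $packageDir $file)"
        # DISM is an external program, so a failure does not throw; check the
        # exit code. 3010 is ERROR_SUCCESS_REBOOT_REQUIRED, i.e. success that
        # needs the reboot we already ask for.
        if ($LASTEXITCODE -notin 0, 3010) {
            Write-Warning "DISM failed (exit code $LASTEXITCODE) while adding $file"
        }
    }
}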
# Make sure both policy keys exist before values are written into them.
$DefenderLocations | Where-Object { -not (Test-Path $_) } | ForEach-Object {
    New-Item -Path $_ -Force
}

# Policy values, written in the original order. Key is an index into
# $DefenderLocations (0 = MpEngine, 1 = Spynet); every value is a DWORD.
$policyValues = @(
    # Extra time (presumably seconds) the cloud check may hold a file before
    # a verdict; matches the -CloudExtendedTimeout 50 preference set below.
    @{ Key = 0; Name = 'MpBafsExtendedTimeout';               Value = 50 },
    # 2 = High cloud block level, the policy twin of -CloudBlockLevel High.
    @{ Key = 0; Name = 'MpCloudBlockLevel';                   Value = 2 },
    # 0 = keep Block At First Sight enabled (the value is a "Disable" flag).
    @{ Key = 1; Name = 'DisableBlockAtFirstSeen';             Value = 0 },
    # 1 = local Set-MpPreference MAPS settings may override this policy;
    # NOTE(review): that weakens the policy's enforcement, confirm intended.
    @{ Key = 1; Name = 'LocalSettingOverrideSpynetReporting'; Value = 1 },
    # 2 = Advanced MAPS membership, the policy twin of -MAPSReporting Advanced.
    @{ Key = 1; Name = 'SpynetReporting';                     Value = 2 },
    # 1 = send safe samples, the policy twin of -SubmitSamplesConsent SendSafeSamples.
    @{ Key = 1; Name = 'SubmitSamplesConsent';                Value = 1 }
)

foreach ($entry in $policyValues) {
    $propertyArgs = @{
        Path         = $DefenderLocations[$entry.Key]
        Name         = $entry.Name
        Value        = $entry.Value
        PropertyType = 'DWORD'
        Force        = $true
    }
    New-ItemProperty @propertyArgs
}
# Local Defender preferences, applied one Set-MpPreference call per setting so
# that one rejected setting does not stop the rest from being applied.
# NOTE(review): Tamper Protection can block some of these from a script; not
# checked here - confirm on the target machine.
$mpPreferences = [ordered]@{
    # Real-time protection on.
    DisableRealtimeMonitoring           = $False
    # MAPS cloud protection: Advanced membership, safe-sample submission,
    # High block level and up to 50 extra seconds for the cloud verdict.
    MAPSReporting                       = 'Advanced'
    SubmitSamplesConsent                = 'SendSafeSamples'
    CloudBlockLevel                     = 'High'
    CloudExtendedTimeout                = 50
    # Signatures: the interval is in hours, so 1 = hourly; also refresh
    # before every scan.
    SignatureUpdateInterval             = 1
    CheckForSignaturesBeforeRunningScan = 1
    # Block potentially unwanted applications.
    PUAProtection                       = 'Enabled'
    # Ransomware protection (Controlled Folder Access), 1 = Enabled. This
    # blocks unapproved programs from writing to the protected folders, so
    # expect to allow-list legitimate software that saves into Documents etc.
    EnableControlledFolderAccess        = 1
}

foreach ($pref in $mpPreferences.GetEnumerator()) {
    $splat = @{ $pref.Key = $pref.Value }
    Set-MpPreference @splat
}
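# DISM staged the GPE packages with /NoRestart, so they only finish installing
# after a reboot. Use Write-Warning rather than Write-Information: the
# information stream is silent unless $InformationPreference was changed from
# its SilentlyContinue default, so this notice was never shown before.
if ($InstallGPE) {
    Write-Warning "Please reboot your machine for all settings to take effect"
}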