WindowsDefender_InternalEvaluationSettings.ps1
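<#PSScriptInfo
.VERSION 1.1
.GUID 86032f0b-c434-41ae-9aac-094ff69b2b9a
.AUTHOR iaanMSFT
.COMPANYNAME
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
Added new cloud block level and timeout settings, and decreased signature update interval.
#>

<#
.DESCRIPTION
This script enables many protection capabilities of Windows Defender Antivirus.
These settings are not best practices or recommended settings for every organization,
and should be used only when comparing Windows Defender AV or other 3rd party antimalware
engines, not in production environments.

Two of the settings below have privacy/data-handling consequences that matter even in a
lab: MAPSReporting 'Advanced' and SubmitSamplesConsent 'Always' cause detections and file
samples to be sent to Microsoft without prompting. Do not run this on a host that holds
data you are not permitted to share. The two MpEngine values are written as *policy*
registry entries (HKLM\Software\Policies) and persist until removed; this script has no
undo step.
#>
Param()

<#
.SYNOPSIS
This script sets Windows Defender AV to enable most features for the evaluation of
protection capabilities in Windows 10 using the Windows Defender AV cmdlets, described at
https://technet.microsoft.com/en-us/library/dn433280.aspx

.NOTES
File Name : WindowsDefender_InternalEvaluationSettings.ps1
Author    : Microsoft
Email     : Wdcustomer@microsoft.com
Requires  : Windows 10, an elevated prompt, and the Defender PowerShell module
            (Set-MpPreference / Get-MpPreference)

.EXAMPLE
PSH [C:\foo]: .\WindowsDefender_InternalEvaluationSettings.ps1
#>

##
# Start of Script
##

# =================================================================================================
# Functions
# =================================================================================================

# Returns $true when the current process token is a member of the local Administrators
# role (i.e. the prompt is elevated), $false otherwise. Writing policy registry values and
# calling Set-MpPreference both need this.
function Check-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Returns $true when the reported OS major version is 10 or greater.
# The comparison is against the integer 10; the original compared against the string "10",
# which only worked because PowerShell coerced the right-hand side to the left-hand type.
function Check-IsWindows10 {
    return ([System.Environment]::OSVersion.Version.Major -ge 10)
}

# Writes a DWORD policy value for the antimalware engine.
#   $key   - value name under the MpEngine policy key (e.g. MpCloudBlockLevel)
#   $value - integer to store
# Editing Windows Defender AV settings via the registry is NOT supported. This is a scripting
# workaround instead of using Group Policy or SCCM, and the values land under
# HKLM\Software\Policies, so they behave like a GPO-enforced setting until deleted.
function SetRegistryKey([string]$key, [int]$value) {
    $amRegistryPath = "HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine"
    $wdRegistryPath = "HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine"

    # Default to the Windows Defender path; prefer the Microsoft Antimalware path only when
    # that engine's policy key is already present on the machine.
    $regPathToUse = $wdRegistryPath
    if (Test-Path $amRegistryPath) {
        $regPathToUse = $amRegistryPath
    }

    # New-ItemProperty fails with "Cannot find path" when the MpEngine policy key does not
    # exist yet, which is the normal state on a host with no Defender policy applied.
    # Create it (with -Force, creating intermediate keys) before writing the value.
    if (-not (Test-Path $regPathToUse)) {
        New-Item -Path $regPathToUse -Force | Out-Null
    }

    New-ItemProperty -Path $regPathToUse -Name $key -Value $value -PropertyType DWORD -Force | Out-Null
}

# =================================================================================================
# Main
# =================================================================================================

# Date the script was last revised; used only for the "this script is old" reminder below.
# The [datetime] cast parses with the invariant culture. The original used Get-Date "5/1/2017",
# which is parsed with the *current* culture and yields 5 January on day-first locales.
$scriptDate  = [datetime]'2017-05-01'
$currentDate = Get-Date

if (!(Check-IsElevated)) {
    throw "Please run this script from an elevated PowerShell prompt"
}

if (!(Check-IsWindows10)) {
    throw "Please run this script on Windows 10"
}

Write-Host "This script helps configure Windows Defender Antivirus in order to evaluate its protection capabilities.
`nFor more information see the Windows Defender AV protection evaluation guide (https://aka.ms/evaluatewdav)`nSome of these settings are set using unsupported methods, you should consult Windows Defender AV documentation for proper configuration methods at https://aka.ms/wdavdocs"

Write-Host "`nUpdating Windows Defender AV settings`n" -ForegroundColor Green

# Each bare string below is emitted to the pipeline as a progress line before its setting
# is applied. Failures of individual Set-MpPreference calls are not fatal here; the
# Get-MpPreference dump at the end is the verification step.
# NOTE(review): on builds where Tamper Protection (or an existing policy) manages a setting,
# the corresponding call may be refused — confirm against the final Get-MpPreference output.

"Enable real-time monitoring"
Set-MpPreference -DisableRealtimeMonitoring $false

# Sends detection metadata to Microsoft's cloud protection service (MAPS).
"Enable cloud-deliveredprotection"
Set-MpPreference -MAPSReporting Advanced

# 'Always' = file samples are uploaded to Microsoft without prompting the user.
"Enable sample submission"
Set-MpPreference -SubmitSamplesConsent Always

"Enable checking signatures before scanning"
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

"Enable behavior monitoring"
Set-MpPreference -DisableBehaviorMonitoring $false

"Enable IOAV protection"
Set-MpPreference -DisableIOAVProtection $false

"Enable script scanning"
Set-MpPreference -DisableScriptScanning $false

"Enable removable drive scanning"
Set-MpPreference -DisableRemovableDriveScanning $false

"Enable Block at first sight"
Set-MpPreference -DisableBlockAtFirstSeen $false

"Enable potentially unwanted apps"
Set-MpPreference -PUAProtection Enabled

"Schedule signature updates every 8 hours"
Set-MpPreference -SignatureUpdateInterval 8

"Enable archive scanning"
Set-MpPreference -DisableArchiveScanning $false

"Enable email scanning (if testing performance, disable this)"
Set-MpPreference -DisableEmailScanning $false

# 2 = 'High' in the "Select cloud protection level" policy. Higher levels block more
# aggressively on cloud verdicts and raise the false-positive rate — evaluation only.
"Set cloud block level to 'High'"
SetRegistryKey -key MpCloudBlockLevel -value 2

# Value is the *extended* cloud-check time in seconds, added on top of the default check.
# The author's "1 minute" label implies a 10 s default + 50 s extension — confirm against the
# "Configure extended cloud check" policy text for the build under test.
"Set cloud block timeout to 1 minute"
SetRegistryKey -key MpBafsExtendedTimeout -value 50

Write-Host "`nSettings update complete" -ForegroundColor Green

Write-Host "`nOutput Windows Defender AV settings status" -ForegroundColor Green
Get-MpPreference

if ($scriptDate.AddDays(90) -lt $currentDate) {
    Write-Host "`nThis script is older than 90 days and there may be an updated version located here: https://aka.ms/wdavevalscript`n" -ForegroundColor yellow
}

exit 0

# Reference only (unreachable after exit): Set-MpPreference options as documented at
# https://technet.microsoft.com/en-us/library/dn433280.aspx
#Set-MpPreference Options
#[-ExclusionPath <string[]>]
#[-ExclusionExtension <string[]>]
#[-ExclusionProcess <string[]>]
#[-RealTimeScanDirection {Both | Incoming | Outcoming}]
#[-QuarantinePurgeItemsAfterDelay <uint32>]
#[-RemediationScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
#[-RemediationScheduleTime <datetime>]
#[-ReportingAdditionalActionTimeOut <uint32>]
#[-ReportingCriticalFailureTimeOut <uint32>]
#[-ReportingNonCriticalTimeOut <uint32>]
#[-ScanAvgCPULoadFactor <byte>]
#[-CheckForSignaturesBeforeRunningScan <bool>]
#[-ScanPurgeItemsAfterDelay <uint32>]
#[-ScanOnlyIfIdleEnabled <bool>]
#[-ScanParameters {QuickScan | FullScan}]
#[-ScanScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
#[-ScanScheduleQuickScanTime <datetime>]
#[-ScanScheduleTime <datetime>]
#[-SignatureFirstAuGracePeriod <uint32>]
#[-SignatureAuGracePeriod <uint32>]
#[-SignatureDefinitionUpdateFileSharesSources <string>]
#[-SignatureDisableUpdateOnStartupWithoutEngine <bool>]
#[-SignatureFallbackOrder <string>]
#[-SignatureScheduleDay {Everyday | Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Never}]
#[-SignatureScheduleTime <datetime>]
#[-SignatureUpdateCatchupInterval <uint32>]
#[-SignatureUpdateInterval <uint32>]
#[-MAPSReporting {Disabled | Basic | Advanced}]
#[-SubmitSamplesConsent {None | Always | Never}]
#[-DisableAutoExclusions <bool>]
#[-DisablePrivacyMode <bool>]
#[-RandomizeScheduleTaskTimes <bool>]
#[-DisableBehaviorMonitoring <bool>]
#[-DisableIntrusionPreventionSystem <bool>]
#[-DisableIOAVProtection <bool>]
#[-DisableRealtimeMonitoring <bool>]
#[-DisableScriptScanning <bool>]
#[-DisableArchiveScanning <bool>]
#[-DisableCatchupFullScan <bool>]
#[-DisableCatchupQuickScan <bool>]
#[-DisableEmailScanning <bool>]
#[-DisableRemovableDriveScanning <bool>]
#[-DisableRestorePoint <bool>]
#[-DisableScanningMappedNetworkDrivesForFullScan <bool>]
#[-DisableScanningNetworkFiles <bool>]
#[-UILockdown <bool>]
#[-ThreatIDDefaultAction_Ids <long[]>]
#[-ThreatIDDefaultAction_Actions {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-UnknownThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-LowThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-ModerateThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-HighThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-SevereThreatDefaultAction {Clean | Quarantine | Remove | Allow | UserDefined | NoAction | Block}]
#[-Force]
#[-DisableBlockAtFirstSeen <bool>]
#[-PUAProtection {Disabled | Enabled | AuditMode}]
#[-CimSession <CimSession[]>]
#[-ThrottleLimit <int>]
#[-AsJob]
#[<CommonParameters>]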