Windows Defender Hidden Settings Control Utility

This is a Castle Wall in Old San Juan.

Here is a great new utility by Jacques Bensimon.

If you’re among those who rely (as I do) on Windows Defender for anti-malware protection, even in enterprise environments, you are in growing company: it is built into current Windows versions at no extra cost, and its reliability and detection performance have recently received very positive reviews from the organizations that test such things.  What you may not know is that, beyond the configuration options available in the Windows Security GUI (which PowerShell also exposes), a significant number of additional settings are exposed only through PowerShell, specifically via the Get-MpPreference and Set-MpPreference cmdlets.  Their use is illustrated in the following screenshot:

Many of the options available through PowerShell are pure Enable/Disable (Boolean) settings, so they lend themselves to a simple GUI with a bunch of checkboxes, and this new WDControl utility does just that.  Since the GUI is built dynamically after querying the available options, it should in theory automatically pick up any future settings of the Enable/Disable variety.  I did however also include my favorite non-Boolean setting in the GUI, Real-Time Scan Direction:  as you can see in the following screenshots, it’s presented as a drop-down list offering the three available values Incoming, Outgoing (which PowerShell calls “Outcoming” – huh?!), and Both, the default if not changed explicitly.  I favor Incoming because all the outgoing stuff is some other people’s problem! 😉

Notes:

  • As shown above, when running without elevation (i.e. not “as administrator”) with UAC enabled, the utility operates in a Read-Only mode that only displays the current settings.  This will be pointed out at launch with the option to immediately relaunch elevated, or you can switch modes later via the Elevate button if you’d like to change some settings.
  • Individual changes are applied immediately, and if a selection fails to change when attempted, the GUI will quickly reflect the fact by reverting it to its previous setting.  This can happen for one of three reasons of which I’m currently aware:
    (1) the setting may be among those (like “Realtime Monitoring”) that cannot be modified when “Tamper Protection” is enabled in the Windows Security GUI – the utility will notify at launch if that’s the case,
    (2) the setting may not be changeable at all despite appearing in the Windows Defender PowerShell cmdlets’ list of options – the only one that currently appears to behave this way is “Intrusion Prevention System”, or
    (3) the setting may be enforced via policy – the following Policy Editor screenshot displays a few of the (currently 13) policies available to allow local override of specific settings if they’re policy-enforced:
  • Some of the settings, in addition to the simple “Enabled/Disabled” values, also accept additional values via PowerShell (like “AuditMode”) – currently the two such settings are “Controlled Folder Access” and “Network Protection”.  If one of them is configured with one of these other values when the utility is launched, it is displayed in the GUI as a three-state checkbox in its indeterminate (“gray”) state, and it is possible to cycle the setting only through unchecked (Disabled), checked (Enabled), and gray (back to the original value), but not to any other “non-standard” value – use PowerShell for that.
  • The Reset button will reapply all the settings that were in force when the utility was launched (regardless of whether they were in fact ever changed), then redisplay all the current settings, which should match the originals.
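As an added example (not WDControl’s own code, and not written by Jacques), the following PowerShell script shows the four pieces of logic the notes above describe, using only the Get-MpPreference, Set-MpPreference and Get-MpComputerStatus cmdlets: the elevation check behind the read-only mode, dynamic discovery of the Enable/Disable settings, an apply-and-read-back step that reports a setting that silently did not change (Tamper Protection, a non-settable option, or policy enforcement), and a snapshot/restore pair that mirrors the Reset button.  All function names are this example’s own, the “Boolean settings” are taken to be the [bool]-typed parameters of Set-MpPreference, and the IsTamperProtected property of Get-MpComputerStatus is assumed to be present on the Windows build in use.

```powershell
# Added example, not WDControl's code. Run in an elevated PowerShell to make changes.

function Test-Elevated {
    # Set-MpPreference fails without elevation, so a tool should fall back to read-only.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BooleanDefenderSettings {
    # Discover the Enable/Disable options dynamically: every [bool]-typed parameter of
    # Set-MpPreference that also exists as a property of the current preferences.
    $prefs = Get-MpPreference
    (Get-Command Set-MpPreference).Parameters.Values |
        Where-Object { $_.ParameterType -eq [bool] -and $prefs.PSObject.Properties[$_.Name] } |
        Sort-Object Name |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = [bool]$prefs.($_.Name) } }
}

function Set-DefenderSetting {
    # Apply one setting and confirm it by reading it back. Tamper Protection, a
    # non-settable option or a policy-enforced value can all leave the setting
    # unchanged without a terminating error, so the read-back is the real check.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)]$Value)
    $type = (Get-Command Set-MpPreference).Parameters[$Name].ParameterType
    $splat = @{ $Name = $Value }
    try {
        Set-MpPreference @splat -ErrorAction Stop
    } catch {
        Write-Warning "$Name : Set-MpPreference failed ($($_.Exception.Message))"
        return $false
    }
    # Normalize through the parameter's own type so a numeric read-back
    # (RealTimeScanDirection = 1) compares equal to the enum name (Incoming).
    $expected = $Value -as $type
    $actual   = (Get-MpPreference).$Name -as $type
    if ($actual -ne $expected) {
        Write-Warning "$Name did not change (still '$actual'): Tamper Protection, policy, or not settable?"
        return $false
    }
    return $true
}

function Get-DefenderSnapshot {
    # Capture everything the tool manages so it can be reapplied later (the Reset case).
    $prefs = Get-MpPreference
    $snap = @{}
    foreach ($s in Get-BooleanDefenderSettings) { $snap[$s.Name] = $s.Value }
    foreach ($n in 'RealTimeScanDirection', 'EnableControlledFolderAccess', 'EnableNetworkProtection') {
        $snap[$n] = $prefs.$n
    }
    $snap
}

function Restore-DefenderSnapshot {
    # Reapply one setting at a time so a single rejected setting does not abort the rest;
    # returns a name -> success map the caller can display.
    param([Parameter(Mandatory)][hashtable]$Snapshot)
    $results = @{}
    foreach ($name in ($Snapshot.Keys | Sort-Object)) {
        $results[$name] = Set-DefenderSetting -Name $name -Value $Snapshot[$name]
    }
    $results
}

# --- usage -------------------------------------------------------------------
if (-not (Test-Elevated)) {
    Write-Warning 'Not elevated: read-only mode, displaying current settings only.'
    Get-BooleanDefenderSettings | Format-Table -AutoSize
    return
}
if ((Get-MpComputerStatus).IsTamperProtected) {
    Write-Warning 'Tamper Protection is on: some settings (e.g. Realtime Monitoring) will not change.'
}
$original = Get-DefenderSnapshot
Set-DefenderSetting -Name RealTimeScanDirection -Value Incoming
Set-DefenderSetting -Name DisableIntrusionPreventionSystem -Value $true   # expected to report "did not change"
Restore-DefenderSnapshot -Snapshot $original | Out-Null                    # the Reset button, in effect
Get-BooleanDefenderSettings | Format-Table -AutoSize
```

The read-back comparison is the part worth copying: Set-MpPreference does not always raise an error when a value is rejected, so a tool that trusts the call’s return instead of re-reading the preference will show a state the engine never adopted, which is exactly the situation the GUI’s revert-on-failure behaviour guards against.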

I hope you’ll find this new tool useful, and as always please hit me up on Twitter with any issues or interesting observations.

JB
