Disable Windows Defender - Revisit Service List

[sickypedia]

Hello, I understand defender is disabled in windowsPE phase through the vbs script created by the synchronous commands, which honestly I'd like to say is genius! Thanks for incorporating this.

I see the service list which we're disabling are
Sense, WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend

I could see one more which seems related - "MDCoreSvc"
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25080.5-0\MpDefenderCoreService.exe"

Should we include this as well in the DisableDefender.vbs? It is very likely that defender isn't actually functional because of the other 6 services being disabled, but I'd like the list to be exhaustive.

Also, are you inclined to include the following registry edits to also Disable Virtualization Based Security, Credential Guard, HVCI, and LSASS Protection as these go together with disabling defender?

Disable VBS

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -PropertyType DWord -Value 0 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "RequirePlatformSecurityFeatures" -PropertyType DWord -Value 0 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "HyperVVirtualizationBasedSecurityOptOut" -PropertyType DWord -Value 1 -Force

Disable Credential Guard

New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" -Name "Enabled" -PropertyType DWord -Value 0 -Force

Disable HVCI (Memory Integrity)

New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -PropertyType DWord -Value 0 -Force

Disable LSA Protection - Runtime setting

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LsaCfgFlags" -PropertyType DWord -Value 0 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -PropertyType DWord -Value 0 -Force

Disable LSA Protection - Group Policy setting

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" -Name "LsaCfgFlags" -PropertyType DWord -Value 0 -Force

Disable Vulnerable Driver Blocklist

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config" -Name "VulnerableDriverBlocklistEnable" -PropertyType DWord -Value 0 -Force

[stimpy81]

Everyone always forgets SmartScreen, both versions...

[cschneegans]

Everyone always forgets SmartScreen, both versions...

Note that there already is a setting Disable SmartScreen in Windows and Edge.

[cschneegans]

Hello, I understand defender is disabled in windowsPE phase through the vbs script created by the synchronous commands, (…)

Note that DisableDefender.vbs is only used with the (default) Let Windows Setup (setup.exe) handle the Windows PE stage as usual setting. When you select Generate a .cmd script using the form's other settings and also these options instead, the code necessary to disable Windows Defender becomes much simpler.

I could see one more which seems related - "MDCoreSvc"
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25080.5-0\MpDefenderCoreService.exe"

I don't see this service on any of my Windows 10 and Windows 11 machines. Is it related to enterprise editions of Windows?

[sickypedia]

Thanks for getting back!

I redid some tests and realized that I had installed my copy of Windows without disabling Defender. So once the system booted up and updates were installed, "MDCoreSvc" was created as part of the defender engine updates. I had manually disabled defender from Windows recovery environment by mounting registry hives.

However, now that we know that newer defender versions include this service, it is very likely that future ISO releases (Micrososft refreshes ISOs periodically) may have this service as well by default. I think including it in the list of services to disable will essentially future-proof this setting.