Defender toggle

src/playbook/Configuration/atlas/appx.yml

@@ -79,11 +79,6 @@ actions:
   - !appx: {name: '*Microsoft.Windows.OOBENetworkCaptivePortal*', type: family}
   - !appx: {name: '*Microsoft.Windows.OOBENetworkConnectionFlow*', type: family}
 
-  # Windows Security (Defender)
-  - !appx: {name: '*Microsoft.Windows.SecHealthUI*', type: family}
-  # SmartScreen
-  - !appx: {name: '*Microsoft.Windows.Apprep.ChxApp*', type: family}
-
   # Mail and Calendar
   - !appx: {name: '*microsoft.windowscommunicationsapps*', type: family}
 

src/playbook/Configuration/atlas/components.yml

@@ -4,29 +4,17 @@ description: Removes certain Windows components
 privilege: TrustedInstaller
 actions:
     # Windows Defender
-  - !writeStatus: {status: 'Removing Windows Defender'}
-  - !taskKill: {name: 'NisSrv'}
-  - !taskKill: {name: 'SecurityHealthHost'}
-  - !taskKill: {name: 'SecurityHealthService'}
-  - !taskKill: {name: 'SecurityHealthSystray'}
-  - !taskKill: {name: 'SkypeBackgroundHost'}
-  - !taskKill: {name: 'MsMpEng'}
-  - !taskKill: {name: 'msiexec'}
-  - !file: {path: 'C:\Windows\System32\smartscreen.exe'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthSystray.exe'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthService.exe'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthAgent.dll'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthHost.exe'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthSSO.dll'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthCore.dll'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthProxyStub.dll'}
-  - !file: {path: 'C:\Windows\System32\SecurityHealthUdk.dll'}
-  - !file: {path: 'C:\Program Files\Windows Defender', weight: 30}
-  - !file: {path: 'C:\ProgramData\Microsoft\Windows Defender', weight: 30}
-  - !file: {path: 'C:\Program Files (x86)\Windows Defender', weight: 30}
-  - !file: {path: 'C:\Windows\System32\drivers\WdNisDrv.sys'}
-  - !file: {path: 'C:\Program Files\Windows Defender Advanced Threat Protection'}
-  - !file: {path: 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'}
+  - !writeStatus: {status: 'Removing Windows Defender', option: 'defender-disable'}
+  - !run:
+    exe: 'C:\Users\Default\Desktop\Atlas\3. Configuration\5. Security\Defender\Toggle Defender.cmd'
+    args: '-Disable'
+    wait: true
+    option: 'defender-disable'
+  - !run:
+    exe: 'C:\Users\Default\Desktop\Atlas\3. Configuration\5. Security\Defender\Toggle Defender.cmd'
+    args: '-Disable'
+    wait: true
+    option: 'defender-disable'
     # Remove Security Center startup item
   - !registryValue: {path: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', value: 'SecurityHealth', operation: delete}
 

src/playbook/Configuration/atlas/kill-kph.yml

@@ -0,0 +1,10 @@
+---
+title: Kill & Disable KProcessHacker2
+description: Kills, removes and disables ProcessHacker using its kernel mode driver to prevent conflicts with Memory Integrity and the Microsoft Vulnerable Driver Blocklist 
+privilege: TrustedInstaller
+actions:
+  - !run:
+    exe: 'powershell.exe'
+    args: '-NoP -Ex Unrestricted -File KILLKPH.ps1'
+    exeDir: true
+    wait: true

src/playbook/Configuration/atlas/services.yml

@@ -28,22 +28,6 @@ actions:
   - !service: {name: 'AssignedAccessManagerSvc', operation: delete}
   - !service: {name: 'RetailDemo', operation: delete}
 
-  # Defender
-  - !taskKill: {name: 'SecurityHealthSystray'}
-  - !taskKill: {name: 'SecurityHealthService'}
-  - !service: {name: 'WpcMonSvc', operation: delete}
-  - !service: {name: 'wisvc', operation: delete}
-  - !service: {name: 'Sense', operation: delete}
-  - !service: {name: 'webthreatdefusersvc*', operation: delete}
-  - !service: {name: 'webthreatdefsvc', operation: delete}
-  - !service: {name: 'UevAgentService', operation: delete}
-  - !service: {name: 'wscsvc', operation: delete}
-  - !service: {name: 'SecurityHealthService', operation: delete}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv'}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet001\Services\WdNisDrv'}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc'}
-  - !registryKey: {path: 'HKLM\SYSTEM\CurrentControlSet001\Services\WdNisSvc'}
-
   # Backup default Windows serivces & drivers
   - !run: {exe: 'BACKUP1.cmd', exeDir: true}
 

src/playbook/Configuration/custom.yml

@@ -6,9 +6,9 @@ actions: []
 features:
   # Configure PowerShell first so that other PowerShell scripts work
   - tweaks\qol\config-powershell.yml
+  - atlas\kill-kph.yml
   - atlas\start.yml
   - atlas\services.yml
   - atlas\components.yml
   - atlas\appx.yml
-  - atlas\packages.yml
   - tweaks.yml

src/playbook/Configuration/tweaks.yml

@@ -228,9 +228,7 @@ features:
   # -------------------------------------------------------------------------- #
   #  qol\security                                                              #
   # -------------------------------------------------------------------------- #
-  - tweaks\qol\security\disable-online-file-security-warn.yml
-  - tweaks\qol\security\disable-smartscreen.yml
-  - tweaks\qol\disable-uac-secure-desktop.yml
+  - tweaks\qol\security\disable-uac-secure-desktop.yml
 
   # -------------------------------------------------------------------------- #
   #  qol\shell                                                                 #
@@ -314,6 +312,7 @@ features:
   - tweaks\debloat\legacy-photo-viewer.yml
   - tweaks\debloat\prevent-edge-update.yml
   - tweaks\debloat\scheduled-tasks.yml
+  - tweaks\debloat\hide-unused-security-pages.yml
   - tweaks\debloat\config-storage-sense.yml
 
   # -----------------------------------------------------

src/playbook/Configuration/tweaks/debloat/hide-unused-security-pages.yml

@@ -0,0 +1,21 @@
+---
+title: Hide Unused Windows Security Pages
+description: Hides Windows Security pages that are not commonly needed/used to have a more clean UI
+privilege: TrustedInstaller
+actions:
+    # Remove bloat pages
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options'
+    value: 'UILockdown'
+    data: '1'
+    type: REG_DWORD
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health'
+    value: 'UILockdown'
+    data: '1'
+    type: REG_DWORD
+  - !registryValue:
+    path: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection'
+    value: 'UILockdown'
+    data: '1'
+    type: REG_DWORD

src/playbook/Executables/Atlas/3. Configuration/5. Security/Defender/Hide App and Browser Control/Hide App and Browser Control.reg

@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection]
+"UILockdown"=dword:00000001

src/playbook/Executables/Atlas/3. Configuration/5. Security/Defender/Hide App and Browser Control/Show App and Browser Control.reg

@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection]
+"UILockdown"=-

src/playbook/Executables/Atlas/3. Configuration/5. Security/Defender/Security Health Tray/Remove Security Tray from Startup (default).reg

@@ -0,0 +1,4 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+"SecurityHealth"=-

src/playbook/Executables/Atlas/3. Configuration/5. Security/Defender/Toggle Defender.cmd

@@ -0,0 +1,129 @@
+<# : batch portion
+@echo off
+
+if "%~1"=="-Help" (goto help) else (if "%~1"=="-help" (goto help) else (if "%~1"=="/h" (goto help) else (goto main)))
+
+:help
+echo Usage = Toggle Defender.cmd [-Help] [-Enable] [-Disable]
+exit /b
+
+:main
+if "%*"=="" (
+	fltmc >nul 2>&1 || (
+		echo Administrator privileges are required.
+		PowerShell Start -Verb RunAs '%0' 2> nul || (
+			echo You must run this script as admin.
+			pause & exit /b 1
+		)
+		exit /b 0
+	)
+)
+
+set args= & set "args1=%*"
+if defined args1 set "args=%args1:"='%"
+powershell -nop "& ([Scriptblock]::Create((Get-Content '%~f0' -Raw))) %args%"
+exit /b %errorlevel%
+: end batch / begin PowerShell #>
+
+param (
+    [switch]$Enable,
+    [switch]$Disable
+)
+
+$AtlasPackageName = 'Z-Atlas-NoDefender-Package'
+
+$AtlasModules = "$env:windir\AtlasModules"
+$onlineSxS = "$AtlasModules\Scripts\online-sxs.cmd"
+$packagesPath = "$AtlasModules\Packages"
+$ProgressPreference = 'SilentlyContinue'
+
+if ($Enable -or $Disable) {$Silent = $true}
+
+function PauseNul ($message = "Press any key to exit... ") {
+	Write-Host $message -NoNewLine
+	$Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown') | Out-Null
+}
+
+$packages = (Get-WindowsPackage -online | Where-Object { $_.PackageName -like "*$AtlasPackageName*" }).PackageName
+if (!($?)) {
+	Write-Host "Failed to get packages!" -ForegroundColor Red
+	if (!($Silent)) {PauseNul}; exit 1
+}
+if ($null -eq $packages) {$DefenderEnabled = '(current)'} else {$DefenderDisabled = '(current)'}
+
+function UninstallPackage {
+	param (
+		[switch]$Disable
+	)
+	foreach ($package in $packages) {
+		try {
+			Remove-WindowsPackage -Online -PackageName $package -NoRestart -LogLevel 1 *>$null
+		} catch {
+			Write-Host "Something went wrong removing the package: $package" -ForegroundColor Red
+			Write-Host "$_`n" -ForegroundColor Red
+			if (!($Silent)) {PauseNul}; exit 1
+		}
+	}
+}
+
+function InstallPackage {
+	$latestCabPath = (Get-ChildItem -Path $packagesPath -Filter "*$AtlasPackageName*.cab" | Sort-Object | Select-Object -Last 1).FullName
+	Write-Warning "Installing package to remove Defender..."
+	try {
+		& $onlineSxS "$latestCabPath" -Silent
+	} catch {
+		Write-Host "`nSomething went wrong whilst adding the Defender package.`nPlease report the error above to the Atlas team." -ForegroundColor Yellow
+		if (!($Silent)) {PauseNul}; exit 1
+	}
+}
+
+function Finish {
+	Write-Host "`nCompleted!" -ForegroundColor Green
+	choice /c yn /n /m "Would you like to restart now to apply the changes? [Y/N] "
+	if ($lastexitcode -eq 1) {Restart-Computer} else {
+		Write-Host "`nChanges will apply after next restart." -ForegroundColor Yellow
+		Start-Sleep 2; exit
+	}
+}
+
+if ($Disable) {InstallPackage; exit} elseif ($Enable) {UninstallPackage; exit}
+
+function Menu {
+	Clear-Host
+	$ColourDisable = 'White'; $ColourEnable = $ColourDisable
+	if ($DefenderDisabled) {$ColourDisable = 'Gray'} else {$ColourEnable = 'Gray'}
+
+	Write-Host "1) Disable Defender $DefenderDisabled" -ForegroundColor $ColourDisable
+	Write-Host "2) Enable Defender $DefenderEnabled`n" -ForegroundColor $ColourEnable
+
+	Write-Host "Choose 1 or 2: " -NoNewline -ForegroundColor Yellow
+	$pageInput = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
+
+	switch ($pageInput.Character) {
+		# Disable Defender
+		1 {
+			if ($DefenderDisabled) {Menu}
+			Clear-Host
+			Write-Host "Are you sure that you want to disable Defender?" -ForegroundColor Red
+			Write-Host "Although disabling Windows Defender will improve performance and convienience, it's important for security.`n"
+
+			Pause
+			Clear-Host
+			InstallPackage
+			Finish
+		}
+		# Enable Defender
+		2 {
+			if ($DefenderEnabled) {Menu}
+			Clear-Host
+			UninstallPackage
+			Finish
+		}
+		default {
+			# Do nothing
+			Menu
+		}
+	}
+}
+
+Menu

src/playbook/Executables/AtlasModules/Acknowledgements/online-sxs GitHub.url

@@ -0,0 +1,5 @@
+[{000214A0-0000-0000-C000-000000000046}]
+Prop3=19,11
+[InternetShortcut]
+IDList=
+URL=https://github.com/he3als/online-sxs