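# --- Author: zetod1ce (github.com/ztd38f) --- #
# --- DISCLAIMER: Provided as-is, without warranties. For educational and testing use only in controlled environments. Use at your own risk. --- #
#
# Re-enables Microsoft Defender and the protection features around it that can
# be switched off through exclusions, "Disable*" policy values, stopped or
# disabled services, disabled scheduled tasks and suppressed notifications.
#
# Every step is best-effort: cmdlets run with -ErrorAction SilentlyContinue and
# the native reg/schtasks calls are not checked, so a key or value that is
# already absent does not abort the run (reg delete prints its own error to the
# console in that case). Everything below writes HKLM and changes services, so
# the script only does useful work from an elevated session; the #Requires line
# makes PowerShell refuse to start it otherwise instead of failing silently.
#Requires -RunAsAdministrator

Write-Host "0. Removing all exclusions" -ForegroundColor Yellow
# Exclusions configured through Defender itself: every Exclusion* property of
# the preference object that currently holds a value is handed back to
# Remove-MpPreference under the same parameter name via splatting.
$pref = Get-MpPreference
$exclusionProps = ($pref | Get-Member -Name 'Ex*').Name | Where-Object { $pref.$_ }
foreach ($prop in $exclusionProps) {
    $removal = @{ $prop = $pref.$prop }
    Remove-MpPreference @removal -Force -ErrorAction SilentlyContinue
}
# Exclusions pushed by policy live in their own registry subkeys; remove each.
foreach ($kind in 'Paths', 'Extensions', 'Processes', 'IpAddresses') {
    Remove-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\$kind" -Recurse -Force -ErrorAction SilentlyContinue
}

Write-Host "1. Resetting blocking policies (GPO)" -ForegroundColor Yellow
# Policy values that disable Defender components, grouped by the subkey that
# holds them. Deleting the value (rather than setting it to 0) returns the
# setting to "not configured".
$policyRoot = 'HKLM\Software\Policies\Microsoft\Windows Defender'
$policyValues = @(
    @{ Key = $policyRoot
       Values = 'DisableAntiSpyware', 'DisableAntiVirus', 'DisableSpecialRunningModes' },
    @{ Key = "$policyRoot\Real-Time Protection"
       Values = 'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableOnAccessProtection',
                'DisableRealtimeMonitoring', 'DisableRoutinelyTakingAction', 'DisableScanOnRealtimeEnable' },
    @{ Key = "$policyRoot\MpEngine"
       Values = 'MpEnablePus' },
    @{ Key = "$policyRoot\SpyNet"
       Values = 'SpynetReporting', 'DisableBlockAtFirstSeen', 'SubmitSamplesConsent' }
)
foreach ($entry in $policyValues) {
    foreach ($name in $entry.Values) {
        reg delete "$($entry.Key)" /v "$name" /f
    }
}

Write-Host "2. Restoring and starting protection services" -ForegroundColor Yellow
# Defender, Security Center, firewall, event-log and related services. The
# original list named MpsSvc twice (service names are case-insensitive); the
# duplicate is dropped here.
# NOTE(review): WdFilter, WdBoot and WdNisDrv are kernel-mode drivers; Start=2
# (SERVICE_AUTO_START) is written for them exactly as for the user-mode
# services - confirm against a known-good machine that this matches the
# default Start value for those drivers.
$services = 'Sense', 'webthreatdefsvc', 'webthreatdefusersvc', 'WdNisSvc', 'WdNisDrv', 'MDCoreSvc',
            'SgrmBroker', 'SecurityHealthService', 'wscsvc', 'WinDefend', 'WdFilter', 'WdBoot',
            'MpsSvc', 'BFE', 'Wecsvc', 'EventLog'
foreach ($svc in $services) {
    # Stop first, presumably so that the Start-Service below acts as a restart
    # when the service was already running in a degraded state.
    Stop-Service $svc -Force -ErrorAction SilentlyContinue
    # Full parameter name instead of the abbreviated "-st" used originally:
    # unambiguous on every PowerShell version.
    Set-Service $svc -StartupType Automatic -ErrorAction SilentlyContinue
    # Write the Start value directly as well, in case Set-Service is refused;
    # AutorunsDisabled is the marker left behind when a service is disabled
    # through the Autoruns tool.
    reg add "HKLM\System\CurrentControlSet\Services\$svc" /v "Start" /t REG_DWORD /d 2 /f
    reg delete "HKLM\System\CurrentControlSet\Services\$svc" /v "AutorunsDisabled" /f
    Start-Service $svc -ErrorAction SilentlyContinue
}

Write-Host "3. Configuring components (Tamper, CFA)" -ForegroundColor Yellow
# NOTE(review): the Features key is normally protected by Defender itself;
# verify on the target that this write is not rejected with access denied.
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 1 /f
# AuditMode only logs what Controlled Folder Access would have blocked; it does
# not enforce. Change to Enabled if enforcement is wanted.
Set-MpPreference -EnableControlledFolderAccess AuditMode -Force -ErrorAction SilentlyContinue

Write-Host "4. Enabling WMI and SmartScreen" -ForegroundColor Yellow
# Defender's ETW autologger sessions (Start=1 here is the autologger's own
# enable flag, not a service start type).
foreach ($logger in 'DefenderApiLogger', 'DefenderAuditLogger') {
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\$logger" /v "Start" /t REG_DWORD /d 1 /f
}
# Explorer / Edge / Store-app SmartScreen. HKCU values apply to the account
# running this elevated session, which may differ from the interactive user.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d On /f
foreach ($name in 'SmartScreenEnabled', 'SmartScreenPuaEnabled') {
    reg add "HKCU\Software\Microsoft\Edge\$name" /ve /t REG_DWORD /d 1 /f
}
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
# Smart App Control / code-integrity policy state, written with the same values
# as the original script.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d 1 /f
foreach ($name in 'SvcEnabled', 'ServiceStart', 'ServiceState') {
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI" /v "$name" /t REG_DWORD /d 1 /f
}

Write-Host "5. Enabling scheduled tasks" -ForegroundColor Yellow
schtasks /Change /tn "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /enable
foreach ($task in 'Windows Defender Cache Maintenance', 'Windows Defender Cleanup',
                  'Windows Defender Scheduled Scan', 'Windows Defender Verification') {
    schtasks /Change /tn "Microsoft\Windows\Windows Defender\$task" /enable
}

Write-Host "6. Interface and Notifications" -ForegroundColor Yellow
# Security Health tray icon at logon; the inner backtick-escaped quotes keep the
# %windir% path quoted inside the REG_EXPAND_SZ value.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "`"%windir%\system32\SecurityHealthSystray.exe`"" /f
# "Scan with Microsoft Defender" context-menu handler for files, folders and drives.
foreach ($class in '*', 'Directory', 'Drive') {
    reg add "HKCR\$class\shellex\ContextMenuHandlers\EPP" /ve /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
}
# Toast notifications for the current user (see the HKCU remark in step 4).
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SmartAppControl" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d 1 /f
foreach ($name in 'EnableNotifications', 'EnableToastApplicationNotification', 'NOC_GLOBAL_SETTING_TOASTS_ENABLED') {
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "$name" /t REG_DWORD /d 1 /f
}
# Security Center notification switches: these are "Disable*" values, so 0 turns
# the notification back on.
foreach ($name in 'DisableNotifications', 'DisableEnhancedNotifications', 'DisableMonitoring',
                  'DisableAlerts', 'DisableNotificationsUI', 'DisableNotificationCenter') {
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "$name" /t REG_DWORD /d 0 /f
}
# Policy values that suppress toasts / the notification center for this user.
reg delete "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /f
reg delete "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /f

Write-Host "Done." -ForegroundColor Green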