Windows Security Audit Script
The win10-def-get.ps1 script is a comprehensive Windows Defender and security configuration audit tool that collects, analyzes, and reports on various security settings, protection features, and system configurations on Windows 10/11 systems.
Script Version: 1.20
PowerShell Requirements: 5.1+ or PowerShell 7+
Elevation: Recommended (some features require administrator privileges)
- Attack Surface Reduction (ASR) Rules - Complete analysis of all 18 ASR rules
- Microsoft Defender Settings - Real-time protection, behavior monitoring, scanning preferences
- Signature and Engine Versions - Local vs latest available versions from Microsoft
- Exploit Protection - DEP, ASLR, CFG, SEHOP, and other mitigations
- Platform Security - Device Guard, Credential Guard, Secure Boot, TPM, BitLocker
- Microsoft Defender for Endpoint (MDE) - Onboarding status, service health, connectivity
- EDR in Block Mode - Enhanced detection with multiple fallback methods
- Tamper Protection - Cloud-managed and local configuration detection
- Device Health Attestation - Service status and policy configuration
- Controlled Folder Access - Ransomware protection settings
- Cloud-delivered Protection - MAPS reporting and cloud block levels
| Parameter | Type | Default | Description |
|---|---|---|---|
| -Quiet | Switch | False | Suppress informational output (warnings/errors only) |
| -OutputMode | String | 'Console' | Output format: Console, Plain, Object, Json, Csv, Html, Xml |
| -OutputPath | String | Auto-generated | File path for non-console output modes |
| -SkipOnlineCheck | Switch | False | Skip web lookup of latest Defender versions |
| -IncludeRaw | Switch | False | Include raw Get-MpPreference/Get-MpComputerStatus in output |
| -SkipSlowChecks | Switch | False | Skip time-consuming checks (Hyper-V, Windows Update, SMB shares) |
- Console (default) - Colored console output with status indicators
- Plain - Text output without colors (suitable for logging)
- Object - Returns PowerShell object for further processing
- Json - Exports to JSON file with structured data
- Csv - Flat CSV export for spreadsheet analysis
- Html - Styled HTML report for documentation
- Xml - PowerShell XML export using Export-Clixml
```powershell
# Standard execution with colored console output
.\win10-def-get.ps1

# Quiet mode (only warnings/errors)
.\win10-def-get.ps1 -Quiet

# Fast mode (skip slow checks)
.\win10-def-get.ps1 -SkipSlowChecks
```

```powershell
# Generate JSON report
.\win10-def-get.ps1 -OutputMode Json -OutputPath "C:\Reports\defender-audit.json"

# Create HTML report
.\win10-def-get.ps1 -OutputMode Html -OutputPath "C:\Reports\security-report.html"

# Export to CSV for analysis
.\win10-def-get.ps1 -OutputMode Csv -OutputPath "C:\Reports\security-data.csv"

# Return object for pipeline processing
$result = .\win10-def-get.ps1 -OutputMode Object
$result.ASR | Where-Object { $_.State -eq 'Enabled' }
```

```powershell
# Complete audit with raw data included
.\win10-def-get.ps1 -OutputMode Json -IncludeRaw -OutputPath "C:\Audit\complete-audit.json"

# Offline execution (no internet connectivity)
.\win10-def-get.ps1 -SkipOnlineCheck

# Pipeline processing example
.\win10-def-get.ps1 -OutputMode Object -Quiet |
    ConvertTo-Json -Depth 6 |
    Out-File "audit-$(Get-Date -Format 'yyyyMMdd').json"
```

18 ASR Rules Evaluated:
- Block executable content from email client and webmail
- Block Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript/VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
- Block executable files unless they meet criteria
- Use advanced protection against ransomware
- Block credential stealing from LSASS
- Block process creations from PSExec and WMI
- Block untrusted/unsigned processes from USB
- Block Office communication apps from creating child processes
- Block Adobe Reader from creating child processes
- Block persistence through WMI event subscription
- Block Webshell creation for Servers
- Block abuse of exploited vulnerable signed drivers
- Block rebooting machine in Safe Mode
- Block use of copied or impersonated system tools
Status Classifications:
- Enabled (Block mode) - ✅ Good
- Audit (Audit mode) - ⚠️ Warning
- Warn (User prompt) - ⚠️ Warning
- Not Enabled - ❌ Bad
Core Protection Features:
- Real-time protection status
- Behavior monitoring
- Cloud-delivered protection levels
- Network protection
- Potentially Unwanted Application (PUA) protection
- Sample submission settings
- Scanning configurations
Scanning Settings:
- Archive file scanning
- Email scanning
- Removable drive scanning
- Network file scanning
- Script scanning
- Exclusions (paths, extensions, processes)
Detection Methods:
- Registry onboarding state check
- Sense service status verification
- WdFilter driver status
- Cloud connectivity validation
- Organization ID and version reporting
Enhanced Display Format:

```text
Defender for Endpoint: Onboarded
  └─ OnboardingState: 1
  └─ Last Connected: 2025-09-15 07:57
  └─ OrgId: ef5c5795...
  └─ Sense Service: Running
  └─ WdFilter: Running
  └─ Version: 10.8850.19041.1000
```
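The MDE detection methods listed above (registry onboarding state, Sense and WdFilter service status, organization ID and version) can be combined into one check that never throws and records why a status ended up as Unknown. The function below is an added example, not code from win10-def-get.ps1; it uses the registry path, value names and service names the page lists and prints the result in the same hierarchical shape. Run it elevated on the host being audited.

```powershell
# Added example (not part of win10-def-get.ps1): multi-method MDE onboarding
# check that records a Reason whenever a value cannot be determined.

function Get-MdeOnboardingSummary {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $s = [ordered]@{
        Onboarding      = 'Unknown'
        OnboardingState = $null
        LastConnected   = $null
        OrgId           = $null
        SenseVersion    = $null
        SenseService    = 'Unknown'
        WdFilter        = 'Unknown'
        Reason          = $null
    }

    # Method 1: registry onboarding state (needs read access to the key)
    $reg = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    if ($null -eq $reg) {
        $s.Reason = "cannot read $statusKey (not onboarded, Home edition, or insufficient permissions)"
    } else {
        $s.OnboardingState = $reg.OnboardingState
        $s.LastConnected   = $reg.LastConnected
        $s.SenseVersion    = $reg.SenseVersion
        # Print only a prefix of the org id, as the script's display does
        if ($reg.OrgId) { $s.OrgId = $reg.OrgId.Substring(0, [math]::Min(8, $reg.OrgId.Length)) + '...' }
        $s.Onboarding = if ($reg.OnboardingState -eq 1) { 'Onboarded' } else { 'Not onboarded' }
    }

    # Method 2: service health; an absent Sense service is itself a signal
    $svcMap = @{ Sense = 'SenseService'; WdFilter = 'WdFilter' }
    foreach ($name in $svcMap.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $s[$svcMap[$name]] = if ($svc) { [string]$svc.Status } else { 'Not installed' }
    }
    if ($s.Onboarding -eq 'Onboarded' -and $s.SenseService -ne 'Running') {
        $s.Reason = 'registry says onboarded but the Sense service is not running'
    }

    [pscustomobject]$s
}

# Hierarchical display in the same shape the script uses
function Format-MdeOnboardingSummary {
    param([Parameter(Mandatory)]$Summary)
    $lines = @("Defender for Endpoint: $($Summary.Onboarding)")
    foreach ($p in 'OnboardingState', 'LastConnected', 'OrgId', 'SenseService', 'WdFilter', 'SenseVersion', 'Reason') {
        if ($null -ne $Summary.$p) { $lines += "  └─ ${p}: $($Summary.$p)" }
    }
    $lines -join [Environment]::NewLine
}

Format-MdeOnboardingSummary -Summary (Get-MdeOnboardingSummary)
```

Because every lookup uses -ErrorAction SilentlyContinue, a non-elevated run degrades to Unknown plus a Reason instead of a terminating error, which is the behaviour you want from an audit that is scheduled unattended.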
Multi-Method Detection:
- Get-MpComputerStatus property check
- Registry key analysis
- MDE service validation
- Cloud block level assessment
Comprehensive Detection:
- Primary Get-MpComputerStatus check
- Registry fallback locations
- Cloud-managed configuration detection
- Alternative registry paths
Enhanced Analysis:
- VBS (Virtualization-Based Security) enablement
- LSA configuration validation
- Runtime status verification via Win32_DeviceGuard
- Hardware requirements assessment
Security Features Evaluated:
- Secure Boot - UEFI Secure Boot status
- TPM - Presence, version, and configuration
- BitLocker - Protection status and encryption method
- Device Guard - VBS configuration
- Hyper-V - Virtualization feature status
- Windows Hello - Biometric authentication availability
- UAC - User Account Control level
- Firewall - Status across all profiles
Platform Details:
- BIOS mode (UEFI/Legacy)
- PCR7 configuration for measured boot
- TCG event log availability
- Hypervisor presence
- Windows Update status
- Network shares enumeration
- 🟢 Green (Good) - Optimal security configuration
- 🟡 Yellow (Warn) - Needs attention or suboptimal setting
- 🔴 Red (Bad) - Security risk or disabled protection
- ⚪ White (Neutral) - Informational or not applicable
The script calculates an overall security compliance percentage based on:
- Core Defender protection features
- ASR rule enablement
- Real-time protection status
- Network protection configuration
Scoring Thresholds:
- ≥80% - Good (Green)
- 60-79% - Warning (Yellow)
- <60% - Bad (Red)
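The script's overall percentage combines several inputs (core Defender features, ASR, real-time protection, network protection); as an added example, not code from win10-def-get.ps1, the snippet below applies the same status classification and scoring thresholds to the ASR subset of an -OutputMode Object result. It assumes $result.ASR is a collection of objects with Name and State properties, where State is one of Enabled, Audit, Warn or Not Enabled; a constructed sample object stands in for a real run.

```powershell
# Added example (not part of win10-def-get.ps1): rate ASR rules and compute a
# compliance percentage from the Object output. Property names Name and State
# on $result.ASR are assumed from the usage examples on this page.

function Get-AsrRuleRating {
    param([Parameter(Mandatory)][string]$State)
    switch ($State) {
        'Enabled' { 'Good' }
        'Audit'   { 'Warning' }
        'Warn'    { 'Warning' }
        default   { 'Bad' }      # 'Not Enabled' or anything unexpected
    }
}

function Get-ComplianceRating {
    param([Parameter(Mandatory)][double]$Percent)
    if     ($Percent -ge 80) { 'Good' }     # Green
    elseif ($Percent -ge 60) { 'Warning' }  # Yellow
    else                     { 'Bad' }      # Red
}

function Get-AsrSummary {
    param([Parameter(Mandatory)]$AuditResult)
    $rules   = @($AuditResult.ASR)
    $enabled = @($rules | Where-Object { $_.State -eq 'Enabled' }).Count
    $pct     = if ($rules.Count) { [math]::Round(100 * $enabled / $rules.Count, 1) } else { 0 }
    [pscustomobject]@{
        RulesTotal   = $rules.Count
        RulesEnabled = $enabled
        Percent      = $pct
        Rating       = Get-ComplianceRating -Percent $pct
        NeedsAction  = $rules | Where-Object { (Get-AsrRuleRating $_.State) -ne 'Good' } |
                       Select-Object Name, State, @{ n = 'Rating'; e = { Get-AsrRuleRating $_.State } }
    }
}

# Constructed sample input so the snippet runs without the audit script
$sample = [pscustomobject]@{
    ASR = @(
        [pscustomobject]@{ Name = 'Block credential stealing from LSASS'; State = 'Enabled' }
        [pscustomobject]@{ Name = 'Block Office applications from creating child processes'; State = 'Audit' }
        [pscustomobject]@{ Name = 'Block rebooting machine in Safe Mode'; State = 'Not Enabled' }
    )
}
$summary = Get-AsrSummary -AuditResult $sample
$summary | Format-List RulesTotal, RulesEnabled, Percent, Rating
$summary.NeedsAction | Format-Table -AutoSize

# Against a real run:
# $summary = Get-AsrSummary -AuditResult (.\win10-def-get.ps1 -OutputMode Object -Quiet)
```

With the sample above one of three rules is Enabled, so Percent is 33.3 and Rating is Bad; the NeedsAction table lists the Audit and Not Enabled rules with their Warning and Bad ratings.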
For troubleshooting "Unknown" statuses, run these elevated PowerShell commands:

```powershell
# MDE Verification
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' |
    Select-Object OnboardingState, LastConnected, OrgId, SenseVersion
Get-Service -Name 'Sense', 'WdFilter' | Select-Object Name, Status, StartType

# Tamper Protection
Get-MpComputerStatus | Select-Object IsTamperProtected, TamperProtectionSource

# Credential Guard
Get-CimInstance -ClassName Win32_DeviceGuard |
    Select-Object SecurityServicesConfigured, SecurityServicesRunning

# VBS Status
Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\DeviceGuard' |
    Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures

# Device Health Attestation
Get-Service -Name 'DeviceHealthAttestationService' -ErrorAction SilentlyContinue |
    Select-Object Status, StartType
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceHealthAttestation' -ErrorAction SilentlyContinue
```

The -SkipSlowChecks switch skips these time-consuming operations:
- Hyper-V feature detection (10-60 seconds)
- Windows Update history query (10-30 seconds)
- SMB share enumeration (variable)
Estimated Execution Times:
- Normal Mode: 30-90 seconds
- Fast Mode: 5-15 seconds
- Offline Mode: 10-30 seconds
Causes:
- Machine not onboarded to MDE
- Running on Windows Home edition
- Insufficient registry permissions
Solution:
```powershell
# Check MDE onboarding
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
```

Causes:
- Not running as administrator
- Cloud-managed configuration
- Older Windows version
Solution:
```powershell
# Run as administrator
Get-MpComputerStatus | Select-Object IsTamperProtected
```

Causes:
- Hardware doesn't support VBS
- Not Windows Pro/Enterprise
- UEFI/Secure Boot not configured
Solution:
```powershell
# Check hardware requirements
Get-CimInstance -ClassName Win32_DeviceGuard
```

Elevated Privileges Needed For:
- Registry security keys
- Service status queries
- Device Guard information
- TPM details
- BitLocker status
Network Connectivity Required For:
- Latest signature version lookup
- Microsoft security intelligence updates
- Cloud protection verification
```powershell
# Create scheduled task for weekly security audit
$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File "C:\Scripts\win10-def-get.ps1" -OutputMode Json -OutputPath "C:\Reports\weekly-audit.json" -Quiet'
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6AM
Register-ScheduledTask -TaskName "WeeklySecurityAudit" -Action $Action -Trigger $Trigger
```

- Copy script to network share
- Create GPO with scheduled task
- Configure output to central reporting location
- Set appropriate execution permissions
```powershell
# Example: Convert to Splunk-friendly format
.\win10-def-get.ps1 -OutputMode Object -Quiet |
    ConvertTo-Json -Compress |
    Add-Content "C:\Logs\defender-audit.json"
```

```powershell
# Generate CSV for PowerBI consumption
.\win10-def-get.ps1 -OutputMode Csv -OutputPath "\\reports\defender-$(Get-Date -Format 'yyyyMMdd').csv"
```

- Daily: In high-security environments
- Weekly: Standard enterprise deployment
- Monthly: Home/SOHO environments
- After Changes: Security policy modifications
- Keep historical reports for trend analysis
- Archive reports older than 90 days
- Maintain baseline configurations for comparison
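Keeping a baseline report is only useful if something compares it with each new run. As an added example, not code from win10-def-get.ps1, the function below diffs two JSON reports produced with -OutputMode Json and lists ASR rules whose State changed, flagging those that left Enabled. It assumes each report carries an ASR array of objects with Name and State properties; the two sample reports it writes to the temp directory are constructed so the snippet runs stand-alone.

```powershell
# Added example (not part of win10-def-get.ps1): compare a baseline JSON report
# with a current one and report ASR state changes. The ASR/Name/State layout
# of the JSON is assumed from this page's Object-mode usage example.

function Compare-AsrReports {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [Parameter(Mandatory)][string]$CurrentPath
    )
    $baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
    $current  = Get-Content -Raw -Path $CurrentPath  | ConvertFrom-Json

    $baseMap = @{}
    foreach ($r in @($baseline.ASR)) { $baseMap[$r.Name] = $r.State }

    foreach ($r in @($current.ASR)) {
        $before = if ($baseMap.ContainsKey($r.Name)) { $baseMap[$r.Name] } else { '(new rule)' }
        if ($before -ne $r.State) {
            [pscustomobject]@{
                Rule      = $r.Name
                Baseline  = $before
                Current   = $r.State
                # Leaving Enabled is the regression a reviewer cares about most
                Regressed = ($before -eq 'Enabled' -and $r.State -ne 'Enabled')
            }
        }
    }
}

# Constructed sample reports written to temp files so this runs stand-alone
$tmp      = [System.IO.Path]::GetTempPath()
$basePath = Join-Path $tmp 'baseline-audit.json'
$curPath  = Join-Path $tmp 'weekly-audit.json'
@{ ASR = @(
    @{ Name = 'Block credential stealing from LSASS'; State = 'Enabled' },
    @{ Name = 'Block persistence through WMI event subscription'; State = 'Enabled' }
) } | ConvertTo-Json -Depth 4 | Set-Content $basePath
@{ ASR = @(
    @{ Name = 'Block credential stealing from LSASS'; State = 'Enabled' },
    @{ Name = 'Block persistence through WMI event subscription'; State = 'Audit' },
    @{ Name = 'Block rebooting machine in Safe Mode'; State = 'Not Enabled' }
) } | ConvertTo-Json -Depth 4 | Set-Content $curPath

Compare-AsrReports -BaselinePath $basePath -CurrentPath $curPath | Format-Table -AutoSize
# Real use: Compare-AsrReports 'C:\Reports\baseline.json' 'C:\Reports\weekly-audit.json'
```

With the sample data the WMI persistence rule shows Baseline Enabled, Current Audit, Regressed True, and the Safe Mode rule appears as a new rule that is Not Enabled; the LSASS rule is unchanged and is not listed.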
- Store reports in secure locations
- Limit access to security audit data
- Review for sensitive information before sharing
- Use encryption for report storage/transmission
```powershell
# Check execution policy
Get-ExecutionPolicy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Verify PowerShell version
$PSVersionTable.PSVersion
```

```powershell
# Use fast mode
.\win10-def-get.ps1 -SkipSlowChecks

# Run offline
.\win10-def-get.ps1 -SkipOnlineCheck
```

```powershell
# Run as administrator
Start-Process PowerShell -Verb RunAs
```

Version 1.20 Enhancements:
- Enhanced EDR in Block Mode detection
- Improved Tamper Protection analysis
- Advanced Credential Guard detection
- Better MDE onboarding status reporting
- Comprehensive Exploit Protection assessment
- Detailed Ransomware Protection evaluation
- Enhanced Cloud-delivered Protection analysis
- Hierarchical detail display format
Future Considerations:
- Microsoft Defender for Business integration
- Azure AD security policy reporting
- Intune configuration compliance
- Zero Trust architecture assessment
- New ASR rule additions
- Windows feature updates
- Registry key changes
- API modifications
- New security features
- Microsoft Security Intelligence
- Attack Surface Reduction Rules Reference
- Windows Security Documentation
To contribute improvements or report issues:
- Test changes in isolated environment
- Validate against multiple Windows versions
- Ensure backward compatibility
- Document new features thoroughly
- Submit pull requests with detailed descriptions
This documentation corresponds to script version 1.20. Always refer to the script header comments for the most current information.