Powershell: always remove windows defender

aramprice · aramprice · commit 49a1e3133980 · 2025-06-05T15:44:06.000-07:00
Even though the code had paths in the stembuild/modules/ powershell code
to disable rather than remove windows defender, it turns out that the
pipelines have been building `stembuild` with the top-level `modules/`
powershell code (orginally in `cloudfoundry/bosh-psmodules`).

Severl releases of stembuild have been released with this behavior to no
(apparent) ill effect so we are removing to unused conditional behavior
of disable vs remove.
diff --git a/modules/BOSH.CFCell/BOSH.CFCell.Tests.ps1 b/modules/BOSH.CFCell/BOSH.CFCell.Tests.ps1
@@ -33,7 +33,7 @@ Describe "Protect-CFCell" {
        Get-Service "Termservice" | Set-Service -StartupType "Automatic"
        netstat /p tcp /a | findstr ":3389 " | Should -Not -BeNullOrEmpty
 
-       Protect-CFCell -IaaS "not-vsphere"
+       Protect-CFCell -IaaS "ignored"
 
        Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" | select -exp fDenyTSConnections | Should -Be 1
        netstat /p tcp /a | findstr ":3389 " | Should -BeNullOrEmpty
@@ -44,7 +44,7 @@ Describe "Protect-CFCell" {
     It "disables the services" {
        Get-Service | Where-Object {$_.Name -eq "WinRM" } | Set-Service -StartupType Automatic
        Get-Service | Where-Object {$_.Name -eq "W3Svc" } | Set-Service -StartupType Automatic
-       Protect-CFCell -IaaS "not-vsphere"
+       Protect-CFCell -IaaS "ignored"
        (Get-Service | Where-Object {$_.Name -eq "WinRM" } ).StartType| Should -Be "Disabled"
        $w3svcStartType = (Get-Service | Where-Object {$_.Name -eq "W3Svc" } ).StartType
        "Disabled", $null -contains $w3svcStartType | Should -Be $true
@@ -55,7 +55,7 @@ Describe "Protect-CFCell" {
         get-firewall "public" | Should -Be "public,Allow,Allow"
         get-firewall "private" | Should -Be "private,Allow,Allow"
         get-firewall "domain" | Should -Be "domain,Allow,Allow"
-        Protect-CFCell -IaaS "not-vsphere"
+        Protect-CFCell -IaaS "ignored"
         get-firewall "public" | Should -Be "public,Block,Allow"
         get-firewall "private" | Should -Be "private,Block,Allow"
         get-firewall "domain" | Should -Be "domain,Block,Allow"
@@ -64,45 +64,10 @@ Describe "Protect-CFCell" {
     It "does not call 'Disable-WindowsDefenderFeatures'" {
         Mock -ModuleName BOSH.CFCell Disable-WindowsDefenderFeatures { }
 
-        { Protect-CFCell -IaaS "not-vsphere" } | Should -Not -Throw
+        { Protect-CFCell -IaaS "ignored" } | Should -Not -Throw
 
         Should -Not -Invoke -ModuleName BOSH.CFCell -CommandName Disable-WindowsDefenderFeatures
     }
-
-    Context "when -IaaS is 'vsphere'" {
-        It "sets all Windows Defender `disable` settings to true" {
-            Mock -ModuleName BOSH.CFCell Get-Command {
-                [hashtable]@{
-                    ParameterSets = [hashtable]@{
-                        Parameters = @(
-                            @{ Name = "DisableBehaviorMonitoring" },
-                            @{ Name = "OtherThing" }
-                        )
-                    }
-                }
-            }
-            Mock -ModuleName BOSH.CFCell Set-MpPreference { }
-
-            Protect-CFCell -IaaS "vsphere"
-
-            Assert-MockCalled Write-Log -Exactly 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Disabling Windows Defender Features" }
-
-            Assert-MockCalled Set-MpPreference -Exactly 1 -Scope It -ParameterFilter { $DisableBehaviorMonitoring -eq $true } -ModuleName BOSH.CFCell
-            Assert-MockCalled Set-MpPreference -Exactly 0 -Scope It -ParameterFilter { $OtherThing -eq $true } -ModuleName BOSH.CFCell
-
-            Assert-MockCalled Write-Log -Exactly 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Setting Defender preference DisableBehaviorMonitoring to True" }
-        }
-
-        It "does not attempt to change Windows Defender settings if Windows Defender is not installed" {
-            Mock -ModuleName BOSH.CFCell Get-Command { $false }
-            Mock -ModuleName BOSH.CFCell Set-MpPreference { }
-
-            Protect-CFCell -IaaS "vsphere"
-
-            Assert-MockCalled Write-Log -Exactly 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Set-MpPreference command not found, assuming Windows Defender is not installed" }
-            Assert-MockCalled Set-MpPreference -Scope It -Exactly 0 -ModuleName BOSH.CFCell
-        }
-    }
 }
 
 Describe "Install-CFFeatures" {
@@ -116,42 +81,34 @@ Describe "Install-CFFeatures" {
     }
 
     It "triggers a machine restart when the -ForceReboot flag is set" {
-        { Install-CFFeatures -IaaS "not-vsphere" -ForceReboot } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" -ForceReboot } | Should -Not -Throw
 
         Assert-MockCalled Restart-Computer -Times 1 -Scope It -ModuleName BOSH.CFCell
     }
 
     It "doesn't trigger a machine restart if -ForceReboot flag not set" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Assert-MockCalled Restart-Computer -Times 0 -Scope It -ModuleName BOSH.CFCell
     }
 
     It "logs Installing CloudFoundry Cell Windows Features" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Assert-MockCalled Write-Log -Times 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Installing CloudFoundry Cell Windows Features" }
     }
 
     It "logs Installed CloudFoundry Cell Windows Features after installation" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Assert-MockCalled Write-Log -Times 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Installed CloudFoundry Cell Windows Features" }
     }
 
     It "calls Uninstall-WindowsFeature (for '*Defender')" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Should -Invoke -ModuleName BOSH.CFCell -CommandName Uninstall-WindowsFeature
     }
-
-    Context "when -IaaS is 'vsphere'" {
-        It "does not call Uninstall-WindowsFeature (for '*Defender')" {
-            { Install-CFFeatures -IaaS "vsphere" } | Should -Not -Throw
-
-            Should -Not -Invoke -ModuleName BOSH.CFCell -CommandName Uninstall-WindowsFeature
-        }
-    }
 }
 
 Describe "Remove-DockerPackage" {
diff --git a/modules/BOSH.CFCell/BOSH.CFCell.psm1 b/modules/BOSH.CFCell/BOSH.CFCell.psm1
@@ -20,9 +20,7 @@ function Install-CFFeatures {
 
   WindowsFeatureInstall("FS-Resource-Manager")
   WindowsFeatureInstall("Containers")
-  if ($IaaS -ne "vsphere") {
-      Get-WindowsFeature | Where-Object -FilterScript { $_.Name -like '*Defender*' } | Uninstall-WindowsFeature -Remove
-  }
+  Get-WindowsFeature | Where-Object -FilterScript { $_.Name -like '*Defender*' } | Uninstall-WindowsFeature -Remove
   Write-Log "Installed CloudFoundry Cell Windows Features"
 
   Write-Log "Setting WinRM startup type to automatic"
@@ -77,28 +75,6 @@ function Protect-CFCell {
 
   Write-Log "Disabling NetBIOS over TCP"
   Disable-NetBIOS
-
-  if ($IaaS -eq "vsphere") {
-      Disable-WindowsDefenderFeatures
-  }
-}
-
-function Disable-WindowsDefenderFeatures {
-    if (Get-Command -Name Set-MpPreference -ErrorAction SilentlyContinue)
-    {
-        Write-Log "Disabling Windows Defender Features"
-        (Get-Command -Name Set-MpPreference).ParameterSets.Parameters |
-                Where-Object {
-                    $_.Name -Like "Disable*"
-                } |
-                ForEach-Object {
-                    Write-Log "Setting Defender preference $( $_.Name ) to True"
-                    iex "Set-MpPreference -$( $_.Name ) `$true"
-                }
-    }
-    else {
-        Write-Log "Set-MpPreference command not found, assuming Windows Defender is not installed"
-    }
 }
 
 function WindowsFeatureInstall {
diff --git a/stembuild/modules/BOSH.CFCell/BOSH.CFCell.Tests.ps1 b/stembuild/modules/BOSH.CFCell/BOSH.CFCell.Tests.ps1
@@ -33,7 +33,7 @@ Describe "Protect-CFCell" {
        Get-Service "Termservice" | Set-Service -StartupType "Automatic"
        netstat /p tcp /a | findstr ":3389 " | Should -Not -BeNullOrEmpty
 
-       Protect-CFCell -IaaS "not-vsphere"
+       Protect-CFCell -IaaS "ignored"
 
        Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" | select -exp fDenyTSConnections | Should -Be 1
        netstat /p tcp /a | findstr ":3389 " | Should -BeNullOrEmpty
@@ -44,7 +44,7 @@ Describe "Protect-CFCell" {
     It "disables the services" {
        Get-Service | Where-Object {$_.Name -eq "WinRM" } | Set-Service -StartupType Automatic
        Get-Service | Where-Object {$_.Name -eq "W3Svc" } | Set-Service -StartupType Automatic
-       Protect-CFCell -IaaS "not-vsphere"
+       Protect-CFCell -IaaS "ignored"
        (Get-Service | Where-Object {$_.Name -eq "WinRM" } ).StartType| Should -Be "Disabled"
        $w3svcStartType = (Get-Service | Where-Object {$_.Name -eq "W3Svc" } ).StartType
        "Disabled", $null -contains $w3svcStartType | Should -Be $true
@@ -55,7 +55,7 @@ Describe "Protect-CFCell" {
         get-firewall "public" | Should -Be "public,Allow,Allow"
         get-firewall "private" | Should -Be "private,Allow,Allow"
         get-firewall "domain" | Should -Be "domain,Allow,Allow"
-        Protect-CFCell -IaaS "not-vsphere"
+        Protect-CFCell -IaaS "ignored"
         get-firewall "public" | Should -Be "public,Block,Allow"
         get-firewall "private" | Should -Be "private,Block,Allow"
         get-firewall "domain" | Should -Be "domain,Block,Allow"
@@ -64,45 +64,10 @@ Describe "Protect-CFCell" {
     It "does not call 'Disable-WindowsDefenderFeatures'" {
         Mock -ModuleName BOSH.CFCell Disable-WindowsDefenderFeatures { }
 
-        { Protect-CFCell -IaaS "not-vsphere" } | Should -Not -Throw
+        { Protect-CFCell -IaaS "ignored" } | Should -Not -Throw
 
         Should -Not -Invoke -ModuleName BOSH.CFCell -CommandName Disable-WindowsDefenderFeatures
     }
-
-    Context "when -IaaS is 'vsphere'" {
-        It "sets all Windows Defender `disable` settings to true" {
-            Mock -ModuleName BOSH.CFCell Get-Command {
-                [hashtable]@{
-                    ParameterSets = [hashtable]@{
-                        Parameters = @(
-                            @{ Name = "DisableBehaviorMonitoring" },
-                            @{ Name = "OtherThing" }
-                        )
-                    }
-                }
-            }
-            Mock -ModuleName BOSH.CFCell Set-MpPreference { }
-
-            Protect-CFCell -IaaS "vsphere"
-
-            Assert-MockCalled Write-Log -Exactly 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Disabling Windows Defender Features" }
-
-            Assert-MockCalled Set-MpPreference -Exactly 1 -Scope It -ParameterFilter { $DisableBehaviorMonitoring -eq $true } -ModuleName BOSH.CFCell
-            Assert-MockCalled Set-MpPreference -Exactly 0 -Scope It -ParameterFilter { $OtherThing -eq $true } -ModuleName BOSH.CFCell
-
-            Assert-MockCalled Write-Log -Exactly 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Setting Defender preference DisableBehaviorMonitoring to True" }
-        }
-
-        It "does not attempt to change Windows Defender settings if Windows Defender is not installed" {
-            Mock -ModuleName BOSH.CFCell Get-Command { $false }
-            Mock -ModuleName BOSH.CFCell Set-MpPreference { }
-
-            Protect-CFCell -IaaS "vsphere"
-
-            Assert-MockCalled Write-Log -Exactly 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Set-MpPreference command not found, assuming Windows Defender is not installed" }
-            Assert-MockCalled Set-MpPreference -Scope It -Exactly 0 -ModuleName BOSH.CFCell
-        }
-    }
 }
 
 Describe "Install-CFFeatures" {
@@ -116,42 +81,34 @@ Describe "Install-CFFeatures" {
     }
 
     It "triggers a machine restart when the -ForceReboot flag is set" {
-        { Install-CFFeatures -IaaS "not-vsphere" -ForceReboot } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" -ForceReboot } | Should -Not -Throw
 
         Assert-MockCalled Restart-Computer -Times 1 -Scope It -ModuleName BOSH.CFCell
     }
 
     It "doesn't trigger a machine restart if -ForceReboot flag not set" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Assert-MockCalled Restart-Computer -Times 0 -Scope It -ModuleName BOSH.CFCell
     }
 
     It "logs Installing CloudFoundry Cell Windows Features" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Assert-MockCalled Write-Log -Times 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Installing CloudFoundry Cell Windows Features" }
     }
 
     It "logs Installed CloudFoundry Cell Windows Features after installation" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Assert-MockCalled Write-Log -Times 1 -Scope It -ModuleName BOSH.CFCell -ParameterFilter { $Message -eq "Installed CloudFoundry Cell Windows Features" }
     }
 
     It "calls Uninstall-WindowsFeature (for '*Defender')" {
-        { Install-CFFeatures -IaaS "not-vsphere" } | Should -Not -Throw
+        { Install-CFFeatures -IaaS "ignored" } | Should -Not -Throw
 
         Should -Invoke -ModuleName BOSH.CFCell -CommandName Uninstall-WindowsFeature
     }
-
-    Context "when -IaaS is 'vsphere'" {
-        It "does not call Uninstall-WindowsFeature (for '*Defender')" {
-            { Install-CFFeatures -IaaS "vsphere" } | Should -Not -Throw
-
-            Should -Not -Invoke -ModuleName BOSH.CFCell -CommandName Uninstall-WindowsFeature
-        }
-    }
 }
 
 Describe "Remove-DockerPackage" {
diff --git a/stembuild/modules/BOSH.CFCell/BOSH.CFCell.psm1 b/stembuild/modules/BOSH.CFCell/BOSH.CFCell.psm1
@@ -20,9 +20,7 @@ function Install-CFFeatures {
 
   WindowsFeatureInstall("FS-Resource-Manager")
   WindowsFeatureInstall("Containers")
-  if ($IaaS -ne "vsphere") {
-      Get-WindowsFeature | Where-Object -FilterScript { $_.Name -like '*Defender*' } | Uninstall-WindowsFeature -Remove
-  }
+  Get-WindowsFeature | Where-Object -FilterScript { $_.Name -like '*Defender*' } | Uninstall-WindowsFeature -Remove
   Write-Log "Installed CloudFoundry Cell Windows Features"
 
   Write-Log "Setting WinRM startup type to automatic"
@@ -77,28 +75,6 @@ function Protect-CFCell {
 
   Write-Log "Disabling NetBIOS over TCP"
   Disable-NetBIOS
-
-  if ($IaaS -eq "vsphere") {
-      Disable-WindowsDefenderFeatures
-  }
-}
-
-function Disable-WindowsDefenderFeatures {
-    if (Get-Command -Name Set-MpPreference -ErrorAction SilentlyContinue)
-    {
-        Write-Log "Disabling Windows Defender Features"
-        (Get-Command -Name Set-MpPreference).ParameterSets.Parameters |
-                Where-Object {
-                    $_.Name -Like "Disable*"
-                } |
-                ForEach-Object {
-                    Write-Log "Setting Defender preference $( $_.Name ) to True"
-                    iex "Set-MpPreference -$( $_.Name ) `$true"
-                }
-    }
-    else {
-        Write-Log "Set-MpPreference command not found, assuming Windows Defender is not installed"
-    }
 }
 
 function WindowsFeatureInstall {
