diff --git a/docs/collection-files.md b/docs/collection-files.md index 9cd0f1d4..74065660 100644 --- a/docs/collection-files.md +++ b/docs/collection-files.md @@ -174,3 +174,19 @@ - `endCode:` *`string`* (**required**) - Code that'll be inserted at the end of user created script. - Global variables such as `$homepage`, `$version`, `$date` can be used using [parameter substitution](./templating.md#parameter-substitution) code syntax such as `Welcome to {{ $homepage }}!` + +## Naming guidelines + +- Prioritize consistency throughout all names. +- Use an instruction format like "do this, do that" for clear, direct guidance. This approach reduces potential confusion and offers easy-to-follow steps. It provides specific, unambiguous instructions. +- Ensure brand names adhere to their official casing. +- Choose clear and uncomplicated language. +- Favor the terms: + - "Disable" over "Turn off" + - "Configure" over "Set up" + - "Clear" over "Erase" or "Clean" + - "Minimize" over "Limit" or "Reduce" (when it enhances clarity) + - "Remove" over "Uninstall" +- Structure your phrases for clarity. + - For instance, "Disable XX telemetry" or "Clear XX data" are preferred over "Clear data from XX", "Disable telemetry in XX", or "Clear data of XX". +- Use sentence case rather than Title Case. diff --git a/src/application/collections/linux.yaml b/src/application/collections/linux.yaml index 48915f5c..499fed17 100644 --- a/src/application/collections/linux.yaml +++ b/src/application/collections/linux.yaml @@ -1,4 +1,4 @@ -# Structure documented in "docs/collection-files.md" +# Structure is documented in "docs/collection-files.md" os: linux scripting: language: shellscript @@ -24,7 +24,7 @@ actions: docs: |- These scripts allow you to increase privacy by deleting collected data about you and your behavior. children: - - + - category: Clear terminal history docs: |- Reading terminal history is one of the attack techniques. 
@@ -52,7 +52,7 @@ actions: Zsh is also known as Z-shell [1]. See its [homepage](https://web.archive.org/web/20221029211848/https://www.zsh.org/) for more information. It is one of the most used shells and has been the default shell in Kali Linux since 2020.4 [2]. Arch Linux installer uses zsh [3] but sets bash on disk as default [4]. - + [1]: https://web.archive.org/web/20221029134900/https://en.wikipedia.org/wiki/Z_shell "Z shell - Wikipedia | wikipedia.org" [2]: https://web.archive.org/web/20221029134925/https://www.kali.org/blog/kali-linux-2020-4-release/ "Kali Linux 2020.4 Release (ZSH, Bash, CME, MOTD, AWS, Docs, Win-KeX & Vagrant) | Kali Linux Blog | kali.org" [3]: https://web.archive.org/web/20221029181441/https://gitlab.archlinux.org/archlinux/archiso/-/blob/9f16862acd7e7be02da72f63a03b4c0e256dabff/configs/releng/packages.x86_64#L32 "configs/releng/packages.x86_64 · 9f16862acd7e7be02da72f63a03b4c0e256dabff · Arch Linux / archiso · GitLab" @@ -108,7 +108,7 @@ actions: The latest maintained version is `ksh93u+m`, see its [GitHub repository (ksh93/ksh)](https://web.archive.org/web/20221029212509/https://github.com/ksh93/ksh). Its history file (histfile) is saved at `~/.sh_history` by default [1] [2]. - + OpenBSD symlinks sh to ksh [3]. See also the [Wikipedia page](https://web.archive.org/web/20221029212931/https://en.wikipedia.org/wiki/KornShell) for more information. @@ -120,7 +120,7 @@ actions: function: DeleteFileFromUserAndRootHome parameters: file: .sh_history - # - + # - # Dash [1] (used by Debian, Ubuntu, Void Linux etc.) does not support history [2]. # [1]: https://web.archive.org/web/20221029135301/https://git.kernel.org/pub/scm/utils/dash/dash.git # [2]: https://web.archive.org/web/20221029135344/https://unix.stackexchange.com/questions/271595/how-can-i-access-the-history-buffer-in-sh-not-in-bash 
@@ -132,10 +132,10 @@ actions: It's mainly a fork of dash (Debian Almquist shell) used in embedded Linux distributions such as DSLinux, Alpine Linux, Tiny Core Linux and Linux-based router firmware such as OpenWrt, Tomato and DD-WRT [1]. It was also used by Android until Android 4.0 [2]. - + It uses `~/.ash_history` as the history file [3]. - [1]: https://web.archive.org/web/20221030142637/https://en.wikipedia.org/wiki/Almquist_shell#Embededed_Linux "Almquist shell - Wikipedia | wikipedia.org" + [1]: https://web.archive.org/web/20221030142637/https://en.wikipedia.org/wiki/Almquist_shell#Embedded_Linux "Almquist shell - Wikipedia | wikipedia.org" [2]: https://web.archive.org/web/20221029135416/https://android.googlesource.com/platform/system/core/+/master/shell_and_utilities/README.md "Android's shell and utilities | android.googlesource.com" [3]: https://web.archive.org/web/20221029135513/https://github.com/brgl/busybox/blob/abbf17abccbf832365d9acf1c280369ba7d5f8b2/shell/ash.c#L13626 "busybox/ash.c source code | github.com/brgl/busybox" call: 
@@ -223,8 +223,8 @@ actions: 1. Temporary Windows files. Wine saves temporary Windows files at `/drive_c/windows/temp/` [1] [2]. 2. Temporary Wine application cache [3] that is not connected to inner Windows files. - [1]: https://web.archive.org/web/20180328090608/http://www.zdnet.com/article/keeping-temp-folders-clean/ "Keeping temp folders clean | ZDNet | dnet.com" - [2]: https://web.archive.org/web/20221029135944/https://ubuntuforums.org/showthread.php?t=1006132 "Why does Wine have its own temp folders? | UbuntuForums | ubuntuforums.org" + [1]: https://web.archive.org/web/20180328090608/http://www.zdnet.com/article/keeping-temp-folders-clean/ "Keeping temp folders clean | ZDNet | zdnet.com" + [2]: https://web.archive.org/web/20221029135944/https://ubuntuforums.org/showthread.php?t=1006132 "Why does Wine have its own temp folders? | UbuntuForums | ubuntuforums.org" [3]: https://web.archive.org/web/20221029135955/https://wiki.debian.org/Wine#Mono_and_Gecko "Wine - Debian Wiki | wiki.debian.org" code: |- # Temporary Windows files for global prefix @@ -232,7 +232,7 @@ actions: # Wine cache: rm -rfv ~/.cache/wine/ - - name: Clear Winetricks downloads cache + name: Clear Winetricks cache recommend: standard docs: |- Winetricks is a helper script to download and install various redistributable runtime libraries @@ -254,7 +254,7 @@ actions: docs: |- LibreOffice is a free and open-source office productivity software suite, a project of The Document Foundation (TDF) [1]. - `registrymodifications.xcu` is an XML file that contains the user-specified settings [2]. + `registrymodifications.xcu` is an XML file that contains the user-specified settings [2]. It is found inside the user settings directory (`~/.config/libreoffice/4/user`) [2]. It includes thumbnails generated [3], and a recent document list [4]. 
@@ -263,7 +263,7 @@ actions: [1]: https://web.archive.org/web/20221029140306/https://en.wikipedia.org/wiki/LibreOffice "LibreOffice | Wikipedia | en.wikipedia.org" [2]: https://web.archive.org/web/20221029140313/https://wiki.documentfoundation.org/images/b/b0/LibreOffice_config_extension_writing.pdf "Config specification | LibreOffice documentation | wiki.documentfoundation.org" [3]: https://web.archive.org/web/20221029140438/https://askubuntu.com/questions/996397/where-are-libre-office-thumbnails-stored/996528 "Where are Libre Office thumbnails stored? | Ask Ubuntu Forums | askubuntu.com" - [4]: https://web.archive.org/web/20221029140501/https://forum.openoffice.org/en/forum/viewtopic.php?f=6&t=102020 "Restoring Recent documents list < Apache OpenOffice Community Forum | forum.openoffice.org" + [4]: https://web.archive.org/web/20221029140501/https://forum.openoffice.org/en/forum/viewtopic.php?f=6&t=102020 "Restoring Recent documents list | Apache OpenOffice Community Forum | forum.openoffice.org" code: |- # Global installation rm -f ~/.config/libreoffice/4/user/registrymodifications.xcu 
@@ -315,22 +315,22 @@ actions: parameters: file: cookies.sqlite-shm - - name: Clear Thunderbird session restore (open windows and tabs) + name: Clear Thunderbird session restoration data (open windows and tabs) docs: |- The default window layout is saved in the session file (`session.json`) [1]. It includes data on what tabs are open [1]. - + [1]: https://web.archive.org/web/20221029140819/https://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird "Files and folders in the profile | Thunderbird | kb.mozillazine.org" call: function: DeleteFileFromThunderbirdProfiles parameters: file: session.json - - name: Clear Thunderbird accounts + name: Clear Thunderbird passwords docs: |- `logins.json` stores encrypted passwords [1]. It replaces `signons.sqlite`, which had replaced `signons.txt` [1]. - + `logins-backup.json` is stored to recreate `logins.json` [2]. [1]: https://web.archive.org/web/20221029140819/https://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird "Files and folders in the profile | Thunderbird | kb.mozillazine.org" @@ -369,10 +369,10 @@ actions: Most users open the Thunderbird address book from within the email client, but it can also be launched separately [1]. Mozilla Thunderbird by default comes with two address books, even though more can be added [2]: - - 1. **Personal book**: For the most frequently used contacts. + + 1. **Personal book**: For the most frequently used contacts. 2. **Collected book**: Collects addresses from email that you send. - + [1]: https://web.archive.org/web/20221029141424/https://wiki.mozilla.org/Thunderbird:Help_Documentation:Using_the_Address_Book "Thunderbird:Help Documentation:Using the Address Book | MozillaWiki | wiki.mozilla.org" [2]: https://web.archive.org/web/20221029141448/https://support.mozilla.org/en-US/questions/1038172 "WHAT ARE COLLECTED ADDRESSES VS, PERSONAL ADDRESS BOOK | Thunderbird Support Forum | Mozilla Support | support.mozilla.org" children: 
@@ -397,7 +397,7 @@ actions: - function: DeleteFileFromThunderbirdProfiles parameters: - file: abook.mab # Thunderbird < v78 + file: abook.mab # < Thunderbird v78 - name: Clear Thunderbird collected address book docs: |- @@ -419,15 +419,15 @@ actions: - function: DeleteFileFromThunderbirdProfiles parameters: - file: history.mab # Thunderbird < v78 + file: history.mab # < Thunderbird v78 - - name: Clear Thunderbird's history of clicked links + name: Clear clicked links history in Thunderbird docs: |- Thunderbird saves annotations, bookmarks, favorite icons, input history, keywords, and browsing history (a list of pages visited) [1]. - + Data is saved at persistent `places.sqlite` [1] and temporary `places.sqlite-shm` and `places.sqlite.wal` [2]. - + [1]: https://web.archive.org/web/20221029141626/https://kb.mozillazine.org/Places.sqlite "Places.sqlite | MozillaZine Knowledge Base | kb.mozillazine.org" [2]: https://web.archive.org/web/20221029141631/https://bugzilla.mozilla.org/show_bug.cgi?id=686237 "686237 - places.sqlite-wal and places.sqlite-shm not removed on exit | Mozilla Bugs | bugzilla.mozilla.org" call: @@ -444,11 +444,11 @@ actions: parameters: file: places.sqlite.wal - - category: Clear development tools data + category: Clear data from development tools docs: |- This category includes tools that are typically used by developers, also known as "developer tools". These tools allow a developer to create, test, and debug software. - Their data may leak data about the developer, his/her usage patterns, the environment used for development or the developed project. + Their data may leak data about the developer, their usage patterns, the environment used for development or the developed project. children: - name: Clear Python history 
@@ -456,9 +456,9 @@ actions: Python is a high-level, general-purpose programming language [1]. Python comes preinstalled on most Linux distributions [2]. Since Python 3.4 the interactive mode does log all commands to `~/.python_history` [3]. - + See also: - + - [Source code](https://web.archive.org/web/20221029214327/https://github.com/python/cpython/blob/b2499669ef2e6dc9a2cdb49b4dc498e078167e26/Lib/site.py#L430-L451) that creates the file and registers it. - [Python homepage](https://web.archive.org/web/20221029214344/https://www.python.org/) @@ -479,7 +479,7 @@ actions: [1]: https://web.archive.org/web/20221029142001/https://en.wikipedia.org/wiki/Visual_Studio_Code "Visual Studio Code | Wikipedia | en.wikipedia.org" children: - - name: Clear Visual Studio Code Crash Reports + name: Clear Visual Studio Code crash reports recommend: standard docs: |- Visual Studio Code stores crash reports that later on are uploaded to Microsoft servers by default [1]. @@ -559,9 +559,9 @@ actions: [1]: https://web.archive.org/web/20221029142932/https://learn.microsoft.com/en-us/cli/azure/ "Azure Command-Line Interface (CLI) - Overview | Microsoft Learn | learn.microsoft.com" children: - - name: Clear Azure CLI telemetry + name: Clear Azure CLI telemetry data recommend: standard - docs: |- + docs: |- The Azure CLI stores telemetry in the `telemetry` directory and `telemetry.txt`, `logs/telemetry.txt` files [1]. [1]: https://web.archive.org/web/20221029142939/https://github.com/Azure/azure-cli/blob/29767d75d850ddc1c24cc85bd46d861b61d77a47/src/azure-cli-telemetry/azure/cli/telemetry/const.py "Azure CLI Source Code | GitHub | github.com" 
@@ -583,7 +583,7 @@ actions: docs: |- This script deletes cached Azure CLI objects [1]. Cleaning cache does not remove your credentials, so you'll keep your session and be logged in. - + [1]: https://web.archive.org/web/20221029143238/https://learn.microsoft.com/en-us/cli/azure/cache?view=azure-cli-latest#az_cache_purge "az cache | Microsoft Learn | learn.microsoft.com" call: function: RunIfCommandExists @@ -591,7 +591,7 @@ actions: command: az code: az cache purge - - name: Clear Azure login data (logs out of the current session) + name: Clear Azure login data (this will log you out of the current session) recommend: strict docs: |- This script cleans the login data in three steps: @@ -599,7 +599,7 @@ actions: 1. **`az logout`**: It deletes the current authentication token and subscription ID [1]. It only logs out the selected/current user [1]. - + 2. **`az account clear`**: It clears all other subscriptions from the CLI's local cache [2]. It also logs out all users [2]. @@ -652,7 +652,7 @@ actions: rm -rfv /.cache/epiphany/* # Flatpak installation rm -rfv ~/.var/app/org.gnome.Epiphany/cache/* - # Snap insallation + # Snap installation rm -rfv ~/~/snap/epiphany/common/.cache/* - name: Clear GNOME Web browsing history @@ -710,7 +710,7 @@ actions: Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary the Mozilla Corporation [1]. - Firefox stores user-related data in user profiles [2]. + Firefox stores user-related data in user profiles [2]. See also [the Firefox homepage](https://web.archive.org/web/20221029214632/https://www.mozilla.org/en-US/firefox/). 
@@ -722,7 +722,7 @@ actions: recommend: standard docs: |- The cache gets stored `.cache` folder, which you can see when you navigate to `about:cache` [1] [2]. - + [1]: https://web.archive.org/web/20221029145216/https://support.mozilla.org/en-US/questions/1317032 "How to locate and change Firefox Cache storage location | Firefox Support Forum | Mozilla Support | support.mozilla.org" [2]: https://web.archive.org/web/20221029145237/https://wiki.archlinux.org/title/Firefox/Profile_on_RAM "Firefox/Profile on RAM | ArchWiki | wiki.archlinux.org" code: |- @@ -733,7 +733,7 @@ actions: # Snap installation rm -rfv ~/snap/firefox/common/.cache/* - - name: Clear Firefox Crash Reports + name: Clear Firefox crash reports recommend: standard docs: |- Firefox stores crash reports in `~/.mozilla/firefox/Crash Reports/` to submit them later [1]. @@ -769,7 +769,7 @@ actions: parameters: path: cookies.sqlite - - name: Clear Firefox URL history (downloads, bookmarks, website visits, annotations, icons, inputs, keywords) + name: Clear Firefox browsing history (URLs, downloads, bookmarks, visits, etc.) docs: |- The file "places.sqlite" stores the annotations, bookmarks, favorite icons, input history, keywords, and browsing history (a record of visited pages) [1]. The tables include [1]: @@ -777,7 +777,7 @@ actions: - `moz_annos`: Annotations - `moz_bookmarks`: Bookmarks - `moz_bookmarks_roots`: Bookmark roots i.e. places, menu, toolbar, tags, unfiled - - `moz_favicons`: Favourite icons - including URL of icon + - `moz_favicons`: Favorite icons - including URL of icon - `moz_historyvisits`: A history of the number of times a site has been visited - `moz_inputhistory`: A history of URLs typed by the user - `moz_items_annos`: Item annotations 
@@ -853,17 +853,17 @@ actions: docs: |- The `formhistory.sqlite` file remembers what you have searched for in the Firefox search bar and what information you've entered into website forms [1]. - + [1]: https://web.archive.org/web/20221029145152/https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data "Profiles - Where Firefox stores your bookmarks, passwords and other user data | Firefox Help | support.mozilla.org" call: function: DeleteFromFirefoxProfiles parameters: path: formhistory.sqlite - - name: Clear Firefox multi-account containers data + name: Clear Firefox "Multi-Account Containers" data docs: |- The `containers.json` file stores the details of containers used by the [Container Tabs](https://web.archive.org/web/20221029214648/https://support.mozilla.org/en-US/kb/containers) feature [1]. - + [1]: https://web.archive.org/web/20221029145152/https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data "Profiles - Where Firefox stores your bookmarks, passwords and other user data | Firefox Help | support.mozilla.org" call: function: DeleteFromFirefoxProfiles 
@@ -875,14 +875,14 @@ actions: The `sessionstore.jsonlz4` file stores the currently open tabs and windows [1]. See ["Restore previous session - Configure when Firefox shows your most recent tabs and windows"](https://web.archive.org/web/20221029220311/https://support.mozilla.org/en-US/kb/restore-previous-session). - + [1]: https://web.archive.org/web/20221029145152/https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data "Profiles - Where Firefox stores your bookmarks, passwords and other user data | Firefox Help | support.mozilla.org" call: function: DeleteFromFirefoxProfiles parameters: path: sessionstore.jsonlz4 - - category: Clear system and/or kernel data + category: Clear system and kernel usage data docs: |- Your system (operating system along with other software on it) and kernel store data that may reveal your behavior and can be considered sensitive. These scripts clean @@ -916,7 +916,7 @@ actions: sudo rm -rfv /var/crash/* sudo rm -rfv /var/lib/systemd/coredump/ - - name: Clear system (journald) logs + name: Clear system logs (`journald`) docs: |- journald is the part of systemd that captures, queries, and removes logs when needed [1]. It allows removing logs by setting `--vacuum-time` [2]. @@ -974,7 +974,7 @@ actions: and acts like a database of all the recently used files [3]. GTK is used by many GUI software. GNOME uses the GTK+ library [2], while KDE uses the QT library [4]. - `recently-used.xbel` is also used by other third-party GTK 3 based applications such as Firefox, + `recently-used.xbel` is used by other third-party GTK 3 based applications such as Firefox, Visual Studio Code (and all other Electron applications [5]), Thunderbird… See also: ["List of GTK applications | Wikipedia"](https://web.archive.org/web/20221029221112/https://en.wikipedia.org/wiki/List_of_GTK_applications). 
@@ -995,7 +995,7 @@ actions: name: Clear KDE-tracked recently used items list recommend: strict docs: |- - `.desktop` files are used by KDE to store recent documents and are exposed as an API [1]. + `.desktop` files are used by KDE to store recent documents and are exposed through an API [1]. They are not only specific to the desktop environment, but also used by applications. Likewise, they are used by the KDE implementation of QT components, such as [QFileDialog](https://web.archive.org/web/20221029221146/https://doc.qt.io/qt-5/qfiledialog.html) @@ -1013,10 +1013,10 @@ actions: # From Flatpak packages rm -rfv ~/.var/app/*/data/*.desktop - - name: Clear trash + name: Empty trash docs: |- The trash location is standardized by ["The FreeDesktop.org Trash specification"](https://web.archive.org/web/20221029151648/https://specifications.freedesktop.org/trash-spec/trashspec-latest.html) [1]. - It uses the `$XDG_DATA_HOME/Trash` directory, [1] which defaults to `$HOME/.local/share/Trash` [2]. + It uses the `$XDG_DATA_HOME/Trash` directory [1], which defaults to `$HOME/.local/share/Trash` [2]. Flatpak applications may use the same trash using special APIs [3]. However, Snap applications do not have an API to use the global trash [4]. @@ -1104,7 +1104,7 @@ actions: Snap is a software packaging and deployment system developed by Canonical [1]. The packages are called snaps, and the tool for using them is called snapd [1]. Snap is available on many distros and is supported out-of-the-box by distros - such as Ubuntu, Kubuntu, Xubuntu, Manjoro, Zorin OS, KDE Neon and Solus among + such as Ubuntu, Kubuntu, Xubuntu, Manjaro, Zorin OS, KDE Neon and Solus among others [1]. [1]: https://web.archive.org/web/20221029152606/https://en.wikipedia.org/wiki/Snap_%28software%29 "Snap | Wikipedia | en.wikipedia.org" 
@@ -1130,7 +1130,7 @@ actions: multiple revisions of the same package [1]. Disabled state means that the binaries and services of the snap will no longer be available [2]. But all the data is still available, and the snap can easily be enabled again [2]. - + [1]: https://web.archive.org/web/20221029153110/https://forum.snapcraft.io/t/configure-number-of-old-revisions-to-keep/2337/7 "Configure number of old revisions to keep - snapd | forum.snapcraft.io" [2]: https://web.archive.org/web/20221029153125/https://www.mankier.com/8/snap#Commands-disable "snap man page - snapd - System Administration | ManKier | www.mankier.com" call: @@ -1154,7 +1154,7 @@ actions: [1]: https://web.archive.org/web/20221029153354/https://en.wikipedia.org/wiki/Flatpak "Flatpak - Wikipedia | en.wikipedia.org" children: - - name: Uninstall orphaned Flatpak runtimes + name: Remove orphaned Flatpak runtimes recommend: standard docs: |- This script removes runtimes and extensions that are not used by installed @@ -1199,8 +1199,8 @@ actions: - category: Clear APT data docs: |- - Advanced Package Tool (or APT) is a free software user interface that works with - core libraries to handle the installation and removal of software on Debiana, and + Advanced Package Tool (APT) is a free software user interface that works with + core libraries to handle the installation and removal of software on Debian, and Debian-based Linux distributions [1]. See also: ["APT | Debian Wiki"](https://web.archive.org/web/20221029221422/https://wiki.debian.org/Apt). 
@@ -1222,14 +1222,14 @@ actions: command: apt-get code: sudo apt-get autoclean - - name: Clear APT package list + name: Clear APT package file lists docs: |- This script removes package file lists. APT stores a copy of those files (in `/var/lib/apt/lists/`) and searches are done within those local files to avoid going through the network for every search [1]. An `apt-get update` will repopulate the necessary information and recreate the list file [2]. The list files should be recreated as they get lost over time [2]. - + [1]: https://web.archive.org/web/20221029153731/https://www.debian.org/doc/manuals/debian-handbook/sect.apt-cache.en.html "6.3. The apt-cache Command | Debian Handbook | www.debian.org" [2]: https://web.archive.org/web/20221029154335/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775163 "#775163 - apt pigs out in /var, particularly with multi-arch - Debian Bug report logs | bugs.debian.org" code: sudo rm -rfv /var/lib/apt/lists/* @@ -1250,7 +1250,7 @@ actions: command: apt-get code: sudo apt-get -y autoremove --purge - - name: Clear APT package (.deb file) cache + name: Clear cache for APT packages docs: |- This script runs the `clean` command. It clears out the local repository of retrieved package files [1], meaning that it deletes downloaded packages (`.deb`) already installed (and no longer needed) [2]. @@ -1265,8 +1265,8 @@ actions: parameters: command: apt-get code: sudo apt-get clean - - - category: Clear all cache + - + category: Clear shared caches docs: |- The scripts in this category bulk delete all cache entries for the given scope. These scripts are designed to affect more than a single application and do a wide range of cleaning. 
@@ -1291,25 +1291,25 @@ actions: sudo rm -rfv root/.cache/* - name: Clear system-wide cache - docs: |- + docs: |- The `/var/cache` directory contains cached files, i.e. files that were generated and can be re-generated at any time, but they are worth storing to save time recomputing them [1]. The application must be able to regenerate or restore the data [2], so the system can delete the contents of /var/cache either periodically or when its contents get too large [1]. However, there is no guarantee that applications will follow the specification, but this is very rare. - + It's not only used by applications but also by the operating system. This may include OS folders such as [2]: - Locally-generated fonts (`/var/cache/fonts`) - Locally-formatted manual pages (`/var/cache/man`) - - WWW proxy or cache data (`/var/cache/www`) + - WWW proxy or cache data (`/var/cache/www`) [1]: https://web.archive.org/web/20130511220135/http://www.lindevdoc.org/wiki//var/cache "/var/cache - Linux Developer's Documentation" [2]: https://web.archive.org/web/20221029154623/https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s05.html "5.5. /var/cache : Application cache data | refspecs.linuxfoundation.org" code: rm -rf /var/cache/* - - name: Clear cache from Flatpak applications + name: Clear Flatpak application cache docs: |- Non-essential user-specific data is stored in `~/.var/app//cache` by Flatpak applications [1]. This directory points to `XDG_CACHE_HOME` [1] from the XDG base directory specification [2]. @@ -1318,7 +1318,7 @@ actions: [2]: https://web.archive.org/web/20221029151712/https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html "XDG Base Directory Specification | specifications.freedesktop.org" code: rm -rfv ~/.var/app/*/cache/* - - name: Clear cache from Snap applications + name: Clear Snap application cache docs: |- Application caches are isolated per application and stored in the `~/snaps/APP-NAME/VERSION/.cache` folders for Snap applications [1]. 
@@ -1332,7 +1332,7 @@ actions: them, serving the same role for images as a normal text index does for words [1]. Depending on the program that processes the thumbnails, the "icons" are usually located either in the - `~/.cache/thumbnails/` folder (e.g., Nautilus from GNOME does this [2] [3]) or the `~/.thumbnails/` + `~/.cache/thumbnails/` folder (e.g., Nautilus from GNOME does this [2] [3]) or the `~/.thumbnails/` directory [4]. [1]: https://web.archive.org/web/20221029154942/https://en.wikipedia.org/wiki/Thumbnail "Thumbnail - Wikipedia | en.wikipedia.org" @@ -1349,11 +1349,11 @@ actions: Flameshot also uses the same default folder as GNOME [2]. Despite being GNOME-based, Ubuntu changes this default to `~/Pictures/` with files that look like "`Screenshot from ***.png`" [3]. - + KDE ([Spectacle](https://web.archive.org/web/20221029221516/https://apps.kde.org/spectacle/)) saves screenshots in the `~/Pictures/` folder with the default name format of `Screenshot_%Y%M%D_%H%m%S.**` [4]. - + Other applications use different paths, e.g. ksnip uses `ksnip_$Y$M$D-$T.png` by default in the home folder [5]. @@ -1395,7 +1395,7 @@ actions: docs: |- Debian, also known as Debian GNU/Linux, is a Linux distribution composed of free and open-source software, developed by the community-supported Debian Project [1]. - Debian-based distributions include Ubuntu, Kali Linux, MX Linux, Pardus, Parrot OS, PureOS, + Debian-based distributions include Ubuntu, Kali Linux, MX Linux, Pardus, Parrot OS, PureOS, Raspberry Pi OS, TAILS, and others [2]. Debian contains some telemetry client libraries, and some packages depend or build-depend on them [3]. 
@@ -1408,7 +1408,7 @@ actions: [4]: https://web.archive.org/web/20221030133248/https://www.debian.org/legal/privacy "Debian -- Privacy Policy | www.debian.org" children: - - category: Disable sending package statistics (popcon) + category: Disable sending of package statistics (popcon) docs: |- Popularity Contest (or popcon) collects statistical data to determine which packages are the most popular [1]. It sends a list of packages installed and the access and change times of relevant files to the server via email @@ -1433,11 +1433,11 @@ actions: [4]: https://web.archive.org/web/20221029160841/https://popcon.debian.org/FAQ "FAQ | popcon | popcon.debian.org" children: - - name: Opt-out of the popularity contest + name: Disable participation in Popularity Contest recommend: standard docs: |- `popularity-contest` checks `/etc/popularity-contest.conf` for the value of `PARTICIPATE` to send data [1]. - Configuring this configuration allows you to opt-out of the submission of data [1]. + Configuring this configuration allows you to opt out of the submission of data [1]. [1]: https://web.archive.org/web/20221029161047/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172824 "#172824 - popularity-contest: dpkg-reconfigure popularity-contest does not include PARTICIPATE=yes - Debian Bug report logs | bugs.debian.org" code: |- @@ -1455,7 +1455,7 @@ actions: echo "Skipping because configuration file ($config_file) is not found. Is popcon installed?" fi - - name: Uninstall Popularity Contest (popcon) + name: Remove Popularity Contest (`popcon`) package recommend: strict docs: |- This script deletes the `popularity-contest` package. 
@@ -1501,7 +1501,7 @@ actions: [2]: https://web.archive.org/web/20221029161559/https://manpages.ubuntu.com/manpages/trusty/man1/reportbug.1.html "Ubuntu Manpage: reportbug - reports a bug to a debbugs server | manpages.ubuntu.com" children: - - name: Uninstall `reportbug` package + name: Remove `reportbug` package recommend: strict docs: |- This script uninstalls `reportbug` package, which includes the tool itself. @@ -1513,7 +1513,7 @@ actions: parameters: packageName: reportbug - - name: Uninstall Python modules for reportbug + name: Remove Python modules for `reportbug` recommend: strict docs: |- This script uninstalls `python3-reportbug`. @@ -1526,7 +1526,7 @@ actions: parameters: packageName: python3-reportbug - - name: Uninstall UI for reportbug (`reportbug-gtk` package) + name: Remove UI for reportbug (`reportbug-gtk` package) recommend: strict docs: |- This script uninstalls `reportbug-gtk`. It consists of a desktop file and an icon, and it has dependencies to enable the @@ -1551,7 +1551,7 @@ actions: - category: Disable `pkgstats` that collects installed package list (opt-in) docs: |- - `pkgstats` sends a list of all installed packages, the architecture, and the mirror you are using to + `pkgstats` sends a list of all installed packages, the architecture, and the mirror you are using to the Arch Linux project [1]. It stores personally identifiable information such as IP addresses for one month [2] and then anonymizes and aggregates the data [1] [2]. @@ -1559,7 +1559,7 @@ actions: [2]: https://web.archive.org/web/20221029161821/https://pkgstats.archlinux.de/privacy-policy "Privacy policy | pkgstats | pkgstats.archlinux.de" children: - - name: Uninstall `pkgstats` package + name: Remove `pkgstats` package recommend: strict docs: |- `pkgstats` package submits a list of installed packages to the Arch Linux project [1]. 
@@ -1573,7 +1573,7 @@ actions: parameters: packageName: pkgstats - - name: Disable weekly pkgstats submission + name: Disable weekly `pkgstats` submission recommend: standard docs: |- `pkgstats` is set up to automatically run every week using systemd/timers [1]. Once disabled, @@ -1604,12 +1604,12 @@ actions: [1]: https://web.archive.org/web/20221029162136/https://zorin.com/legal/privacy/ "Privacy Policy - Zorin | zorin.com" [2]: https://web.archive.org/web/20221029162148/https://launchpad.net/~zorinos/+archive/ubuntu/stable/+sourcepub/7408190/+listing-archive-extra "Zorin OS source code | launchpad.net" [3]: https://web.archive.org/web/20221029162231/https://launchpadlibrarian.net/425925849/zorin-os-census_1.1~zorinos15_1.2.diff.gz "Zorin OS source code | launchpad.net" - call: + call: function: UninstallAptPackage parameters: packageName: zorin-os-census - - name: Remove the Zorin OS census unique ID + name: Remove Zorin OS census unique ID docs: |- Census submits a unique ID associated with the installation when pings are sent [1]. Removing the identifier reduces the risk of your computer being identified. @@ -1634,7 +1634,7 @@ actions: [2]: https://web.archive.org/web/20221029160241/https://en.wikipedia.org/wiki/List_of_Linux_distributions#Ubuntu-based "List of Linux distributions - Wikipedia | en.wikipedia.org" children: - - name: Disable online search results (collects queries) + name: Disable online search result collection (collects queries) recommend: strict docs: |- Online search is introduced in Ubuntu Lens in Ubuntu 12.10 [1]. It has been known as "Shopping Lens", 
@@ -1642,7 +1642,7 @@ actions: Online search results are considered a privacy concern by governments [2] and can be disabled using the `remote-content-search` option [2]. - + [1]: https://web.archive.org/web/20221029162420/https://help.ubuntu.com/community/UbuntuLens "UbuntuLens - Community Help Wiki | help.ubuntu.com" [2]: https://web.archive.org/web/20221029162443/https://www.gov.uk/government/publications/end-user-devices-security-guidance-ubuntu-1404-lts/end-user-devices-guidance-ubuntu-1404-lts "End User Devices Guidance: Ubuntu 14.04 LTS | gov.uk" call: @@ -1652,7 +1652,7 @@ actions: code: gsettings set com.canonical.Unity.Lenses remote-content-search none revertCode: gsettings set com.canonical.Unity.Lenses remote-content-search all - - category: Disable Ubuntu reporting metrics + category: Disable metrics reporting in Ubuntu docs: |- `ubuntu-report` reports hardware and other collected metrics like installer or upgrade information [1]. @@ -1682,7 +1682,7 @@ actions: [2]: https://web.archive.org/web/20221029162538/https://github.com/ubuntu/ubuntu-report/blob/8e6030ff9bbeacacf41a9b58ea638a5c9a6f864d/README.md "More diagnostics data from desktop | lists.ubuntu.com" children: - - name: Opt-out of Ubuntu reporting metrics + name: Disable participation in metrics reporting in Ubuntu recommend: standard docs: |- This script uses the `ubuntu-report` CLI to opt you out of data submission [1]. @@ -1708,7 +1708,7 @@ actions: >&2 echo 'Failed to opt in.' fi - - name: Uninstall Ubuntu Report tool (`ubuntu-report`) + name: Remove Ubuntu Report tool (`ubuntu-report`) recommend: strict docs: |- `ubuntu-report` is installed as an apt package and can be uninstalled in this way [1]. 
@@ -1748,7 +1748,7 @@ actions: Apport collects potentially sensitive data, such as core dumps, stack traces, and log files [2]. It can contain passwords, credit card numbers, serial numbers, and other private information [2]. - + Bug reports are shared with the [Ubuntu bug triaging team](https://web.archive.org/web/20221029222122/https://launchpad.net/~ubuntu-crashes-universe) [2]. Apport is disabled by default in stable releases due to the sensitive data it collects [2]. @@ -1762,7 +1762,7 @@ actions: [4]: https://web.archive.org/web/20221029150025/https://support.starlabs.systems/kb/guides/disable-program-problem-reports "Disable program problem reports - Star Labs | support.starlabs.systems" children: - - name: Uninstall `apport` package + name: Remove `apport` package recommend: strict docs: |- The `apport` package is responsible for automatically generating crash reports for debugging [1]. @@ -1777,7 +1777,7 @@ actions: is not yet supported [3]. See also ["source code of apport | launchpad.net"](https://web.archive.org/web/20221029222108/https://code.launchpad.net/ubuntu/+source/apport). - + [1]: https://web.archive.org/web/20221030194324/https://packages.ubuntu.com/bionic/apport "Ubuntu - Details of package apport in bionic | packages.ubuntu.com" [2]: https://web.archive.org/web/20221029162934/https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1773087 "Bug #1773087 “Remove python3-apport as dependency of xserver-xor...” : Bugs : xorg package : Ubuntu | bugs.launchpad.net" [3]: https://web.archive.org/web/20221029162946/https://bugs.launchpad.net/apport/+bug/1910304 "Issue showing that uninstallation support is undecided | Bug #1910304 “Add non-invasive option to disable python3-apport ...” : Bugs : Apport | bugs.launchpad.net" 
@@ -1804,16 +1804,16 @@ actions: parameters: serviceName: apport - - name: Opt-out of Apport error messaging system + name: Disable participation in Apport error messaging system recommend: standard docs: |- Opting out of Apport prevents it from creating crash files after a crash [1]. It can be disabled by setting `enabled=0` in `/etc/default/apport` [1] [2]. - This setting comes enabled by default in a clean installation of Ubuntu and + This setting comes enabled by default in a clean installation of Ubuntu and some of its derivatives (such as Pop!_OS). This script is used as part of a post-installation script by the National Cyber Security Centre in the UK [1]. - + [1]: https://web.archive.org/web/20221029163213/https://help.ubuntu.com/community/ReportingBugs?action=recall&rev=321#Reporting_a_crash_when_no_message_shows_up_and_crash_files_not_created "ReportingBugs - Community Help Wiki | help.ubuntu.com" [2]: https://web.archive.org/web/20221029163228/https://bugs.launchpad.net/ubuntu/+source/xorg/+bug/1773087/comments/1 "Comment #1 : Bug #1773087 : Bugs : xorg package : Ubuntu | help.ubuntu.com" [3]: https://web.archive.org/web/20221029163054/https://www.ncsc.gov.uk/files/ubuntu1804_post_install.sh_.txt "ubuntu1804_post_install.sh_.txt | nscs.gov.uk" @@ -1853,7 +1853,7 @@ actions: [3]: https://web.archive.org/web/20221029162829/https://help.ubuntu.com/community/ReportingBugs#A4._Collect_information_about_the_bug "ReportingBugs - Community Help Wiki | help.ubuntu.com" children: - - name: Uninstall `whoopsie` package + name: Remove `whoopsie` package docs: |- This script uninstalls the `whoopsie` package. This package is used for error tracker submission in Ubuntu [1]. 
@@ -1871,7 +1871,7 @@ actions: This script disables this service to immobilize the main functionality of Whoopsie. This script is used as part of a post-installation script by the National Cyber Security Centre in the UK [2]. - + [1]: https://web.archive.org/web/20221029163615/https://packages.ubuntu.com/focal/all/whoopsie/filelist "Ubuntu – File list of package whoopsie/focal/all | packages.ubuntu.com" [2]: https://web.archive.org/web/20221029163054/https://www.ncsc.gov.uk/files/ubuntu1804_post_install.sh_.txt "ubuntu1804_post_install.sh_.txt | nscs.gov.uk" call: @@ -1879,7 +1879,7 @@ actions: parameters: serviceName: whoopsie - - name: Opt-out of reporting crashes + name: Disable crash report submissions recommend: standard docs: |- Once opted-out Whoopsie disables the related service [1]. @@ -1897,12 +1897,12 @@ actions: sudo sed -i 's/report_crashes=false/report_crashes=true/' /etc/default/whoopsie fi - - category: Disable Zeitgeist (activity logging framework) + category: Disable Zeitgeist activity logging docs: |- Zeitgeist logs files opened, websites visited, conversations, and emails and provides - this information over an API to applications [1]. + this information over an API to applications [1]. It serves as a comprehensive activity log and also makes it possible to determine - relationships between items based on usage patterns [1]. + relationships between items based on usage patterns [1]. It stores computer use actions such as files accessed, sites visited, and conversations held. The data is typically used to facilitate searches and "best-fit" to your local query only. 
@@ -1912,7 +1912,7 @@ actions: usage information that can be used for further exploitation. It is primarily used by desktop environments such as GNOME [2], Pantheon [3], and Unity [4]. - Furthermore, it is supported by applications (typically as optional functionality) such as + Furthermore, it is supported by applications (typically as optional functionality) such as Gnome Rhythmbox (as a plugin) [5], catfish (optional support) [6], and synapse [7]. Read more about Zeitgeist: @@ -1931,7 +1931,7 @@ actions: [7]: https://web.archive.org/web/20221029164405/https://launchpad.net/synapse-project "Synapse in Launchpad | launchpad.net" children: - - name: Stop the Zeitgeist deamon + name: Kill Zeitgeist daemon process docs: |- `zeitgeist-daemon` is a daemon providing an activity log [1]. Activity logs consist of a central database for events such as file usage, browser history, and calendar entries [1]. @@ -1957,7 +1957,7 @@ actions: # > used, zeitgeist-daemon will refuse to start if another running instance is found. revertCode: zeitgeist-daemon --replace - - name: Prevent Zeitgeist from running on startup + name: Remove Zeitgeist startup entry docs: |- This script removes the Autostart entry that is used by the Zeitgeist package to start itself [1]. [The XDG Autostart specification](https://web.archive.org/web/20221029223114/https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html) @@ -1989,7 +1989,7 @@ actions: if [ -f "$file" ]; then chmod -rw "$file" echo "Successfully disabled read/write access to $file." - else + else echo "Skipping, no action needed, file does not exist at $file." fi revertCode: |- 
@@ -1997,11 +1997,11 @@ actions: if [ -f "$file" ]; then chmod +rw "$file" echo "Successfully restored read/write access to $file." - else + else >&2 echo "Failed to restore access, file does not exist at $file." fi - - name: Uninstall the Zeitgeist package (can break integrated software) + name: Remove Zeitgeist package (can break integrated software) docs: |- The main functionality for Zeitgeist is provided by the `zeitgeist` package in Fedora [1] and Arch Linux [2], and the `zeitgeist-core` package in Debian [3]. @@ -2026,7 +2026,7 @@ actions: parameters: packageName: zeitgeist-core # Other related packages include (apt list *zeitgeist*): - # zeitgeist-core, zeitgeist-datahub, python3-zeitgeist among many others. + # zeitgeist-core, zeitgeist-datahub, python3-zeitgeist among many others. # Packages that use it include e.g. activity-log-manager, activity-log-manager-control-center.. - function: UninstallPacmanPackage @@ -2073,11 +2073,11 @@ actions: echo "Skipping, connectivity checks are already disabled through $file." else echo -n "$content" | sudo tee "$file" > /dev/null - echo 'Successfully disabled connectivity checks-' + echo 'Successfully disabled connectivity checks.' fi if command -v 'nmcli' &> /dev/null; then sudo nmcli general reload - echo 'Successfuly reloaded configuration.' + echo 'Successfully reloaded configuration.' else echo 'It will take effect after reboot.' fi @@ -2086,11 +2086,11 @@ actions: echo 'Skipping, connectivity checks are not disabled.' else sudo rm -fv "$file" - echo 'Successfuly restored connectivity checks.' + echo 'Successfully restored connectivity checks.' fi if command -v 'nmcli' &> /dev/null; then sudo nmcli general reload - echo 'Successfuly reloaded configuration.' + echo 'Successfully reloaded configuration.' else echo 'It will take effect after reboot.' fi 
@@ -2136,7 +2136,7 @@ actions: category: Disable Visual Studio Code data collection docs: |- Visual Studio Code, also commonly referred to as VS Code, is a source-code editor made by Microsoft [1]. - + Visual Studio Code makes outgoing network requests to collect data in the background without users invoking a feature that requires online access [2]. The requests include, but are not limited to, automatic extension update checks, querying settings for A/B experiments, and fetching online data for auto-completion [2]. @@ -2178,7 +2178,7 @@ actions: [6]: https://web.archive.org/web/20221029171339/https://github.com/microsoft/vscode/blob/1dd67592e120d916a8963903babaf0fae74440c5/src/vs/code/electron-main/app.ts#L1259 "vscode/app.ts at 1dd67592e120d916a8963903babaf0fae74440c5 · microsoft/vscode · GitHub | github.com" [7]: https://web.archive.org/web/20221029171353/https://github.com/microsoft/vscode/blob/17fc955b4ffb1f9a0097a561291aaa5c8918eee6/src/vs/workbench/electron-sandbox/desktop.contribution.ts#L253-L267 "vscode/desktop.contribution.ts at 17fc955b4ffb1f9a0097a561291aaa5c8918eee6 · microsoft/vscode · GitHub | github.com" call: - - + - function: SetVsCodeSetting parameters: setting: telemetry.telemetryLevel @@ -2197,7 +2197,7 @@ actions: jsonValue: >- false - - name: Do not run Microsoft online experiments on Visual Studio Code + name: Disable online experiments by Microsoft in Visual Studio Code recommend: standard docs: |- VS Code employs experiments to test new features or gradually roll them out [1]. @@ -2217,7 +2217,7 @@ actions: jsonValue: >- false - - name: Choose manual Visual Studio Code updates over automatic updates + name: Disable Visual Studio Code automatic updates in favor of manual updates docs: |- By default, VS Code is configured to automatically update when new versions are released [1]. Automatic updates reduce your control over privacy by sending data to Microsoft servers. 
@@ -2245,7 +2245,7 @@ actions: jsonValue: >- "none" - - name: Prevent fetching Visual Studio Code release notes from Microsoft servers + name: Disable fetching release notes from Microsoft servers after an update docs: |- This script prevents Visual Studio Code from displaying release notes after an update [1]. 
@@ -2262,18 +2262,18 @@ actions: jsonValue: >- false - - category: Configure auto-updates from Visual Studio Code extensions + category: Configure auto-update settings for Visual Studio Code extensions docs: |- These scripts control the automatic update behavior of extensions. Updates are fetched from Microsoft servers [1] [2]. Use of online Microsoft services can disclose information about you and your behavior. - [1]: https://web.archive.org/web/20221029171704/https://github.com/microsoft/vscode/blob/b784e0514d4608cc20a0e7ce62baf7bc8131158c/src/vs/workbench/contrib/extensions/browser/extensions.contribution.ts#L135-L150 "vscode/extensions.contribution.ts at b784e0514d4608cc20a0e7ce62baf7bc8131158c · microsoft/vscode · GitHub | github.com" + [1]: https://web.archive.org/web/20221029171704/https://github.com/microsoft/vscode/blob/b784e0514d4608cc20a0e7ce62baf7bc8131158c/src/vs/workbench/contrib/extensions/browser/extensions.contribution.ts#L135-L150 "vscode/extensions.contribution.ts at b784e0514d4608cc20a0e7ce62baf7bc8131158c · microsoft/vscode · GitHub | github.com" [2]: https://web.archive.org/web/20221029171719/https://github.com/microsoft/vscode-docs/blob/9a900b380e11530376104ffc83a004b82553728e/docs/editor/extension-marketplace.md#extension-auto-update "vscode-docs/extension-marketplace.md at 9a900b380e11530376104ffc83a004b82553728e · microsoft/vscode-docs · GitHub | github.com" children: - - name: Prevent auto-updates of Visual Studio Code extensions + name: Disable automatic Visual Studio Code extension updates docs: |- By default, Visual Studio Code automatically downloads and installs updates for all extensions [1]. These updates are fetched from a Microsoft online service [1]. 
@@ -2290,7 +2290,7 @@ actions: jsonValue: >- false - - name: Prevent automatically checking Visual Studio Code extension updates from Microsoft servers + name: Disable Visual Studio Code automatic extension update checks docs: |- By default, Visual Studio Code automatically checks extensions for updates [1]. If an update for an extension is available, it is marked as outdated in the Extensions view [1]. @@ -2308,7 +2308,7 @@ actions: jsonValue: >- false - - name: Disable auto-fetching Microsoft recommendations in Visual Studio Code + name: Disable automatic fetching of Microsoft recommendations in Visual Studio Code recommend: strict docs: |- Visual Studio Code, by default, fetches recommendations from online Microsoft servers [1]. @@ -2328,7 +2328,7 @@ actions: jsonValue: >- true - - name: Disable automatic fetching remote repository in Visual Studio Code + name: Disable automatic fetching of remote repositories in Visual Studio Code docs: |- Visual Studio Code (VS Code) periodically fetches changes from remote repositories [1]. This feature lets VS Code display how many changes your local repository is ahead or behind the remote [1]. @@ -2353,7 +2353,7 @@ actions: jsonValue: >- false - - name: Prevent fetching package information from NPM and Bower in Visual Studio Code + name: Disable fetching package information from NPM and Bower in Visual Studio Code docs: |- Visual Studio Code fetches data from NPM and Bower to provide autocompletion and hover information for npm dependencies [1]. By default, this feature is enabled [2] and fetches data from 
@@ -2381,7 +2381,7 @@ actions: You can disable this feature by setting `enableNaturalLanguageSettingsSearch` to `false` [1]. For more information, see [Settings search | Feature announcement](https://web.archive.org/web/20221029223417/https://github.com/microsoft/vscode-docs/blob/8f6d43a3b24d8661f25f93d5e679c3e6ee1191b6/release-notes/v1_20.md#settings-search). - + [1]: https://web.archive.org/web/20221029172320/https://github.com/microsoft/vscode/blob/13ba7bb446a638d37ebccb1a7d74e31c32bb9790/src/vs/workbench/contrib/preferences/common/preferencesContribution.ts#L151-L157 "vscode/preferencesContribution.ts at 13ba7bb446a638d37ebccb1a7d74e31c32bb9790 · microsoft/vscode · GitHub | github.com" call: function: SetVsCodeSetting @@ -2445,7 +2445,7 @@ actions: jsonValue: >- false - - category: Disable Visual Studio Code Settings Sync data sharing + category: Disable data sharing for Visual Studio Code "Settings Sync" docs: |- **Settings Sync** is a Visual Studio Code feature that synchronizes settings, keybindings, and installed extensions across different machines [1]. This data is stored in the Microsoft @@ -2454,7 +2454,7 @@ actions: [1]: https://web.archive.org/web/20221029172856/https://github.com/microsoft/vscode-docs/blob/9a900b380e11530376104ffc83a004b82553728e/docs/editor/settings-sync.md "vscode-docs/settings-sync.md at main · microsoft/vscode-docs · GitHub | github.com" children: - - name: Disable synchronizing Visaul Studio Code keybindings + name: Disable synchronization of Visual Studio Code keybindings docs: |- By default [1], Keyboard Shortcuts are synchronized across platforms [2]. You can disable this by setting `settingsSync.keybindingsPerPlatform` to `false` [1] [2]. 
@@ -2468,7 +2468,7 @@ actions: jsonValue: >- false - - name: Disable synchronizing Visual Studio Code extension + name: Disable synchronization of Visual Studio Code extensions docs: |- Visual Studio Code synchronizes all built-in and installed extensions, along with their global enablement state, by default [1] [2]. @@ -2487,8 +2487,8 @@ actions: jsonValue: >- ["*"] - - name: Disable synchronizing Visual Studio Code settings - docs: |- + name: Disable synchronization of Visual Studio Code settings + docs: |- By default, Visual Studio Code synchronizes all settings, except for machine settings (those with machine or machine-overridable scopes), as these are specific to a given machine [1] [2]. @@ -2612,7 +2612,7 @@ actions: recommend: standard docs: |- Dynamic First-Party Isolation, also known as dFPI, is an advanced privacy feature in Firefox. This feature commonly - referred as: + referred to as: - Total Cookie Protection [1], - dFPI (dynamic First-Party Isolation) [2], 
@@ -2655,12 +2655,12 @@ actions: isolated storage location, preventing it from accessing data from another website [1]. This limits the ability of websites to track users across multiple sites [1]. - Network Partitioning, formerly referred as *cache partitioning* [2], is a subset of state partitioning [1]. While state partitioning + Network Partitioning, formerly referred to as *cache partitioning* [2], is a subset of state partitioning [1]. While state partitioning deals with data like cookies, network partitioning deals with networking-related components, such as caches and connection pools [1]. It ensures that these components are isolated to each website, further enhancing user privacy [1]. Firefox has enabled network partitioning by default since version 85 [1]. Once enabled, network partitioning becomes permanent, - meaning websites cannot bypass or relax its restrictions [1]. + meaning websites cannot bypass or weaken its restrictions [1]. Network partitioning can be controlled with the `privacy.partition.network_state` preference [1]. @@ -2672,7 +2672,7 @@ actions: prefName: privacy.partition.network_state jsonValue: 'true' - - name: Disable depreciated Firefox First-Party Isolation (FPI) + name: Disable outdated Firefox First-Party Isolation (FPI) recommend: strict docs: |- First-party isolation (FPI) helps in preventing third parties from tracking users across multiple websites [1] [2]. This is sometimes 
@@ -2682,7 +2682,7 @@ actions: 1. FPI and dFPI conflict with each other, and they cannot function simultaneously [3] [4]. Additionally, Mozilla doesn't plan to make them compatible [5]. - 2. FPI has been marked as depreciated and is expected to be phased out [3], with dFPI set to become the standard in the future [6]. + 2. FPI has been marked as deprecated and is expected to be phased out [3], with dFPI set to become the standard in the future [6]. 3. dFPI, when combined with network partitioning, offers broader and more effective privacy coverage than FPI, being essentially a superset of FPI [3] [7]. @@ -2710,7 +2710,7 @@ actions: This script enables the `privacy.resistFingerprinting` preference, activating anti-fingerprinting [1][2]. - Beyond privacy advantages, enabling tracking protection may reduce load time by 44% [3]. + Beyond privacy advantages; enabling tracking protection may reduce load time by 44% [3]. Note: If you are already using an ad blocker with the correct lists, tracking protection might be redundant. @@ -2727,9 +2727,9 @@ actions: name: Enable Firefox anti-fingerprinting (may break some websites) recommend: strict docs: |- - Fingerprinting Protection is a heavily developing experimental feature in Firefox [1]. - As part of a project to integrate features from the Tor Browser, Mozilla has launched an - anti-fingerprinting project in Firefox [2]. + Fingerprinting Protection is a heavily developed experimental feature in Firefox [1]. + As part of a project to integrate features from the Tor Browser, Mozilla launched an + anti-fingerprinting project in Firefox [2]. This script enables the `privacy.resistFingerprinting` preference, activating anti-fingerprinting [1][2]. 
@@ -2756,7 +2756,7 @@ actions: WebRTC (Web Real-Time Communication) is a free and open-source project offering real-time communication (RTC) via application programming interfaces (APIs) to web browsers and mobile applications [2]. It enables audio and video communication to work inside web pages by facilitating - direct peer-to-peer communication, thereby eliminating the need for plugin installations or native + direct peer-to-peer communication, and thereby eliminating the need for plugin installations or native app downloads [3]. Supported by Apple, Google, Microsoft, Mozilla, and Opera, WebRTC's specifications have been published by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF) [2]. @@ -2774,9 +2774,9 @@ actions: docs: |- By default, Firefox collects telemetry data [1]. This data comprises two main categories: **interaction data** and **technical data** [1]. - + **Interaction data** includes metrics such as the number of open tabs and windows, the number of - webpages visited, the number and type of installed Firefox Add-ons, session length, and + webpages visited, the number and type of installed Firefox Add-ons, session length, and interactions with features offered by Mozilla or third parties. These features may include Firefox search features and search partner referrals [1]. 
@@ -2789,14 +2789,14 @@ actions: [1]: https://web.archive.org/web/20220901045358/https://support.mozilla.org/en-US/kb/telemetry-clientid "Telemetry collection and deletion | Firefox Help | support.mozilla.org" children: - - name: Disable Firefox technical and interaction data collection + name: Disable collection of technical and interaction data in Firefox recommend: standard docs: |- This script alters the `datareporting.healthreport.uploadEnabled` preference, effectively disabling it. This preference regulates whether Firefox sends telemetry data [1]. The script halts all data transmitted from Firefox to Mozilla via Telemetry [2], preventing - Firefox from sending technical and interaction data to Mozilla [3]. + Firefox from sending technical and interaction data to Mozilla [3]. For reasons of military security, it's recommended by the U.S. government (NIST 800-53) that this data collection is disabled [4]. @@ -2811,7 +2811,7 @@ actions: prefName: datareporting.healthreport.uploadEnabled jsonValue: 'false' - - name: Disable verbose Firefox telemetry collection + name: Disable detailed telemetry collection in Firefox recommend: standard docs: |- This script disables the `toolkit.telemetry.enabled` preference, which controls whether the @@ -2838,8 +2838,8 @@ actions: parameters: prefName: toolkit.telemetry.enabled jsonValue: 'false' - - - name: Disable Firefox telemetry archive + - + name: Disable archiving of Firefox telemetry recommend: standard docs: |- This script configures the `toolkit.telemetry.archive.enabled` preference to be disabled, thus 
@@ -2893,12 +2893,12 @@ actions: docs: |- This script sets the `toolkit.telemetry.log.level` preference to the least verbosity to minimize logs. This preference adjusts the telemetry logging verbosity as per `Log.jsm` [1]. - By default, logging is restricted to the console service [1] + By default, logging is restricted to the console service [1]. It displays telemetry information in the browser console [2] and can be used to monitor telemetry activity in the JavaScript console [3]. This process is also referred to as telemetry tracing [4]. The output can be accessed via the DevTools console [4], navigable through the menu by selecting - "Tools" => "Developer Tools" => "Error Console" (CTRL+SHIFT+J). + "Tools" => "Developer Tools" => "Error Console" (CTRL+SHIFT+J). The available verbosity levels, in descending order, are `Trace`, `Debug`, `Config`, `Info`, `Warn` (default), `Error`, and `Fatal` [1]. @@ -2913,10 +2913,10 @@ actions: prefName: toolkit.telemetry.log.level jsonValue: 'Fatal' - - name: Disable dumping Firefox Telemetry log messages to stdout + name: Disable Firefox telemetry log output recommend: standard docs: |- - This script deactivates `toolkit.telemetry.log.dump` as much as possible. + This script adjusts the `toolkit.telemetry.log.dump` setting to its most restricted value. This preference controls whether to dump telemetry log messages to `stdout` [1]. [1]: https://web.archive.org/web/20221015102124/https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/internals/preferences.html "Preferences and Defines — Firefox Source Docs documentation | firefox-source-docs.mozilla.org" 
@@ -2949,7 +2949,7 @@ actions: [1]: https://web.archive.org/web/20221025163526/https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/concepts/pings.html "Telemetry pings — Firefox Source Docs documentation | firefox-source-docs.mozilla.org" children: - - name: Disable pinging to Firefox telemetry server + name: Disable pings to Firefox telemetry server recommend: standard docs: |- This script sets `toolkit.telemetry.server` to be empty. @@ -3065,7 +3065,7 @@ actions: Firefox Pioneer is a system in Firefox to test new features and changes on a subset of Firefox users [1]. Pioneer program sends private/sensitive data to Mozilla [2] [3]. - + [1]: https://web.archive.org/web/20221025161925/https://www.ghacks.net/2017/11/15/what-is-firefox-pioneer/ "What is Firefox Pioneer? - gHacks Tech News | ghacks.net" [2]: https://web.archive.org/web/20221025160326/https://support.mozilla.org/en-US/questions/1224660 "What is a firefox pioneer example of how data will be used and how can this lead to a better user experience? | Firefox Support Forum | Mozilla Support" [3]: https://web.archive.org/web/20221025162028/https://medium.com/firefox-context-graph/make-firefox-better-with-pioneer-10c82d0f9301 "Make Firefox Better With Pioneer. Data is the lifeblood of any product… | by Toby Elliott | Firefox Context Graph | Medium" @@ -3074,7 +3074,7 @@ actions: name: Disable Firefox Pioneer study monitoring recommend: standard docs: |- - This script configures `toolkit.telemetry.pioneer-new-studies-available` to be disabled to opt-out from + This script configures `toolkit.telemetry.pioneer-new-studies-available` to be disabled to opt out. Firefox Pioneer program. This setting disables availability check for Firefox Pioneer studies [1]. 
@@ -3105,7 +3105,7 @@ actions: This script turns off the Firefox Captive Portal detection feature. Firefox uses this feature to determine if a network connection requires a login, such as a - public Wi-Fi hotspot [1]. The test involves initiating an outgoing connection to Mozilla servers [1]. + public Wi-Fi hotspot [1]. The test involves initiating an outgoing connection to Mozilla servers [1]. By default, these connection attempts occur at regular intervals [2][3]. @@ -3129,7 +3129,7 @@ actions: prefName: network.captive-portal-service.enabled jsonValue: 'false' - - category: Disable Firefox Phishing Protection (decreases your security) + category: Disable Firefox Phishing Protection (Safe Browsing) (decreases security) docs: |- Firefox's Safe Browsing feature, now referred to as Phishing Protection, is still internally recognized as "Safe Browsing" [1]. 
@@ -3153,12 +3153,22 @@ actions: [3]: https://web.archive.org/web/20221025192516/https://www.usnews.com/opinion/articles/2016-06-22/google-is-the-worlds-biggest-censor-and-its-power-must-be-regulated "Google Is the World's Biggest Censor and Its Power Must Be Regulated | usnews.com" children: - - name: Disable Firefox plugin stability blocking + name: Disable blocking of unstable plugins in Firefox docs: |- This script sets `browser.safebrowsing.blockedURIs.enabled` to 'false', thereby disabling plugin stability blocking [1]. + Disabling this feature might have mixed implications: + + - Disabling the blocking of unstable plugins can potentially expose the user to vulnerabilities associated with these plugins. + These plugins may include malware, which would compromise user privacy and data. + - It removes the need for data communication via Mozilla servers `addons.mozilla.org` for list retrieval [2]. This feature requires + frequent requests to download large amount of data. + + If this blocking is removed, the user should be knowledgeable about the potential risks and will take precautions. + [1]: https://web.archive.org/web/20221025192643/https://wiki.mozilla.org/Security/Safe_Browsing#Prefs "Security/Safe Browsing - MozillaWiki | wiki.mozilla.org" + [2]: https://web.archive.org/web/20230811024650/https://blog.mozilla.org/addons/2020/08/24/introducing-a-scalable-add-ons-blocklist/ "Introducing a scalable add-ons blocklist | Mozilla Add-ons Community Blog" call: function: AddFirefoxPrefs parameters: @@ -3168,7 +3178,7 @@ actions: name: Disable Firefox application reputation checks for downloads docs: |- This script pertains to a feature that safeguards users from malware downloads [1]. - + This protective measure operates by transmitting downloaded URL and file data to Google's servers [3]. 
@@ -3199,7 +3209,7 @@ actions: Disabling it halts the downloading of malware blacklists and ceases checks on downloads [1]. It is active by default [1]. - Note that disabling this protection disrupts application reputation checks for downloaded files, + Note that disabling this protection disrupts application reputation checks for downloaded files, since it relies on this feature [2]. [1]: https://web.archive.org/web/20221025211950/https://kb.mozillazine.org/Browser.safebrowsing.malware.enabled "Browser.safebrowsing.malware.enabled - MozillaZine Knowledge Base | kb.mozillazine.org" @@ -3337,7 +3347,7 @@ functions: target = json.loads('{{ $jsonValue }}') home_dir = f'/home/{os.getenv("SUDO_USER", os.getenv("USER"))}' settings_files = [ - # Global installation (also snap that installs with "--classic" flag) + # Global installation (also Snap that installs with "--classic" flag) f'{home_dir}/.config/Code/User/settings.json', # Flatpak installation f'{home_dir}/.var/app/com.visualstudio.code/config/Code/User/settings.json' @@ -3451,17 +3461,17 @@ functions: if ! sudo systemctl stop "$service"; then >&2 echo "Could not stop $service." else - echo 'Successfuly stopped' + echo 'Successfully stopped' fi fi if sudo systemctl disable "$service"; then - echo "Successfuly disabled $service." + echo "Successfully disabled $service." else >&2 echo "Failed to disable $service." fi else echo "Skipping, $service is already disabled." - fi + fi else echo "Skipping, $service does not exist." fi @@ -3472,7 +3482,7 @@ functions: echo "Skipping, $service is already enabled." else if sudo systemctl enable "$service"; then - echo "Successfuly enabled $service, it may require reboot to start." + echo "Successfully enabled $service, it may require reboot to start." else >&2 echo "Failed to enable $service." fi 
@@ -3634,7 +3644,7 @@ functions: if ! [ -f "$declaration_file" ]; then echo "Skipping, \"$declaration_file\" does not exist." else - assignment="$variable=$value" + assignment="$variable=$value" if grep --quiet "^$assignment$" "${declaration_file}"; then if sudo sed --in-place "/^$assignment$/d" "$declaration_file"; then echo "Successfully deleted \"$variable\" with \"$value\"." @@ -3650,7 +3660,7 @@ functions: parameters: - name: jobName # Cron is not restarted after changes because according to manpage: - # > …cron will then examine the modification time on all crontabs and reload those which have changed. + # > …cron will then examine the modification time on all crontabs and reload those which have changed. # > Thus cron need not be restarted whenever a crontab file is modified. code: |- job_name='{{ $jobName }}' @@ -3686,11 +3696,11 @@ functions: This script either creates or updates the `user.js` file to set specific Mozilla Firefox preferences. The `user.js` file can be found in a Firefox profile folder [1] and its location depends on the type of installation: - + - Default: `~/.mozilla/firefox//user.js` - Flatpak: `~/.var/app/org.mozilla.firefox/.mozilla/firefox//user.js` - Snap: `~/snap/firefox/common/.mozilla/firefox//user.js` - + While the `user.js` file is optional [2], if it's present, the Firefox application will prioritize its settings over those in `prefs.js` upon startup [1][2]. To prevent potential profile corruption, Mozilla advises against editing `prefs.js` directly [2]. @@ -3799,7 +3809,7 @@ functions: echo "Succesfully restored." else >&2 echo "Failed to restore, backup file could not be found at $backup_file." - >&2 echo "Was it change initially applied by privacy.sexy?" + >&2 echo "Was the change initially applied by privacy.sexy?" fi - name: ReplaceFileContent 
@@ -3826,5 +3836,5 @@ functions: else sudo rm -fv "$file" sudo mv "$file.backup" "$file" - echo "Successfuly restored from backup: $file" + echo "Successfully restored from backup: $file" fi diff --git a/src/application/collections/macos.yaml b/src/application/collections/macos.yaml index 1bb01fbc..5f8bf656 100644 --- a/src/application/collections/macos.yaml +++ b/src/application/collections/macos.yaml @@ -1,4 +1,4 @@ -# Structure documented in "docs/collection-files.md" +# Structure is documented in "docs/collection-files.md" os: macos scripting: language: shellscript @@ -21,7 +21,7 @@ actions: - category: Privacy cleanup children: - - + - category: Clear terminal history children: - @@ -48,18 +48,18 @@ actions: # on main HDD sudo rm -rfv ~/.Trash/* &>/dev/null - - name: Clear system cache files + name: Clear system cache recommend: strict code: |- sudo rm -rfv /Library/Caches/* &>/dev/null sudo rm -rfv /System/Library/Caches/* &>/dev/null sudo rm -rfv ~/Library/Caches/* &>/dev/null - - category: Clear OS logs + category: Clear operating system logs recommend: strict children: - - category: Clear unified logs (diagnostics) + category: Clear unified diagnostic logs docs: https://developer.apple.com/documentation/os/logging children: - @@ -69,15 +69,15 @@ actions: sudo rm -rfv /private/var/db/diagnostics/* sudo rm -rfv /var/db/diagnostics/* - - name: Clear shared-cache strings data - docs: + name: Clear shared cache strings data + docs: - https://eclecticlight.co/2017/09/23/sierras-unified-log-evolves-more-persistent-and-a-valuable-log-log/ - https://github.com/privacysexy-forks/dtformats/blob/main/documentation/Apple%20Unified%20Logging%20and%20Activity%20Tracing%20formats.asciidoc code: |- sudo rm -rfv /private/var/db/uuidtext/ sudo rm -rfv /var/db/uuidtext/ - - category: Clear system logs (/var/log/) + category: Clear system logs children: - name: Clear Apple System Logs (ASL) 
@@ -94,7 +94,7 @@ actions: docs: https://discussions.apple.com/thread/1829842 code: sudo rm -fv /var/log/install.log - - name: Clear all system logs + name: Clear all system logs in `/var/log/` directory docs: https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/ code: sudo rm -rfv /var/log/* # Clears including /var/log/system.log - @@ -105,7 +105,7 @@ actions: name: Clear Mail logs code: rm -rfv ~/Library/Containers/com.apple.mail/Data/Library/Logs/Mail/* - - name: Clear audit logs (login, logout, authentication and other user activity) + name: Clear user activity audit logs (login, logout, authentication, etc.) docs: - https://papers.put.as/papers/macosx/2012/Mac_Log_Analysis_Sarah_Edwards_DFIRSummit2012.pdf - http://macadmins.psu.edu/wp-content/uploads/sites/24696/2016/06/psumac2016-19-osxlogs_macadmins_2016.pdf @@ -113,7 +113,7 @@ actions: sudo rm -rfv /var/audit/* sudo rm -rfv /private/var/audit/* - - name: Clear user logs (user reports) + name: Clear user report logs docs: - https://www.howtogeek.com/356942/how-to-view-the-system-log-on-a-mac/ - https://apple.stackexchange.com/questions/272929/is-it-safe-to-delete-the-content-of-library-logs @@ -134,15 +134,15 @@ actions: category: Clear browser history children: - - category: Clear Google Chrome history + category: Clear Chrome history children: - - name: Clear Google Chrome browsing history + name: Clear Chrome browsing history code: |- rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History &>/dev/null rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History-journal &>/dev/null - - name: Google Chrome Cache Files + name: Clear Chrome cache code: sudo rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/Application\ Cache/* &>/dev/null - category: Clear Safari history 
@@ -165,7 +165,7 @@ actions: docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/Downloads.plist - - name: Clear Safari top sites + name: Clear Safari frequently visited sites docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/ code: rm -f ~/Library/Safari/TopSites.plist - @@ -182,7 +182,7 @@ actions: docs: https://davidkoepi.wordpress.com/2013/04/20/safariforensic/ code: rm -f ~/Library/Caches/com.apple.Safari/Cache.db - - name: Clear Safari web page icons displayed on URL bar + name: Clear Safari URL bar web page icons docs: - https://davidkoepi.wordpress.com/2013/04/20/safariforensic/ - https://lifehacker.com/safaris-private-browsing-mode-saves-urls-in-an-easily-a-1691944343 @@ -194,11 +194,11 @@ actions: - https://www.reddit.com/r/apple/comments/18lp92/your_apple_computer_keeps_a_screen_shot_of_nearly/ code: rm -rfv ~/Library/Caches/com.apple.Safari/Webpage\ Previews - - name: Clear copy of the Safari history + name: Clear Safari history copy docs: https://forensicsfromthesausagefactory.blogspot.com/2010/06/safari-history-spotlight-webhistory.html code: rm -rfv ~/Library/Caches/Metadata/Safari/History - - name: Clear search history embedded in Safari preferences + name: Clear search term history embedded in Safari preferences docs: https://krypted.com/tag/recentsearchstrings/ code: defaults write ~/Library/Preferences/com.apple.Safari RecentSearchStrings '( )' - 
@@ -215,11 +215,11 @@ actions: docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/PerSiteZoomPreferences.plist - - name: Clear URLs that are allowed to display notifications in Safari + name: Clear allowed URLs for Safari notifications docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/UserNotificationPreferences.plist - - name: Clear Safari per-site preferences for Downloads, Geolocation, PopUps, and Autoplays + name: Clear Safari preferences for downloads, geolocation, pop-ups, and autoplay per site docs: https://blog.d204n6.com/2020/09/macos-safari-preferences-and-privacy.html code: rm -f ~/Library/Safari/PerSitePreferences.db - @@ -231,15 +231,15 @@ actions: sudo rm -rf ~/Library/Caches/Mozilla/ rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/netpredictions.sqlite - - name: Delete Firefox form history + name: Clear Firefox form history code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.dat - - name: Delete Firefox site preferences + name: Clear Firefox site preferences code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/content-prefs.sqlite - - name: Delete Firefox session restore data (loads after the browser closes or crashes) + name: Clear Firefox session restore data (loads after the browser closes or crashes) code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionCheckpoints.json rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore*.js* 
@@ -250,7 +250,7 @@ actions: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.bak* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/upgrade.js*-20* - - name: Delete Firefox passwords + name: Clear Firefox passwords docs: https://web.archive.org/web/20210425202923/http://kb.mozillazine.org/Password_Manager code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.txt @@ -259,20 +259,20 @@ actions: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/logins.json - - name: Delete Firefox HTML5 cookies + name: Clear Firefox HTML5 cookies code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/webappsstore.sqlite - - name: Delete Firefox crash reports + name: Clear Firefox crash reports code: |- rm -rfv ~/Library/Application\ Support/Firefox/Crash\ Reports/ rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/minidumps/*.dmp - - name: Delete Firefox backup files + name: Clear Firefox backup files code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.json rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.jsonlz4 - - name: Delete Firefox cookies + name: Clear Firefox cookies code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite @@ -280,7 +280,7 @@ actions: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-wal rm -rfv ~/Library/Application\ Support/Firefox/Profiles/*/storage/default/http* - - category: Clear third party application data + category: Clear third-party application data children: - name: Clear Adobe cache 
@@ -290,18 +290,18 @@ actions: name: Clear Gradle cache recommend: strict code: |- - if [ -d "/Users/${HOST}/.gradle/caches" ]; then + if [ -d "~/.gradle/caches" ]; then rm -rfv ~/.gradle/caches/ &> /dev/null fi - name: Clear Dropbox cache recommend: standard code: |- - if [ -d "/Users/${HOST}/Dropbox" ]; then + if [ -d "~/Dropbox/.dropbox.cache" ]; then sudo rm -rfv ~/Dropbox/.dropbox.cache/* &>/dev/null fi - - name: Clear Google Drive file stream cache + name: Clear Google Drive File Stream cache recommend: standard code: |- killall "Google Drive File Stream" 
@@ -323,21 +323,54 @@ actions: brew tap --repair &>/dev/null fi - - name: Clear any old versions of Ruby gems + name: Clear old Ruby gem versions recommend: strict code: |- if type "gem" &> /dev/null; then gem cleanup &>/dev/null fi - - name: Clear Docker + name: Clear unused Docker data recommend: strict + docs: |- + This script frees up disk space, but also improves user privacy by: + + 1. **Removal of stopped containers**: Containers often run applications or services that might process sensitive + or personal data. Even if a container is stopped, its filesystem remains intact, and potentially sensitive data inside + it can be accessed. By removing stopped containers, we eliminate this potential privacy risk. + + 2. **Deletion of unused images**: Images can sometimes contain sensitive information, especially if they were built + from `Dockerfile`s that copied local files or were used in scenarios where sensitive data was processed. Deleting unused + images ensures that any inadvertent sensitive information embedded in those images is eradicated. + + 3. **Cleanup of network configurations**: Networks, especially custom ones, can contain configurations that reveal details + about system architecture, inter-container communication, or even hardcoded secrets. Removing unused networks mitigates + risks associated with lingering, outdated, or insecure configurations. + + 4. **Elimination of build cache**: The Docker build process uses a cache to speed up image creation. This cache can contain + remnants of previous builds, including potentially sensitive data or files. Pruning the build cache ensures that these remnants + are deleted, further safeguarding privacy. + + 5. **Footprint reduction**: By consistently pruning unused Docker objects, the overall footprint of Docker on the system is + reduced. This makes it harder for malicious actors to exploit any lingering or overlooked vulnerabilities in the system or Docker + itself. 
+ + This script runs `docker system prune -af` command to clean up unused Docker data [1]. + + Specifically, the command will [1]: + + - Remove all stopped containers. + - Remove all networks not used by at least one container. + - Remove all images not used by any container. + - Remove all build cache. + + [1]: https://web.archive.org/web/20230810171526/https://docs.docker.com/engine/reference/commandline/system_prune/ "docker system prune | Docker Documentation" code: |- if type "docker" &> /dev/null; then docker system prune -af fi - - name: Clear Pyenv-VirtualEnv cache + name: Clear Pyenv-Virtualenv cache recommend: strict code: |- if [ "$PYENV_VIRTUALENV_CACHE_PATH" ]; then @@ -359,22 +392,22 @@ actions: yarn cache clean --force fi - - category: iOS Cleanup + category: Clear iOS usage data children: - - name: Clear iOS applications + name: Clear iOS app copies from iTunes recommend: strict code: rm -rfv ~/Music/iTunes/iTunes\ Media/Mobile\ Applications/* &>/dev/null - - name: Clear iOS photo caches + name: Clear iOS photo cache recommend: standard code: rm -rf ~/Pictures/iPhoto\ Library/iPod\ Photo\ Cache/* - - name: Remove iOS Device Backups + name: Clear iOS Device Backups recommend: strict code: rm -rfv ~/Library/Application\ Support/MobileSync/Backup/* &>/dev/null - - name: Clear iOS Simulators + name: Clear iOS simulators recommend: strict code: |- if type "xcrun" &>/dev/null; then @@ -385,7 +418,7 @@ actions: xcrun simctl erase all fi - - name: Clear the list of iOS devices connected + name: Clear list of connected iOS devices recommend: strict code: |- sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" 
@@ -394,7 +427,7 @@ actions: sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices sudo rm -rfv /var/db/lockdown/* - - name: Clear XCode Derived Data and Archives + name: Clear Xcode's derived data and archives recommend: strict code: |- rm -rfv ~/Library/Developer/Xcode/DerivedData/* &>/dev/null 
@@ -407,51 +440,51 @@ actions: sudo dscacheutil -flushcache sudo killall -HUP mDNSResponder - - name: Purge inactive memory + name: Clear inactive memory recommend: standard code: sudo purge - - category: Reset privacy permissions for all applications + category: Clear all privacy permissions for applications children: - - name: Reset camera permissions + name: Clear "camera" permissions code: tccutil reset Camera - - name: Reset microphone permissions + name: Clear "microphone" permissions code: tccutil reset Microphone - - name: Reset accessibility permissions + name: Clear "accessibility" permissions code: tccutil reset Accessibility - - name: Reset screen capture permissions + name: Clear "screen capture" permissions code: tccutil reset ScreenCapture - - name: Reset reminders permissions + name: Clear "reminders" permissions code: tccutil reset Reminders - - name: Reset photos permissions + name: Clear "photos" permissions code: tccutil reset Photos - - name: Reset calendar permissions + name: Clear "calendar" permissions code: tccutil reset Calendar - - name: Reset full disk access permissions + name: Clear "full disk access" permissions code: tccutil reset SystemPolicyAllFiles - - name: Reset contacts permissions + name: Clear "contacts" permissions code: tccutil reset SystemPolicyAllFiles - - name: Reset desktop folder permissions + name: Clear "desktop folder" permissions code: tccutil reset SystemPolicyDesktopFolder - - name: Reset documents folder permissions + name: Clear "documents folder" permissions code: tccutil reset SystemPolicyDocumentsFolder - - name: Reset downloads permissions + name: Clear "downloads" permissions code: tccutil reset SystemPolicyDownloadsFolder - - name: Reset all app permissions - code: tccutil reset All + name: Clear all app permissions + code: tccutil reset All - category: Configure programs children: 
@@ -468,20 +501,20 @@ actions: sudo defaults delete /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled sudo defaults delete /Library/Preferences/org.mozilla.firefox DisableTelemetry - - name: Disable Microsoft Office diagnostics data sending + name: Disable Microsoft Office telemetry recommend: standard code: defaults write com.microsoft.office DiagnosticDataTypePreference -string ZeroDiagnosticData revertCode: defaults delete com.microsoft.office DiagnosticDataTypePreference - - name: Uninstall Google update + name: Remove Google Software Update service recommend: strict code: |- googleUpdateFile=~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall if [ -f "$googleUpdateFile" ]; then $googleUpdateFile --nuke - echo Uninstalled google update + echo 'Uninstalled Google update' else - echo Google update file does not exist + echo 'Google update file does not exist' fi - name: Disable Homebrew user behavior analytics 
@@ -514,12 +547,12 @@ actions: docs: |- Parallels Desktop for Mac is software providing hardware virtualization for macOS [1]. - When you use it, it collects and share your personal data to third parties [2]. Personal + When you use it, it collects and shares your personal data to third parties [2]. Personal data include IP address of your device, your broad geographical location (country, state (if applicable), and city) and used product [2]. - - It includes third-party ads [3] and automatic check for updates [4] by default. Both of these - behaviors communicate with online services that reveal data about you. + + It includes third-party advertisements [3] and automatic check for updates [4] by default. + Both of these behaviors communicate with online services that reveal personal data about you. [1]: https://web.archive.org/web/20221012155943/https://en.wikipedia.org/wiki/Parallels_Desktop_for_Mac "Parallels Desktop for Mac - Wikipedia | en.wikipedia.org" [2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com" @@ -527,7 +560,7 @@ actions: [4]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com" children: - - name: Turn off ads in Parallels Desktop + name: Disable Parallels Desktop advertisements recommend: standard docs: |- Parallels Desktop in-product notifications to show ads from Parallels or other third 
@@ -544,7 +577,7 @@ actions: default). It's undocumented but still kept disabled by this script. [1]: https://web.archive.org/save/https://forum.parallels.com/threads/unable-to-process-the-upgrade-request.345603/ "Unable to process the upgrade request | Parallels Forums | forum.parallels.com" - [2]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? | Knowledge Base | parallels.com" + [2]: https://web.archive.org/web/20221012151800/https://kb.parallels.com/114422 "How do I turn off notifications in Parallels Desktop and Parallels Access? | Knowledge Base | parallels.com" code: |- defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool yes defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes @@ -552,16 +585,16 @@ actions: defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool no defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes - - category: Disable Parallels Desktop auto-updates + category: Disable Parallels Desktop automatic updates docs: |- Parallels Desktop by default checks for updates frequently and automatically downloads them [1]. - This reveal personal data about [2] you without your control. + This reveal personal data about you [2] without your control. [1]: https://web.archive.org/web/20221012151953/http://download.parallels.com/stm/docs/en/Parallels_Desktop_Users_Guide/22220.htm "Automatic Updating | Parallels Desktop Users Guide | download.parallels.com" [2]: https://web.archive.org/web/20221012155829/https://www.parallels.com/about/legal/privacy/ "Privacy Statement | parallels.com" children: - - name: Disable automatically downloading Parallels Desktop updates + name: Disable automatic downloads for Parallels Desktop updates docs: |- Automatic downloads are enabled by default, and this script disables automatic downloads. 
@@ -570,11 +603,11 @@ actions: - Check: `defaults read 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically'` - Values: 0 - Disabled, 1 - Enabled (default) - [1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com" + [1]: https://web.archive.org/web/20221012153810/https://download.parallels.com/desktop/v18/docs/en_US/Parallels-Desktop-Business-Edition-Administrators-Guide/37744.htm "Parallels Desktop Business Edition Administrator's Guide v18 - Configuring individual Macs | download.parallels.com" code: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool no revertCode: defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool yes - - name: Disable automatically checking for Parallels Desktop updates + name: Disable automatic checks for Parallels Desktop updates docs: |- Automatic checks are weekly by default, and this script disables the checks completely. @@ -593,7 +626,7 @@ actions: category: Configure Apple Remote Desktop children: - - name: Deactivate the Remote Management Service + name: Disable remote management service recommend: strict code: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop revertCode: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console 
@@ -604,26 +637,26 @@ actions: sudo rm -rf /var/db/RemoteManagement sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist - sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ + sudo rm -rf /Library/Application\ Support/Apple/Remote\ Desktop/ rm -r ~/Library/Application\ Support/Remote\ Desktop/ rm -r ~/Library/Containers/com.apple.RemoteDesktop - - name: Disable Internet based spell correction + name: Disable online spell correction code: defaults write NSGlobalDomain WebAutomaticSpellingCorrectionEnabled -bool false revertCode: defaults delete NSGlobalDomain WebAutomaticSpellingCorrectionEnabled - - name: Disable Remote Apple Events + name: Disable remote Apple events recommend: strict code: sudo systemsetup -setremoteappleevents off revertCode: sudo systemsetup -setremoteappleevents on - - name: Do not store documents to iCloud Drive by default + name: Disable automatic storage of documents in iCloud Drive docs: https://macos-defaults.com/finder/nsdocumentsavenewdocumentstocloud.html recommend: standard code: defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false revertCode: defaults delete NSGlobalDomain NSDocumentSaveNewDocumentsToCloud - - name: Do not show recent items on dock + name: Disable display of recent applications on Dock docs: https://developer.apple.com/documentation/devicemanagement/dock code: defaults write com.apple.dock show-recents -bool false revertCode: defaults delete com.apple.dock show-recents @@ -636,7 +669,7 @@ actions: category: Configure Siri children: - - name: Opt-out from Siri data collection + name: Disable participation in Siri data collection recommend: standard code: defaults write com.apple.assistant.support 'Siri Data Sharing Opt-In Status' -int 2 revertCode: defaults delete com.apple.assistant.support 'Siri Data Sharing Opt-In Status' 
@@ -683,7 +716,7 @@ actions: launchctl enable "gui/$UID/com.apple.Siri.agent" sudo launchctl enable 'system/com.apple.Siri.agent' if [ $(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//') = "enabled" ]; then - >&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'' + >&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection' fi - name: Disable "Do you want to enable Siri?" pop-up @@ -694,15 +727,15 @@ actions: code: defaults write com.apple.SetupAssistant 'DidSeeSiriSetup' -bool True revertCode: defaults delete com.apple.SetupAssistant 'DidSeeSiriSetup' - - category: Hide Siri + category: Remove Siri from user interface children: - - name: Hide Siri from menu bar + name: Remove Siri from menu bar recommend: strict code: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 0 revertCode: defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 1 - - name: Hide Siri from status menu + name: Remove Siri from status menu recommend: strict docs: https://derflounder.wordpress.com/2016/09/20/blocking-siri-on-macos-sierra/ code: |- @@ -712,11 +745,11 @@ actions: defaults delete com.apple.Siri 'StatusMenuVisible' defaults delete com.apple.Siri 'UserHasDeclinedEnable' - - name: Disable Spotlight indexing + name: Disable Spotlight indexing code: sudo mdutil -i off -d / revertCode: sudo mdutil -i on / - - name: Disable Personalized advertisements and identifier collection + name: Disable personalized advertisements and identifier tracking recommend: standard docs: |- This script enhances your privacy by deactivating Personalized Ads and disabling the collection 
@@ -746,7 +779,7 @@ actions: Please note: The `forceLimitAdTracking` key limits ad tracking [3] [4] and is found in CIS benchmarks for macOS [4]. However, the official macOS documentation specifies that it is - applicable only to iOS 7 and later versions, not to macOS [3]. The key does not exist on the OS + applicable only to iOS 7 and newer versions, not to macOS [3]. The key does not exist on the OS by default. [1]: https://web.archive.org/web/20230731152633/https://www.apple.com/legal/privacy/data/en/apple-advertising/ "Legal - Apple Advertising & Privacy - Apple" @@ -789,7 +822,7 @@ actions: sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool false defaults write com.apple.security.firewall EnableFirewall -bool false - - name: Turn on firewall logging + name: Enable firewall logging recommend: standard docs: - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81671 @@ -801,7 +834,7 @@ actions: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode off sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool false - - name: Turn on stealth mode + name: Enable stealth mode recommend: standard docs: - https://www.stigviewer.com/stig/apple_os_x_10.8_mountain_lion_workstation/2015-02-10/finding/V-51327 
@@ -816,16 +849,16 @@ actions: sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false defaults write com.apple.security.firewall EnableStealthMode -bool false - - category: Disable auto-permitting incoming traffic for apps + category: Disable automatic permission for incoming traffic in applications children: - - name: Prevent automatically allowing incoming connections to signed apps + name: Disable automatic incoming connections for signed apps docs: https://daiderd.com/nix-darwin/manual/index.html recommend: strict code: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false revertCode: sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool true - - name: Prevent automatically allowing incoming connections to downloaded signed apps + name: Disable automatic incoming connections for downloaded signed apps docs: https://daiderd.com/nix-darwin/manual/index.html recommend: strict code: sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool false 
@@ -845,18 +878,18 @@ actions: code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false revertCode: sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active - - category: Use screen saver for protection + category: Enable protective screen saver children: - - name: Require a password to wake the computer from sleep or screen saver + name: Enable password requirement for waking from sleep or screen saver # The screen saver acts as a session lock and prevents unauthorized users from accessing the current user's account. docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230744 code: sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver askForPassword - - name: Initiate session lock five seconds after screen saver is started + name: Enable session lock five seconds after screen saver initiation docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2020-11-27/finding/V-230745 - # An unattended system with an excessive grace period is vulnerable to a malicious user. + # An unattended system with an excessive grace period is vulnerable to a malicious user. code: sudo defaults write /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' -int 5 revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' - 
@@ -864,36 +897,36 @@ actions: docs: - https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230823 - https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81615 - children: - - - name: Disables signing in as Guest from the login screen - code: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO - revetCode: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES - - - name: Disables Guest access to file shares over AF - code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO - revetCode: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES - - - name: Disables Guest access to file shares over SMB - code: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO - revetCode: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES - - - category: Prevent unauthorized connections children: - - name: Disable remote login (incoming SSH and SFTP connections) + name: Disable guest sign-in from login screen + code: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO + revertCode: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool YES + - + name: Disable guest access to file shares over AF + code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO + revertCode: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool YES + - + name: Disable guest access to file shares over SMB + code: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO + revertCode: sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool YES + - + category: Disable unauthorized connections + children: + 
- + name: Disable incoming SSH and SFTP remote logins recommend: standard docs: https://osxdaily.com/2016/08/16/enable-ssh-mac-command-line/ # Check if enabled: sudo systemsetup -getremotelogin, returns "Remote Login: On" or "Off" code: echo 'yes' | sudo systemsetup -setremotelogin off revertCode: sudo systemsetup -setremotelogin on - - name: Disable insecure TFTP service + name: Disable the insecure TFTP service recommend: standard # If the system does not require Trivial File Transfer Protocol (TFTP), then support for # it is non-essential and should be disabled. The information system should be configured to # provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection - # of devices and the unauthorized transfer of information. + # of devices and the unauthorized transfer of information. docs: https://www.stigviewer.com/stig/apple_macos_11_big_sur/2021-06-16/finding/V-230813 code: sudo launchctl disable 'system/com.apple.tftpd' revertCode: sudo launchctl enable 'system/com.apple.tftpd' @@ -921,13 +954,13 @@ actions: - https://www.cups.org/doc/security.html # Security risks children: - - name: Disable sharing of local printers with other computers + name: Disable local printer sharing with other computers recommend: standard docs: https://www.cups.org/doc/man-cupsctl.html code: cupsctl --no-share-printers revertCode: cupsctl --share-printers - - name: Disable printing from any address including the Internet + name: Disable printing from external addresses, including the internet recommend: standard docs: https://www.cups.org/doc/man-cupsctl.html code: cupsctl --no-remote-any 
@@ -952,7 +985,7 @@ actions: category: Clean File Quarantine from downloaded files children: - - name: Clear File Quarantine logs of all downloaded files + name: Clear logs of all downloaded files from File Quarantine recommend: strict docs: - https://www.macobserver.com/tips/how-to/your-mac-remembers-everything-you-download-heres-how-to-clear-download-history/ @@ -969,7 +1002,7 @@ actions: if ls -lO "$db_file" | grep --silent 'schg'; then sudo chflags noschg "$db_file" echo "Found and removed system immutable flag" - has_sytem_immutable_flag=true + has_system_immutable_flag=true fi if ls -lO "$db_file" | grep --silent 'uchg'; then sudo chflags nouchg "$db_file" @@ -978,7 +1011,7 @@ actions: fi sqlite3 "$db_file" "$db_query" echo "Executed the query \"$db_query\"" - if [ "$has_sytem_immutable_flag" = true ] ; then + if [ "$has_system_immutable_flag" = true ] ; then sudo chflags schg "$db_file" echo "Added system immutable flag back" fi @@ -1012,10 +1045,10 @@ actions: ' \ {} \; - - category: Disable File Quarantine from tracking downloaded files + category: Disable macOS File Quarantine tracking for downloaded files children: - - name: Prevent quarantine from logging downloaded files + name: Disable downloaded file logging in quarantine docs: - https://eclecticlight.co/2019/04/25/%F0%9F%8E%97-quarantine-apps/ - https://eclecticlight.co/2017/12/11/xattr-com-apple-quarantine-the-quarantine-flag/ @@ -1038,7 +1071,7 @@ actions: >&2 echo "Cannot revert immutability, file does not exist at\"$file_to_lock\"" fi - - name: Disable using extended quarantine attribute on downloaded files (disables warning) + name: Disable extended quarantine attribute for downloaded files (disables warning) # Disables dialogs shown when opening an application for the first time # i.e. "Application Downloaded from Internet" quarantine warning. docs: 
@@ -1054,7 +1087,7 @@ actions: # Can protect against unknown threats. children: - - name: Prevent Gatekeeper from automatically reactivating itself + name: Disable Gatekeeper's automatic reactivation docs: - https://osxdaily.com/2015/11/05/stop-gatekeeper-auto-rearm-mac-os-x/ - https://www.cnet.com/tech/computing/how-to-disable-gatekeeper-permanently-on-os-x/ @@ -1071,8 +1104,8 @@ actions: code: |- os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}') os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}') - if [[ $os_major_ver -le 10 \ - || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \ + if [[ $os_major_ver -le 10 \ + || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \ ]]; then echo "No action needed, Gatekeeper is not available this OS version" else @@ -1090,8 +1123,8 @@ actions: revertCode: |- os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}') os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}') - if [[ $os_major_ver -le 10 \ - || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \ + if [[ $os_major_ver -le 10 \ + || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \ ]]; then >&2 echo "Gatekeeper is not available in this OS version" else @@ -1107,7 +1140,7 @@ actions: fi fi - - name: Disable Library Validation Entitlement (checks signature of libraries) + name: Disable library validation entitlement (library signature validation) docs: - https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation - https://www.macenhance.com/docs/general/sip-library-validation.html 
@@ -1121,25 +1154,25 @@ actions: - https://macadminsdoc.readthedocs.io/en/master/Profiles-and-Settings/OS-X-Updates.html children: - - name: Disable automatically checking for updates + name: Disable automatic checks for updates docs: https://developer.apple.com/documentation/devicemanagement/softwareupdate code: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool false revertCode: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool true - - name: Disable automatically downloading new updates when available + name: Disable automatic downloads for updates docs: https://developer.apple.com/documentation/devicemanagement/softwareupdate code: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool false revertCode: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool true - - name: Disable automatically installing macOS updates + name: Disable automatic installation of macOS updates docs: # References for AutoUpdateRestartRequired - https://kb.vmware.com/s/article/2960635 
@@ -1149,48 +1182,48 @@ actions: code: |- # For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14) sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool false - # For Mojave and later (>= 10.14) + # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool false revertCode: |- # For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14) sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool true - # For Mojave and later (>= 10.14) + # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool true - - name: Disable automatically updating app from the App Store + name: Disable automatic app updates from the App Store docs: - https://kb.vmware.com/s/article/2960635 - https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/ code: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool false - # For Mojave and later (>= 10.14) + # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool false revertCode: |- - # For OS X Yosemite and later + # For OS X Yosemite and newer sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool true - # For Mojave and later (>= 10.14) + # For Mojave and newer (>= 10.14) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool true - - name: Disable installation of macOS beta releases + name: Disable macOS beta release installation docs: https://support.apple.com/en-gb/HT203018 code: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer 
(>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool false revertCode: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool true - - name: Disable automatically installing configuration data (e.g. XProtect, Gatekeeper, MRT) + name: Disable automatic installation for configuration data (e.g. XProtect, Gatekeeper, MRT) docs: https://derflounder.wordpress.com/2018/12/28/enabling-automatic-macos-software-updates-for-os-x-yosemite-through-macos-mojave/ code: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool false revertCode: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool true - - name: Disable automatically installing system data files and security updates + name: Disable automatic installation for system data files and security updates docs: # References for CriticalUpdateInstall - https://derflounder.wordpress.com/2014/12/24/managing-os-xs-automatic-security-updates/ 
@@ -1198,10 +1231,10 @@ actions: # References for softwareupdate --background-critical - https://managingosx.wordpress.com/2013/04/30/undocumented-options/ code: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool false revertCode: |- - # For OS X Yosemite and later (>= 10.10) + # For OS X Yosemite and newer (>= 10.10) sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool true # Trigger background check with normal scan (critical updates only) sudo softwareupdate --background-critical diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 086ea9a8..8902f01f 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml @@ -1,4 +1,4 @@ -# Structure documented in "docs/collection-files.md" +# Structure is documented in "docs/collection-files.md" os: windows scripting: language: batchfile @@ -21,18 +21,18 @@ actions: - category: Privacy cleanup children: - - - category: Clear application history + - + category: Clear third-party application data children: - - name: Clear Listary indexes + name: Clear Listary search index code: del /f /s /q %appdata%\Listary\UserData > nul - name: Clear Java cache recommend: strict code: rd /s /q "%APPDATA%\Sun\Java\Deployment\cache" - - name: Clear Flash traces + name: Clear Flash Player traces recommend: standard code: rd /s /q "%APPDATA%\Macromedia\Flash Player" - 
@@ -43,7 +43,7 @@ actions: del /f /q %ProgramFiles(x86)%\Steam\Traces del /f /q %ProgramFiles(x86)%\Steam\appcache\*.log - - category: Clear Visual Studio data + category: Clear Visual Studio usage data docs: |- Visual Studio is an integrated development environment (IDE) from Microsoft that is used to develop software [1]. Visual Studio store data such as your usage of the software and also information about your hardware [2]. 
@@ -63,25 +63,25 @@ actions: deleting data waiting to be sent. children: - - name: Delete offline Visual Studio telemetry files + name: Clear offline Visual Studio usage telemetry data recommend: standard docs: |- SQM files are text files that are created and used by Microsoft [1]. SQM stands for "Service Quality Monitoring" [1]. - When unable to connect to internet Visual Studio stores SQM files in `%LocalAppData%\Microsoft\VSCommon\\SQM` [2]. + When unable to connect to internet Visual Studio stores SQM files in `%LOCALAPPDATA%\Microsoft\VSCommon\\SQM` [2]. The number of files grows continuously and it can get to thousands. Cleaning these files speeds up Visual Studio significantly according to community reports [2]. [1]: https://techshift.net/how-to-open-sqm-file/ "What is a .SQM File And How To Open It - Microsoft (Visual Guide) | TechShift.net" [2]: https://stackoverflow.com/a/38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow" code: |- - rmdir /s /q %LocalAppData%\Microsoft\VSCommon\14.0\SQM - rmdir /s /q %LocalAppData%\Microsoft\VSCommon\15.0\SQM - rmdir /s /q %LocalAppData%\Microsoft\VSCommon\16.0\SQM - rmdir /s /q %LocalAppData%\Microsoft\VSCommon\17.0\SQM + rmdir /s /q %LOCALAPPDATA%\Microsoft\VSCommon\14.0\SQM + rmdir /s /q %LOCALAPPDATA%\Microsoft\VSCommon\15.0\SQM + rmdir /s /q %LOCALAPPDATA%\Microsoft\VSCommon\16.0\SQM + rmdir /s /q %LOCALAPPDATA%\Microsoft\VSCommon\17.0\SQM - - name: Delete Visual Studio Application Insights logs + name: Clear Visual Studio Application Insights logs recommend: standard docs: |- Application Insights for Visual Studio stores diagnostic data for e.g. exceptions and performance [1]. 
@@ -92,11 +92,11 @@ actions: [2]: https://developercommunity.visualstudio.com/t/visual-studio-freezes-randomly/224181#T-N257722-N277241-N407607 "Visual Studio freezes randomly | Visual Studio Feedback" [3]: https://stackoverflow.com/a/53754481 "Visual Studio 2017 (15.3.1) keeps hanging/freezing | Stack Overflow" code: |- - rmdir /s /q "%LocalAppData%\Microsoft\VSApplicationInsights" 2>nul + rmdir /s /q "%LOCALAPPDATA%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%ProgramData%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%Temp%\Microsoft\VSApplicationInsights" 2>nul - - name: Delete Visual Studio telemetry folders + name: Clear Visual Studio telemetry data recommend: standard docs: |- `vstelemetry` is a folder created by both Visual Studio [1] and also by SQL Server Management Studio [2] to @@ -110,7 +110,7 @@ actions: rmdir /s /q "%AppData%\vstelemetry" 2>nul rmdir /s /q "%ProgramData%\vstelemetry" 2>nul - - name: Delete Visual Studio temporary telemetry and log data + name: Clear Visual Studio temporary telemetry and log data recommend: standard docs: |- These logs area created by different tools that Visual Studio uses such as its launcher, installer or 
@@ -124,7 +124,7 @@ actions: implications. These files can be useful for faster loading, so this script removes only the sensitive data stored instead of cleaning all the cache completely. - [1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Develoepr Community" + [1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Developer Community" [2]: https://developercommunity.visualstudio.com/t/microsoft-visual-studio-1/588200#T-N588861-N594783 "MSTF help | Visual Studio Developer Community" [3]: https://github.com/MicrosoftDocs/live-share/issues/3584 "Agent logs in %TEMP%\VSFeedbackVSRTCLogs taking up over 87GB · Issue #3584 · MicrosoftDocs/live-share | GitHub" [4]: https://developercommunity.visualstudio.com/t/please-keep-my-temp-folder-clean/731637 "Please keep my TEMP folder clean! - Visual Studio Feedback | Visual Studio Developer Community" @@ -139,7 +139,7 @@ actions: rmdir /s /q "%Temp%\VSRemoteControl" 2>nul rmdir /s /q "%Temp%\Microsoft\VSFeedbackCollector" 2>nul rmdir /s /q "%Temp%\VSTelem" 2>nul - rmdir /s /q "%Temp%\VSTelem.Out" 2>nul + rmdir /s /q "%Temp%\VSTelem.Out" 2>nul - category: Clear Visual Studio licenses docs: |- 
@@ -172,7 +172,7 @@ actions: The latest reported key is `1299B4B9-DFCC-476D-98F0-F65A2B46C96D` [2] [3]. I have tested and verified this along with some other keys of preview versions. This scripts deletes all mentioned keys. - [1]: https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 key discussion | beatcracker/VSCELicense | GitHub" + [1]: https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 Key Discussion | beatcracker/VSCELicense | GitHub" [2]: https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022.html "MSFT Answer | Microsoft Learn" [3]: https://stackoverflow.com/a/71624750 "How to change Visual Studio 2017 License Key? | Stack Overflow" code: |- 
@@ -180,70 +180,79 @@ actions: reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f - - category: Clear most recently used lists (MRU) + category: Clear most recently used (MRU) lists children: - category: Clear Quick Access (jump) lists docs: https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf children: - - name: Clear recently accessed files + name: Clear recently accessed files list recommend: standard code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*" - - name: Clear user pins + name: Clear pinned items for the user code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*" - - name: Clear regedit last key - recommend: standard - code: |- - reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f - reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f + category: Clear Windows Registry usage data + docs: |- + The Windows Registry is a hierarchical database that stores settings, configurations, and options for the operating system, installed + applications, and user preferences. Over time, as users interact with their system and software, usage data and traces get stored in + the registry. + + This category focuses on clearing specific types of this usage data, ensuring privacy and potentially improving system responsiveness. 
+ children: + - + name: Clear last `regedit` key + recommend: standard + code: |- + reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f + reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f + - + name: Clear favorite keys in `regedit` + recommend: standard + code: |- + reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f + reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f - - name: Clear regedit favorites - recommend: standard - code: |- - reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f - reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f - - - name: Clear list of recent programs opened + name: Clear recently opened applications list recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f - - name: Clear Adobe Media Browser MRU + name: Clear "Adobe Media Browser" most recently used (MRU) list recommend: standard code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f - - name: Clear MSPaint MRU + name: Clear "MSPaint" most recently used (MRU) list recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f - - name: Clear Wordpad MRU + name: Clear "Wordpad" most recently used (MRU) list recommend: standard code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f - - name: Clear Map Network Drive MRU MRU + name: Clear "Map Network Drive" most recently used (MRU) list recommend: standard code: |- reg delete 
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f - - name: Clear Windows Search Assistant history + name: Clear "Windows Search Assistant" history recommend: standard code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f - - name: Clear list of Recent Files Opened, by Filetype + name: Clear recently opened files list for each file type recommend: standard code: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f - - name: Clear windows media player recent files and URLs + name: Clear Windows Media Player recent files and URLs recommend: standard code: |- reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f @@ -251,13 +260,13 @@ actions: reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f - - name: Clear Most Recent Application's Use of DirectX + name: Clear most recent DirectX application usage recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f - - name: Clear Windows Run MRU & typedpaths + name: Clear "Windows Run" most recently used (MRU) list and typed paths recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f 
@@ -266,14 +275,14 @@ actions: name: Clear Dotnet CLI telemetry recommend: standard code: rmdir /s /q "%USERPROFILE%\.dotnet\TelemetryStorageService" 2>nul - - + - category: Clear browser history children: - category: Clear Internet Explorer history children: - - name: Clear Internet Explorer caches + name: Clear Internet Explorer cache recommend: standard docs: # INetCache @@ -282,8 +291,8 @@ actions: # WebCache - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache code: |- - del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*" - rd /s /q "%localappdata%\Microsoft\Windows\WebCache" + del /f /q "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\*" + rd /s /q "%LOCALAPPDATA%\Microsoft\Windows\WebCache" - name: Clear Internet Explorer recent URLs recommend: strict 
@@ -296,27 +305,27 @@ actions: reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f - - name: Clear Temporary Internet Files (browser cache) + name: Clear "Temporary Internet Files" (browser cache) recommend: standard docs: - https://en.wikipedia.org/wiki/Temporary_Internet_Files - - https://www.windows-commandline.com/delete-temporary-internet-files/ # %localappdata%\Temporary Internet Files - - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %localappdata%\Microsoft\Windows\Temporary Internet Files and INetCache + - https://www.windows-commandline.com/delete-temporary-internet-files/ # %LOCALAPPDATA%\Temporary Internet Files + - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files and INetCache code: |- :: Windows XP rd /s /q %userprofile%\Local Settings\Temporary Internet Files :: Windows 7 - rd /s /q "%localappdata%\Microsoft\Windows\Temporary Internet Files" - takeown /f "%localappdata%\Temporary Internet Files" /r /d y - icacls "%localappdata%\Temporary Internet Files" /grant administrators:F /t - rd /s /q "%localappdata%\Temporary Internet Files" + rd /s /q "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files" + takeown /f "%LOCALAPPDATA%\Temporary Internet Files" /r /d y + icacls "%LOCALAPPDATA%\Temporary Internet Files" /grant administrators:F /t + rd /s /q "%LOCALAPPDATA%\Temporary Internet Files" :: Windows 8 and above - rd /s /q "%localappdata%\Microsoft\Windows\INetCache" + rd /s /q "%LOCALAPPDATA%\Microsoft\Windows\INetCache" - - name: Clear Internet Explorer Feeds Cache + name: Clear Internet Explorer feeds cache recommend: standard docs: https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data - code: rd /s /q "%localappdata%\Microsoft\Feeds Cache" + code: rd /s /q "%LOCALAPPDATA%\Microsoft\Feeds Cache" - name: Clear 
Internet Explorer cookies recommend: strict @@ -328,14 +337,14 @@ actions: :: Windows 7 browsers rd /s /q "%APPDATA%\Microsoft\Windows\Cookies" :: Windows 8 and higher - rd /s /q "%localappdata%\Microsoft\Windows\INetCookies" + rd /s /q "%LOCALAPPDATA%\Microsoft\Windows\INetCookies" - name: Clear Internet Explorer DOMStore recommend: standard docs: https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx - code: rd /s /q "%localappdata%\Microsoft\InternetExplorer\DOMStore" + code: rd /s /q "%LOCALAPPDATA%\Microsoft\InternetExplorer\DOMStore" - - name: Clear all Internet Explorer user data + name: Clear Internet Explorer usage data docs: - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data 
@@ -347,35 +356,35 @@ actions: # EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\ # Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log, # MSIMGSIZ.DAT - code: rd /s /q "%localappdata%\Microsoft\Internet Explorer" + code: rd /s /q "%LOCALAPPDATA%\Microsoft\Internet Explorer" - - category: Clear Google Chrome history + category: Clear Chrome history children: - - name: Clear Google Chrome crash reports + name: Clear Chrome crash reports recommend: standard docs: https://www.chromium.org/developers/crash-reports code: |- - rd /s /q "%localappdata%\Google\Chrome\User Data\Crashpad\reports\" - rd /s /q "%localappdata%\Google\CrashReports\" + rd /s /q "%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports\" + rd /s /q "%LOCALAPPDATA%\Google\CrashReports\" - name: Clear Software Reporter Tool logs recommend: standard docs: https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/ - code: del /f /q "%localappdata%\Google\Software Reporter Tool\*.log" + code: del /f /q "%LOCALAPPDATA%\Google\Software Reporter Tool\*.log" - - name: Clear all Chrome user data + name: Clear Chrome user data docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data" - :: Windows Vista and later - rd /s /q "%localappdata%\Google\Chrome\User Data" + :: Windows Vista and newer + rd /s /q "%LOCALAPPDATA%\Google\Chrome\User Data" - category: Clear Firefox history children: - - name: Clear browsing history and caches + name: Clear browsing history and cache recommend: standard code: |- set ignoreFiles="content-prefs.sqlite" "permissions.sqlite" "favicons.sqlite" @@ -386,7 +395,7 @@ actions: FOR /d %%p IN (%%d*) DO ( for /f "delims=" %%f in ('dir /b /s "%%p\*.sqlite" 2^>nul') do ( set "continue=" - for %%i in (%ignoreFiles%) do ( + for %%i in (%ignoreFiles%) do ( if %%i == "%%~nxf" ( set continue=1 ) 
@@ -399,17 +408,17 @@ actions: ) ) - - name: Clear all Firefox user profiles, settings, and data + name: Clear Firefox user profiles, settings, and data code: |- - rd /s /q "%localappdata%\Mozilla\Firefox\Profiles" + rd /s /q "%LOCALAPPDATA%\Mozilla\Firefox\Profiles" rd /s /q "%APPDATA%\Mozilla\Firefox\Profiles" - - name: Clear all Opera data (user profiles, settings, and data) + name: Clear Opera history (user profiles, settings, and data) code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Opera\Opera" - :: Windows Vista and later - rd /s /q "%localappdata%\Opera\Opera" + :: Windows Vista and newer + rd /s /q "%LOCALAPPDATA%\Opera\Opera" rd /s /q "%APPDATA%\Opera\Opera" - category: Clear Safari history @@ -421,8 +430,8 @@ actions: code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db" - :: Windows Vista and later - del /q /s /f "%localappdata%\Apple Computer\Safari\WebpageIcons.db" + :: Windows Vista and newer + del /q /s /f "%LOCALAPPDATA%\Apple Computer\Safari\WebpageIcons.db" - name: Clear Safari cache recommend: standard @@ -430,8 +439,8 @@ actions: code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db" - :: Windows Vista and later - del /q /s /f "%localappdata%\Apple Computer\Safari\Cache.db" + :: Windows Vista and newer + del /q /s /f "%LOCALAPPDATA%\Apple Computer\Safari\Cache.db" - name: Clear Safari cookies recommend: strict @@ -439,8 +448,8 @@ actions: code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db" - :: Windows Vista and later - del /q /s /f "%localappdata%\Apple Computer\Safari\Cookies.db" + :: Windows Vista and newer + del /q /s /f "%LOCALAPPDATA%\Apple Computer\Safari\Cookies.db" - name: Clear all Safari data (user profiles, settings, and data) docs: 
@@ -450,7 +459,7 @@ actions: code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari" - :: Windows Vista and later + :: Windows Vista and newer rd /s /q "%AppData%\Apple Computer\Safari" - category: Clear temporary Windows files @@ -510,7 +519,7 @@ actions: name: Clear temporary user folder recommend: standard docs: |- - This script deles the contents of the `%TEMP%\` (or `%LocalAppData%\Temp\` [1], `%TMP%\` [2]) directory, used by applications + This script deletes the contents of the `%TEMP%\` (or `%LOCALAPPDATA%\Temp\` [1], `%TMP%\` [2]) directory, used by applications and processes to store temporary files. This directory is situated within the user profile `%SystemDrive%\Users\\AppData\Local\Temp` [1] [2] [3]. Only the respective profile user can read and write to this folder [4]. @@ -575,17 +584,17 @@ actions: [5]: https://web.archive.org/web/20231001151150/https://www.justice.gov/sites/default/files/usao/legacy/2008/02/04/usab5601.pdf "Computer Forensics | justice.gov" [6]: https://web.archive.org/web/20231001151207/https://par.nsf.gov/servlets/purl/10333089 "Malware Family Classification via Residual Prefetch Artifacts | par.nsf.gov" code: del /s /f /q "%WINDIR%\Prefetch\*" - - - category: Clear Windows logs & caches + - + category: Clear Windows log and caches children: - name: Clear thumbnail cache - code: del /f /s /q /a %LocalAppData%\Microsoft\Windows\Explorer\*.db + code: del /f /s /q /a %LOCALAPPDATA%\Microsoft\Windows\Explorer\*.db - - category: Clear Windows log files + category: Clear Windows system log files children: - - category: Clear Windows Update logs + category: Clear Windows Update system logs children: - name: Clear Windows update and SFC scan logs 
@@ -601,7 +610,7 @@ actions: icacls %SystemRoot%\Logs\waasmedic /grant administrators:F /t rd /s /q %SystemRoot%\Logs\waasmedic - - name: Clear Cryptographic Services Traces + name: Clear Cryptographic Services diagnostic traces recommend: standard docs: https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows code: |- 
@@ -611,30 +620,43 @@ actions: del /f /q %SystemRoot%\System32\catroot2.edb del /f /q %SystemRoot%\System32\catroot2.chk - - name: Windows Update Events Logs + name: Clear Windows Update events logs code: del /f /q "%SystemRoot%\Logs\SIH\*" - - name: Windows Update Logs + name: Clear Windows Update logs code: del /f /q "%SystemRoot%\Traces\WindowsUpdate\*" - name: Clear Optional Component Manager and COM+ components logs recommend: standard code: del /f /q %SystemRoot%\comsetup.log - - name: Clear Distributed Transaction Coordinator logs + name: Clear "Distributed Transaction Coordinator (`Dtc`)" logs recommend: standard code: del /f /q %SystemRoot%\DtcInstall.log - - name: Clear Pending File Rename Operations logs + name: Clear logs for pending/unsuccessful file rename operations + docs: |- + This script is used to clear the log files created by Windows whenever there are pending file rename operations + that are not successfully completed. The logged operations might include renaming, moving or deleting a file that is + currently in use [1]. + + [1]: https://web.archive.org/web/20230806191624/https://support.microsoft.com/en-us/topic/how-to-install-multiple-windows-updates-or-hotfixes-with-only-one-reboot-6247def4-7f39-c1a0-efe5-61f82849fb7c "How to install multiple Windows updates or hotfixes with only one reboot - Microsoft Support" code: del /f /q %SystemRoot%\PFRO.log - - name: Clear Windows Deployment Upgrade Process Logs + name: Clear Windows update installation logs recommend: standard + docs: |- + This script is used to clear the log files created during the Windows update installation process. This includes both + the actions log (`setupact.log`) and the error log (`setuperr.log`). + + These files contains information about initializing setup and typically used if setup fails to launch [1]. 
+ + [1]: https://web.archive.org/web/20230806191844/https://learn.microsoft.com/en-us/windows/deployment/upgrade/log-files "Log files and resolving upgrade errors - Windows Deployment | Microsoft Learn" code: |- del /f /q %SystemRoot%\setupact.log del /f /q %SystemRoot%\setuperr.log - - name: Clear Windows Setup Logs + name: Clear Windows setup Logs recommend: standard docs: https://support.microsoft.com/en-gb/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows code: |- 
@@ -644,35 +666,35 @@ actions: del /f /q %SystemRoot%\inf\setupapi.dev.log del /f /q %SystemRoot%\inf\setupapi.offline.log - - name: Clear Windows System Assessment Tool logs + name: Clear "Windows System Assessment Tool (`WinSAT`)" logs recommend: standard docs: https://docs.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal code: del /f /q %SystemRoot%\Performance\WinSAT\winsat.log - - name: Clear Password change events + name: Clear password change events recommend: standard code: del /f /q %SystemRoot%\debug\PASSWD.LOG - name: Clear user web cache database recommend: standard docs: https://support.microsoft.com/en-gb/help/4056823/performance-issue-with-custom-default-user-profile - code: del /f /q %localappdata%\Microsoft\Windows\WebCache\*.* + code: del /f /q %LOCALAPPDATA%\Microsoft\Windows\WebCache\*.* - - name: Clear system temp folder when no one is logged in + name: Clear system temp folder when not logged in recommend: standard code: del /f /q %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.* - - name: Clear DISM (Deployment Image Servicing and Management) Logs + name: Clear DISM (Deployment Image Servicing and Management) system logs recommend: standard docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files code: |- - del /f /q %SystemRoot%\Logs\CBS\CBS.log - del /f /q %SystemRoot%\Logs\DISM\DISM.log + del /f /q %SystemRoot%\Logs\CBS\CBS.log + del /f /q %SystemRoot%\Logs\DISM\DISM.log - - name: Clear WUAgent (Windows Update History) logs + name: Clear Windows Update History (`WUAgent`) system logs docs: https://social.technet.microsoft.com/Forums/ie/en-US/f5744a18-d4ca-4631-8324-878b9225251d/windowssoftwaredistribution-folder-cleanup-automation?forum=winserverwsus - code: |- # `sc queryex` output is same in every OS language - setlocal EnableDelayedExpansion + code: |- # `sc queryex` output is the same in every OS language + setlocal 
EnableDelayedExpansion SET /A wuau_service_running=0 SC queryex "wuauserv"|Find "STATE"|Find /v "RUNNING">Nul||( SET /A wuau_service_running=1 
@@ -684,23 +706,33 @@ actions: ) endlocal - - name: Clear Server-initiated Healing Events Logs + name: Clear Server-initiated Healing Events system logs code: del /f /q "%SystemRoot%\Logs\SIH\*" - - name: Common Language Runtime Logs + name: Clear Common Language Runtime system logs recommend: standard code: |- - del /f /q "%LocalAppData%\Microsoft\CLR_v4.0\UsageTraces\*" - del /f /q "%LocalAppData%\Microsoft\CLR_v4.0_32\UsageTraces\*" + del /f /q "%LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageTraces\*" + del /f /q "%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageTraces\*" - - name: Network Setup Service Events Logs + name: Clear Network Setup Service Events system logs recommend: standard code: del /f /q "%SystemRoot%\Logs\NetSetup\*" - - name: Disk Cleanup tool (Cleanmgr.exe) Logs + name: Clear logs generated by Disk Cleanup Tool (`cleanmgr.exe`) + docs: |- + This script is used to clear the log files generated by the Disk Cleanup Tool (cleanmgr.exe). These logs are + generated when the Disk Cleanup Tool is used to free up disk space. Log files for this tool are stored in + `C:\Windows\System32\LogFiles\setupcln\` [1]. + + Erasing these logs can enhance user privacy by removing traces of the cleanup process. These logs are known to + be used in forensic analysis [2]. + + [1]: https://web.archive.org/web/20230806192546/https://ss64.com/nt/cleanmgr.html "Cleanmgr - Delete Junk and Temp files - Windows CMD - SS64.com" + [2]: https://web.archive.org/web/20230806192800/https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ "Beyond good ol’ Run key, Part 86 | Hexacorn" code: del /f /q "%SystemRoot%\System32\LogFiles\setupcln\*" - - name: Clear main telemetry file + name: Clear primary Windows telemetry file recommend: standard code: |- if exist "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" ( 
@@ -712,7 +744,7 @@ actions: echo "Main telemetry file does not exist. Good!" ) - - name: Clear Event Logs in Event Viewer + name: Clear event logs in Event Viewer application docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information code: |- REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral @@ -724,7 +756,7 @@ actions: - name: Clear Defender scan (protection) history docs: |- - This script deletes the scan history kept by Windows Defender on your computer. Windows Defender logs detected threats but also gathers + This script deletes the scan history kept by Microsoft Defender on your computer. Microsoft Defender logs detected threats but also gathers and stores data about various other files it scans [1] [2]. While removing this history enhances your privacy, it might decrease security, as these logs assist in monitoring threats. By eliminating traces of your system's files, activities and any threats detected, you ensure no residual data can be utilized to study or analyze your computer's activities, thus protecting your privacy. 
@@ -742,15 +774,15 @@ actions: - **File Size**: The size of the file. When you first set up Windows, it conducts an initial scan [1]. This scan identifies system files that won't require future - scans [1]. These 'safe' files are saved in a unique folder, which becomes a part of the scan history [1]. + scans [1]. These 'safe' files are saved in a unique folder, which becomes a part of the scan history [1]. - If a threat is recognized, Windows Defender will notify you [4]. Regardless of whether you choose to run the file or not, a + If a threat is recognized, Microsoft Defender will notify you [4]. Regardless of whether you choose to run the file or not, a `DetectionHistory` file is created [2]. This file is stored in a specific folder (`%ProgramData%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\[numbered folder]\`), and it contains a system-generated ID for the event [2]. > **Caution**: Deleting these logs may decrease your security. These logs help in keeping track of potential threats and their sources, - allowing for a more proactive response in future encounters. Without this history, Windows Defender might not recognize recurring threats + allowing for a more proactive response in future encounters. Without this history, Microsoft Defender might not recognize recurring threats as quickly, possibly leaving your system more vulnerable. It's essential to understand that you're making a trade-off between enhanced privacy and potentially reduced security. 
@@ -759,11 +791,11 @@ actions: [3]: https://web.archive.org/web/20230829144957/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/defender/msft-mpthreatdetection "MSFT\_MpThreatDetection class | Microsoft Learn" [4]: https://web.archive.org/web/20230829144434/https://forensafe.com/blogs/windows_defender.html "Windows Defender | Forensafe" call: - function: RunInlineCodeAsTrustedInstaller # Otherwise it cannot access/delete files under `Scans\History`, see https://github.com/undergroundwires/privacy.sexy/issues/246 + function: RunInlineCodeAsTrustedInstaller # Otherwise it cannot access/delete files under `Scans\History`, see https://github.com/undergroundwires/privacy.sexy/issues/246 parameters: code: del "%ProgramData%\Microsoft\Windows Defender\Scans\History" /s /f /q - - name: Clear credentials from Windows Credential Manager + name: Clear credentials in Windows Credential Manager code: |- cmdkey.exe /list > "%TEMP%\List.txt" findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt" @@ -771,12 +803,12 @@ actions: del "%TEMP%\List.txt" /s /f /q del "%TEMP%\tokensonly.txt" /s /f /q - - name: Delete controversial default0 user + name: Remove the controversial `default0` user docs: https://github.com/undergroundwires/privacy.sexy/issues/30 recommend: standard code: net user defaultuser0 /delete 2>nul - - name: Empty trash bin + name: Empty trash (Recycle Bin) call: function: RunPowerShell parameters: 
@@ -787,23 +819,45 @@ actions: Remove-Item $_.Path -Recurse -Force } - - name: Enable Reset Base in Dism Component Store + name: Minimize DISM "Reset Base" update data recommend: standard + docs: |- + This script diminishes unnecessary system data, thus enhancing your privacy and performance. + + The **DISM tool** is used to manage Windows images and is often used to fix issues with the Windows operating system [1]. + + The **"Reset Base"** option can help to reduce the size of the WinSxS folder [2]. Once, "Reset Base" is enabled, you cannot + uninstall any previous updates [2]. This script activates the **"Reset Base"** feature, minimizing the size of WinSxS folder. + It contributes to the reduction of redundant data, enhancing both the performance of your system and your privacy. + + The **WinSxS folder**, also known as the "Windows Side by Side" folder, is a component of the Windows operating system [3]. + It is located in the Windows directory (for example, `C:\Windows\WinSxS`) [3]. The WinSxS folder is used to store system + components that are required for the installation of Windows [3]. It also stores components that are added to the system + through Windows updates [3]. + + **Windows Component Store** contains all the files that are required to Windows features on demand [3]. + + WARNING: Once the "Reset Base" operation is activated, you will not be able to uninstall previous updates. However, this + small trade-off improves your privacy and control over system data. 
+ + [1]: https://web.archive.org/web/20230806160623/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/what-is-dism?view=windows-11 "DISM Overview | Microsoft Learn" + [2]: https://web.archive.org/web/20230806160827/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11 "Clean Up the WinSxS Folder | Microsoft Learn" + [3]: https://web.archive.org/web/20230710000943/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/manage-the-component-store?view=windows-11 "Manage the Component Store | Microsoft Learn" code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f - - name: Clear Windows Product Key from Registry + name: Remove Windows product key from registry # Helps to protect it from being stolen and used for identity theft or identifying you. docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/ # We use cscript.exe to execute instead of `slmgr` command directly to keep the output but surpress the dialogs. code: cscript.exe //nologo "%SystemRoot%\system32\slmgr.vbs" /cpky - name: Clear volume backups (shadow copies) - docs: + docs: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods code: vssadmin delete shadows /all /quiet - - - name: Remove Default Apps Associations + - + name: Remove associations of default apps recommend: standard code: dism /online /Remove-DefaultAppAssociations - 
@@ -820,7 +874,7 @@ actions: Deleting this file can enhance user privacy as it contains usage data and is often used for forensic analysis of user behavior [1] [6]. - [1]: https://web.archive.org/web/20231004161122/https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20%28SRUM%29.asciidoc "esedb-kb/documentation/System Resource Usage Monitor (SRUM).asciidoc at main · libyal/esedb-kb | github.com" + [1]: https://web.archive.org/web/20231013164746/https://raw.githubusercontent.com/libyal/esedb-kb/main/documentation/System%20Resource%20Usage%20Monitor%20%28SRUM%29.asciidoc "esedb-kb/documentation/System Resource Usage Monitor (SRUM).asciidoc at main · libyal/esedb-kb | github.com" [2]: https://web.archive.org/web/20231004161112/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809 "Windows 10, version 1809 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn" [3]: https://web.archive.org/web/20231004161132/https://security.opentext.com/appDetails/SRUM-Database-Parser "SRUM Database Parser | security.opentext.com" [4]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#diagnostic-policy-service "Security guidelines for system services in Windows Server 2016 | Microsoft Learn" @@ -876,14 +930,14 @@ actions: icacls "%SystemDrive%\Windows.old" /grant administrators:F /t rd /s /q "%SystemDrive%\Windows.old" echo Deleted previous installation from "%SystemDrive%\Windows.old\" - ) else ( + ) else ( echo No previous Windows installation has been found ) - category: Disable OS data collection children: - - - category: Disable Application Compatibility framework + - + category: Disable Application Compatibility Framework docs: |- This category disables the Application Compatibility (AppCompat) framework on Windows. 
@@ -892,11 +946,11 @@ actions: compatibility of applications on Windows [1]. It is controlled by a set of policies within the Microsoft Windows operating system aimed at enabling applications designed - for older versions of Windows to function properly on newer versions [1]. + for older versions of Windows to function properly on newer versions [1]. However, the Application Compatibility framework involves various forms of data collection that may be considered invasive from a privacy standpoint [1]. It can potentially be exploited to reveal more data about your application usage or to inject your - computer with malware [2] [3] [4]. + computer with malware [2] [3] [4]. By disabling the AppCompat framework, this script contributes to enhancing users' privacy by limiting potential data collection and exposure to malware exploitation. 
@@ -965,20 +1019,20 @@ actions: name: Remove "Program Compatibility" tab from file properties (context menu) recommend: strict docs: |- - This script removes the "Program Compatibility" tab from the file properties context menu. This tab is visible on the property context-m - nu of any program shortcut or executable file, and displays options that can be applied to the application to solve common issues affecting + This script removes the "Program Compatibility" tab from the file properties context menu. This tab is visible on the property context menu + of any program shortcut or executable file, and displays options that can be applied to the application to solve common issues affecting older applications [1]. When enabled, this script prevents the compatibility property page from appearing in the context menus, though it does not impact any prior compatibility settings applied to applications through this interface [1]. - + This script achieves its functionality by modifying a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage` [1]. This setting is often used in organizational environments to prevent end-users from modifying the compatibility settings of applications. It ensures that applications operate with the settings considered most suitable by the system administrator or IT department. This restriction aids in upholding system stability and security by ensuring users cannot run applications in modes recognized to be insecure or unstable. - + This script assists in upholding a more secure and stable environment by barring unauthorized changes to application compatibility settings. The security benefits include: 
@@ -1039,23 +1093,23 @@ actions: The Inventory Collector is a feature in Windows that gathers data about the applications, files, devices, and drivers on your system and sends this information to Microsoft [1]. This process is used to help solve compatibility problems, ensuring that your software and hardware work together without issues [1]. - + Running this script will turn off the Inventory Collector, ensuring no data is sent to Microsoft [1]. It also stops the collection of installation data through the Program Compatibility Assistant [1]. By disabling these features, you prevent potentially sensitive information from being shared and avoid uncontrolled updates to your system [2] [3]. If not disabled, the Inventory Collector remains active, continuing to send data [1]. - + If the Customer Experience Improvement Program is turned off, the Inventory Collector will already be inactive, and running this script will have no effect [1]. - + Disabling Inventory Collector is advised by several organizations and authorities for enhanced security: - + - The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [4] - The Department of Defense (DoD) information systems in the USA [2] - Microsoft, as part of Windows security baseline for Azure [3] - National Institute of Standards and Technology (NIST) in the USA [5] - + This advice is based on the principle of limiting the amount of data shared, contributing to better privacy and security. - + When you run this script, it modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory`) to turn off the Inventory Collector [1]. Note that disabling the Inventory Collector could impact the functionality of certain features that rely on system information and updates [2] [3]. 
@@ -1074,7 +1128,7 @@ actions: category: Disable Program Compatibility Assistant (PCA) docs: |- This category covers disabling the Program Compatibility Assistant (PCA) in Windows. - + The PCA is designed to help users run desktop applications created for earlier versions of Windows by tracking and identifying known compatibility issues [1]. When an issue is detected, PCA offers the user a recommended fix to help the app run better on Windows [1]. @@ -1121,7 +1175,7 @@ actions: docs: |- This script disables the Program Compatibility Assistant (PCA) feature in Windows [1]. - The purpose include: + The purposes include: - Enhances privacy by stopping the continuous monitoring and data collection by PCA. The PCA monitors applications run by the user [1]. - Users gain more control over their system by manually managing application compatibility issues. When a potential compatibility issue with an 
@@ -1136,13 +1190,13 @@ actions: By default, if you do not run this script or disable PCA manually, the PCA will be turned on [1]. - Once this script is executed and PCA is turned off, the user won't be presented with solutions to known compatibility issues when running applications [1] + Once this script is executed and PCA is turned off, the user won't be presented with solutions to known compatibility issues when running applications [1]. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprogramcompatibilityassistant_2 "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 - - name: Disable "Program Compatibility Assistant Service" (`PcaSvc`) service + name: Disable "Program Compatibility Assistant Service" (`PcaSvc`) recommend: standard docs: |- This script disables the "Program Compatibility Assistant Service" (`PcaSvc`) in Windows [1]. @@ -1169,7 +1223,7 @@ actions: category: Disable Windows telemetry and data collection children: - - name: Disable Customer Experience Improvement (CEIP/SQM) + name: Disable Customer Experience Improvement Program (CEIP) docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f 
@@ -1178,7 +1232,7 @@ actions: category: Disable diagnostics telemetry services children: - - name: Disable connected user experiences and telemetry service # Connected User Experiences and Telemetry + name: Disable "Connected User Experiences and Telemetry" (`DiagTrack`) service # Connected User Experiences and Telemetry recommend: standard docs: http://batcmd.com/windows/10/services/diagtrack/ call: @@ -1187,7 +1241,7 @@ actions: serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - - name: Disable WAP push message routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service + name: Disable WAP push notification routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service recommend: standard docs: http://batcmd.com/windows/10/services/dmwappushservice/ call: @@ -1196,7 +1250,7 @@ actions: serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Disable diagnostics hub standard collector service # Microsoft (R) Diagnostics Hub Standard Collector + name: Disable "Diagnostics Hub Standard Collector" service docs: http://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/ call: function: DisableService @@ -1204,7 +1258,7 @@ actions: serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Disable diagnostic execution service # Diagnostic Execution Service + name: Disable "Diagnostic Execution Service" (`diagsvc`) docs: http://batcmd.com/windows/10/services/diagsvc/ call: function: DisableService 
@@ -1223,18 +1277,18 @@ actions: schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /ENABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /ENABLE - - category: Disable Webcam Telemetry (devicecensus.exe) + category: Disable Webcam Telemetry (`devicecensus.exe`) docs: - https://www.ghacks.net/2019/09/23/what-is-devicecensus-exe-on-windows-10-and-why-does-it-need-internet-connectivity/ - https://answers.microsoft.com/en-us/windows/forum/windows_10-security/devicecensusexe-and-host-process-for-windows-task/520d42a2-45c1-402a-81de-e1116ecf2538 children: - - name: Disable devicecensus.exe (telemetry) task + name: Disable `devicecensus.exe` (telemetry) task recommend: standard code: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /enable - - name: Disable devicecensus.exe (telemetry) process + name: Disable `devicecensus.exe` (telemetry) process recommend: standard call: function: KillProcessWhenItStarts @@ -1274,7 +1328,7 @@ actions: code: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /enable - - name: Disable "Disable apps to improve performance" reminder + name: Disable the reminder to "Disable apps to improve performance" recommend: strict docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ code: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable 
@@ -1283,10 +1337,10 @@ actions: category: Disable enterprise/business focused data collection docs: |- This category contains scripts to disable data collection capabilities focused on enterprise/business uses. - + The scripts target various Windows features like Desktop Analytics, Windows Update for Business, and Azure services. These capabilities are meant to provide insights for IT administrators but collect and transmit data from end user devices. - + By disabling these enterprise/business focused data collection features, you can increase privacy and reduce data sharing from your personal device. However, note that some functionality expected by business IT administrators may be reduced. @@ -1306,9 +1360,9 @@ actions: To enable data collection, Desktop Analytics configures settings on the device registry and group policies related to commercial ID, telemetry levels, and data sharing [2]. - - While this data sharing raises potential privacy concerns, Microsoft states that privacy controls allow organizations - o limit data collection [1]. + + While this data sharing raises potential privacy concerns, Microsoft states that privacy controls allow organizations + to limit data collection [1]. Desktop Analytics is retired since November 30, 2022 in favor of Microsoft Intune and Configuration Manager [3]. @@ -1317,7 +1371,7 @@ actions: [3]: https://web.archive.org/web/20230601065209/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/whats-new "What's new in Desktop Analytics - Configuration Manager | Microsoft Learn" children: - - name: Disable Desktop Analytics Processing + name: Disable processing of Desktop Analytics recommend: strict docs: |- This script ensures that Microsoft does not process Windows diagnostic data from your device [1]. 
@@ -1330,11 +1384,11 @@ actions: that information about the usage and performance of your device will not be sent to Microsoft's Desktop Analytics service [1][2]. [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowdesktopanalyticsprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" - [2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing"" + [2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing | admx.help" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /f - - name: Prevent device name to be sent in Windows diagnostic data + name: Disable sending device name in Windows diagnostic data recommend: strict docs: |- This script enhances privacy by ensuring that the name of your device is anonymized in any diagnostic data collected by Microsoft Desktop Analytics [1]. 
@@ -1343,7 +1397,7 @@ actions: Since the release of Windows 10, version 1803, the device name is not included in the diagnostic data by default [1]. This script guarantees that this privacy-enhancing measure remains in place [1]. - When implemented, it changes a specific registry setting, `AllowDeviceNameInTelemetry`, which controls whether the device name is included + When implemented, it changes a specific registry setting, `AllowDeviceNameInTelemetry`, which controls whether the device name is included in Windows diagnostic data [2]. The script sets this value to `0`, thus disabling the inclusion of the device name in the data [2]. [1]: https://web.archive.org/web/20220903043346/https://docs.microsoft.com/en-US/mem/configmgr/desktop-analytics/enroll-devices#device-name "Enroll devices in Desktop Analytics - Configuration Manager | Microsoft Docs" 
@@ -1356,15 +1410,15 @@ actions: docs: |- This script configures Microsoft Edge to prevent it from sending your browsing history data to Desktop Analytics [1]. This browsing data can include information from either your intranet or internet history, or both [1]. - + When you use Microsoft Edge for browsing, it can collect and send your browsing history to Desktop Analytics, a Microsoft service that helps enterprises to analyze and improve their IT environment. If this setting is disabled, Microsoft Edge does not send any browsing history data, thereby enhancing your privacy. - + The script achieves this by modifying a specific value in the Windows Registry. The specific value that the script modifies is `MicrosoftEdgeDataOptIn` located at `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`. The script sets this value to `0`, which indicates to Microsoft Edge that it should not send browsing history data to Desktop Analytics [1]. - + While enhancing privacy, this could limit the functionality of Desktop Analytics for enterprises that rely on this service for IT insights. However, for individual users, this script can help prevent unwanted data collection and transmission, contributing to an overall safer browsing experience [1]. @@ -1376,7 +1430,7 @@ actions: name: Disable diagnostics data processing for Business cloud recommend: strict docs: |- - This script controls whether diagnostic data from your device is processed by Windows Update for Business cloud [1] [2]. + This script controls whether diagnostic data from your device is processed by Windows Update for Business cloud [1] [2]. If enabled, the script can enhance privacy by ensuring that diagnostic data from your device is not processed by the Windows Update for Business cloud (WufB) [1], an update management service provided by Microsoft [3]. This service 
@@ -1402,26 +1456,26 @@ actions: Update Compliance is a service provided by Microsoft hosted in Azure, which uses Windows diagnostic data [1]. This service doesn't meet the US Government community compliance (GCC) requirements [1], and is utilized by both Desktop Analytics and Azure Update Management [1]. - + This script is designed to disable the Update Compliance processing of diagnostic data on your device. When this script is run, it modifies the system registry to prevent diagnostic data from your device being processed by Update Compliance. This change in settings increases the privacy of your device by limiting the diagnostic data that can be accessed and analyzed by Microsoft's services. - + Diagnostic data, in this context, includes information about device health, system events, and usage metrics. By disabling the processing of this data, the script helps protect the privacy of your activities on your device [1]. - + This script can be reversed at any time by using the provided `revertCode` if you decide to re-enable the processing of diagnostic data by Update Compliance. - + In technical terms, the script sets the `AllowUpdateComplianceProcessing` value in the `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection` registry path to 0, which disables the processing of diagnostic data by Update Compliance [2]. 
[1]: https://web.archive.org/web/20220703201221/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started "Get started with Update Compliance - Windows Deployment | Microsoft Docs" [2]: https://web.archive.org/web/20220610123725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowUpdateComplianceProcessing "Allow Update Compliance Processing" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /f + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /t REG_DWORD /d 0 /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /f - name: Disable commercial usage of collected data recommend: standard @@ -1432,7 +1486,7 @@ actions: In the default setting, Microsoft operates as the controller of this diagnostic data, thus enabling it to use the data for commercial purposes. This script alters that setting to limit the commercial usage of your data [1] [2]. - + This script does not affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. Moreover, it doesn't change whether diagnostic data is collected or the ability of the user to change the level. 
@@ -1442,9 +1496,9 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /f - - name: Disable diagnostic and usage telemetry data transmission + name: Disable diagnostic and usage telemetry recommend: standard - docs: |- + docs: |- This script improves your privacy by blocking the transmission of diagnostic and usage telemetry data from your Windows device [1]. This includes data about your device's usage, app compatibility, and system performance, which can be sensitive in nature. By stopping this data from being sent, you reduce @@ -1456,8 +1510,7 @@ actions: Upon executing this script, Desktop Analytics will be disabled, as it relies on basic diagnostic data to function [2]. Desktop Analytics is a cloud-based service provided by Microsoft [4]. It provides insights - and intelligence for IT administrators [4]. It is deprecated Desktop Analytics and retired since November - 30, 2022. + and intelligence for IT administrators [4]. Desktop Analytics is deprecated and was retired on November 30, 2022. Once this script is executed, even if the policy permits a telemetry setting of Security or Basic, users will not have the capability to opt for a higher data sharing level [3]. This restriction is limited to the 
@@ -1485,10 +1538,10 @@ actions: This script turns off the OneSettings service, a feature from Microsoft that downloads configuration settings [1]. This action can enhance the privacy and security of your Windows desktop environment by managing a feature called the Services Configuration [1]. - + Services Configuration is a mechanism that various Windows components and apps use to update their settings dynamically [2] [3]. By default, Windows periodically tries to connect with the OneSettings service to download configuration settings [1]. - This script turns off that function, reducing the chance of data being shared with third-party vendors [1]. + This script turns off that function, reducing the chance of data being shared with third-party vendors [1]. This script is recommended by CIS Microsoft Windows Desktop Benchmarks [1]. Please be aware that turning off this service might affect how certain apps that rely on this service work [3]. @@ -1499,7 +1552,7 @@ actions: If you want to limit how much data is sent to Microsoft, turning off the OneSettings service can help enhance your privacy [1]. For more information about the impact of OneSettings on privacy, visit [docs.microsoft.com](https://web.archive.org/web/20230803030919/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809). - + This script lets you manage your privacy by restricting the automatic configuration updates of Windows components and apps, including telemetry services, from the cloud [3] [1]. 
@@ -1589,13 +1642,13 @@ actions: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f - - name: Do not include drivers with Windows Updates + name: Disable inclusion of drivers with Windows updates docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate recommend: strict code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f - - name: Prevent Windows Update for device driver search + name: Disable Windows Update device driver search docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965 recommend: strict code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f 
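Review bot: The renamed entry `Disable inclusion of drivers with Windows updates` lowercases "updates", while the entry renamed directly below it keeps the product name as `Windows Update`. The naming guidelines added in this patch ask for official brand casing and for the "Disable XX ..." word order, so something like `Disable Windows Update driver inclusion` would keep the two adjacent names consistent.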
@@ -1656,7 +1709,7 @@ actions: [3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov" [4]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t "REG_DWORD" /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /f 2>nul # Key does not exists since Windows 10 21H2, Windows 11 22H2 + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2 - name: Disable "Delivery Optimization" service (breaks Microsoft Store downloads) recommend: strict 
@@ -1690,38 +1743,38 @@ actions: [8]: https://github.com/undergroundwires/privacy.sexy/issues/173 "[BUG] Error 0x80004002 on Microsoft Store when attempting to download an app · Issue #173 · undergroundwires/privacy.sexy" call: function: DisableServiceInRegistry - # Using registry way because because other options such as "sc config" or + # Using registry way because other options such as "sc config" or # "Set-Service" returns "Access is denied" since Windows 10 1809. parameters: serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - - name: Disable cloud speech recognition + name: Disable cloud-based speech recognition recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f - - name: Disable active probing (pings to MSFT NCSI server) + name: Disable active probing to Microsoft NCSI server recommend: strict code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f - - name: Opt out from Windows privacy consent + name: Opt out of Windows privacy consent recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f - - name: Disable Windows feedback + name: Disable Windows feedback collection recommend: standard docs: 
https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: |- - reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f + reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f - - name: Disable text and handwriting collection + name: Disable text and handwriting data collection recommend: standard code: |- reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f @@ -1735,12 +1788,12 @@ actions: reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f - - category: Deny app access to personal information + category: Disable app access to personal information children: - - name: Deny app access to location + name: Disable app access to location recommend: standard - docs: + docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation # LetAppsAccessLocation - https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ # ConsentStore\location - https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/ # lfsvc\Service\Configuration 
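Review bot: The corrected comment in the `DoSvc` entry (hunk at -1690) still has a subject-verb mismatch and a missing article: "Using registry way because other options such as "sc config" or "Set-Service" returns ...". Since the line is being touched anyway, consider "Using the registry because other options such as ... return "Access is denied" since Windows 10 1809".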
@@ -1763,7 +1816,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /f - - name: Deny app access to account info, name, and picture + name: Disable app access to account information, name, and picture recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo code: |- @@ -1785,7 +1838,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /f - - name: Deny app access to motion data + name: Disable app access to motion data recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion code: |- @@ -1803,7 +1856,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /f - - name: Deny app access to phone + name: Disable app access to phone recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone code: |- 
@@ -1819,7 +1872,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /f - - name: Deny app access to trusted devices + name: Disable app access to trusted devices docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices recommend: standard code: |- @@ -1839,7 +1892,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /f - - name: Deny app sync with devices (unpaired, beacons, TVs, etc.) + name: Disable app sync with devices (unpaired, beacons, TVs, etc.) recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices code: |- @@ -1855,8 +1908,8 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /f - - name: Deny app access to camera - docs: + name: Disable app access to camera + docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kscategory-video-camera - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscamera code: |- 
@@ -1878,8 +1931,8 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /f - - name: Deny app access to microphone - docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophonee + name: Disable app access to microphone + docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) @@ -1899,11 +1952,11 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f - - name: Deny apps share and sync non-explicitly paired wireless devices over uPnP + name: Disable app share and sync for non-explicitly paired wireless devices code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f - - name: Deny app access to diagnostics info about your other apps + name: Disable app access to diagnostic information about other apps recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo code: |- 
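Review bot: In the hunk at -1899, the new name `Disable app share and sync for non-explicitly paired wireless devices` drops the "over uPnP" qualifier, and this entry has no `docs:` field from which a reader could recover it. Either keep the protocol in the name or add a short `docs:` note saying that the `LooselyCoupled` value is what governs this behaviour.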
@@ -1921,30 +1974,30 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /f - - category: Deny app access to your file system + category: Disable app access to your file system children: - - name: Deny app access to Document folder + name: Disable app access to "Documents" folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f - - name: Deny app access to Pictures folder + name: Disable app access to "Pictures" folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f - - name: Deny app access to Videos folder + name: Disable app access to "Videos" folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f - - name: Deny app access to other filesystem + name: Disable app access to other filesystems recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add 
"HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Allow" /t REG_SZ /f - - name: Deny app access to your contacts + name: Disable app access to your contacts recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts code: |- @@ -1966,7 +2019,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /f - - name: Deny app access to Notifications + name: Disable app access to Notifications recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications code: |- @@ -1988,7 +2041,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /f - - name: Deny app access to Calendar + name: Disable app access to Calendar recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar code: |- @@ -2010,7 +2063,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /f - - name: Deny app access to call history + name: Disable app access to call history recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory code: |- 
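Review bot: The hunk at -1921 introduces two spellings of the same term: the category becomes `Disable app access to your file system` while its child becomes `Disable app access to other filesystems`. Pick one spelling, since the new guidelines put consistency first. In the following hunks `Disable app access to Notifications` and `Disable app access to Calendar` keep their capitalised nouns although the guidelines ask for sentence case; lowercase them unless they are meant as product names.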
@@ -2033,13 +2086,13 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /f - - name: Deny app access to email + name: Disable app access to email recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d DENY /f + reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /t REG_MULTI_SZ /f @@ -2055,7 +2108,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /f - - name: Deny app access to tasks + name: Disable app access to tasks recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks code: |- 
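Review bot: In the email entry (hunk at -2033) the data written to the `{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}` value changes from `DENY` to `"Deny"`, which alters what the script writes and is not only a naming cleanup. Mention it in the change description, and check that the matching `revertCode` line, which this hunk does not show, uses the same quoting and casing for its value.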
@@ -2073,9 +2126,9 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /f - - name: Deny app access to messaging (SMS / MMS) - docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging + name: Disable app access to messaging (SMS / MMS) recommend: standard + docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) @@ -2097,7 +2150,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /f - - name: Deny app access to radios + name: Disable app access to radios recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios code: |- @@ -2119,7 +2172,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /f - - name: Deny app access to bluetooth devices + name: Disable app access to Bluetooth devices recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f 
@@ -2127,7 +2180,7 @@ actions: category: Disable app access to voice activation children: - - name: Disable apps and Cortana to activate with voice + name: Disable voice activation for apps including Cortana recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice code: |- @@ -2139,7 +2192,7 @@ actions: :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /f - - name: Disable apps and Cortana to activate with voice when sytem is locked + name: Disable voice activation for apps including Cortana on locked system recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock code: |- @@ -2154,16 +2207,16 @@ actions: category: Disable location access children: - - name: Turn off Windows Location Provider + name: Disable Windows Location Provider code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f + revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f - - name: Turn off location scripting + name: Disable location scripting recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f - - name: Turn off location + name: Disable location recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f 
@@ -2176,18 +2229,18 @@ actions: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f - - name: Turn off sensors + name: Disable device sensors recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f - - category: Disable windows search data collection + category: Disable Windows search data collection children: - - category: Disable cortana + category: Disable Cortana children: - - name: Do not allow Cortana + name: Disable Cortana when searching recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana 
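Review bot: In the hunk at -2176, renaming `Do not allow Cortana` to `Disable Cortana when searching` narrows the stated scope, but the entry's docs link still points at the `AllowCortana` policy and the script itself is unchanged. Confirm against the linked policy description that the setting only affects search; if it disables Cortana as a whole, a name such as `Disable Cortana` would describe it more accurately.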
@@ -2195,12 +2248,12 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f - - name: Do not allow Cortana experience + name: Disable Cortana experience recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f - - name: Do not allow search and Cortana to search cloud sources like OneDrive and SharePoint + name: Disable Cortana's access to cloud services such as OneDrive and SharePoint recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f @@ -2212,12 +2265,12 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f - - name: Opt out from Cortana consent + name: Disable participation in Cortana data collection recommend: standard code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 10 /f - - name: Do not allow Cortana to be enabled + name: Disable enabling of Cortana recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 1 /f 
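Review bot: In the hunk at -2195, the new name `Disable Cortana's access to cloud services such as OneDrive and SharePoint` drops "search" from the old wording, yet the script sets `AllowCloudSearch` under the `Windows Search` policy key and the docs link is `policy-csp-search#search-allowcloudsearch`. Keep search in the name, for example `Disable search and Cortana access to cloud sources such as OneDrive and SharePoint`, so users are not led to think only Cortana is affected.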
@@ -2225,26 +2278,26 @@ actions: name: Disable Cortana (Internet search results in start menu) recommend: standard code: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f + reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f revertCode: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f - category: Disable Cortana history children: - - name: Prevent Cortana from displaying history + name: Disable Cortana's history display recommend: standard - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f - revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f + code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f + revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f - - name: Prevent Cortana from using device history + name: Disable Cortana's device history usage recommend: standard - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f - revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f + code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f + revertCode: reg add 
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f - - name: Remove the Cortana taskbar icon + name: Remove Cortana taskbar icon recommend: standard code: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /t REG_DWORD /d 0 /f revertCode: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /f @@ -2271,7 +2324,7 @@ actions: code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 1 /f - - name: Disable using Cortana even when device is locked + name: Disable Cortana on locked device recommend: standard code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 1 /f 
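Review bot: The two `revertCode` lines in the Cortana history entries (hunk at -2225) are only whitespace-trimmed here, but they look wrong as written: `reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f` has no `/t` or `/d`, so it overwrites the DWORD 0 with an empty string value instead of restoring the previous state. The same applies to `DeviceHistoryEnabled`. Use `reg delete ... /v "HistoryViewEnabled" /f` or supply an explicit `/t REG_DWORD /d` value in the revert.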
@@ -2289,19 +2342,19 @@ actions: category: Configure Windows search indexing children: - - name: Disable search indexing encrypted items / stores + name: Disable indexing of encrypted items and stores recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowindexingencryptedstoresoritems code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f - - name: Do not use automatic language detection when indexing + name: Disable automatic language detection when indexing recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-alwaysuseautolangdetection code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 1 /f - - name: Do not allow search to use location + name: Disable search's access to location recommend: standard docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation 
@@ -2317,9 +2370,9 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 0 /f - - name: Do not search the web or display web results in Search + name: Disable web search and results in search docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies - recomend: standard + recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 1 /f - 
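Review bot: Correcting `recomend: standard` to `recommend: standard` in the `ConnectedSearchUseWeb` entry changes behaviour: the misspelled key presumably meant this script was never picked up by the standard recommendation, and it will be from now on. Note that in the change description, and consider having the collection loader reject unknown keys so a misspelled field fails at build time instead of being silently ignored.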
@@ -2328,20 +2381,20 @@ actions: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 1 /f - - category: Disable targeted ads and marketing - children: + category: Disable targeted advertisements and marketing + children: - name: Disable ad customization with Advertising ID recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general code: |- - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f + reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f revertCode: |- - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f + reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f - - category: Disable cloud-based tips and ads + category: Disable cloud-based advertising and tips children: - name: Disable Windows Tips 
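Review bot: The two category renames in this hunk expand "ads" differently: `Disable targeted advertisements and marketing` and `Disable cloud-based advertising and tips`, while the child entry keeps `Disable ad customization with Advertising ID`. Settle on one term for the same concept across the three names, in line with the consistency rule in the new guidelines.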
@@ -2350,7 +2403,7 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f - - name: Disable Windows Spotlight (random wallpaper on lock screen) + name: Disable Windows Spotlight (shows random wallpapers on lock screen) recommend: strict docs: |- The script disables the Windows Spotlight feature. Windows Spotlight is a feature in Windows 10 and Windows 11 [1] that automatically downloads @@ -2370,9 +2423,9 @@ actions: [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" [4]: https://web.archive.org/web/20230911110921/https://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/Windows10andWindowsServer2016PolicySettings.xlsx "Group Policy Settings Reference - Microsoft" code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /f 2>nul # Key does not exists since Windows 10 21H2, Windows 11 22H2 + revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2 - - name: Disable Microsoft consumer experiences + name: Disable Microsoft Consumer Experiences recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771 
@@ -2381,7 +2434,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f - - name: Turn Off Suggested Content in Settings app + name: Disable suggested content in Settings app recommend: standard docs: - https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 @@ -2398,13 +2451,13 @@ actions: category: Disable biometrics (breaks fingerprinting/facial login) children: - - name: Do not allow the use of biometrics + name: Disable use of biometrics recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f - - name: Do not allow users to log on using biometrics + name: Disable biometric logon recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f 
@@ -2421,14 +2474,14 @@ actions: serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Disable Wi-Fi sense + name: Disable Wi-Fi Sense recommend: standard code: |- - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f - - name: Hide most used apps (tracks app launch) + name: Disable app launch tracking (hides most-used apps) docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10 recommend: strict code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f 
@@ -2437,10 +2490,10 @@ actions: name: Disable Website Access of Language List recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general - code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f + code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f + revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f - - name: Disable Auto Downloading Maps + name: Disable automatic map downloads recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f 
@@ -2449,24 +2502,24 @@ actions: name: Disable game screen recording recommend: standard code: |- - reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f + reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f - - name: Disable Windows DRM internet access + name: Disable internet access for Windows DRM docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - - name: Disable feedback on write (sending typing info) + name: Disable typing feedback (sends typing data) recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - - - name: Disable Activity Feed + - + name: Disable Activity Feed feature recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f - - + - category: Disable Windows Insider Program children: - @@ -2481,7 +2534,7 @@ actions: serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Do not let Microsoft try features on this build + name: Disable Microsoft feature trials docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation recommend: standard code: |- 
@@ -2493,13 +2546,13 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f - - name: Disable getting preview builds of Windows + name: Disable receipt of Windows preview builds docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f - - name: Remove "Windows Insider Program" from Settings + name: Remove "Windows Insider Program" from Settings docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/ code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f 
@@ -2508,65 +2561,65 @@ actions: docs: https://support.microsoft.com/en-us/help/4026102/windows-10-about-sync-settings children: - - name: Disable all settings sync + name: Disable all settings synchronization recommend: standard - enabler: all those bottom + # This script is a master switch that disables all other types of setting synchronizations in this category. code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f - - name: Disable Application Setting Sync + name: Disable "Application" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - - name: Disable App Sync Setting Sync + name: Disable "App Sync" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f - - name: Disable Credentials Setting Sync + name: Disable "Credentials" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add 
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f - - name: Disable Desktop Theme Setting Sync + name: Disable "Desktop Theme" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f - - name: Disable Personalization Setting Sync + name: Disable "Personalization" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - - name: Disable Start Layout Setting Sync + name: Disable "Start Layout" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f - - name: Disable Web Browser Setting Sync + name: Disable "Web Browser" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f - - name: Disable Windows Setting Sync + name: Disable "Windows" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f 
- - name: Disable Language Setting Sync + name: Disable "Language" setting synchronization recommend: standard docs: - https://winaero.com/turn-on-off-sync-settings-windows-10/ @@ -2576,7 +2629,7 @@ actions: revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 1 /f - category: Configure programs - children: + children: - category: Disable Visual Studio data collection docs: |- @@ -2584,7 +2637,7 @@ actions: These do not clean existing data collected about you locally or on cloud servers. children: - - name: Opt-out from Visual Studio Customer Experience Improvement Program (VSCEIP) + name: Disable participation in Visual Studio Customer Experience Improvement Program (VSCEIP) recommend: standard docs: |- `VSCEIP` collects information about errors, computer hardware, and how people use Visual Studio [1]. @@ -2600,7 +2653,7 @@ actions: - 32bit: `HKLM\SOFTWARE\Microsoft\VSCommon` - 64bit: `HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon` - + Key `OptIn` can have two different values [1]: - `0` is opted out (turn off) @@ -2700,7 +2753,7 @@ actions: name: Disable Diagnostics Hub log collection docs: |- Diagnostics Hub is online data collection point for diagnostic tools used by Visual Studio. - It can be disabled by deleting `LogLevel` and `LogDirectory` registery keys [1] and enabled by adding them [2] [3] [4] [5]. + It can be disabled by deleting `LogLevel` and `LogDirectory` registry keys [1] and enabled by adding them [2] [3] [4] [5]. The registry keys are not set after installation since Visual Studio 2022. 
@@ -2716,12 +2769,12 @@ actions: reg add "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /t REG_SZ /d "All" /f ) - - name: Opt-out from IntelliCode data collection + name: Disable participation in IntelliCode data collection recommend: standard docs: |- [IntelliCode for Visual Studio](https://learn.microsoft.com/en-us/visualstudio/intellicode/intellicode-visual-studio) provides AI based suggestions for the code. - + IntelliCode does not send any code to Microsoft servers as long as team completion model training is not used [1] [2]. This script opts-out from it without breaking the functionality of IntelliCode for local models. @@ -2747,20 +2800,20 @@ actions: code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1 revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0 - - name: Disable PowerShell 7+ telemetry + name: Disable PowerShell telemetry recommend: standard docs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry code: setx POWERSHELL_TELEMETRY_OPTOUT 1 revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0 - - category: Disable NVIDIA telemetry + category: Disable Nvidia telemetry docs: - https://github.com/privacysexy-forks/nVidia-modded-Inf - https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry - https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20 children: - - name: Uninstall NVIDIA telemetry tasks + name: Remove Nvidia telemetry tasks recommend: standard code: |- if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" ( 
@@ -2768,29 +2821,29 @@ actions: rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry ) - - name: Delete NVIDIA residual telemetry files + name: Clear Nvidia residual telemetry files recommend: standard code: |- del /s %SystemRoot%\System32\DriverStore\FileRepository\NvTelemetry*.dll rmdir /s /q "%ProgramFiles(x86)%\NVIDIA Corporation\NvTelemetry" 2>nul rmdir /s /q "%ProgramFiles%\NVIDIA Corporation\NvTelemetry" 2>nul - - name: Opt out from NVIDIA telemetry + name: Disable participation in Nvidia telemetry recommend: standard call: function: RunInlineCode parameters: code: |- - reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f revertCode: |- - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f + reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" 
/v "OptInOrOutPreference" /f + reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f + reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f + reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f - name: Disable Nvidia Telemetry Container service @@ -2803,7 +2856,7 @@ actions: # Description: "Container service for NVIDIA Telemetry" defaultStartupMode: Automatic - - name: Disable NVIDIA telemetry services + name: Disable Nvidia telemetry services recommend: standard code: |- schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE @@ -2838,7 +2891,7 @@ actions: setting: telemetry.enableCrashReporter powerShellValue: $false - - name: Do not run Microsoft online experiments + name: Disable online experiments by Microsoft in Visual Studio Code docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173 recommend: standard call: @@ -2847,14 +2900,14 @@ actions: setting: workbench.enableExperiments powerShellValue: $false - - name: Choose manual updates over automatic updates + name: Disable Visual Studio Code automatic updates in favor of manual updates call: function: SetVsCodeSetting parameters: setting: update.mode powerShellValue: manual - - name: Show Release Notes from Microsoft online service after an update + name: Disable fetching release notes from Microsoft servers after an update call: function: SetVsCodeSetting parameters: 
@@ -2875,14 +2928,14 @@ actions: setting: extensions.showRecommendationsOnlyOnDemand powerShellValue: $true - - name: Automatically fetch git commits from remote repository + name: Disable automatic fetching of remote repositories in Visual Studio Code call: function: SetVsCodeSetting parameters: setting: git.autofetch powerShellValue: $false - - name: Fetch package information from NPM and Bower + name: Disable fetching package information from NPM and Bower in Visual Studio Code call: function: SetVsCodeSetting parameters: @@ -2918,7 +2971,7 @@ actions: reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f - - name: Disable client telemetry + name: Disable Microsoft Office client telemetry recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f @@ -2931,7 +2984,7 @@ actions: reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f - - name: Customer Experience Improvement Program + name: Disable Microsoft Office Customer Experience Improvement Program docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 recommend: standard code: |- @@ -2941,7 +2994,7 @@ actions: reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f - - name: Disable feedback + name: Disable Microsoft Office feedback recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f 
@@ -2950,7 +3003,7 @@ actions: reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f - - name: Disable telemetry agent + name: Disable Microsoft Office telemetry agent recommend: standard code: |- schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /DISABLE @@ -2977,7 +3030,7 @@ actions: # serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType # defaultStartupMode: Automatic # Allowed values: Automatic | Manual - - name: Disable Subscription Heartbeat + name: Disable Microsoft Office Subscription Heartbeat code: |- schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /DISABLE schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /DISABLE 
@@ -2986,24 +3039,24 @@ actions: schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /ENABLE - category: Configure browsers - children: + children: - category: Configure Edge - children: + children: - - category: Chromium Edge settings + category: Configure Edge (Chromium) settings children: - name: Disable Edge diagnostic data sending (shows "Your browser is managed") recommend: standard - docs: + docs: - http://archive.today/2023.08.26-152941/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DiagnosticData - https://learn.microsoft.com/DeployEdge/microsoft-edge-policies#diagnosticdata - http://archive.today/2023.08.26-152952/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled - https://learn.microsoft.com/en-gb/DeployEdge/microsoft-edge-policies#metricsreportingenabled - http://archive.today/2023.08.26-153019/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices - https://learn.microsoft.com/DeployEdge/microsoft-edge-policies#sendsiteinfotoimproveservices - code: |- + code: |- :: Disabling metrics and site info sending for Edge v88 ≥ reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f 
@@ -3014,20 +3067,20 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "DiagnosticData" /f 2>nul - - name: Disable Automatic Installation of Microsoft Edge Chromium + name: Disable automatic installation of Edge (Chromium) docs: - https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate - https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f - - name: Disable live tile data collection + name: Disable Live Tile data collection recommend: standard - docs: + docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection - code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f + code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f + revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f - name: Disable MFU tracking recommend: standard 
@@ -3041,14 +3094,14 @@ actions: code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0 /f - - name: Turn off backtracking + name: Disable backtracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f - name: Disable Search Suggestions in Edge - docs: + docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar recommend: standard @@ -3056,9 +3109,9 @@ actions: revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f - category: Configure Internet Explorer - children: + children: - - name: Disable Geolocation in Internet Explorer + name: Disable Internet Explorer geolocation recommend: standard code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f 
@@ -3068,13 +3121,13 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f - - name: Disable Internet Explorer CEIP + name: Disable Internet Explorer CEIP (Customer Experience Improvement Program) recommend: standard docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f - - name: Disable calling legacy WCM policies + name: Disable legacy WCM policy calls recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f 
@@ -3083,40 +3136,40 @@ actions: recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f - revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v EnableSSL3Fallback /t REG_DWORD /d 3 /f + revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 3 /f - - name: Disable ignoring cert errors + name: Disable certificate error ignoring recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f - - category: Configure Google Chrome - children: + category: Configure Chrome + children: - name: Disable Chrome Software Reporter Tool recommend: standard code: |- - icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)" - cacls "%localappdata%\Google\Chrome\User Data\SwReporter" /e /c /d %username% + icacls "%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)" + cacls "%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter" /e /c /d %username% reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /f - - category: 
Chrome cleanup + category: Configure Chrome cleanup children: - - - name: Do not share scanned software data to Google (shows "Your browser is managed") + - + name: Disable sharing scanned software data with Google (shows "Your browser is managed") recommend: standard - docs: + docs: - https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /f - - - name: Prevent Chrome from scanning the system for cleanup (shows "Your browser is managed") + - + name: Disable Chrome system cleanup scans (shows "Your browser is managed") recommend: standard - docs: + docs: - https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f 
@@ -3128,19 +3181,19 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f - - category: Configure Mozilla Firefox telemetry + category: Configure Firefox children: - category: Disable default browser agent reporting children: - - name: Disable default browser agent reporting policy + name: Disable default browser agent reporting recommend: standard docs: https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/ code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 1 /f revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 0 /f - - name: Disable default browser agent reporting services + name: Disable services that report the default browser agent recommend: standard code: |- schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB" @@ -3155,7 +3208,7 @@ actions: code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 1 /f revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 0 /f - - name: Disable Google update service + name: Disable Google update services recommend: standard docs: - https://websetnet.net/how-to-disable-google-chrome-automatic-updates-in-windows-10/ @@ -3169,7 +3222,7 @@ actions: schtasks /change /disable /tn "GoogleUpdateTaskMachineCore" schtasks /change /disable /tn "GoogleUpdateTaskMachineUA" revertCode: |- - schtasks /Change /enable /tn "GoogleUpdateTaskMachineCore" + schtasks /change /enable /tn "GoogleUpdateTaskMachineCore" schtasks /change /enable /tn "GoogleUpdateTaskMachineUA" - function: DisableService 
@@ -3182,7 +3235,7 @@ actions: serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - - name: Disable Adobe Acrobat update service + name: Disable Adobe Acrobat update services recommend: standard call: - @@ -3210,7 +3263,7 @@ actions: schtasks /change /tn "Adobe Acrobat Update Task" /enable schtasks /change /tn "Adobe Flash Player Updater" /enable - - name: Disable Razer Game Scanner Service + name: Disable "Razer Game Scanner Service" recommend: standard call: function: DisableService @@ -3218,7 +3271,7 @@ actions: serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Disable Logitech Gaming Registry Service + name: Disable "Logitech Gaming Registry Service" recommend: standard call: function: DisableService @@ -3226,7 +3279,7 @@ actions: serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - - name: Disable Dropbox auto update service + name: Disable Dropbox automatic update services recommend: standard call: - @@ -3244,15 +3297,15 @@ actions: parameters: code: |- schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore" - schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA" + schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA" revertCode: |- schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore" schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA" - category: Disable Media Player data collection - children: + children: - - name: Do not send Windows Media Player statistics + name: Disable sending Windows Media Player statistics recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f - 
@@ -3264,7 +3317,7 @@ actions: reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - - name: Disable Windows Media Player Network Sharing Service + name: Disable "Windows Media Player Network Sharing Service" (`WMPNetworkSvc`) docs: http://batcmd.com/windows/10/services/wmpnetworksvc/ recommend: standard call: @@ -3273,7 +3326,7 @@ actions: serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Disable CCleaner Monitoring + name: Disable CCleaner data collection code: |- reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f @@ -3302,13 +3355,13 @@ actions: reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f - category: Security improvements - children: + children: - - category: Meltdown and Spectre protection + category: Enable protection against Meltdown and Spectre docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot children: - - name: Spectre variant 2 and meltdown (own OS) + name: Mitigate Spectre Variant 2 and Meltdown in host operating system code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f wmic cpu get name | findstr "Intel" >nul && ( 
@@ -3321,23 +3374,23 @@ actions: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f - - name: Spectre variant 2 and meltdown (HyperV) + name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f - - name: Disable administrative shares + name: Disable administrative shares recommend: standard code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f - - - name: Force enable data execution prevention (DEP) + - + name: Enable Data Execution Prevention (DEP) code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f - - + - name: Disable AutoPlay and AutoRun docs: - https://en.wikipedia.org/wiki/AutoRun 
@@ -3347,15 +3400,15 @@ actions: recommend: standard code: |- :: 255 (0xff) means all drives - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f revertCode: |- - reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f + reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f - - - name: Disable remote Assistance + - + name: Disable remote assistance feature recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 code: |- 
@@ -3364,58 +3417,58 @@ actions: revertCode: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f - - - name: Disable lock screen camera + - + name: Disable lock screen camera access recommend: standard docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f - - - name: Prevent the storage of the LAN Manager hash of passwords + - + name: Disable storage of the LAN Manager password hashes recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 10 /f - - - name: Disable Windows Installer Always install with elevated privileges + revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 0 /f + - + name: Disable "Always install with elevated privileges" in Windows Installer recommend: standard docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f - - - name: Prevent WinRM from using Basic Authentication + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f + 
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f + - + name: Disable Basic Authentication usage in WinRM recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f - - - name: Restrict anonymous enumeration of shares + revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f + - + name: Disable anonymous enumeration of shares recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f + code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f - - - name: Refuse less secure authentication + - + name: Disable usage of insecure authentication recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f - - + - name: Enable Structured Exception Handling Overwrite Protection (SEHOP) recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f - 
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f - - - name: Block Anonymous enumeration of SAM accounts + code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f + revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f + - + name: Disable anonymous enumeration of SAM accounts recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "RestrictAnonymousSAM" /t REG_DWORD /d 0 /f - - - name: Restrict anonymous access to Named Pipes and Shares + - + name: Disable anonymous access to named pipes and shares recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f @@ -3436,7 +3489,7 @@ actions: dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart - - name: Disable PowerShell 2.0 against downgrade attacks + name: Enable security against PowerShell 2.0 downgrade attacks recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637 code: |- 
@@ -3446,7 +3499,7 @@ actions: dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart - - name: Disable the Windows Connect Now wizard + name: Disable "Windows Connect Now" wizard recommend: standard docs: - https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now @@ -3466,10 +3519,10 @@ actions: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f - - category: Increase cryptography on ISS + category: Secure cryptography on IIS (Internet Information Services) server children: - - name: Increase Diffie-Hellman key (DHK) exchange to 4096-bit + name: Increase Diffie-Hellman key (DHK) exchange to 4096 bits code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ServerMinKeyBitLength /t REG_DWORD /d 0x00001000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00001000 @@ -3479,7 +3532,7 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f - - name: Increase RSA key exchange to 2048-bit + name: Increase RSA key exchange to 2048 bits docs: |- In 2012, Microsoft began transitioning minimum RSA key length across various applications from 1024 to 2048 bits. 1024-Bit key exchange algorithms are still supported in Windows despite being considered deprecated for some time. 
@@ -3509,7 +3562,7 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v "Enabled" /f - - + - name: Disable RC4 cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000 @@ -3533,7 +3586,7 @@ actions: name: Disable 3DES (Triple DES) cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t REG_DWORD /d 0x00000000 - reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000 + reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" /f 
@@ -3549,8 +3602,8 @@ actions: name: Disable null cipher code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v "Enabled" /f - - - name: Force not to respond to renegotiation requests + - + name: Disable response to renegotiation requests code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoClients /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoServers /t REG_DWORD /d 0x00000000 @@ -3585,8 +3638,8 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f - - - name: Enable DTLS 1.3 # Windows 10 and Windows 10 Server version 1903 and newer supports DTLS 1.3 + - + name: Enable DTLS 1.3 # Windows 10 and Windows Server 10 version 1903 and newer support DTLS 1.3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 
@@ -3597,7 +3650,7 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f - - + - name: Disable TLS 1.0 docs: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls # After disabling TLS 1.0 must be (will be) activated SchUseStrongCrypto for .NET apps code: |- @@ -3634,7 +3687,7 @@ actions: reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - - + - name: Disable TLS 1.1 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 @@ -3646,7 +3699,7 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f - - + - name: Enable TLS 1.3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 
@@ -3658,8 +3711,8 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f - - - name: Enabling Strong Authentication for .NET applications (TLS 1.2) + - + name: Enable strong authentication for .NET applications using TLS 1.2 docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications code: |- reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 @@ -3687,7 +3740,7 @@ actions: reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - - + - name: Disable SSLv2 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 @@ -3699,7 +3752,7 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f - - + - name: Disable SSLv3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 
@@ -3713,20 +3766,20 @@ actions: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f - category: Privacy over security - children: + children: - - category: Disable Windows Defender + category: Disable Microsoft Defender docs: https://en.wikipedia.org/wiki/Windows_Firewall # See defender status: Get-MpComputerStatus children: - - category: Disable Windows Defender Firewall # Also known as Windows Firewall, Microsoft Defender Firewall + category: Disable Microsoft Defender firewall # Also known as Windows Firewall, Microsoft Defender Firewall children: - - category: Disable Windows Defender Firewall Services and Drivers (breaks Microsoft Store and `netsh advfirewall` CLI) + category: Disable Microsoft Defender Firewall services and drivers (breaks Microsoft Store and `netsh advfirewall` CLI) children: - - name: Disable Windows Defender Firewall Authorization Driver service + name: Disable "Windows Defender Firewall Authorization Driver" service docs: - http://batcmd.com/windows/10/services/mpsdrv/ # ❗️ Breaks: `netsh advfirewall set` @@ -3748,7 +3801,7 @@ actions: parameters: filePath: '%SystemRoot%\System32\drivers\mpsdrv.sys' - - name: Disable Windows Defender Firewall service + name: Disable "Windows Defender Firewall" service docs: - http://batcmd.com/windows/10/services/mpssvc/ - https://en.wikipedia.org/wiki/Windows_Firewall 
@@ -3785,13 +3838,13 @@ actions: parameters: filePath: '%WinDir%\system32\mpssvc.dll' - - name: Disable Firewall through command-line utility + name: Disable firewall via command-line utility # ❗️ Following must be enabled and in running state: - # - mpsdrv (Windows Defender Firewall Authorization Driver) + # - mpsdrv ("Windows Defender Firewall Authorization Driver") # - bfe (Base Filtering Engine) - # - mpssvc (Windows Defender Firewall) + # - mpssvc ("Windows Defender Firewall") # If the dependent services are not running, the script fails with: - # "An error occurred while attempting to contact the Windows Defender Firewall service. Make sure that the service is running and try your request again." + # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc docs: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: @@ -3826,7 +3879,7 @@ actions: } } - - name: Disable Firewall through registry # Lower-level, good in case command-line utility is not available/functioning + name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning docs: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 
@@ -3846,7 +3899,7 @@ actions: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f # When reverting HKLM\SOFTWARE\Policies profiles are deleted as they are not included in clean installation - # On the other hand "StandardProfile", "DomainProfile" and "PublicProfile" exists HKLM\SYSTEM\CurrentControlSet + # On the other hand "StandardProfile", "DomainProfile" and "PublicProfile" exists HKLM\SYSTEM\CurrentControlSet # so they're not deleted but set to default state revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy :: Policy based 
@@ -3860,12 +3913,25 @@ actions: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - - name: Hide the "Firewall and network protection" area from Windows Defender Security Center - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FirewallNetworkProtection_UILockdown + name: Disable "Firewall & network protection" section in "Windows Security" + docs: |- + This script hides the "Firewall & network protection" section in the "Windows Security" interface. Previously, this interface was + called "Windows Defender Security Center" [1]. + + The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status + of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see + this section in the "Windows Security" interface [3]. + + This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown" registry + key to hide the Firewall and network protection area [3]. 
+ + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" + [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul - - name: Disable Microsoft Defender Antivirus # Depreciated since Windows 10 version 1903 + name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender 
@@ -3876,15 +3942,15 @@ actions: # Status: Get-MpPreference children: - - category: Disable Windows Defender Antivirus cloud protection service + category: Disable Defender Antivirus cloud protection service docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus # Also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet children: - - category: Disable cloud protection service features + category: Disable Defender cloud protection features children: - - name: Turn off block at first sight + name: Disable block at first sight docs: # What is block at first sight? How does it work? How to turn on/off? - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus 
@@ -3903,21 +3969,21 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul - - name: Set maximum time possible for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" + name: Maximize time for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /f 2>nul - - name: Set lowest possible cloud protection level # Requires "Join Microsoft MAPS" + name: Minimize cloud protection level # Requires "Join Microsoft MAPS" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul - - name: Disable receiving notifications to disable security intelligence # Requires "Join Microsoft MAPS" + name: Disable notifications to turn off security intelligence # Requires "Join Microsoft MAPS" docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul @@ -3925,7 +3991,7 @@ actions: category: Disable Defender cloud export for analysis children: - - name: Turn off Windows Defender SpyNet reporting + name: Disable Microsoft Defender SpyNet reporting recommend: strict docs: - https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713 @@ -3949,8 +4015,8 @@ actions: parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /f 2>nul - - - name: Do not send file samples for further analysis + - + name: Disable sending file samples for further analysis recommend: strict docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent 
@@ -3972,10 +4038,21 @@ actions: parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /f 2>nul - - - name: Disable Malicious Software Reporting tool diagnostic data + - + name: Disable "Malicious Software Reporting" tool diagnostic data recommend: strict - docs: https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection + docs: |- + This script disables the diagnostic data sent by Microsoft's Malicious Software Removal Tool (MSRT) [1]. + + Starting from its version 5.39 in August 2016, MSRT was observed to transmit a "Heartbeat Report" to Microsoft every time it operated [2]. + This happens even when the Customer Experience Improvement Program (CEIP) is turned off, and even if "DiagTrack" is not installed on the + computer [2]. Such a report can be confirmed by viewing the MRT log located at `%windir%\debug\mrt.log` [2]. + + This script enhances user privacy by setting a specific system key, `HKLM\SOFTWARE\Policies\Microsoft\MRT!DontReportInfectionInformation`, + to halt this data sharing with Microsoft [1] [2]. + + [1]: https://web.archive.org/web/20231009135123/https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection "Disable Malicious Software Reporting tool diagnostic data | admx.help" + [2]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul - 
@@ -3985,7 +4062,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul - - name: Disable the Potentially Unwanted Application (PUA) feature # Already disabled as default + name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus @@ -4016,13 +4093,13 @@ actions: :: For newer Windows versions reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul - - name: Turn off tamper protection # Added in Windows 10, version 1903 + name: Disable tamper protection # Added in Windows 10, version 1903 docs: - https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10 - https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-tamperprotection call: - - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) + function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) # ❌ Fails with "ERROR: Access is denied." in Windows 11 21H2 | ✅ Works in Windows 10 >= 20H2 parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f 
@@ -4041,7 +4118,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul - - category: Disable Windows Defender Exploit Guard + category: Disable "Windows Defender Exploit Guard" docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ children: - @@ -4050,14 +4127,14 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul - - name: Disable Controlled folder access - docs: + name: Disable controlled folder access + docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f 2>nul - - category: Disable Network Inspection System features + category: Disable network inspection system features children: - name: Disable protocol recognition 
@@ -4072,16 +4149,16 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul - - name: Limit detection events rate to minimum + name: Minimize rate of detection events docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /f 2>nul - - category: Disable Real-Time protection + category: Disable real-time protection children: - name: Disable real-time monitoring - docs: + docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 # Managing with MpPreference module: @@ -4102,7 +4179,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /f 2>nul - - name: Disable Intrusion Prevention System (IPS) + name: Disable intrusion prevention system (IPS) docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem # Managing with MpPreference module: 
@@ -4156,10 +4233,10 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /f 2>nul - - category: Disable Defender monitoring of downloaded files and attachments + category: Disable monitoring of downloads and attachments in Defender children: - - name: Disable scanning for all downloaded files and attachments + name: Disable scanning of all downloaded files and attachments docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 # Managing with MpPreference module: @@ -4179,7 +4256,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /f 2>nul - - name: Disable scanning files bigger than 1 KB (minimum possible) + name: Disable scanning files larger than 1 KB (minimum possible) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul 
@@ -4187,15 +4264,15 @@ actions: category: Disable Defender monitoring of file and program activity children: - - name: Disable monitoring file and program activity + name: Disable file and program activity monitoring docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul - - name: Disable bidirectional scanning of incoming and outgoing file and program activity - docs: + name: Disable bidirectional scan for incoming and outgoing file and program activities + docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference @@ -4216,7 +4293,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul - - name: Disable process scanning on real-time protection + name: Disable real-time protection process scanning docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable 
@@ -4231,7 +4308,7 @@ actions: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#admx-microsoftdefenderantivirus-disableroutinelytakingaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul + revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul - name: Disable running scheduled auto-remediation docs: @@ -4293,7 +4370,7 @@ actions: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul - - name: Auto-purge items from Quarantine folder + name: Enable automatically purging items from quarantine folder docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay # Managing with MpPreference module: @@ -4322,7 +4399,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul # - Too good to disable, also no reported privacy issues - # category: Disable Windows Defender Device Guard and Credential Guard + # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 # children: # - 
@@ -4340,8 +4417,8 @@ actions: # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f 2>nul # reg delete "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /f 2>nul # - - # name: Disable virtualization-based security (disabled by default) - # docs: + # name: Disable virtualization-based security (disabled by default) + # docs: # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity @@ -4416,7 +4493,7 @@ actions: category: Disable scan actions children: - - name: Disable checking for signatures before scan # Default configuration + name: Disable signature verification before scanning # Default configuration docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan # Managing with MpPreference module: @@ -4435,7 +4512,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul - - name: Disable creating system restore point on a daily basis # Default behavior + name: Disable creation of daily system restore points # Default behavior docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint # Managing with MpPreference module: 
@@ -4454,7 +4531,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul - - name: Set minimum time for keeping files in scan history folder + name: Minimize retention time for files in scan history docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay # Managing with MpPreference module: @@ -4476,7 +4553,7 @@ actions: category: Disable catch-up scans children: - - name: Set maximum days before a catch-up scan is forced + name: Maximize days until mandatory catch-up scan docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup # Default and minumum is 2, maximum is 20 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f @@ -4520,7 +4597,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul - - category: Turn off scan options + category: Disable Defender scan options children: - name: Disable scan heuristics 
@@ -4528,10 +4605,10 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul - - category: Limit CPU usage during scans + category: Minimize CPU usage during scans children: - - name: Limit CPU usage during scans to minimum + name: Minimize CPU usage during scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor # Managing with MpPreference module: @@ -4551,8 +4628,8 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul - - name: Limit CPU usage during idle scans to minumum - docs: + name: Minimize CPU usage during idle scans + docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: @@ -4569,7 +4646,7 @@ actions: revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul - name: Disable scanning when not idle # Default OS setting - docs: + docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference 
@@ -4587,11 +4664,21 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul - - name: Disable scheduled On Demand anti malware scanner (MRT) + name: Disable scheduled anti-malware scanner (MRT) + docs: |- + This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft. + + Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user + preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully + Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1]. + + By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. + + [1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /f 2>nul - - category: Limit scanned areas + category: Minimize scanned areas children: - name: Disable e-mail scanning # Disabled by default 
@@ -4631,7 +4718,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul - - name: Disable scanning on mapped network drives on full-scan + name: Disable scanning mapped network drives during full scan docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan # Managing with MpPreference module: @@ -4650,7 +4737,7 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True - - name: Disable scanning network files + name: Disable network file scanning docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles # Managing with MpPreference module: 
@@ -4696,12 +4783,12 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False - - name: Limit depth for scanning archive files to minimum + name: Minimize scanning depth of archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul - - name: Limit file size for archive files to be scanned to minimum + name: Minimize file size for scanning archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul @@ -4793,7 +4880,7 @@ actions: default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' setDefaultOnWindows11: true # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 - - name: Limit how many times quick scans run per day + name: Minimize daily quick scan frequency docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul 
@@ -4803,7 +4890,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul - - category: Limit Defender updates + category: Disable Defender updates children: - category: Disable Defender Security Intelligence (signature) updates @@ -4819,7 +4906,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul - - name: Disable checking for the latest virus and spyware security intelligence (signature) on startup + name: Disable startup check for latest virus and spyware security intelligence (signature) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /f 2>nul 
@@ -4844,7 +4931,7 @@ actions: value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0' default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' - - name: Limit spyware security intelligence (signature) updates # default is one day, recommended is 7 days + name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when spyware security intelligence (signature) is considered up-to-dates docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue @@ -4852,7 +4939,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul - - name: Limit virus security intelligence (signature) updates # default is one day, recommended is 7 days + name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when virus security intelligence (signature) is considered up-to-date docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue 
@@ -4879,7 +4966,7 @@ actions: value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False - - name: Disable automatically checking security intelligence (signature) updates # Already disabled by default + name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay # Managing with MpPreference module: @@ -4901,7 +4988,7 @@ actions: value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' - - name: Limit update checks for security intelligence (signature) updates + name: Minimize checks for security intelligence (signature) updates docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval @@ -4910,7 +4997,7 @@ actions: - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval call: # Valid values range from 1 (every hour) to 24 (once per day). - # If not specified (0), parameter, Windows Defender checks at the default interval + # If not specified (0), parameter, Microsoft Defender checks at the default interval - function: RunInlineCode parameters: 
@@ -4926,7 +5013,7 @@ actions: category: Disable alternate definition updates children: - - name: Disable definition updates through both WSUS and the Microsoft Malware Protection Center + name: Disable definition updates via WSUS and Microsoft Malware Protection Center docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul @@ -4936,7 +5023,7 @@ actions: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul - - name: Limit Defender updates to those that complete gradual release cycle + name: Minimize Defender updates to completed gradual release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference @@ -4949,7 +5036,7 @@ actions: default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - - name: Limit Defender engine updates to those that complete gradual release cycle + name: Minimize Defender engine updates to completed release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference 
@@ -4964,7 +5051,7 @@ actions: # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" - - name: Limit Defender platform updates to those that complete gradual release cycle + name: Minimize Defender platform updates to completed release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference @@ -4978,8 +5065,8 @@ actions: # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" - - - name: Limit Defender definition updates to those that complete gradual release cycle + - + name: Minimize Defender definition updates to completed gradual release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference 
@@ -4993,11 +5080,11 @@ actions: # 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - - - category: Disable Windows Defender reporting + - + category: Disable Microsoft Defender reporting children: - - name: Disable Windows Defender logging + name: Disable Microsoft Defender logging code: |- reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f @@ -5005,7 +5092,7 @@ actions: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f - - name: Disable ETW Provider of Windows Defender (Windows Event Logs) + name: Disable Microsoft Defender ETW provider (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-views 
@@ -5016,13 +5103,13 @@ actions: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f - - name: Do not send Watson events + name: Disable sending Watson events # Deprecated since February 2015 update http://support.microsoft.com/kb/3036437 docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul - - - name: Send minimum Windows software trace preprocessor (WPP Software Tracing) levels + - + name: Minimize Windows software trace preprocessor (WPP Software Tracing) docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel 
@@ -5036,15 +5123,16 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul - - category: Remove Defender from UI + category: Disable Defender user interface children: - - name: Hide Windows Defender Security Center icon - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray + name: Remove "Windows Security" system tray icon + docs: |- + https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f 2>nul - - name: Remove "Scan with Windows Defender" option from context menu + name: Remove "Scan with Microsoft Defender" from context menu docs: - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/ - https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html 
@@ -5062,107 +5150,166 @@ actions: reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f - - name: Remove Windows Defender Security Center from taskbar - docs: https://www.alfintechcomputer.com/what-is-securityhealthsystray-exe-windows-security-notification-icon/ - code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809 + name: Remove "Windows Security" icon from taskbar + docs: |- + This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 + and was originally named "Windows Defender Security Center" [1]. + + The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. + + The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes + `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 + and Windows 10 22H2) with default value of `%windir%\system32\SecurityHealthSystray.exe`. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" 
+ [3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" + code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809 revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f - - category: Hide Defender UI + name: Disable Microsoft Defender Antimalware (AM) user interface + docs: |- + This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially + preventing user interactions with the Microsoft Defender Antivirus interface. + + Several reasons to hide the antivirus interface: + + 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing + its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more + in control of their data when they aren't constantly reminded of a running security service. + 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. + Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share + more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. + 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender + Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to + a cleaner, less interrupted user experience. 
By reducing these notifications, the system lessens the chances of users inadvertently + triggering options that might share data. + 4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface + but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that + access has been restricted by the system administrator [2]. + + The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the + `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. + + [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" + [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" + code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul + - + name: Minimize threat history access to administrators + docs: + # Managing with MpPreference module: + - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference + - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode + call: + - + function: SetMpPreference + parameters: + property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode + value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True + default: $False # Default: False | Remove-MpPreference 
-Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False + - + function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul + - + category: Disable sections in "Windows Security" + docs: |- + This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in + Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. + + "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display + in a restricted mode [1]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" children: - - name: Enable headless UI mode - docs: - - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul + name: Disable "Virus and threat protection" section in "Windows Security" + docs: |- + - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) + - [Hide the Virus and 
threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul - - name: Restrict threat history to administrators - docs: - # Managing with MpPreference module: - - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode - call: - - - function: SetMpPreference - parameters: - property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode - value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True - default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - - - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." 
(>= 20H2) - parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul + name: Disable "Ransomware data recovery" section in "Windows Security" + docs: |- + [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul - - category: Hide areas in Windows Defender Security Center + name: Disable "Family options" section in "Windows Security" + docs: |- + - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) + - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul + - + name: Disable "Device performance and health" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) + - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul + - + name: Disable "Account protection" section in "Windows Security" + docs: |- + - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) + - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul + - + name: Disable "App and browser control" section in "Windows Security" + docs: |- + - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) + - [Hide 
the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul + - + category: Disable device security sections children: - - name: Hide the "Virus and threat protection" area - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul + name: Disable "Device security" section in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) + - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul - - name: Hide the "Ransomware data recovery" area - docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul + name: Disable "Clear TPM" button in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) + - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul - - name: Hide the "Family options" area - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul + name: Disable "Secure boot" button in "Windows Security" + docs: |- + [Hide the Secure boot area | 
admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul - - name: Hide the "Device performance and health" area - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul + name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" + docs: |- + [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul - - name: Hide the "Account protection" area - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul - - - name: Hide the "App and browser protection" area - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul - - - category: Hide the Device security areas - children: - - - name: Hide the Device security area - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul - - - name: Disable the Clear TPM button - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul - - - name: Disable the Secure boot area button - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender 
Security Center\Device security" /v "HideSecureBoot" /f 2>nul - - - name: Hide the Security processor (TPM) troubleshooter page - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul - - - name: Hide the TPM Firmware Update recommendation - docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul + name: Disable "TPM Firmware Update" recommendation in "Windows Security" + docs: |- + - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) + - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) + code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f + revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security 
Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul - - category: Hide Windows Defender notifications + category: Disable Defender notifications children: - - category: Hide Windows Defender Security Center notifications + category: Disable Windows Security notifications docs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications children: - - name: Hide all notifications + name: Disable all Defender notifications docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disablenotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications @@ -5173,8 +5320,8 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul - - name: Hide non-critical notifications - docs: + name: Disable non-critical Defender notifications + docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disableenhancednotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications 
@@ -5187,12 +5334,12 @@ actions: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul - - name: Disable Windows Action Center security and maintenance notifications # For Windows 10 build 1607 and above + name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f 2>nul - - name: Disable all Windows Defender Antivirus notifications + name: Disable all Defender Antivirus notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress code: |- reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f 
@@ -5201,7 +5348,7 @@ actions: reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul reg delete "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul - - name: Suppress reboot notifications + name: Disable Defender reboot notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul 
@@ -5212,33 +5359,33 @@ actions: category: Disable Defender tasks children: - - name: Disable Windows Defender ExploitGuard task + name: Disable "Windows Defender ExploitGuard" task docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ code: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable - - name: Disable Windows Defender Cache Maintenance task - # Cache Maintenance is the storage for temporary files that are being either quarantined by Windows Defender - # or being checked. Running this will clear the Cache. + name: Disable "Windows Defender Cache Maintenance" task + # Cache Maintenance is the storage for temporary files that are being either quarantined by Microsoft Defender + # or being checked. Running this will Clear Cache. docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable - - name: Disable Windows Defender Cleanup task + name: Disable "Windows Defender Cleanup" task docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae # Periodic cleanup task - # Clears up files that are not needed anymore by Windows Defender. + # Clears up files that are not needed anymore by Microsoft Defender. 
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable - - name: Disable Windows Defender Scheduled Scan task # Does not exist in Windows 11 - docs: + name: Disable "Windows Defender Scheduled Scan" task # Does not exist in Windows 11 + docs: - https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d - https://winbuzzer.com/2020/05/26/windows-defender-how-to-perform-a-scheduled-scan-in-windows-10-xcxwbt/ code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable 2>nul - - name: Disable Windows Defender Verification task + name: Disable "Windows Defender Verification" task # Check if there are any problems with your Windows Defender like in updates, system files, etc,. # Creates daily restore points docs: @@ -5255,7 +5402,7 @@ actions: # 2. Some cannot be disabled even using DisableServiceInRegistry, must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller children: - - name: Disable Windows Defender Antivirus service + name: Disable "Microsoft Defender Antivirus Service" # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` 
@@ -5272,18 +5419,18 @@ actions: # parameters: # filePath: '%ProgramFiles%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - - category: Disable kernel-level Windows Defender drivers + category: Disable Defender kernel-level drivers children: - # - Skipping wdnsfltr "Windows Defender Network Stream Filter Driver" as it's Windows 1709 only + # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only - - name: Disable Microsoft Defender Antivirus Network Inspection System Driver service + name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service docs: http://batcmd.com/windows/10/services/wdnisdrv/ call: - function: RunInlineCodeAsTrustedInstaller parameters: # "net stop" is used to stop dependend services as well, "sc stop" fails - code: net stop "WdNisDrv" /yes >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f + code: net stop "WdNisDrv" /yes >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "3" /f & sc start "WdNisDrv" >nul - function: RenameSystemFile @@ -5294,7 +5441,7 @@ actions: # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdNisDrv.sys' - - name: Disable Microsoft Defender Antivirus Mini-Filter Driver service + name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service docs: - https://www.n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - http://batcmd.com/windows/10/services/wdfilter/ 
@@ -5302,7 +5449,7 @@ actions: - function: RunInlineCodeAsTrustedInstaller parameters: - code: sc stop "WdFilter" >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f + code: sc stop "WdFilter" >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdFilter" >nul - function: RenameSystemFile @@ -5313,13 +5460,13 @@ actions: # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdFilter.sys' - - name: Disable Microsoft Defender Antivirus Boot Driver service + name: Disable "Microsoft Defender Antivirus Boot Driver" service docs: http://batcmd.com/windows/10/services/wdboot/ call: - function: RunInlineCodeAsTrustedInstaller parameters: - code: sc stop "WdBoot" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f + code: sc stop "WdBoot" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdBoot" >nul 2>&1 - function: RenameSystemFile @@ -5330,7 +5477,7 @@ actions: # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdBoot.sys' - - name: Disable Microsoft Defender Antivirus Network Inspection service + name: Disable "Microsoft Defender Antivirus Network Inspection" service docs: - http://batcmd.com/windows/10/services/wdnissvc/ - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ 
@@ -5338,38 +5485,51 @@ actions: - function: RunInlineCodeAsTrustedInstaller parameters: - code: sc stop "WdNisSvc" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f + code: sc stop "WdNisSvc" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f & sc start "WdNisSvc" >nul 2>&1 # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%ProgramFiles%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - - name: Disable Windows Defender Advanced Threat Protection Service service + name: Disable "Windows Defender Advanced Threat Protection Service" service docs: http://batcmd.com/windows/10/services/sense/ call: - function: RunInlineCodeAsTrustedInstaller # We must disable it on registry level, "Access is denied" for sc config parameters: - code: sc stop "Sense" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f + code: sc stop "Sense" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "3" /f & sc start "Sense" >nul 2>&1 # Alowed values: Boot | System | Automatic | Manual - function: RenameSystemFile parameters: filePath: '%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe' - - name: Disable Windows Defender Security Center Service - docs: http://batcmd.com/windows/10/services/securityhealthservice/ + name: Disable "Windows Security Service" service + docs: |- + This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. 
+ This service provides unified device protection and health information [2] [3]. + + It was introduced as part of the "Windows Security" interface in Windows 10, version 1703 and earlier named "Windows Defender Security Center" [2]. + Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. + By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11. + + The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1]. + + [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" + [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" + [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" + [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states call: - # Windows 10: - # ❌ Cannot disable through sc config as Administrator; throws "Access is denied" - # ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works - # ✅ Can disable using registry as TrustedInstaller + # ❌ Cannot disable through sc config as Administrator; throws "Access is denied" + # ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works + # ✅ Can disable 
using registry as TrustedInstaller # Windows 11: - # ❌ Cannot disable through sc config as administrator; throws "Access is denied" - # ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed." - # ✅ Can disable using registry as TrustedInstaller + # ❌ Cannot disable through sc config as administrator; throws "Access is denied" + # ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed." + # ✅ Can disable using registry as TrustedInstaller function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "SecurityHealthService" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f @@ -5395,7 +5555,7 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /f 2>nul - - name: Disable SmartScreen in file explorer + name: Disable SmartScreen in File Explorer docs: - https://winaero.com/change-windows-smartscreen-settings-windows-10/ - https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ @@ -5406,7 +5566,7 @@ actions: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul - - name: Disable SmartScreen preventing users from running applications + name: Disable SmartScreen's prevention of application execution docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 
@@ -5416,12 +5576,12 @@ actions: category: Disable SmartScreen in Microsoft browsers children: - - name: Prevent Chromium Edge SmartScreen from blocking potentially unwanted apps + name: Disable SmartScreen in Edge (Chromium) for potentially unwanted apps docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /f 2>nul - - name: Disable SmartScreen in Edge + name: Disable Edge SmartScreen docs: - https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ # Privacy concerns - https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen @@ -5453,7 +5613,7 @@ actions: category: Disable SmartScreen for Windows Store apps children: - - name: Turn off SmartScreen App Install Control feature + name: Disable SmartScreen's "App Install Control" feature docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen 
@@ -5465,7 +5625,7 @@ actions: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul - - name: Turn off SmartScreen to check web content (URLs) that apps use + name: Disable SmartScreen's web content (URLs) checking for apps docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f @@ -5532,7 +5692,7 @@ actions: # Default value is `0` since Windows 10 21H2 and Windows 11 21H2 revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f - - name: Disable installing Windows updates without user approval + name: Disable automatic installation of Windows updates without user consent docs: |- This script changes how your Windows computer handles automatic updates by modifying the `AUOptions` registry key. After running this script, your computer will notify you before downloading any updates [1] [2] [3]. @@ -5680,7 +5840,7 @@ actions: making sure that parts related to Windows updates are working as they should [1] [2]. By default, the service is enabled and its startup setting is set to manual [3]. - + This service can undo any adjustments you've made to your Windows Update settings without your consent. For example, it can re-enable automatic Windows updates [4]. That can interfere if you've tailored these settings for better privacy or security. 
@@ -5702,15 +5862,15 @@ actions: serviceName: WaaSMedicSvc # Check: (Get-Service -Name 'WaaSMedicSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - category: Configure handling of downloaded files + category: Configure how downloaded files are handled docs: |- These scripts configures Attachment Manager included in Windows that that takes further actions for files that you receive or download such as storing classification metadata and notfying other software [1]. - [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" + [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" children: - - name: Prevent saving zone information in downloaded files + name: Disable saving of zone information in downloaded files docs: |- This script disables marking file attachments by using their zone information. 
@@ -5746,13 +5906,13 @@ actions: In clean Windows 10 and 11 installations, this key by default is missing for both `HKCU` and `HKLM`. [1]: https://www.stigviewer.com/stig/windows_10/2019-09-25/finding/V-63841 "Zone information must be preserved when saving attachments. | stigviewer.com" - [2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" + [2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_MarkZoneOnSavedAtttachments "Do not preserve zone information in file attachments | admx.help" [4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /f 2>nul - - name: Prevent notifying antivirus programs of downloaded files + name: Disable notifications to antivirus programs for downloaded files docs: |- Prevents Windows from calling the registered antivirus programs when file attachments are opened [1] [2]. 
@@ -5768,7 +5928,7 @@ actions: - Increases privacy by not sharing your file data proactively with installed antiviruses. - Decreases by detecting and mitigating potential malicious software. Disabling it has **Moderate** criticality as it is not an appropriate antivirus configuration according to US government [4]. - + An updated antivirus program must be installed for this policy setting to function properly [4]. It is configured using `ScanWithAntiVirus` value in 
@@ -5779,14 +5939,14 @@ actions: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus`, and key is missing for `HKCU`. - [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" - [2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com" + [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" + [2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help" [4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "3" /f - - name: Remove "Windows Security app" (`SecHealthUI`) (breaks Windows Security user interface) + name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface) docs: |- This script uninstalls the "Windows Security app" [1], also known as `SecHealthUI` [1] [2] [3]. 
@@ -5795,7 +5955,7 @@ actions: While this enhances privacy, there's a trade-off with security. It can make the computer more vulnerable to threats, as it will no longer alert the user about existing vulnerabilities and will not communicate updates to Action Center, where they are displayed to - the end user [4]. It will also break the user interface that allows you to configure other Windows security features, such as + the end user [4]. It will also break the user interface that allows you to configure other Windows security features, such as Tamper Protection [5]. Uninstalling the Windows Security app enhances privacy by reducing the digital footprints and amount of personal and system data collected and @@ -5818,7 +5978,7 @@ actions: This is a separate app from each of the individual Defender features [9], and it is updated independently from the OS [10]. Even after uninstallation, Windows will continue to send security notifications unless those notifications are separately disabled [11]. In a similar manner, - uninstalling the Windows Security app does not disable Microsoft Defender Antivirus or the Windows Defender Firewall [12]. + uninstalling the Windows Security app does not disable Microsoft Defender Antivirus or the Microsoft Defender Firewall [12]. > **Caution:** Uninstalling the Windows Security app is a significant action that should be undertaken with a clear understanding of the implications for the security and operation of your computer system. 
@@ -5831,7 +5991,7 @@ actions: [6]: https://web.archive.org/web/20231006115719/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows | Microsoft Learn" [7]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" - [9]: https://web.archive.org/web/20231006115745/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn" + [9]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn" [10]: https://web.archive.org/web/20231006115836/https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936 "KB5020779 The vulnerable driver blocklist after the October 2022 preview release - Microsoft Support" [11]: https://web.archive.org/web/20231006115826/https://support.microsoft.com/en-us/windows/windows-security-notifications-6a59ce6a-e1e0-4795-b080-ba92d49644b2 "Windows Security notifications - Microsoft Support" [12]: 
https://web.archive.org/web/20231006115845/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide "Microsoft Defender Antivirus in the Windows Security app | Microsoft Learn" @@ -5844,7 +6004,7 @@ actions: packageName: Microsoft.Windows.SecHealthUI - category: UI for privacy - children: + children: - name: Disable lock screen app notifications recommend: standard @@ -5852,7 +6012,7 @@ actions: revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687 - - category: Disable online content in explorer + category: Disable online content in File Explorer children: - name: Disable online tips @@ -5861,13 +6021,13 @@ actions: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f - - name: Turn off Internet File Association service + name: Disable "Internet File Association" service recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f - - name: Turn off the "Order Prints" picture task + name: Disable "Order Prints" picture task recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2 
@@ -5875,28 +6035,28 @@ actions: code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f - - name: Disable the file and folder Publish to Web option + name: Disable "Publish to Web" option for files and folders recommend: standard docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f - - name: Prevent downloading a list of providers for wizards + name: Disable provider list downloads for wizards recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f - - category: Recent documents + category: Secure recent document lists children: - - name: Do not keep history of recently opened documents + name: Disable history of recently opened documents recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f - - name: Clear history of recently opened documents on exit + name: Clear recently opened document history upon exit recommend: strict docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f @@ -5908,7 +6068,7 @@ actions: code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f - - name: Turn off "Look For An App In The Store" option + name: Disable the "Look For An App In The Store" option recommend: standard docs: - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030 @@ -5916,7 +6076,7 @@ actions: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f - - name: Do not show recently used files in Quick Access + name: Disable the display of recently used files in Quick Access recommend: strict docs: - https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent 
@@ -5935,12 +6095,25 @@ actions: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f ) - - name: Disable Sync Provider Notifications + name: Disable sync provider notifications code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f - - name: Turn hibernate off to disable sleep for quick start - docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/compact-os#ram-pagefilesys-and-hiberfilsys + name: Disable hibernation for faster startup and to avoid sensitive data storage + docs: |- + This script commands your system to deactivate the hibernation feature. Hibernate is a power-saving state that saves your current work and turns + off the computer [1]. When your computer hibernates, it saves the contents of its RAM to your hard disk and powers off the machine [2]. Upon starting + again, your computer can restore all the open programs and documents from your hard disk to its RAM [1]. + + If hibernation mode is enabled, sensitive data stored in RAM are be written to disk [2]. The memory can contain private data, passwords, keys and so + on. This could be accessed by malicious software or people with physical access to the computer. By disabling hibernation, this script reduces the risk + of such potential privacy breaches. + + It configures hibernate by using `powercfg` command line tool [3]. 
+ + [1]: https://web.archive.org/web/20230806164910/https://support.microsoft.com/en-us/windows/shut-down-sleep-or-hibernate-your-pc-2941d165-7d0a-a5e8-c5ad-8c972e8e6eff + [2]: https://web.archive.org/web/20230712211259/https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-sleeping-states + [3]: https://web.archive.org/web/20230806165041/https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options code: powercfg -h off revertCode: powercfg -h on - @@ -5952,10 +6125,10 @@ actions: code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /d 1 /t REG_DWORD /f revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f - - category: Hide from This PC and Browse in dialog boxes + category: Remove items from "This PC" and "Browse" in dialog boxes children: - - name: 3D Objects + name: Remove "3D Objects" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f 
@@ -5963,7 +6136,7 @@ actions: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - - name: Desktop + name: Remove "Desktop" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f @@ -5971,7 +6144,7 @@ actions: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - - name: Documents + name: Remove "Documents" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f 
@@ -5979,7 +6152,7 @@ actions: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - - name: Downloads + name: Remove "Downloads" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f @@ -5987,7 +6160,7 @@ actions: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - - name: Movies + name: Remove "Movies" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f 
@@ -5995,7 +6168,7 @@ actions: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - - name: Music + name: Remove "Music" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f @@ -6003,7 +6176,7 @@ actions: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - - name: Pictures + name: Remove "Pictures" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f @@ -6014,7 +6187,7 @@ actions: category: Disable OS services children: - - name: Microsoft Account Sign-in Assistant (breaks Microsoft Store and Microsoft Account sign-in) + name: Disable "Microsoft Account Sign-in Assistant" service (breaks Microsoft Store and Microsoft Account sign-in) recommend: strict docs: # **Summary** 
@@ -6068,7 +6241,7 @@ actions: serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Downloaded Maps Manager + name: Disable "Downloaded Maps Manager" service recommend: standard docs: http://batcmd.com/windows/10/services/mapsbroker/ call: @@ -6077,7 +6250,7 @@ actions: serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - - name: Microsoft Retail Demo experience + name: Disable "Microsoft Retail Demo" service recommend: standard docs: http://batcmd.com/windows/10/services/retaildemo/ call: @@ -6086,10 +6259,10 @@ actions: serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - category: Mail, contact, calendar and user data synchronization + category: Disable synchronization of mail, contacts, calendar, and user data children: - - name: User Data Storage (UnistoreSvc) Service + name: Disable "User Data Storage" (`UnistoreSvc`) service docs: http://batcmd.com/windows/10/services/unistoresvc/ recommend: strict call: @@ -6100,7 +6273,7 @@ actions: serviceName: UnistoreSvc defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - - name: Sync Host (OneSyncSvc) Service Service + name: Disable "Sync Host" (`OneSyncSvc`) service docs: http://batcmd.com/windows/10/services/onesyncsvc/ recommend: strict call: @@ -6111,7 +6284,7 @@ actions: serviceName: OneSyncSvc defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual - - name: Contact data indexing + name: Disable "Contact Data" service (disables contact data indexing) docs: http://batcmd.com/windows/10/services/pimindexmaintenancesvc/ call: function: DisablePerUserService 
@@ -6121,7 +6294,7 @@ actions: serviceName: PimIndexMaintenanceSvc defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - - name: App user data access + name: Disable "User Data Access" service docs: http://batcmd.com/windows/10/services/userdatasvc/ call: function: DisablePerUserService @@ -6131,7 +6304,7 @@ actions: serviceName: UserDataSvc defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - - name: Text messaging + name: Disable "MessagingService" docs: http://batcmd.com/windows/10/services/messagingservice/ call: function: DisablePerUserService @@ -6141,7 +6314,7 @@ actions: serviceName: MessagingService defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - - name: Windows Push Notification Service (breaks network settings view on Windows 10) + name: Disable "Windows Push Notification Service" (breaks network settings view on Windows 10) recommend: strict docs: # It enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. 
@@ -6180,31 +6353,34 @@ actions: category: Disable Xbox services children: - - name: Xbox Live Auth Manager + name: Disable "Xbox Live Auth Manager" service recommend: standard + docs: https://batcmd.com/windows/10/services/xblauthmanager/ call: function: DisableService parameters: serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Xbox Live Game Save + name: Disable "Xbox Live Game Save" service recommend: standard + docs: https://batcmd.com/windows/10/services/xblgamesave/ call: function: DisableService parameters: serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Xbox Live Networking Service + name: Disable "Xbox Live Networking Service" recommend: standard + docs: https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_v1.12.0.audit:413ad68866cc396f0bd1dd4ead7deb97 call: function: DisableService parameters: serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - - name: Disable Volume Shadow Copy Service (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC + name: Disable "Volume Shadow Copy Service" (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC recommend: strict docs: - https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service @@ -6236,7 +6412,7 @@ actions: category: Remove bloatware children: - - category: Uninstall Windows apps + category: Remove Windows apps docs: |- This category focuses on the uninstallation of Windows apps. 
@@ -6255,7 +6431,7 @@ actions: # - Windows.immersivecontrolpanel # "Settings app", required for settings view. - - category: Uninstall provisioned Windows apps + category: Remove provisioned Windows apps docs: |- This category addresses the uninstallation of provisioned Windows apps. @@ -6271,7 +6447,7 @@ actions: [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" children: - - name: App Connector app + name: Remove "App Connector" app recommend: strict docs: |- This scripts unininstalls the "App Connector" Windows app. @@ -6302,7 +6478,7 @@ actions: packageName: Microsoft.Appconnector # Discontinued after Windows 10 1511 publisherId: 8wekyb3d8bbwe - - category: Uninstall 3D modeling apps + category: Remove 3D modeling apps docs: |- This category provides scripts for uninstalling pre-installed 3D modeling applications from Windows. @@ -6312,7 +6488,7 @@ actions: These apps, while useful for certain users, might not be required by everyone, thus providing the option to uninstall them. children: - - name: Microsoft 3D Builder app + name: Remove "Microsoft 3D Builder" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003172322/https://apps.microsoft.com/store/detail/3d-builder/9WZDNCRFJ3T6?hl=en-us) @@ -6328,7 +6504,7 @@ actions: packageName: Microsoft.3DBuilder publisherId: 8wekyb3d8bbwe - - name: 3D Viewer app + name: Remove "3D Viewer" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003172807/https://apps.microsoft.com/store/detail/3d-viewer/9NBLGGH42THS?hl=en-us) 
@@ -6347,7 +6523,7 @@ actions: packageName: Microsoft.Microsoft3DViewer publisherId: 8wekyb3d8bbwe - - category: Uninstall MSN (Bing) apps + category: Remove MSN (Bing) apps docs: |- This category covers scripts designed to uninstall MSN (sometimes branded as "Bing" or just "Microsoft") applications from Windows. @@ -6357,7 +6533,7 @@ actions: If users prefer other sources or tools for this information, they might wish to uninstall these default apps to declutter their system. children: - - name: MSN Weather app + name: Remove "MSN Weather" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003173207/https://apps.microsoft.com/store/detail/msn-weather/9WZDNCRFJ3Q2?hl=en-us) @@ -6377,7 +6553,7 @@ actions: packageName: Microsoft.BingWeather publisherId: 8wekyb3d8bbwe - - name: MSN Sports app + name: Remove "MSN Sports" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20221204144111/https://apps.microsoft.com/store/detail/msn-sports/9WZDNCRFHVH4?hl=en-us&gl=us) @@ -6395,7 +6571,7 @@ actions: packageName: Microsoft.BingSports publisherId: 8wekyb3d8bbwe - - name: Microsoft News app + name: Remove "Microsoft News" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003194608/https://apps.microsoft.com/store/detail/microsoft-news/9WZDNCRFHVFW?hl=en-us) @@ -6414,7 +6590,7 @@ actions: packageName: Microsoft.BingNews publisherId: 8wekyb3d8bbwe - - name: MSN Money app + name: Remove "MSN Money" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003195625/https://apps.microsoft.com/store/detail/msn-money/9WZDNCRFHV4V) @@ -6432,7 +6608,7 @@ actions: packageName: Microsoft.BingFinance publisherId: 8wekyb3d8bbwe - - name: Uninstall Cortana app + name: Remove "Cortana" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003195834/https://apps.microsoft.com/store/detail/cortana/9NFFX4SZZ23L) 
@@ -6444,7 +6620,7 @@ actions: packageName: Microsoft.549981C3F5F10 publisherId: 8wekyb3d8bbwe - - name: App Installer app + name: Remove "App Installer" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003200344/https://apps.microsoft.com/store/detail/app-installer/9NBLGGH4NNS1) @@ -6462,7 +6638,7 @@ actions: packageName: Microsoft.DesktopAppInstaller publisherId: 8wekyb3d8bbwe - - name: Get Help app + name: Remove "Get Help" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T) @@ -6478,7 +6654,7 @@ actions: packageName: Microsoft.GetHelp publisherId: 8wekyb3d8bbwe - - name: Microsoft Tips app + name: Remove "Microsoft Tips" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003200952/https://apps.microsoft.com/store/detail/microsoft-tips/9WZDNCRDTBJJ) @@ -6495,7 +6671,7 @@ actions: packageName: Microsoft.Getstarted publisherId: 8wekyb3d8bbwe - - category: Extensions + category: Remove extensions docs: |- This category focuses on scripts designed to uninstall specific extensions from Windows. @@ -6508,7 +6684,7 @@ actions: [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" children: - - name: HEIF Image Extensions app + name: Remove "HEIF Image Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003201158/https://apps.microsoft.com/store/detail/heif-image-extensions/9PMMSR1CGPWG) @@ -6524,7 +6700,7 @@ actions: packageName: Microsoft.HEIFImageExtension publisherId: 8wekyb3d8bbwe - - name: VP9 Video Extensions app + name: Remove "VP9 Video Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003201732/https://apps.microsoft.com/store/detail/vp9-video-extensions/9N4D0MSMP0PT) 
@@ -6540,7 +6716,7 @@ actions: packageName: Microsoft.VP9VideoExtensions publisherId: 8wekyb3d8bbwe - - name: Web Media Extensions app + name: Remove "Web Media Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202207/https://apps.microsoft.com/store/detail/web-media-extensions/9N5TDP8VCMHS) @@ -6556,7 +6732,7 @@ actions: packageName: Microsoft.WebMediaExtensions publisherId: 8wekyb3d8bbwe - - name: Webp Image Extensions app + name: Remove "Webp Image Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202310/https://apps.microsoft.com/store/detail/webp-image-extensions/9PG2DK419DRG) @@ -6572,7 +6748,7 @@ actions: packageName: Microsoft.WebpImageExtension publisherId: 8wekyb3d8bbwe - - name: Microsoft Messaging app + name: Remove "Microsoft Messaging" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202812/https://apps.microsoft.com/store/detail/microsoft-messaging/9WZDNCRFJBQ6) @@ -6591,7 +6767,7 @@ actions: packageName: Microsoft.Messaging publisherId: 8wekyb3d8bbwe - - name: Mixed Reality Portal app + name: Remove "Mixed Reality Portal" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202910/https://apps.microsoft.com/store/detail/mixed-reality-portal/9NG1H8B3ZC7M) @@ -6607,7 +6783,7 @@ actions: packageName: Microsoft.MixedReality.Portal publisherId: 8wekyb3d8bbwe - - category: Uninstall Microsoft Office apps + category: Remove Microsoft Office apps docs: |- This category focuses on scripts that help uninstall select Microsoft Office apps that may come pre-installed with Windows. @@ -6617,7 +6793,7 @@ actions: other preferred tools or the web versions suit their needs better. children: - - name: Microsoft 365 (Office) app + name: Remove "Microsoft 365 (Office)" app recommend: standard docs: |- [Microsoft Store Page](https://archive.ph/ZXfCl) 
@@ -6636,7 +6812,7 @@ actions: packageName: Microsoft.MicrosoftOfficeHub publisherId: 8wekyb3d8bbwe - - name: OneNote app + name: Remove "OneNote" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003203445/https://apps.microsoft.com/store/detail/onenote/9WZDNCRFHVJL) @@ -6655,7 +6831,7 @@ actions: packageName: Microsoft.Office.OneNote publisherId: 8wekyb3d8bbwe - - name: Sway app + name: Remove "Sway" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003204225/https://apps.microsoft.com/store/detail/sway/9WZDNCRD2G0J?hl=en-us) @@ -6670,7 +6846,7 @@ actions: packageName: Microsoft.Office.Sway publisherId: 8wekyb3d8bbwe - - name: Feedback Hub app + name: Remove "Feedback Hub" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003210719/https://apps.microsoft.com/store/detail/feedback-hub/9NBLGGH4R32N) @@ -6688,7 +6864,7 @@ actions: packageName: Microsoft.WindowsFeedbackHub publisherId: 8wekyb3d8bbwe - - name: Windows Clock app + name: Remove "Windows Alarms and Clock" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092407/https://apps.microsoft.com/store/detail/windows-clock/9WZDNCRFJ3PR) @@ -6706,7 +6882,7 @@ actions: packageName: Microsoft.WindowsAlarms publisherId: 8wekyb3d8bbwe - - name: Windows Camera app + name: Remove "Windows Camera" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092455/https://apps.microsoft.com/store/detail/windows-camera/9WZDNCRFJBBG) @@ -6725,7 +6901,7 @@ actions: packageName: Microsoft.WindowsCamera publisherId: 8wekyb3d8bbwe - - name: Paint 3D app + name: Remove "Paint 3D" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092446/https://apps.microsoft.com/store/detail/paint-3d/9NBLGGH5FV99) 
@@ -6741,7 +6917,7 @@ actions: packageName: Microsoft.MSPaint publisherId: 8wekyb3d8bbwe - - name: Windows Maps app + name: Remove "Windows Maps" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092559/https://apps.microsoft.com/store/detail/windows-maps/9WZDNCRDTBVB) @@ -6761,7 +6937,7 @@ actions: packageName: Microsoft.WindowsMaps publisherId: 8wekyb3d8bbwe - - name: Minecraft for Windows + name: Remove "Minecraft for Windows" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092835/https://apps.microsoft.com/store/detail/minecraft-for-windows/9nblggh2jhxj) call: @@ -6772,7 +6948,7 @@ actions: packageName: Microsoft.MinecraftUWP publisherId: 8wekyb3d8bbwe - - category: Uninstall Microsoft Store apps + category: Remove Microsoft Store apps docs: |- This category houses scripts dedicated to uninstalling specific applications related to the Microsoft Store. As the digital storefront for Microsoft, the Microsoft Store is a hub for apps, games, movies, and other content. @@ -6783,7 +6959,7 @@ actions: and act carefully. children: - - name: Microsoft Store app + name: Remove "Microsoft Store" app docs: |- This script aims to uninstall the Microsoft Store app (also known as Store [1]), which comes pre-installed on modern versions of Windows [1] [2] [3]. @@ -6818,7 +6994,7 @@ actions: packageName: Microsoft.WindowsStore publisherId: 8wekyb3d8bbwe - - name: Store Purchase app + name: Remove "Store Purchase" app docs: |- This script uninstalls the "Store Purchase" app. @@ -6838,7 +7014,7 @@ actions: packageName: Microsoft.StorePurchaseApp publisherId: 8wekyb3d8bbwe - - name: Microsoft People app + name: Remove "Microsoft People" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004105428/https://apps.microsoft.com/store/detail/microsoft-people/9NBLGGH10PG8) 
@@ -6855,7 +7031,7 @@ actions: packageName: Microsoft.People publisherId: 8wekyb3d8bbwe - - name: Microsoft Pay app + name: Remove "Microsoft Pay" app docs: |- This script is uninstalls the Microsoft Pay app. Microsoft Pay, previously known as "Microsoft Wallet" [1] [2] [3], is a cloud-based payment and wallet technology provided by Microsoft [2]. This system enables users to make secure payments through @@ -6882,7 +7058,7 @@ actions: packageName: Microsoft.Wallet publisherId: 8wekyb3d8bbwe - - name: Snipping Tool app + name: Remove "Snipping Tool" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004133447/https://apps.microsoft.com/store/detail/snipping-tool/9MZ95KL8MR0L) @@ -6900,7 +7076,7 @@ actions: packageName: Microsoft.ScreenSketch publisherId: 8wekyb3d8bbwe - - name: Print 3D app + name: Remove "Print 3D" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20220430015415/https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s?activetab=pivot:overviewtab) @@ -6916,7 +7092,7 @@ actions: packageName: Microsoft.Print3D publisherId: 8wekyb3d8bbwe - - name: Mobile Plans app + name: Remove "Mobile Plans" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004142628/https://apps.microsoft.com/store/detail/mobile-plans/9NBLGGH5PNB1) @@ -6932,7 +7108,7 @@ actions: packageName: Microsoft.OneConnect publisherId: 8wekyb3d8bbwe - - name: Microsoft Solitaire Collection app + name: Remove "Microsoft Solitaire Collection" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20230609084501/https://apps.microsoft.com/store/detail/microsoft-solitaire-collection/9wzdncrfhwd2) @@ -6948,7 +7124,7 @@ actions: packageName: Microsoft.MicrosoftSolitaireCollection publisherId: 8wekyb3d8bbwe - - name: Microsoft Sticky Notes app + name: Remove "Microsoft Sticky Notes" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20230806145300/https://apps.microsoft.com/store/detail/microsoft-sticky-notes/9NBLGGH4QGHW) 
@@ -6964,7 +7140,7 @@ actions: packageName: Microsoft.MicrosoftStickyNotes publisherId: 8wekyb3d8bbwe - - category: Xbox + category: Remove Xbox apps docs: |- This category contains scripts designed to uninstall specific Windows apps related to Xbox. Uninstalling these apps may enhance system performance and privacy, as fewer apps are running in the background, accessing personal data or utilizing system resources. @@ -6972,7 +7148,7 @@ actions: If you're not using these services or apps, it might be beneficial to disable them for a cleaner and more privacy-focused user experience. children: - - name: Xbox Console Companion app + name: Remove "Xbox Console Companion" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004143830/https://apps.microsoft.com/store/detail/xbox-console-companion/9WZDNCRFJBD8) @@ -6993,7 +7169,7 @@ actions: packageName: Microsoft.XboxApp publisherId: 8wekyb3d8bbwe - - name: Xbox Live in-game experience app + name: Remove "Xbox Live in-game experience" app recommend: standard docs: |- This script uninstalls the "Xbox Live in-game experience" app [1]. @@ -7020,7 +7196,7 @@ actions: packageName: Microsoft.Xbox.TCUI publisherId: 8wekyb3d8bbwe - - name: Xbox Game Bar app + name: Remove "Xbox Game Bar" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004144844/https://apps.microsoft.com/store/detail/xbox-game-bar/9NZKPSTSNW4P) @@ -7040,7 +7216,7 @@ actions: packageName: Microsoft.XboxGamingOverlay publisherId: 8wekyb3d8bbwe - - name: Xbox Game Bar Plugin + name: Remove "Xbox Game Bar Plugin" app recommend: standard docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
@@ -7058,7 +7234,7 @@ actions: packageName: Microsoft.XboxGameOverlay publisherId: 8wekyb3d8bbwe - - name: Xbox Identity Provider app + name: Remove "Xbox Identity Provider" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004150131/https://apps.microsoft.com/store/detail/xbox-identity-provider/9WZDNCRD1HKW) @@ -7076,7 +7252,7 @@ actions: packageName: Microsoft.XboxIdentityProvider publisherId: 8wekyb3d8bbwe - - name: Xbox Speech To Text Overlay app + name: Remove "Xbox Speech To Text Overlay" app recommend: standard docs: |- This script uninstalls the "Xbox Speech To Text Overlay" app. @@ -7101,7 +7277,7 @@ actions: packageName: Microsoft.XboxSpeechToTextOverlay publisherId: 8wekyb3d8bbwe - - name: Mail and Calendar app + name: Remove "Mail and Calendar" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004175316/https://apps.microsoft.com/store/detail/mail-and-calendar/9WZDNCRFHVQM) @@ -7120,7 +7296,7 @@ actions: packageName: microsoft.windowscommunicationsapps publisherId: 8wekyb3d8bbwe - - name: Windows Media Player app + name: Remove "Windows Media Player" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231005124745/https://apps.microsoft.com/store/detail/windows-media-player/9WZDNCRFJ3PT) @@ -7139,7 +7315,7 @@ actions: packageName: Microsoft.ZuneMusic publisherId: 8wekyb3d8bbwe - - name: Movies & TV app + name: Remove "Movies & TV" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231005124924/https://apps.microsoft.com/store/detail/movies-tv/9WZDNCRFJ3P2) @@ -7158,7 +7334,7 @@ actions: packageName: Microsoft.ZuneVideo publisherId: 8wekyb3d8bbwe - - name: Windows Calculator app + name: Remove "Windows Calculator" app docs: |- [Microsoft Store Page](https://archive.ph/64EWx) 
@@ -7177,7 +7353,7 @@ actions: packageName: Microsoft.WindowsCalculator publisherId: 8wekyb3d8bbwe - - name: Microsoft Photos app + name: Remove "Microsoft Photos" app docs: |- [Microsoft Store Page](https://archive.ph/rBoCX) @@ -7196,7 +7372,7 @@ actions: packageName: Microsoft.Windows.Photos publisherId: 8wekyb3d8bbwe - - name: Skype app + name: Remove "Skype" app docs: |- [Microsoft Store Page](https://archive.ph/vL2FJ) @@ -7213,7 +7389,7 @@ actions: packageName: Microsoft.SkypeApp publisherId: kzf8qxf38zg5c - - name: GroupMe app + name: Remove "GroupMe" app docs: |- [Microsoft Store Page](https://archive.ph/ggBiX) call: @@ -7224,7 +7400,7 @@ actions: packageName: Microsoft.GroupMe10 publisherId: kzf8qxf38zg5c - - name: Windows Sound Recorder app + name: Remove "Windows Sound Recorder" app docs: |- [Microsoft Store Page](https://archive.ph/8Fe9K) @@ -7243,14 +7419,14 @@ actions: packageName: Microsoft.WindowsSoundRecorder publisherId: 8wekyb3d8bbwe - - category: Phone + category: Remove Phone apps docs: |- The "Phone" category contains scripts focused on managing phone-related Windows apps. These scripts cater to apps designed to connect smartphones with Windows, telecommunication tools like dialer apps, and older or substituted phone-associated apps. The scripts' objective is to provide users the flexibility to decide on the existence and functionalities of these apps, enhancing their control over personal preferences. children: - - name: Your Phone Companion app + name: Remove "Your Phone Companion" app docs: |- It was initially released in October 2018 [1]. It allows synchronization between your phone and PC [2]. @@ -7276,7 +7452,7 @@ actions: packageName: Microsoft.Windows.Phone publisherId: 8wekyb3d8bbwe - - name: Communications - Phone app # Depreciated in newer Windows 10 + name: Remove "Communications - Phone" app # Deprecated in newer Windows 10 docs: |- This app is also known as "Phone (dialer)" app [1]. 
@@ -7291,7 +7467,7 @@ actions: packageName: Microsoft.CommsPhone publisherId: 8wekyb3d8bbwe - - name: Phone Link app + name: Remove "Phone Link" app docs: |- [Microsoft Store Page](https://archive.ph/Z4q70) @@ -7310,7 +7486,7 @@ actions: packageName: Microsoft.YourPhone publisherId: 8wekyb3d8bbwe - - category: Uninstall installed Windows apps + category: Remove installed Windows apps docs: |- This category covers uninstallation of pre-installed Windows apps. @@ -7321,7 +7497,7 @@ actions: [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" children: - - name: Microsoft Advertising app + name: Remove "Microsoft Advertising" app recommend: standard docs: |- - [More about Microsoft Advertising SDK](https://web.archive.org/web/20231003190154/https://learn.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries) @@ -7334,7 +7510,7 @@ actions: packageName: Microsoft.Advertising.Xaml publisherId: 8wekyb3d8bbwe - - name: Microsoft Remote Desktop app + name: Remove "Microsoft Remote Desktop" app docs: |- [Microsoft Store Page](https://archive.ph/jGZBm) @@ -7351,7 +7527,7 @@ actions: packageName: Microsoft.RemoteDesktop publisherId: 8wekyb3d8bbwe - - name: Network Speed Test app + name: Remove "Network Speed Test" app recommend: standard docs: |- [Microsoft Store Page](https://archive.ph/EpJ1B) @@ -7367,7 +7543,7 @@ actions: packageName: Microsoft.NetworkSpeedTest publisherId: 8wekyb3d8bbwe - - name: "Microsoft To Do: Lists, Tasks & Reminders app" + name: 'Remove "Microsoft To Do: Lists, Tasks & Reminders" app' docs: |- [Microsoft Store Page](https://archive.ph/tOSDW) 
@@ -7382,13 +7558,13 @@ actions: packageName: Microsoft.Todos publisherId: 8wekyb3d8bbwe - - category: Third party + category: Remove third-party apps docs: |- This category provides options to uninstall third-party applications (not developed by Microsoft) that may come preinstalled or be available for installation on specific Windows versions. children: - - name: Shazam app + name: Remove "Shazam" app docs: |- [Microsoft Store Page](https://archive.ph/zjVBQ) @@ -7409,7 +7585,7 @@ actions: on certain versions of Windows. These actions help streamline the system by removing potentially unwanted games. children: - - name: Candy Crush Saga app + name: Remove "Candy Crush Saga" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231007015121/https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846) call: @@ -7420,7 +7596,7 @@ actions: packageName: king.com.CandyCrushSaga publisherId: kgqvnymyfvs32 - - name: Candy Crush Soda Saga app + name: Remove "Candy Crush Soda Saga" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231007015313/https://www.microsoft.com/en-us/p/candy-crush-soda-saga/9nblggh1zrpv) call: @@ -7431,7 +7607,7 @@ actions: packageName: king.com.CandyCrushSodaSaga publisherId: kgqvnymyfvs32 - - name: Flipboard app + name: Remove "Flipboard" app docs: |- [Microsoft Store Page](https://archive.ph/yEn8l) call: @@ -7442,7 +7618,7 @@ actions: packageName: Flipboard.Flipboard publisherId: 3f5azkryzdbc4 - - name: Twitter app + name: Remove "Twitter" app docs: |- [Microsoft Store Page](https://archive.ph/4xGBR) call: @@ -7453,7 +7629,7 @@ actions: packageName: 9E2F88E3.Twitter publisherId: wgeqdkkx372wm - - name: '"iHeart: Radio, Music, Podcasts" app' + name: 'Remove "iHeart: Radio, Music, Podcasts" app' docs: |- [Microsoft Store Page](https://archive.ph/qKiUM) call: 
@@ -7464,7 +7640,7 @@ actions: packageName: ClearChannelRadioDigital.iHeartRadio publisherId: a76a11dkgb644 - - name: '"Duolingo - Language Lessons" app' + name: 'Remove "Duolingo - Language Lessons" app' docs: |- [Microsoft Store Page](https://archive.ph/AgJOE) @@ -7479,7 +7655,7 @@ actions: packageName: D5EA27B7.Duolingo-LearnLanguagesforFree publisherId: yx6k7tf7xvsea - - name: Adobe Photoshop Express app + name: Remove "Adobe Photoshop Express" app docs: |- [Microsoft Store Page](https://archive.ph/213f5) @@ -7496,7 +7672,7 @@ actions: packageName: AdobeSystemsIncorporated.AdobePhotoshopExpress # Official docs is wrong (given as `AdobeSystemIncorporated.AdobePhotoshop`) publisherId: ynb6jyjzte8ga - - name: Pandora app + name: Remove "Pandora" app docs: |- [Microsoft Store Page](https://archive.ph/uKHGP) @@ -7511,7 +7687,7 @@ actions: packageName: PandoraMediaInc.29680B314EFC2 publisherId: n619g4d5j0fnw - - name: Eclipse Manager app + name: Remove "Eclipse Manager" app docs: |- [Microsoft Store Page](https://archive.ph/bnllD) @@ -7526,7 +7702,7 @@ actions: packageName: 46928bounde.EclipseManager publisherId: a5h4egax66k6y - - name: Code Writer app + name: Remove "Code Writer" app docs: |- [Microsoft Store Page](https://archive.ph/RZY0r) @@ -7541,7 +7717,7 @@ actions: packageName: ActiproSoftwareLLC.562882FEEB491 publisherId: 24pqs290vpjk0 - - name: '"Spotify - Music and Podcasts" app' + name: 'Remove "Spotify - Music and Podcasts" app' docs: |- [Microsoft Store Page](https://archive.ph/r3VwJ) call: @@ -7552,7 +7728,7 @@ actions: packageName: SpotifyAB.SpotifyMusic publisherId: zpdnekdrzrea0 - - category: Uninstall system apps + category: Remove system apps docs: |- This category includes scripts for uninstalling default system apps in Windows. 
@@ -7572,7 +7748,7 @@ actions: [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" children: - - name: File Picker app + name: Remove "File Picker" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7586,7 +7762,7 @@ actions: # More info : Get-AppxPackage 1527c705-839a-4832-9118-54d4Bd6a0c89 packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89 - - name: File Explorer app + name: Remove "File Explorer" app docs: | This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7600,7 +7776,7 @@ actions: # More info : Get-AppxPackage c5e2524a-ea46-4f67-841f-6a9465d9d515 packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515 - - name: App Resolver UX app + name: Remove "App Resolver UX" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7614,7 +7790,7 @@ actions: # More info : Get-AppxPackage E2A4F912-2574-4A75-9BB0-0D023378592B packageName: E2A4F912-2574-4A75-9BB0-0D023378592B - - name: Add Suggested Folders To Library app + name: Remove "Add Suggested Folders To Library" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7636,7 +7812,7 @@ actions: # More info : Get-AppxPackage InputApp packageName: InputApp - - name: Microsoft AAD Broker Plugin app (breaks Night Light settings, taskbar keyboard selection and Office app authentication) + name: Remove "Microsoft AAD Broker Plugin" app (breaks Night Light settings, taskbar keyboard selection and Office app authentication) # recommend: strict (Unrecommended due to too many side-effects) docs: |- This script uninstalls the "Microsoft AAD Broker Plugin" app. This app is also referred to as the "Work or school account" or "Broker plug-in" [1]. 
@@ -7671,7 +7847,7 @@ actions: # More info : Get-AppxPackage Microsoft.AAD.BrokerPlugin packageName: Microsoft.AAD.BrokerPlugin # Offical docs point to wrong "Microsoft.AAD.Broker.Plugin" - - name: Microsoft Accounts Control app + name: Remove "Microsoft Accounts Control" app docs: |- It is also known as "Email and accounts" [1]. @@ -7688,7 +7864,7 @@ actions: # More info : Get-AppxPackage Microsoft.AccountsControl packageName: Microsoft.AccountsControl - - name: Microsoft Async Text Service app + name: Remove "Microsoft Async Text Service" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7702,10 +7878,10 @@ actions: # More info : Get-AppxPackage Microsoft.AsyncTextService packageName: Microsoft.AsyncTextService - - category: Windows Hello setup UI + category: Remove Windows Hello setup UI apps children: - - name: Hello setup UI app (breaks biometric authentication) + name: Remove "Hello setup UI" app (breaks biometric authentication) recommend: strict docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7722,7 +7898,7 @@ actions: # More info : Get-AppxPackage Microsoft.BioEnrollment packageName: Microsoft.BioEnrollment - - name: Credentials Dialog Host app + name: Remove "Credentials Dialog Host" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2] [3]. @@ -7737,7 +7913,7 @@ actions: # More info : Get-AppxPackage Microsoft.CredDialogHost packageName: Microsoft.CredDialogHost - - name: EC app + name: Remove "EC" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7751,7 +7927,7 @@ actions: # More info : Get-AppxPackage Microsoft.ECApp packageName: Microsoft.ECApp - - name: Lock app (shows lock screen) + name: Remove "Lock" app (shows lock screen) docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
@@ -7767,14 +7943,14 @@ actions: # More info : Get-AppxPackage Microsoft.LockApp packageName: Microsoft.LockApp - - category: Microsoft Edge + category: Remove Edge apps docs: |- These scripts disable Windows apps related to Microsoft Edge [1]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 children: - - category: Uninstall Microsoft Edge (Legacy) + category: Remove Edge (Legacy) docs: |- This category aids in the removal of Microsoft Edge Legacy. Microsoft introduced the Legacy version based on the EdgeHTML engine [1]. However, as of March 9, 2021, they stopped supporting this version, implying it no longer gets security updates or patches [1]. @@ -7794,7 +7970,7 @@ actions: [2]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support" children: - - name: Microsoft Edge (Legacy) app + name: Remove "Microsoft Edge" app recommend: strict docs: |- This script uninstalls the "Microsoft Edge" Windows app. @@ -7820,7 +7996,7 @@ actions: # More info : Get-AppxPackage Microsoft.MicrosoftEdge packageName: Microsoft.MicrosoftEdge - - name: Microsoft Edge (Legacy) Dev Tools Client app + name: Remove "Microsoft Edge Dev Tools Client" app recommend: strict docs: |- This script removes the Developer Tools (DevTools) app that was paired with Microsoft Edge Legacy. These tools, now outdated, haven't @@ -7846,7 +8022,7 @@ actions: # More info : Get-AppxPackage Microsoft.MicrosoftEdgeDevToolsClient packageName: Microsoft.MicrosoftEdgeDevToolsClient - - name: Remove Microsoft Edge (legacy) file and URL associations + name: Remove Edge (legacy) file and URL associations recommend: strict docs: |- This script unlinks file and URL associations from the legacy Microsoft Edge, ensuring that it is not mistakenly recognized as 
@@ -7891,7 +8067,7 @@ actions: AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723_.pdf AppXq0fevzme2pys62n3e0fbqa7peapykr8v_http AppX90nv6nhay5n6a98fnetv7tpk64pp35es_https - - name: Win32 Web View Host app / Desktop App Web Viewer + name: Remove "Win32 Web View Host" / "Desktop App Web Viewer" app recommend: strict docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7906,7 +8082,7 @@ actions: # More info : Get-AppxPackage Microsoft.Win32WebViewHost packageName: Microsoft.Win32WebViewHost - - name: Microsoft PPI Projection app + name: Remove "Microsoft PPI Projection" app docs: |- [More about Perceptive Pixel](https://en.wikipedia.org/wiki/Perceptive_Pixel) @@ -7923,7 +8099,7 @@ actions: # More info : Get-AppxPackage Microsoft.PPIProjection packageName: Microsoft.PPIProjection - - name: ChxApp app + name: Remove "ChxApp" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7937,7 +8113,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.Apprep.ChxApp packageName: Microsoft.Windows.Apprep.ChxApp - - name: Assigned Access Lock App app + name: Remove "Assigned Access Lock App" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -7951,7 +8127,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.AssignedAccessLockApp packageName: Microsoft.Windows.AssignedAccessLockApp - - name: Capture Picker app + name: Remove "Capture Picker" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
@@ -7965,7 +8141,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.CapturePicker packageName: Microsoft.Windows.CapturePicker - - name: Cloud Experience Host app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in) + name: Remove "Cloud Experience Host" app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in) # recommend: strict (Unrecommended due to too many side-effects) docs: |- This script uninstall the Microsoft Cloud Experience Host service. @@ -8008,7 +8184,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.CloudExperienceHost packageName: Microsoft.Windows.CloudExperienceHost - - name: Content Delivery Manager app + name: Remove "Content Delivery Manager" app recommend: strict docs: |- This script uninstalls the "Content Delivery Manager" app. @@ -8034,10 +8210,10 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.ContentDeliveryManager packageName: Microsoft.Windows.ContentDeliveryManager - - category: Uninstall Cortana system apps + category: Remove Cortana system apps children: - - name: Search app (breaks Windows search) + name: Remove "Search" app (breaks Windows search) docs: |- This script removes two specific apps from Windows: @@ -8073,7 +8249,7 @@ actions: packageName: Microsoft.Windows.Search # Added in version Windows 10 2004, it was called "Cortana" before now it's plain "Search" publisherId: cw5n1h2txyewy - - name: Holographic First Run app + name: Remove "Holographic First Run" app recommend: standard docs: |- The "Windows Holographic First Run" app is a diagnostic tool on Windows, designed for potential users of Microsoft's Hololens, an augmented reality headset [1]. 
@@ -8101,7 +8277,7 @@ actions: [1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn" children: - - name: OOBE Network Captive Portal app + name: Remove "OOBE Network Captive Portal" app docs: |- This script uninstall the OOBE Network Captive Portal app. The app is part of the Out-of-Box Experience (OOBE) process in Windows [1]. When users set up their Windows system for the first time, they encounter the "Let's connect you to a network" screen [1]. This screen precedes the End User License Agreement @@ -8124,7 +8300,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.OOBENetworkCaptivePortal packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Offical docs point to wrong "Microsoft.Windows.OOBENetworkCaptivePort" - - name: OOBE Network Connection Flow app + name: Remove "OOBE Network Connection Flow" app docs: |- This script uninstalls the "OOBE Network Connection Flow" app from Windows devices. The OOBE (Out-of-Box Experience) Network Connection Flow app assists users during their initial setup of a Windows device [1]. When setting up, users encounter the "Let's connect you to a network" screen, which lists available @@ -8152,7 +8328,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.OOBENetworkConnectionFlow packageName: Microsoft.Windows.OOBENetworkConnectionFlow - - name: Microsoft Family Safety / Parental control app + name: Remove "Microsoft Family Safety" / "Parental control" app recommend: standard docs: |- This script uninstalls the parental control app for Microsoft Family Safety. 
@@ -8186,10 +8362,10 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.ParentalControls packageName: Microsoft.Windows.ParentalControls - - category: People Hub + category: Remove People Hub apps children: - - name: My People app + name: Remove "My People" app recommend: strict docs: |- This script uninstalls the "My People" app. @@ -8217,7 +8393,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.PeopleExperienceHost packageName: Microsoft.Windows.PeopleExperienceHost - - name: Pinning Confirmation Dialog app + name: Remove "Pinning Confirmation Dialog" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -8231,7 +8407,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.PinningConfirmationDialog packageName: Microsoft.Windows.PinningConfirmationDialog - - name: Secondary Tile Experience app + name: Remove "Secondary Tile Experience" app recommend: strict docs: |- This script removes the Second Tile Experience app from your computer. The Second Tile Experience helps in providing a feature in Windows that lets users create quick access shortcuts, @@ -8255,7 +8431,7 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.SecondaryTileExperience packageName: Microsoft.Windows.SecondaryTileExperience - - name: Take a Test app + name: Remove "Take a Test" app recommend: strict docs: |- This script uninstalls the "Take a Test" application, also known as "secure assessment browser" [1] [2] [3]. It is a feature in Windows primarily used for online testing @@ -8285,10 +8461,10 @@ actions: # More info : Get-AppxPackage Microsoft.Windows.SecureAssessmentBrowser packageName: Microsoft.Windows.SecureAssessmentBrowser - - category: Windows Feedback + category: Remove Windows Feedback apps children: - - name: Windows Feedback app + name: Remove "Windows Feedback" app recommend: standard docs: |- This app comes pre-installed on certain versions of Windows [1]. 
@@ -8302,9 +8478,9 @@ actions: # More info : Get-AppxPackage Microsoft.WindowsFeedback packageName: Microsoft.WindowsFeedback - - name: Xbox Game Callable UI app (breaks Xbox Live games) - docs: |- # Fix docs - This script uninstall "Xbox Game Callable UI" (TCUI) app. + name: Remove "Xbox Game Callable UI" app (breaks Xbox Live games) + docs: |- + This script uninstalls the "Xbox Game Callable UI" (TCUI) app. This app acts as an intermediary tool that games can use to bring up common UI elements on the Xbox platform [1]. These displays, consistent with the RS5 Gamebar style, offer functionalities such as profile viewing, game invite sending, people selection, @@ -8325,7 +8501,7 @@ actions: # More info : Get-AppxPackage Microsoft.XboxGameCallableUI packageName: Microsoft.XboxGameCallableUI - - name: CBS Preview app + name: Remove "CBS Preview" app recommend: standard docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -8340,7 +8516,7 @@ actions: # More info : Get-AppxPackage Windows.CBSPreview packageName: Windows.CBSPreview - - name: Contact Support app + name: Remove "Contact Support" app docs: |- This app comes pre-installed on certain versions of Windows [1]. @@ -8353,7 +8529,7 @@ actions: # More info : Get-AppxPackage Windows.ContactSupport packageName: Windows.ContactSupport - - name: Windows Print 3D app + name: Remove "Windows Print 3D" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -8367,7 +8543,7 @@ actions: # More info : Get-AppxPackage Windows.Print3D packageName: Windows.Print3D - - name: Print UI app + name: Remove "Print UI" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. @@ -8380,7 +8556,7 @@ actions: # Publisher ID : cw5n1h2txyewy # More info : Get-AppxPackage Windows.PrintDialog packageName: Windows.PrintDialog - - + - category: Remove OneDrive docs: |- Microsoft OneDrive (formerly SkyDrive) is a file hosting service operated by Microsoft [1]. 
@@ -8426,7 +8602,7 @@ actions: code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /f 2>nul revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe\" /background" /f - - name: Uninstall OneDrive + name: Remove OneDrive through official installer docs: |- This script will call official Microsoft uninstaller that will uninstall the application but residual files will be left. You won't lose data by uninstalling OneDrive from computer because they will be stored in cloud [1]. @@ -8436,7 +8612,7 @@ actions: On Windows 11, the setup package is always inside `System32` regarding of the CPU architecture. Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5]. - + [1]: https://support.microsoft.com/en-us/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0 "Turn off, disable, or uninstall OneDrive | support.microsoft.com" [2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016#method-2-uninstall-onedriveexe "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn" [3]: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/lists-and-libraries/cannot-open-onedrive-on-images-using-sysprep#how-to-correctly-deploy-onedrive-via-sysprep "Can't open OneDrive on images using Sysprep - SharePoint | Microsoft Learn" @@ -8464,7 +8640,7 @@ actions: ) ) - - name: Remove OneDrive files + name: Remove OneDrive residual files recommend: strict docs: |- This script cleans OneDrive files such as installation directories, application data, 
@@ -8488,8 +8664,8 @@ actions: rd "%UserProfile%\OneDrive" /q /s ) :: OneDrive installation directory - if exist "%LocalAppData%\Microsoft\OneDrive" ( - rd "%LocalAppData%\Microsoft\OneDrive" /q /s + if exist "%LOCALAPPDATA%\Microsoft\OneDrive" ( + rd "%LOCALAPPDATA%\Microsoft\OneDrive" /q /s ) :: OneDrive data if exist "%ProgramData%\Microsoft OneDrive" ( @@ -8544,10 +8720,10 @@ actions: function: RunPowerShell parameters: code: |- - Set-Location "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace" - Get-ChildItem | ForEach-Object {Get-ItemProperty $_.pspath} | ForEach-Object { - $leftnavNodeName = $_."(default)"; - if (($leftnavNodeName -eq "OneDrive") -Or ($leftnavNodeName -eq "OneDrive - Personal")) { + Set-Location "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace" + Get-ChildItem | ForEach-Object {Get-ItemProperty $_.pspath} | ForEach-Object { + $leftnavNodeName = $_."(default)"; + if (($leftnavNodeName -eq "OneDrive") -Or ($leftnavNodeName -eq "OneDrive - Personal")) { if (Test-Path $_.pspath) { Write-Host "Deleting $($_.pspath)." Remove-Item $_.pspath; @@ -8555,7 +8731,7 @@ actions: } } - - name: Block OneDrive usage + name: Disable OneDrive usage recommend: strict docs: |- This script prevents [1]: @@ -8581,7 +8757,7 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSync" /f 2>nul - - name: Prevent automatic OneDrive installation + name: Disable automatic OneDrive installation docs: |- Windows 10 comes with `OneDriveSetup` entry in startup for automatic reinstallations even though OneDrive is uninstalled. This entry is missing in Windows 11 by default. 
@@ -8605,7 +8781,7 @@ actions: } else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\System32\OneDriveSetup.exe /silent" /f } - } + } - name: Remove OneDrive folder from File Explorer recommend: strict @@ -8613,9 +8789,9 @@ actions: File Explorer shows OneDrive to allow you to access files stored in OneDrive (stored online and locally cached) [1]. [CLSID](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm) for OneDrive is `018D5C66-4533-4307-9B53-224DE2ED1FE6` [2] for - both Windows 10 and 11. Changing pinning option for this key removed OneDrive from navigation file in File explorer [2]. + both Windows 10 and 11. Changing pinning option for this key removed OneDrive from navigation file in File Explorer [2]. - This CLSID includes `System.IsPinnedToNameSpaceTree` as value as `1` after clean installation in both Windows 10 and Windows 11. + This CLSID includes `System.IsPinnedToNameSpaceTree` as value as `1` after clean installation in both Windows 10 and Windows 11. [1]: https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com" [2]: https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com" @@ -8637,8 +8813,8 @@ actions: Both tasks are enabled by default. They are not documented officially either on Microsoft's website or inside Task Scheduler itself through any description. But one could find these tasks by running: - `Get-ScheduledTask 'OneDrive *' | Select -ExpandProperty TaskName`. - + `Get-ScheduledTask 'OneDrive *' | Select -ExpandProperty TaskName`. + The tasks are named accordingly: - OneDrive Reporting Task-S-1-5-21-994346235-3805487047-77196597-500 
@@ -8667,7 +8843,7 @@ actions: ``` Even disabling this using Task Scheduler UI shows "Catastrophic failure (Exception from HRESULT: 0x80000FFF (E_UNEXPECTED))". - + Disabling tasks with user SID works fine, you can test it using (run as .bat file, not directly on terminal): ```batchfile @@ -8703,7 +8879,7 @@ actions: } } - - name: Delete OneDrive environment variable + name: Clear OneDrive environment variable recommend: strict docs: |- Since Windows 10 1809, Microsoft introduced `%OneDrive%` environment variable to @@ -8713,12 +8889,12 @@ actions: This script deletes `OneDrive` environment variable [2]. `OneDrive` key at `HKCU\Environment` is found on both Windows 10 and Windows 11. - + [1]: https://superuser.com/a/1397495 "Determine OneDrive synchronisation folders - Super User | superuser.com" [2]: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch "Export registry value to file and then set a variable in Batch - Stack Overflow | stackoverflow.com" code: reg delete "HKCU\Environment" /v "OneDrive" /f 2>nul - - category: Uninstall Edge (chromium-based) + category: Remove Edge (Chromium) docs: |- This category automates the uninstallation of Microsoft Edge (also known as "Chromium Edge" or "New Edge" [1]), the web browser that comes pre-installed with many versions of Windows. @@ -8735,7 +8911,7 @@ actions: [3]: https://web.archive.org/web/20230907002011/https://support.microsoft.com/en-us/microsoft-edge/why-can-t-i-uninstall-microsoft-edge-ee150b3b-7d7a-9984-6d83-eb36683d526d "Why can't I uninstall Microsoft Edge? - Microsoft Support" children: - - name: Uninstall Edge through official installer + name: Remove Edge through official installer docs: |- This script uninstalls the Microsoft Edge using the official installer. 
@@ -8792,7 +8968,7 @@ actions: Write-Error "Failed to reinstall Microsoft Edge. Installer failed with exit code $($process.ExitCode)." } - - name: Remove Edge (Chromium-based) file and URL associations + name: Remove Edge (Chromium) file and URL associations docs: |- This script disconnects file and URL associations related to the Microsoft Edge browser on your computer. When you uninstall Edge, these associations remain intact, leading to potential unexpected behaviors [1] and vulnerabilities when opening specific file types or URLs. @@ -8833,9 +9009,9 @@ actions: parameters: code: |- # reg delete HKCR\{extension}\OpenWithProgIds\MSEdge{..} for %%A in ( - htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, - pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, - xhtml:MSEdgeHTM, webp:MSEdgeHTM, xml:MSEdgeHTM, + htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, + pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, + xhtml:MSEdgeHTM, webp:MSEdgeHTM, xml:MSEdgeHTM, mht:MSEdgeMHT, mhtml:MSEdgeMHT ) do ( for /f "tokens=1,2 delims=:" %%B in ("%%A") do ( @@ -8845,9 +9021,9 @@ actions: ) revertCode: |- # Common defaults since Windows 10 21H2 and Windows 11 21H2 for %%A in ( - htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, - pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, - xhtml:MSEdgeHTM, webp:MSEdgeHTM, mht:MSEdgeMHT, + htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, + pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, + xhtml:MSEdgeHTM, webp:MSEdgeHTM, mht:MSEdgeMHT, mhtml:MSEdgeMHT ) do ( for /f "tokens=1,2 delims=:" %%B in ("%%A") do ( @@ -8900,13 +9076,13 @@ actions: category: Disable built-in Windows features children: - - name: Direct Play feature + name: Disable "Direct Play" feature call: function: DisableFeature parameters: featureName: DirectPlay - - name: Internet Explorer feature + name: Disable "Internet Explorer" feature call: - function: DisableFeature 
@@ -8921,183 +9097,183 @@ actions: parameters: featureName: Internet-Explorer-Optional-amd64 - - name: Legacy Components feature + name: Disable "Legacy Components" feature call: function: DisableFeature parameters: featureName: LegacyComponents - - category: Server features for developers & administrators + category: Disable server features children: - - category: Hyper-V Virtualization + category: Disable Hyper-V virtualization features children: - - name: Hyper-V feature + name: Disable "Hyper-V" feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-All - - name: Hyper-V GUI Management Tools feature + name: Disable "Hyper-V GUI Management Tools" feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Management-Clients - - name: Hyper-V Management Tools feature + name: Disable "Hyper-V Management Tools" feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Tools-All - - name: Hyper-V Module for Windows PowerShell feature + name: Disable "Hyper-V Module for Windows PowerShell" feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Management-PowerShell - - name: Telnet Client feature + name: Disable "Telnet Client" feature docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx call: function: DisableFeature parameters: featureName: TelnetClient - - name: Net.TCP Port Sharing feature + name: Disable "Net.TCP Port Sharing" feature docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing call: function: DisableFeature parameters: featureName: WCF-TCP-PortSharing45 - - name: SMB Direct feature + name: Disable "SMB Direct" feature docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct call: function: DisableFeature parameters: featureName: SmbDirect - - name: TFTP Client feature + name: Disable "TFTP Client" feature call: function: 
DisableFeature parameters: featureName: TFTP - - category: Printing features + category: Disable printing features children: - - category: Printer networking + category: Disable printer networking children: - - name: Internet Printing Client + name: Disable "Internet Printing Client" feature call: function: DisableFeature parameters: featureName: Printing-Foundation-InternetPrinting-Client - - name: LPD Print Service + name: Disable "LPD Print Service" feature call: function: DisableFeature parameters: featureName: LPDPrintService - - name: LPR Port Monitor feature + name: Disable "LPR Port Monitor" feature call: function: DisableFeature parameters: featureName: Printing-Foundation-LPRPortMonitor - - name: Microsoft Print to PDF feature + name: Disable "Microsoft Print to PDF" feature call: function: DisableFeature parameters: featureName: Printing-PrintToPDFServices-Features - - name: Print and Document Services feature + name: Disable "Print and Document Services" feature call: function: DisableFeature parameters: featureName: Printing-Foundation-Features - - name: Work Folders Client feature + name: Disable "Work Folders Client" feature docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview call: function: DisableFeature parameters: featureName: WorkFolders-Client - - category: XPS support + category: Disable XPS support features children: - - name: XPS Services feature + name: Disable "XPS Services" feature call: function: DisableFeature parameters: featureName: Printing-XPSServices-Features - - name: XPS Viewer feature + name: Disable "XPS Viewer" feature call: function: DisableFeature parameters: featureName: Xps-Foundation-Xps-Viewer - - name: Media Features feature + name: Disable "Media Features" feature call: function: DisableFeature parameters: featureName: MediaPlayback - - name: Scan Management feature + name: Disable "Scan Management" feature call: function: DisableFeature parameters: featureName: 
ScanManagementConsole - - name: Windows Fax and Scan feature + name: Disable "Windows Fax and Scan" feature call: function: DisableFeature parameters: featureName: FaxServicesClientPackage - - name: Windows Media Player feature + name: Disable "Windows Media Player" feature call: function: DisableFeature parameters: featureName: WindowsMediaPlayer - - name: Windows Search feature + name: Disable "Windows Search" feature call: function: DisableFeature parameters: featureName: SearchEngine-Client-Package - - category: Uninstall capabilities & features on demand + category: Remove on-demand capabilities and features docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled children: - - category: Preinstalled + category: Remove preinstalled features on demand children: - - name: DirectX Configuration Database capability + name: Remove "DirectX Configuration Database" capability call: function: UninstallCapability parameters: capabilityName: DirectX.Configuration.Database - - name: Internet Explorer 11 capability + name: Remove "Internet Explorer 11" capability call: function: UninstallCapability parameters: capabilityName: Browser.InternetExplorer - - name: Math Recognizer capability + name: Remove "Math Recognizer" capability call: function: UninstallCapability parameters: capabilityName: MathRecognizer - - name: OneSync capability (breaks Mail, People, and Calendar) + name: Remove "OneSync" capability (breaks Mail, People, and Calendar) recommend: strict docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync call: 
@@ -9105,37 +9281,37 @@ actions: parameters: capabilityName: OneCoreUAP.OneSync - - name: OpenSSH client capability + name: Remove "OpenSSH client" capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Client - - name: PowerShell ISE capability + name: Remove "PowerShell ISE" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.PowerShell.ISE - - name: Print Management Console capability + name: Remove "Print Management Console" capability call: function: UninstallCapability parameters: capabilityName: Print.Management.Console - - name: Quick Assist capability + name: Remove "Quick Assist" capability call: function: UninstallCapability parameters: capabilityName: App.Support.QuickAssist - - name: Steps Recorder capability + name: Remove "Steps Recorder" capability call: function: UninstallCapability parameters: capabilityName: App.StepsRecorder - - name: Windows Fax and Scan capability + name: Remove "Windows Fax and Scan" capability call: function: UninstallCapability parameters: 
@@ -9163,256 +9339,256 @@ actions: # parameters: # capabilityName: Microsoft.Windows.Notepad - - category: Not preinstalled + category: Remove not preinstalled features on demand children: - - name: .NET Framework capability + name: Remove ".NET Framework" capability call: function: UninstallCapability parameters: capabilityName: NetFX3 - - name: Mixed Reality capability + name: Remove "Mixed Reality" capability call: function: UninstallCapability parameters: capabilityName: Analog.Holographic.Desktop - - name: Wireless Display capability + name: Remove "Wireless Display" capability call: function: UninstallCapability parameters: capabilityName: App.WirelessDisplay.Connect - - name: Accessibility - Braille Support capability + name: Remove "Accessibility - Braille Support" capability call: function: UninstallCapability parameters: capabilityName: Accessibility.Braille - - name: Developer Mode capability + name: Remove "Developer Mode" capability call: function: UninstallCapability parameters: capabilityName: Tools.DeveloperMode.Core - - name: Graphics Tools capability + name: Remove "Graphics Tools" capability call: function: UninstallCapability parameters: capabilityName: Tools.Graphics.DirectX - - name: IrDA capability + name: Remove "IrDA" capability call: function: UninstallCapability parameters: capabilityName: Network.Irda - - name: Microsoft WebDriver capability + name: Remove "Microsoft WebDriver" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.WebDriver - - name: MSIX Packaging Tool Driver capability + name: Remove "MSIX Packaging Tool Driver" capability call: function: UninstallCapability parameters: capabilityName: Msix.PackagingTool.Driver - - category: Networking tools + category: Remove networking capabilities children: - - name: RAS Connection Manager Administration Kit (CMAK) capability + name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability call: function: UninstallCapability parameters: 
capabilityName: RasCMAK.Client - - name: RIP Listener capability + name: Remove "RIP Listener" capability call: function: UninstallCapability parameters: capabilityName: RIP.Listener - - name: Simple Network Management Protocol (SNMP) capability + name: Remove "Simple Network Management Protocol (SNMP)" capability call: function: UninstallCapability parameters: capabilityName: SNMP.Client - - name: SNMP WMI Provider capability + name: Remove "SNMP WMI Provider" capability call: function: UninstallCapability parameters: capabilityName: WMI-SNMP-Provider.Client - - name: OpenSSH Server capability + name: Remove "OpenSSH Server" capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Server - - category: Printing + category: Remove printing capabilities children: - - name: Enterprise Cloud Print capability + name: Remove "Enterprise Cloud Print" capability call: function: UninstallCapability parameters: capabilityName: Print.EnterpriseCloudPrint - - name: Mopria Cloud Service capability + name: Remove "Mopria Cloud Service" capability call: function: UninstallCapability parameters: capabilityName: Print.MopriaCloudService - - category: Remote server administration tools (RSAT) + category: Remove Remote Server Administration Tools (RSAT) children: - - name: Active Directory Domain Services and Lightweight Directory Services Tools capability + name: Remove "Active Directory Domain Services and Lightweight Directory Services Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools - - name: BitLocker Drive Encryption Administration Utilities capability + name: Remove "BitLocker Drive Encryption Administration Utilities" capability call: function: UninstallCapability parameters: capabilityName: Rsat.BitLocker.Recovery.Tools - - name: Active Directory Certificate Services Tools + name: Remove "Active Directory Certificate Services Tools" capability call: function: UninstallCapability 
parameters: capabilityName: Rsat.CertificateServices.Tools - - name: DHCP Server Tools capability + name: Remove "DHCP Server Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.DHCP.Tools - - name: DNS Server Tools capability + name: Remove "DNS Server Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.Dns.Tools - - name: Failover Clustering Tools capability + name: Remove "Failover Clustering Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.FailoverCluster.Management.Tools - - name: File Services Tools capability + name: Remove "File Services Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.FileServices.Tools - - name: Group Policy Management Tools capability + name: Remove "Group Policy Management Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.GroupPolicy.Management.Tools - - name: IP Address Management (IPAM) Client capability + name: Remove "IP Address Management (IPAM) Client" capability call: function: UninstallCapability parameters: capabilityName: Rsat.IPAM.Client.Tools - - name: Data Center Bridging LLDP Tools capability + name: Remove "Data Center Bridging LLDP Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.LLDP.Tools - - name: Network Controller Management Tools capability + name: Remove "Network Controller Management Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkController.Tools - - name: Network Load Balancing Tools capability + name: Remove "Network Load Balancing Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkLoadBalancing.Tools - - name: Remote Access Management Tools capability + name: Remove "Remote Access Management Tools" capability call: function: UninstallCapability parameters: capabilityName: 
Rsat.RemoteAccess.Management.Tools - - name: Server Manager Tools + name: Remove "Server Manager Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.ServerManager.Tools - - name: Shielded VM Tools capability + name: Remove "Shielded VM Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.Shielded.VM.Tools - - name: Storage Replica Module for Windows PowerShell capability + name: Remove "Storage Replica Module for Windows PowerShell" capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageReplica.Tools - - name: Volume Activation Tools capability + name: Remove "Volume Activation Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.VolumeActivation.Tools - - name: Windows Server Update Services Tools capability + name: Remove "Windows Server Update Services Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.WSUS.Tools - - name: Storage Migration Service Management Tools capability + name: Remove "Storage Migration Service Management Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageMigrationService.Management.Tools - - name: Systems Insights Module for Windows PowerShell capability + name: Remove "Systems Insights Module for Windows PowerShell" capability call: function: UninstallCapability parameters: capabilityName: Rsat.SystemInsights.Management.Tools - - category: Storage + category: Remove storage capabilities children: - - name: Windows Storage Management capability + name: Remove "Windows Storage Management" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.StorageManagement - - name: OneCore Storage Management capability + name: Remove "OneCore Storage Management" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.OneCore.StorageManagement - - name: Windows Emergency 
Management Services and Serial Console capability + name: Remove "Windows Emergency Management Services and Serial Console" capability call: function: UninstallCapability parameters: capabilityName: Windows.Desktop.EMS-SAC.Tools - - name: XPS Viewer capability + name: Remove "XPS Viewer" capability call: function: UninstallCapability parameters: 
@@ -9421,18 +9597,18 @@ actions: category: Remove Widgets docs: |- Windows 11 adds a new taskbar flyout named "Widgets", which displays a panel with Microsoft Start, a news aggregator - with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1]. + with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1]. It's rebranding/future version of older "Windows 10 News and Interests" feature [2]. The user can customize the panel by adding or removing widgets, rearranging, resizing, and personalizing the content [1]. - It has privacy implications as it collects data about your usage of the computer such as diagnostics data [3]. + It has privacy implications as it collects data about your usage of the computer such as diagnostics data [3]. [1]: https://en.wikipedia.org/wiki/Features_new_to_Windows_11#Windows_shell "Features new to Windows 11 | Wikipedia" [2]: https://www.bleepingcomputer.com/news/microsoft/windows-10-news-and-interests-enabled-for-everyone-in-latest-update/ "Windows 10 News and Interests enabled for everyone in latest update | Bleeping Computer" [3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "What data does Microsoft collect? | Widgets | Microsoft" children: - - name: Unpin Widgets from taskbar + name: Remove Widgets from taskbar docs: |- To control whether the Widgets button is visible on the taskbar, Microsoft introduced `TaskbarDa` registry value [1]. Possible `DWORD` 32-bit settings for the `TaskbarDa` value are [1] [2]: 
@@ -9448,7 +9624,7 @@ actions: code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /f 2>nul - - name: Uninstall Windows Web Experience Pack (breaks Widgets) + name: Remove "Windows Web Experience Pack" (breaks Widgets) recommend: strict docs: |- Windows Web Experience Pack is a store app that enables Widgets feature [1]. @@ -9480,9 +9656,9 @@ actions: revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f - category: Advanced settings - children: + children: - - name: Change NTP (time) server to pool.ntp.org + name: Set NTP (time) server to `pool.ntp.org` docs: https://www.pool.ntp.org/en/use.html recommend: strict # `sc queryex` output is same in every OS language @@ -9509,8 +9685,8 @@ actions: w32tm /config /update w32tm /resync - - name: Disable Reserved Storage for updates # since 19H1 (1903) - docs: + name: Disable reserved storage for updates # since 19H1 (1903) + docs: - https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState - https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves 
@@ -9526,7 +9702,7 @@ actions: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f - - name: Run script on start-up [EXPERIMENTAL] + name: Run script on startup [EXPERIMENTAL] code: |- del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat copy "%~dpnx0" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat" @@ -9629,7 +9805,7 @@ functions: parameters: code: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' - if (!$package) { + if (!$package) { Write-Host 'Not installed' exit 0 } @@ -9643,14 +9819,14 @@ functions: $files = Get-ChildItem -File -Path $dir -Recurse -Force foreach($file in $files) { if($file.Name.EndsWith('.OLD')) { continue } - $newName = $file.FullName + '.OLD' + $newName = $file.FullName + '.OLD' Write-Host "Rename '$($file.FullName)' to '$newName'" Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force } } revertCode: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' - if (!$package) { + if (!$package) { Write-Error 'App could not be found' -ErrorAction Stop } $directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)") @@ -9790,9 +9966,9 @@ functions: {{ end }} - name: DisablePerUserService - parameters: + parameters: - name: serviceName - - name: defaultStartupMode # Alowed values: Boot | System | Automatic | Manual + - name: defaultStartupMode # Alowed values: Boot | System | Automatic | Manual # More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows call: - # System-wide variant: every per-user service has also system-wide counterpart with same default startup mode 
@@ -9847,7 +10023,7 @@ functions: # because `Get-ScheduledTask `sometimes fails. # - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running. # Deleting existing task: - # - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002` + # - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002` # - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null` # to suppress errors. code: |- @@ -10006,7 +10182,7 @@ functions: Exit 1 } # -- 3. Enable if not already enabled - $defaultStartupRegValue = ` + $defaultStartupRegValue = ` if ($defaultStartupMode -eq 'Boot') { '0' } ` elseif($defaultStartupMode -eq 'System') { '1' } ` elseif($defaultStartupMode -eq 'Automatic') { '2' } ` @@ -10014,7 +10190,7 @@ functions: else { throw "Unknown start mode: $defaultStartupMode"} if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start." - } else { + } else { try { Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer." 
@@ -10039,18 +10215,18 @@ functions: } - name: SetMpPreference - # Configures preferences for Windows Defender scans and updates. + # Configures preferences for Microsoft Defender scans and updates. # ❗️ Requires "WinDefend" service in running state, otherwise fails parameters: - - name: property - - name: value - - + - name: property + - name: value + - # When provided, it sets defaults using `Set-MpPreference`. # Used by default in Windows 10 as `Remove-MpPreference` cmdlet is very limited/poor in Windows 10. # Ignored by default in Windows 11 with providing a value for `setDefaultOnWindows11` name: default optional: true - - + - # When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference` # Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11. name: setDefaultOnWindows11 @@ -10176,8 +10352,8 @@ functions: call: function: RunPowerShell # Careful with Set-Service cmdlet: - # 1. It exits with positive code even if service is disabled - # 2. It had breaking API change for `-StartupMode` parameter: + # 1. It exits with positive code even if service is disabled + # 2. It had breaking API change for `-StartupMode` parameter: # Powershell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual # PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled # So "Disabled", "Automatic" and "Manual" are only consistent ones. @@ -10206,7 +10382,7 @@ functions: } else { Write-Host "`"$serviceName`" is not running, no need to stop." } - + # -- 3. Skip if already disabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) {
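Review bot: in the hunk at `@@ -9421,18 +9597,18 @@`, the new name "Remove Widgets from taskbar" overstates what the script does. The docs directly under it say `TaskbarDa` controls whether the Widgets button is visible on the taskbar, while the naming guidelines added to `docs/collection-files.md` in this patch make "Remove" the replacement for "Uninstall", which is what the sibling "Windows Web Experience Pack" script was called before the rename. A name built on "Disable" for the taskbar button would keep the two children of "Remove Widgets" distinguishable. The doc-line pairs in this hunk that read identically on both sides look like trailing-whitespace cleanup, which would be easier to review as its own commit.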
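Review bot: in the hunk at `@@ -9480,9 +9656,9 @@`, the new name "Set NTP (time) server to `pool.ntp.org`" introduces two things the naming guidelines added in this patch do not cover: the verb "Set" (the list only gives "Configure" over "Set up") and backticks inside a `name:` value. Either use "Configure" here or add a guideline entry for "Set", and document whether inline code is allowed in names, after confirming that script names with backticks are rendered rather than shown literally.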
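Review bot: in the hunk at `@@ -9526,7 +9702,7 @@`, the `del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat` line directly under the renamed script passes an unquoted path that contains a space ("Start Menu"), so `del` receives it as two arguments and does not target the intended file. The `copy` line after it already quotes the same path. Since this script is being touched, wrap the `del` path in double quotes as well.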
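Review bot: in the hunk at `@@ -9790,9 +9966,9 @@`, the `- name: defaultStartupMode` line is rewritten but its comment still reads "Alowed values"; correct the spelling to "Allowed" while the line is being changed.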
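Review bot: in the hunk at `@@ -10006,7 +10182,7 @@`, the changed `$defaultStartupRegValue =` line ends in a backtick line continuation, and the `if`/`elseif` lines under it do the same. A backtick only continues the line when it is the last character, so this construct stops working as soon as trailing whitespace follows one, and this patch edits whitespace on exactly that line. Wrapping the chain in `$( ... )` or replacing it with a hashtable lookup keyed by `$defaultStartupMode` removes that dependency; the `else { throw "Unknown start mode: $defaultStartupMode"}` branch can remain as the fallback.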
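Review bot: in the hunk at `@@ -10176,8 +10352,8 @@`, comment item 2 is rewritten but still names a `-StartupMode` parameter; the `Set-Service` parameter is `-StartupType`, so correct it while the line is being changed. The line after it spells "Powershell >= 6.0" where the following line has "PowerShell <= 5", which conflicts with the brand-casing guideline this patch adds.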