From cec0b4b4f63c3563a0e7923ce6324a38d71a3955 Mon Sep 17 00:00:00 2001 From: undergroundwires Date: Tue, 14 May 2024 12:41:20 +0200 Subject: [PATCH] win: standardize registry edit + delete on revert This commit standardizes the management of registry keys and their corresponding revert on delete action across all scripts using `SetRegistryValue` function. It improves script reliability, addresses previous errors, and corrects the revert actions to match the default OS state when not explicitly set by the OS. Key changes: - Use SetRegistryValue for uniformity. - Remove error messages for non-existent registry keys, recognizing them as expected states rather than errors. - Add missing revert actions to scripts where they were absent. - Correct the revert logic in existing scripts to match the default OS configurations, particularly when the OS does not set a default value. - Update documentation about default OS state for the related scripts. This change improves maintainability by centralizing and standardizing registry interactions, reducing the risk of errors and inconsistencies in script behaviors. --- src/application/collections/windows.yaml | 4033 ++++++++++++++++------ 1 file changed, 2963 insertions(+), 1070 deletions(-) diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml index 75f4a366..7ce3944a 100644 --- a/src/application/collections/windows.yaml +++ b/src/application/collections/windows.yaml 
@@ -1454,7 +1454,12 @@ actions: [1]: https://web.archive.org/web/20230806160623/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/what-is-dism?view=windows-11 "DISM Overview | Microsoft Learn" [2]: https://web.archive.org/web/20230806160827/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11 "Clean Up the WinSxS Folder | Microsoft Learn" [3]: https://web.archive.org/web/20230710000943/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/manage-the-component-store?view=windows-11 "Manage the Component Store | Microsoft Learn" - code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f + call: + function: RunInlineCode + parameters: + code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f + revertCode: |- # Windows 10 21H1, 22H1: Key exists with value "1" | Windows 11 21H1: Key does not exist | Windows 11 22H2, 23H2: Key exists with value "1" + reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "1" /f - name: Remove Windows product key from registry # Helps to protect it from being stolen and used for identity theft or identifying you. 
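Review bot: The comment on the new `revertCode` cites "Windows 10 21H1, 22H1" and "Windows 11 21H1", which as far as I know are not release labels (Windows 10 shipped 21H1, 21H2 and 22H2; Windows 11 started at 21H2), so the documented default cannot be checked against a real build. The same applies to "Windows 11 Pro (≥ 22H3)" in the `deleteOnRevert` comments of the later DataCollection, Software Protection Platform, Windows Error Reporting, Device Metadata and WindowsUpdate hunks, where 23H2 is presumably meant. These comments are the only record of why a revert rewrites or deletes a value, so they should name the builds that were actually tested. This revert also writes `DisableResetbase` = `1` unconditionally, including on the build the comment lists as "Key does not exist", so revert does not restore the default state there.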
@@ -1953,8 +1958,14 @@ actions: within the operating system [1]. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffapplicationimpacttelemetry "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" - code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat + valueName: AITEnable + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable Application Compatibility Engine recommend: standard 
@@ -1984,8 +1995,14 @@ actions: [2]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com" [3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com" [4]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson" - code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableEngine" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableEngine" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat + valueName: DisableEngine + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Remove "Program Compatibility" tab from file properties (context menu) recommend: strict 
@@ -2022,8 +2039,14 @@ actions: control and stability, this restriction indirectly contributes to privacy protection by reducing potential unwanted data transmission. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatremoveprogramcompatproppage "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" - code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePropPage" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePropPage" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat + valueName: DisablePropPage + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Disable Steps Recorder (collects screenshots, mouse/keyboard input and UI data) recommend: standard 
@@ -2053,8 +2076,14 @@ actions: [3]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffuseractionrecord "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" [4]: https://web.archive.org/web/20230927120745/https://learn.microsoft.com/en-us/windows/win32/win7appqual/windows-error-reporting-problem-steps-recorder "Windows Error Reporting Problem Steps Recorder - Win32 apps | Microsoft Learn" [5]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat + valueName: DisableUAR + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Disable "Inventory Collector" task recommend: standard 
@@ -2092,8 +2121,14 @@ actions: [3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#windows-components "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au" [5]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat + valueName: DisableInventory + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - category: Disable Program Compatibility Assistant (PCA) docs: |- 
@@ -2163,8 +2198,14 @@ actions: Once this script is executed and PCA is turned off, the user won't be presented with solutions to known compatibility issues when running applications [1]. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprogramcompatibilityassistant_2 "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat + valueName: DisablePCA + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Disable "Program Compatibility Assistant Service" (`PcaSvc`) recommend: standard @@ -2202,8 +2243,14 @@ actions: name: Disable Customer Experience Improvement Program (CEIP) docs: https://web.archive.org/web/20240314130037/https://learn.microsoft.com/en-us/windows/win32/devnotes/ceipenable recommend: standard - code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f - revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\SQMClient\Windows + valueName: CEIPEnable + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - category: Disable diagnostics telemetry services children: 
@@ -2454,8 +2501,14 @@ actions: [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowdesktopanalyticsprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" [2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing | admx.help" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + valueName: AllowDesktopAnalyticsProcessing + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable sending device name in Windows diagnostic data recommend: strict 
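Review bot: Style point on the new `parameters` mapping: `data: "0"` is double-quoted while `deleteOnRevert: 'true'` on the next line is single-quoted, and the earlier AppCompat hunks in this patch use `data: '0'` / `data: '1'`. Neither value needs escape processing, so one quoting style would keep the standardized calls uniform and easy to grep, for example `data: '0'`. The same mix recurs in every later `SetRegistryValue` call in this patch.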
@@ -2471,8 +2524,14 @@ actions: [1]: https://web.archive.org/web/20220903043346/https://docs.microsoft.com/en-US/mem/configmgr/desktop-analytics/enroll-devices#device-name "Enroll devices in Desktop Analytics - Configuration Manager | Microsoft Docs" [2]: https://web.archive.org/web/20210228151919/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDeviceNameInDiagnosticData "Allow device name to be sent in Windows diagnostic data" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + valueName: AllowDeviceNameInTelemetry + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable collection of Edge browsing data for Desktop Analytics recommend: strict 
@@ -2493,8 +2552,14 @@ actions: contributing to an overall safer browsing experience [1]. [1]: https://web.archive.org/web/20220524020212/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.MicrosoftEdge::ConfigureTelemetryForMicrosoft365Analytics "Configure collection of browsing data for Desktop Analytics" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + valueName: MicrosoftEdgeDataOptIn + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable diagnostics data processing for Business cloud recommend: strict 
@@ -2516,8 +2581,14 @@ actions: [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowwufbcloudprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" [2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing" [3]: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-management-for-windows-on-a-windows-365-cloud-pc/ba-p/3452703 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + valueName: AllowWUfBCloudProcessing + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable Update Compliance processing of diagnostics data recommend: standard 
@@ -2543,8 +2614,14 @@ actions: [1]: https://web.archive.org/web/20220703201221/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started "Get started with Update Compliance - Windows Deployment | Microsoft Docs" [2]: https://web.archive.org/web/20220610123725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowUpdateComplianceProcessing "Allow Update Compliance Processing" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + valueName: AllowUpdateComplianceProcessing + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable commercial usage of collected data recommend: standard 
@@ -2562,8 +2639,14 @@ actions: [1]: https://web.archive.org/web/20230803142206/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline "System Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230330140620/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowCommercialDataPipeline "Allow commercial data pipeline" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + valueName: AllowCommercialDataPipeline + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable diagnostic and usage telemetry recommend: standard 
@@ -2590,16 +2673,21 @@ actions: [2]: https://web.archive.org/web/20230731225319/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn" [3]: https://web.archive.org/web/20211129155126/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection%3A%3AAllowTelemetry "Allow Telemetry" [4]: https://web.archive.org/web/20230731225544/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" - code: |- - # Using Local policy preference - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f - # Using Group policy object (GPO) - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f - revertCode: |- - # Using Local policy preference - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 1 /f - # Using Group policy object (GPO) - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /f + call: + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t "REG_DWORD" /d "0" /f + revertCode: |- # Key exists with value "1" since Windows 10 22H2, Windows 11 22H3 + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t "REG_DWORD" /d "1" /f + - + function: SetRegistryValue # Using Group policy object (GPO) + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + valueName: AllowTelemetry + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable automatic cloud configuration downloads recommend: strict 
@@ -2635,12 +2723,25 @@ actions: [1]: https://web.archive.org/web/20230803030428/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_v1.12.0.audit:b3aec171f406cbe87f37e57bc9dd1411 "18.9.17.3 Ensure 'Disable OneSettings Downloads' is set to 'En... | Tenable" [2]: https://web.archive.org/web/20230803024926/https://learn.microsoft.com/en-us/windows/win32/services/service-configuration "Service Configuration - Win32 apps | Microsoft Learn" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" - code: reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /t "REG_DWORD" /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\DataCollection + valueName: DisableOneSettingsDownloads + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable license telemetry recommend: standard - code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform + valueName: NoGenTicket + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable error reporting recommend: standard 
@@ -2705,31 +2806,67 @@ actions: [4]: https://web.archive.org/web/20231018135930/https://batcmd.com/windows/10/services/wersvc/ "Windows Error Reporting Service - Windows 10 Service - batcmd.com" [5]: https://web.archive.org/web/20231019222221/https://batcmd.com/windows/10/services/wercplsupport/ "Problem Reports Control Panel Support - Windows 10 Service - batcmd.com" call: + - + function: Comment + parameters: + codeComment: Disable Windows Error Reporting (WER) + revertCodeComment: Revert Windows Error Reporting (WER) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting + valueName: Disabled + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting + valueName: Disabled + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) + - + function: Comment + parameters: + codeComment: Disable Windows Error Reporting (WER) consent + revertCodeComment: Revert Windows Error Reporting (WER) consent - function: RunInlineCode parameters: - code: |- - :: Disable Windows Error Reporting (WER) - reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f - :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data - reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f - reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f - :: Disable WER sending second-level data - reg add 
"HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f - :: Disable WER logging - reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f - revertCode: |- - :: Enable Windows Error Reporting (WER) - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f - reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f - :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data - reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f - reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f - :: Enable WER sending second-level data - reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f - :: Enable WER crash dialogs, popups - reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f + code: reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t "REG_DWORD" /d "1" /f + revertCode: >- # Key exists with value "4" (All data) since Windows 10 22H2, Windows 11 22H3 + reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t "REG_DWORD" /d "4" /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent + valueName: DefaultOverrideBehavior + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) + - + function: Comment + parameters: + codeComment: Disable WER sending second-level data + revertCodeComment: Revert WER sending second-level data + - + function: SetRegistryValue + parameters: + keyPath: 
HKLM\Software\Microsoft\Windows\Windows Error Reporting + valueName: DontSendAdditionalData + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting + valueName: LoggingDisabled + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - function: DisableScheduledTask parameters: 
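Review bot: The `RunInlineCode` step for `DefaultConsent` now writes `/d "1"`, where the removed script wrote `/d "0"`, and the commit message does not mention changing applied values. The removed legend (`1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data`) is also gone, so a reader cannot tell what `1` means or why revert now writes `4` instead of the previous `1`. If the change is intended, keep the legend as a comment next to this step and note the reason for moving from `0` to `1`. If not, restore `/d "0"` in `code`. The `call:` list continues past the end of this hunk.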
@@ -2764,24 +2901,44 @@ actions: docs: - https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964 - https://web.archive.org/web/20240314125819/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#preventdevicemetadatafromnetwork - code: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f - revertCode: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f + call: + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f + revertCode: >- # Key exists as `0` since Windows 10 22H2, Windows 11 22H3 + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata + valueName: PreventDeviceMetadataFromNetwork + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable inclusion of drivers with Windows updates docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate recommend: strict - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v 
"ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: ExcludeWUDriversInQualityUpdate + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H3) - name: Disable Windows Update device driver search docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965 recommend: strict - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 1 /f + call: + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t "REG_DWORD" /d "1" /f + revertCode: |- + :: Key exists with value "4" (All data) since Windows 10 22H2, Windows 11 22H3 + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t "REG_DWORD" /d "1" /f - category: Disable obtaining updates from other PCs on the Internet (delivery optimization) docs: |- 
@@ -2837,8 +2994,14 @@ actions: [2]: https://web.archive.org/web/20230914171842/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference "Delivery Optimization reference - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov" [4]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t "REG_DWORD" /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization + valueName: DODownloadMode + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable "Delivery Optimization" service (breaks Microsoft Store downloads) recommend: strict 
@@ -2888,41 +3051,117 @@ actions: name: Disable cloud-based speech recognition recommend: standard docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-priv-speech - code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f - revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy + valueName: HasAccepted + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable active probing to Microsoft NCSI server recommend: strict - code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f + call: + function: RunInlineCode + parameters: + code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t "REG_DWORD" /d "0" /f + revertCode: >- # Key exists with value "1" since Windows 10 21H2, Windows 11 22H2 + reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t "REG_DWORD" /d "1" /f - name: Opt out of Windows privacy consent recommend: standard - code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f - revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f + call: + function: RunInlineCode + parameters: + code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" 
/v "EnableActiveProbing" /t "AcceptedPrivacyPolicy" /d "0" /f + revertCode: >- # Key exists with value "1" since Windows 10 21H2, Windows 11 22H2 + reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "EnableActiveProbing" /t "AcceptedPrivacyPolicy" /d "1" /f - name: Disable Windows feedback collection recommend: standard docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-priv-feedback - code: |- - reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f - reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Siuf\Rules + valueName: NumberOfSIUFInPeriod + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) + - + function: RunPowerShell + parameters: + code: reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f 2>nul + revertCode: >- # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) + reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f 2>nul + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection + valueName: DoNotShowFeedbackNotifications + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection + 
valueName: DoNotShowFeedbackNotifications + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) - name: Disable text and handwriting data collection recommend: standard - code: |- - reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f - reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization + valueName: RestrictImplicitInkCollection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization + valueName: RestrictImplicitTextCollection + dataType: REG_DWORD + data: "1" + 
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports + valueName: PreventHandwritingErrorReports + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC + valueName: PreventHandwritingDataSharing + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization + valueName: AllowInputPersonalization + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2) + - + function: RunInlineCode + parameters: + code: reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f + revertCode: |- # Default value: `1` since Windows 10 21H2, Windows 11 23H2 + reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 1 /f - category: Disable app access to personal information children: 
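Review bot: In the "Opt out of Windows privacy consent" entry, the new `code` and `revertCode` pass `/v "EnableActiveProbing" /t "AcceptedPrivacyPolicy"`: the value name is copied from the NCSI entry above and the type argument is not a registry type. `reg add` should reject that, so the script would no longer change the consent setting. The removed lines used `/v "AcceptedPrivacyPolicy" /t REG_DWORD`, so the arguments should read `/v "AcceptedPrivacyPolicy" /t "REG_DWORD" /d "0" /f`, with `/d "1"` in the revert. In the feedback-collection entry, the `PeriodInNanoSeconds` delete is the only call routed through `RunPowerShell` while keeping the cmd-style `2>nul`; if that function runs the text as PowerShell, `RunInlineCode` looks like the intended one. The handwriting entry also drops the four `HKCU\Software\Policies\...` writes the old script made, with no comment saying whether that is deliberate.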
@@ -3092,8 +3331,14 @@ actions: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f - name: Disable app share and sync for non-explicitly paired wireless devices - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f - revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled + valueName: Value + dataType: REG_SZ + data: "Deny" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2) - name: Disable app access to diagnostic information about other apps recommend: standard 
@@ -3347,31 +3592,61 @@ actions: children: - name: Disable Windows Location Provider - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors + valueName: DisableWindowsLocationProvider + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable location scripting recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors + valueName: DisableLocationScripting + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable location recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f - :: For older Windows (before 1903) - reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Deny" /f - revertCode: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "0" /t REG_DWORD /f - :: For older Windows (before 1903) - reg add 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors + valueName: DisableLocation + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44} + valueName: Value + dataType: REG_SZ + data: "Deny" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: RunInlineCode + code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f + revertCode: >- # Default value is `1` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f - name: Disable device sensors recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors + valueName: DisableSensors + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: 
Disable Windows search data collection docs: |- @@ -3430,11 +3705,13 @@ actions: - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-cortana call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: AllowCortana + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - @@ -3449,11 +3726,13 @@ actions: docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowcloudsearch call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: AllowCloudSearch + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
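Review bot: In the "Disable location" entry, the second `SetRegistryValue` writes `Value` = `Deny` under the `HKLM\...\Sensor\Overrides\{BFA794E4-...}` key, whereas the removed script wrote that value under `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}`. As written, the per-user deny is no longer applied and an unrelated value is created next to `SensorPermissionState`. The line should read `keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}`. The `RunInlineCode` call that follows appears to list `code` and `revertCode` directly under `function`, without the `parameters:` line every other call in this diff has. Indentation is lost in this view, but the line looks missing, so `parameters:` should be added above `code:`.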
@@ -3462,11 +3741,13 @@ actions: docs: https://web.archive.org/web/20240314125714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: AllowCortanaAboveLock + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3474,38 +3755,46 @@ actions: recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Search + valueName: CortanaConsent + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable enabling of Cortana recommend: standard call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Search + valueName: CanCortanaBeEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Cortana in start menu recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /f 2>nul + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: CortanaEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since 
Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /f 2>nul + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: CortanaEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3523,19 +3812,26 @@ actions: - name: Disable Cortana's history display recommend: standard - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: HistoryViewEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Cortana's device history usage recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f 2>nul + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: DeviceHistoryEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3543,11 +3839,13 @@ actions: recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCortanaButton" /t "REG_DWORD" /d "0" /f - # This key does not exist on Windows 11 since 22H3, but exists with value `0` on Windows 10 since 22H2 - revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCortanaButton" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced + valueName: ShowCortanaButton + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Key exists with value `0` since Windows 10 22H2, missing key since Windows 11 23H2 - function: ShowExplorerRestartSuggestion - @@ -3555,11 +3853,13 @@ actions: recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /f 2>nul + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: CortanaInAmbientMode + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3577,43 +3877,70 @@ actions: - name: Disable "Hey Cortana" voice activation recommend: standard - code: |- - reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 0 /f - reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 0 /f - # These keys do not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: |- - reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /f 2>nul - reg delete "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences + valueName: VoiceActivationOn + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Microsoft\Speech_OneCore\Preferences + valueName: VoiceActivationDefaultOn + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Cortana keyboard shortcut (**Windows logo key** + **C**) recommend: standard call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /f 2>nul + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: VoiceShortcut + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable Cortana on locked device recommend: 
standard - code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences + valueName: VoiceActivationEnableAboveLockscreen + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)f - name: Disable automatic update of speech data recommend: standard - code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences + valueName: ModelDownloadAllowed + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Cortana voice support during Windows setup recommend: standard - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /t "REG_DWORD" /d "1" /f - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE + valueName: DisableVoice + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable 
privacy-invasive indexing docs: |- @@ -3635,11 +3962,13 @@ actions: docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowindexingencryptedstoresoritems call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: AllowIndexingEncryptedStoresOrItems + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - @@ -3648,11 +3977,13 @@ actions: docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#alwaysuseautolangdetection call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: AlwaysUseAutoLangDetection + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3678,11 +4009,13 @@ actions: [5]: https://web.archive.org/web/20240120200943/https://www.scaprepo.com/control.jsp?command=relation&relationId=CCE-93119-6&search=CCE-93119-6 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "PreventRemoteQueries" /t REG_DWORD /d "1" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "PreventRemoteQueries" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: PreventRemoteQueries + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - @@ -3707,11 +4040,13 @@ actions: [3]: https://web.archive.org/web/20240121002136/https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-registering-filters "Registering Filter Handlers - Win32 apps | Microsoft Learn | learn.microsoft.com" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "PreventUnwantedAddIns" /t "REG_SZ" /d " " /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "PreventUnwantedAddIns" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: PreventUnwantedAddIns + dataType: REG_SZ + data: " " + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3740,17 +4075,21 @@ actions: [4]: https://web.archive.org/web/20240120230024/https://www.neowin.net/news/the-windows-10-spring-update-no-longer-lets-you-disable-web-search-in-start/ "The Windows 10 spring update no longer lets you disable web search in Start - workaround - Neowin | www.neowin.net" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search + valueName: AllowSearchToUseLocation + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /t "REG_DWORD" /d "1" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "AllowSearchToUseLocation" /f 2>nul + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: AllowSearchToUseLocation + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
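Review bot: The two `AllowSearchToUseLocation` entries in this call list disagree: the HKLM policy value is written with `data: "0"` and the HKCU value with `data: "1"`, inside the same script. The `"1"` is carried over unchanged from the removed `reg add` line, so it predates this commit, but nothing visible in the hunk explains why the per-user value would be the opposite of the policy value. If it is a leftover, `data: "0"` would match the policy entry. If it is intentional, a short comment on that line stating what `1` means for the HKCU value would keep it from being "corrected" later.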
@@ -3806,17 +4145,21 @@ actions: [9]: https://web.archive.org/web/20240120194547/https://www.deskmodder.de/phpBB3/viewtopic.php?t=23243 "Websuche in der Windows 10 Taskleiste deaktivieren - Deskmodder.de | www.deskmodder.de" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t "REG_DWORD" /d "1" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer + valueName: DisableSearchBoxSuggestions + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DisableSearchBoxSuggestions" /t "REG_DWORD" /d "1" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DisableSearchBoxSuggestions" /f 2>nul + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search + valueName: DisableSearchBoxSuggestions + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3840,11 +4183,13 @@ actions: [4]: https://web.archive.org/web/20240120182853/https://borncity.com/win/2020/10/05/windows-10-disable-bing-in-the-search/ "Windows 10: Disable Bing in the search | Born's Tech and Windows World | borncity.com" call: - - function: RunInlineCode - parameters: # HKCU key is needed, not HKLM - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /f 2>nul + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search # HKCU key is needed, not HKLM + valueName: BingSearchEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
@@ -3866,11 +4211,13 @@ actions:
 [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
 call:
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t "REG_DWORD" /d "1" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /f 2>nul
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
+ valueName: DisableWebSearch
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
 function: ShowExplorerRestartSuggestion
 -
@@ -3898,17 +4245,21 @@ actions:
 [5]: https://web.archive.org/web/20240120135331/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DoNotUseWebResultsOnMeteredConnections "Don't search the web or display web results in Search over metered connections | admx.help"
 call:
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t "REG_DWORD" /d "0" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /f 2>nul
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
+ valueName: ConnectedSearchUseWeb
+ dataType: REG_DWORD
+ data: "0"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t "REG_DWORD" /d "0" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /f 2>nul
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
+ valueName: ConnectedSearchUseWebOverMeteredConnections
+ dataType: REG_DWORD
+ data: "0"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
 function: ShowExplorerRestartSuggestion
 -
@@ -3943,17 +4294,21 @@ actions:
 [8]: https://web.archive.org/web/20240120214331/https://www.howtogeek.com/895945/how-to-turn-off-search-highlights-on-windows-11/ "How to Turn Off Search Highlights on Windows 11 | www.howtogeek.com"
 call:
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "EnableDynamicContentInWSB" /t "REG_DWORD" /d "0" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "EnableDynamicContentInWSB" /f 2>nul
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
+ valueName: EnableDynamicContentInWSB
+ dataType: REG_DWORD
+ data: "0"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDynamicSearchBoxEnabled" /t "REG_DWORD" /d "1" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDynamicSearchBoxEnabled" /f 2>nul
+ keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings
+ valueName: IsDynamicSearchBoxEnabled
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
 function: ShowExplorerRestartSuggestion
 -
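Review bot: The second converted entry writes `IsDynamicSearchBoxEnabled` with `data: "1"`, carried over unchanged from the removed `reg add`, while the policy value beside it, `EnableDynamicContentInWSB`, is set to `"0"`; going by the value name, `1` looks like it turns the feature on rather than off. The script's name line is outside this hunk, so the intent is inferred from the value names and the cited "turn off search highlights" reference, but if the goal is to disable the feature the line should probably read `data: "0"`. The next hunk (`@@ -3985,17 +4340,21 @@`) has the same pattern: `IsDeviceSearchHistoryEnabled` is written as `"1"` next to `DisableSearchHistory`. Because `deleteOnRevert` removes the value either way, only the apply direction is affected.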
@@ -3985,17 +4340,21 @@ actions:
 [7]: https://web.archive.org/web/20240120211444/https://www.thewindowsclub.com/clear-windows-10-search-history-and-remove-recent-activities "How to clear Windows Search History and remove Recent Activities | www.thewindowsclub.com"
 call:
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchHistory" /t REG_DWORD /d "1" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchHistory" /f 2>nul
+ keyPath: HKLM\Software\Policies\Microsoft\Windows\Explorer
+ valueName: DisableSearchHistory
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDeviceSearchHistoryEnabled" /t REG_DWORD /d "1" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDeviceSearchHistoryEnabled" /f 2>nul
+ keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings
+ valueName: IsDeviceSearchHistoryEnabled
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
 function: ShowExplorerRestartSuggestion
 -
@@ -4023,11 +4382,13 @@ actions:
 [5]: https://web.archive.org/web/20240120203149/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2_1_0.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark v2.1.0 | bobylive.com"
 call:
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d "3" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /f 2>nul
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
+ valueName: ConnectedSearchPrivacy
+ dataType: REG_DWORD
+ data: "3"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
 function: ShowExplorerRestartSuggestion
 -
@@ -4063,17 +4424,21 @@ actions:
 [4]: https://web.archive.org/web/20240121010645/https://support.microsoft.com/en-us/windows/windows-search-and-privacy-99fb8251-7260-1cd6-1bbb-15c2370eb168 "Windows Search and privacy - Microsoft Support | support.microsoft.com"
 call:
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsMSACloudSearchEnabled" /t REG_DWORD /d "0" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsMSACloudSearchEnabled" /f 2>nul
+ keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
+ valueName: IsMSACloudSearchEnabled
+ dataType: REG_DWORD
+ data: "0"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
- function: RunInlineCode
+ function: SetRegistryValue
 parameters:
- code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsAADCloudSearchEnabled" /t REG_DWORD /d "0" /f
- # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3)
- revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsAADCloudSearchEnabled" /f 2>nul
+ keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
+ valueName: IsAADCloudSearchEnabled
+ dataType: REG_DWORD
+ data: "0"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
 function: ShowExplorerRestartSuggestion
 -
@@ -4083,12 +4448,21 @@ actions:
 name: Disable ad customization with Advertising ID
 recommend: standard
 docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
- code: |-
- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
- revertCode: |-
- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f
- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f
+ call:
+ -
+ function: RunInlineCode
+ parameters:
+ code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
+ # `1` by default since Windows 10 22H2, and Windows 11 22H3
+ revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo
+ valueName: DisabledByGroupPolicy
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 -
 category: Disable cloud-based advertising and tips
 children:
@@ -4118,8 +4492,14 @@ actions:
 [2]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn"
 [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
 [4]: https://web.archive.org/web/20230911110921/https://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/Windows10andWindowsServer2016PolicySettings.xlsx "Group Policy Settings Reference - Microsoft"
- code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f
- revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\Software\Policies\Microsoft\Windows\CloudContent
+ valueName: DisableWindowsSpotlightFeatures
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
 -
 name: Disable Microsoft Consumer Experiences
 recommend: standard
@@ -4150,14 +4530,26 @@ actions:
 name: Disable use of biometrics
 recommend: strict
 docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio
- code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
- revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Biometrics
+ valueName: Enabled
+ dataType: REG_DWORD
+ data: "0"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
 -
 name: Disable biometric logon
 recommend: strict
 docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv
- code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
- revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider
+ valueName: Enabled
+ dataType: REG_DWORD
+ data: "0"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
 -
 name: Disable "Windows Biometric Service"
 recommend: strict
@@ -4181,56 +4573,133 @@ actions: - name: Disable Wi-Fi Sense recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting + valueName: value + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f + # Default value: `1` since Windows 10 21H2, Windows 11 22H2 + revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 1 /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config + valueName: AutoConnectAllowedOEM + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2) - name: Disable app launch tracking (hides most-used apps) recommend: strict docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10 call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v 
"Start_TrackProgs" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced + valueName: Start_TrackProgs + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - name: Disable Website Access of Language List recommend: standard docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general - code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Control Panel\International\User Profile + valueName: HttpAcceptLanguageOptOut + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable automatic map downloads recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps + valueName: AllowUntriggeredNetworkTrafficOnSettingsPage + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps + valueName: AutoDownloadAndUpdateMapData + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) 
- name: Disable game screen recording recommend: standard - code: |- - reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f + call: + - + function: RunInlineCode + parameters: + code: reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f + revertCode: >- # `0` since Windows 11 23H2 and `1` since Windows 10 22H2 + reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR + valueName: AllowGameDVR + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable internet access for Windows DRM - docs: https://web.archive.org/web/20231206191323/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f + docs: https://web.archive.org/web/20231206191323/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WMDRM + valueName: DisableOnline + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable typing feedback (sends typing data) recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f + call: + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f + # `1` since Windows 11 23H2 and `1` since Windows 10 22H2 + 
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 1 /f + - + function: RunInlineCode + parameters: + code: reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f + # `1` since Windows 11 23H2 and `1` since Windows 10 22H2 + revertCode: reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 1 /f - name: Disable Activity Feed feature recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: EnableActivityFeed + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Windows Insider Program children: 
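Review bot: The new `revertCode` for `GameDVR_Enabled` under "Disable game screen recording" writes `/d 0`, the same data the `code` line writes, so reverting leaves the value exactly as the script set it. The comment on that `revertCode` line says the default is `1` on Windows 10 22H2 and `0` on Windows 11 23H2, so a Windows 10 user who reverts does not get the stock state back. Restoring the Windows 10 default would be `revertCode: reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 1 /f`, with the comment noting that Windows 11 ships `0`; if the collection has a way to branch on OS version, that would be the more exact revert.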
@@ -4258,25 +4727,52 @@ actions: name: Disable Microsoft feature trials docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /f - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f - reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds + valueName: EnableExperimentation + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds + valueName: EnableConfigFlighting + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 / + # Default value is `1` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 1 /f - name: Disable receipt of Windows preview builds docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds + valueName: AllowBuildPreview + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Remove "Windows Insider Program" from Settings docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/ - code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility + valueName: HideInsiderPage + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable cloud sync docs: https://web.archive.org/web/20240314101013/https://support.microsoft.com/en-us/windows/about-windows-backup-and-sync-settings-deebcba2-5bc0-4e63-279a-329926955708 
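Review bot: The `code` line for `AllowExperimentation` under "Disable Microsoft feature trials" now ends in `/d 0 /` where the removed line ended in `/d 0 /f`; the force switch lost its letter in the move to `RunInlineCode`. With a bare `/` the `reg add` call is likely to be rejected as invalid syntax, and in any case nothing suppresses the overwrite prompt when the value already exists, so this step of the script would probably not apply. The line should end `/v "value" /t "REG_DWORD" /d 0 /f`, matching the `revertCode` directly below it, which is intact.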
@@ -4285,60 +4781,205 @@ actions: name: Disable all settings synchronization recommend: standard # This script is a master switch that disables all other types of setting synchronizations in this category. - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableSettingSyncUserOverride + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableSyncOnPaidNetwork + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: SyncPolicy + dataType: REG_DWORD + data: "5" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Application" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" 
/t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableApplicationSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableApplicationSettingSyncUserOverride + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "App Sync" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableAppSyncSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableAppSyncSettingSyncUserOverride + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Credentials" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" 
/t REG_DWORD /d 1 /f - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableCredentialsSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableCredentialsSettingSyncUserOverride + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials + valueName: Enabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Desktop Theme" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableDesktopThemeSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableDesktopThemeSettingSyncUserOverride + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - 
name: Disable "Personalization" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisablePersonalizationSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisablePersonalizationSettingSyncUserOverride + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Start Layout" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableStartLayoutSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableStartLayoutSettingSyncUserOverride + dataType: REG_DWORD + data: "1" - name: Disable "Web Browser" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD 
/d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableWebBrowserSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableWebBrowserSettingSyncUserOverride + dataType: REG_DWORD + data: "1" - name: Disable "Windows" setting synchronization recommend: standard - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableWindowsSettingSync + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync + valueName: DisableWindowsSettingSyncUserOverride + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Language" setting synchronization recommend: standard 
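Review bot: In "Disable all settings synchronization" the fourth entry now writes `SyncPolicy` under `keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync`, but the removed line wrote it to `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync`. The commit message describes a standardisation of how values are set and reverted, not a key move, so this looks like the path of the three preceding entries copied down; it should read `keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync`. Separately, the `DisableStartLayoutSettingSyncUserOverride` and `DisableWebBrowserSettingSyncUserOverride` entries are the only ones in this hunk without `deleteOnRevert: 'true'`, so unless `SetRegistryValue` deletes by default, reverting leaves those two policy values in place.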
@@ -4346,8 +4987,14 @@ actions:
 - https://winaero.com/turn-on-off-sync-settings-windows-10/
 - https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor
 - https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf
- code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f
- revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 1 /f
+ call:
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language
+ valueName: Enabled
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
 - category: Configure programs
 children:
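Review bot: The new `SetRegistryValue` call writes `data: "1"` to `Enabled` under `SettingSync\Groups\Language`, but the removed `code` line wrote `/d 0` and used `1` only in `revertCode`. As written, running "Disable "Language" setting synchronization" would set the value that the old script treated as the enabled state. Keep the applied value as `data: "0"`; `deleteOnRevert: 'true'` then restores the missing-by-default state the comment documents.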
@@ -4384,36 +5031,42 @@ actions: [1]: https://web.archive.org/web/20240314092010/https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program?view=vs-2022 "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com" [2]: https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog" - code: |- - :: Using OS keys - if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - ) else ( - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - ) - :: Using GPO key - reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 0 /f - revertCode: |- - :: Using OS keys - if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? 
- reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - ) else ( - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - ) - :: Using GPO key - reg delete "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /f 2>nul + call: + - + # Using OS keys + function: RunInlineCode + code: |- + if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? + reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + ) else ( + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f + ) + revertCode: |- + if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? 
+ reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + ) else ( + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f + ) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\VisualStudio\SQM + valueName: OptIn + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 - name: Disable Visual Studio telemetry docs: |- 
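Review bot: The `RunInlineCode` entry for the OS keys lists `code: |-` and `revertCode: |-` directly after `function: RunInlineCode`, with no `parameters:` line between them, while the other `RunInlineCode` calls in this commit nest both under `parameters:`. Indentation is not recoverable in this view, so confirm against the file, but the entry most likely needs `parameters:` added before `code: |-` with both scalars indented beneath it. Separately, the revert for these keys still writes `OptIn` as `1` for every VSCommon version whether or not that version is installed, unlike the policy key, which now uses `deleteOnRevert: 'true'`.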
@@ -4425,10 +5078,17 @@ actions: [1]: https://developercommunity.visualstudio.com/t/bad-crashes-when-visualstudiotelemetryturnoffswitc/208693 "Bad crashes when VisualStudio\Telemetry\TurnOffSwitch is set to 0 | Visual Studio Feedback" [2]: https://web.archive.org/web/20231206212728/https://social.msdn.microsoft.com/Forums/vstudio/en-US/7796f0c5-ec9a-4fc8-9f62-584a663f9016/vs2015-pro-upd-3-quotthe-application-cannot-startquot-exception-in-obtainoptinstatus?forum=vssetup 'VS2015 (pro + upd 3): "Forum post showing logs for TurnOffSwitch key | MSDN Forums' recommend: standard - code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\VisualStudio\Telemetry + valueName: TurnOffSwitch + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 - name: Disable Visual Studio feedback + recommend: standard docs: |- Feedback tool in Visual Studio allows users to report a problem from either Visual Studio or its installer. It collects rich diagnostic information along with personally identifiable information [1]. Information includes large log files, 
@@ -4440,15 +5100,31 @@ actions:
 set imply that feedback is enabled.
 [1]: https://web.archive.org/web/20240314101616/https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio?view=vs-2022 "Report a problem with Visual Studio - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com"
- recommend: standard
- code: |-
- reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f
- reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f
- reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f
- revertCode: |-
- reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /f 2>nul
- reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /f 2>nul
- reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /f 2>nul
+ call:
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback
+ valueName: DisableFeedbackDialog
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback
+ valueName: DisableEmailInput
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
+ -
+ function: SetRegistryValue
+ parameters:
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback
+ valueName: DisableScreenshotCapture
+ dataType: REG_DWORD
+ data: "1"
+ deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
 - name: Disable "Visual Studio Standard Collector Service"
 recommend: standard
@@ -4519,18 +5195,31 @@ actions: [3]: https://web.archive.org/web/20231112024639/https://raw.githubusercontent.com/MicrosoftDocs/intellicode/50ea60c91a7175e749ed5e094403568a583a292e/docs/intellicode-privacy.md "intellicode/docs/intellicode-privacy.md at 50ea60c91a7175e749ed5e094403568a583a292e · MicrosoftDocs/intellicode | github.com" [4]: https://web.archive.org/web/20231122105835/https://raw.githubusercontent.com/microsoft/vscode-docs/main/docs/csharp/intellicode.md "vscode-docs/docs/csharp/intellicode.md at main · microsoft/vscode-docs | github.com" [5]: https://web.archive.org/web/20240409110051/https://github.com/MicrosoftDocs/intellicode/issues/510#issuecomment-1982513204 "Is `DisableRemoteAnalysis` no longer supported? · Issue #510 · MicrosoftDocs/intellicode · GitHub | github.com" - code: |- - :: Global policy - reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /t "REG_DWORD" /d "1" /f - :: Local policy - reg add "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /t "REG_DWORD" /d "1" /f - reg add "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /t "REG_DWORD" /d "1" /f - revertCode: |- - :: Global policy - reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul - :: Local policy - reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul - reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode # Global policy + valueName: DisableRemoteAnalysis + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode # Local policy + 
valueName: DisableRemoteAnalysis + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode # Local policy + valueName: DisableRemoteAnalysis + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022 - name: Disable NET Core CLI telemetry recommend: standard 
@@ -4583,20 +5272,46 @@ actions: name: Disable participation in Nvidia telemetry recommend: standard call: - function: RunInlineCode - parameters: - code: |- - reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f - revertCode: |- - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f - reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f - reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client + valueName: OptInOrOutPreference + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS + valueName: EnableRID44231 + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS + valueName: EnableRID64640 + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS + valueName: EnableRID66610 + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' + - + function: SetRegistryValue + parameters: + keyPath: 
HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup + valueName: SendTelemetryData + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' - name: Disable "Nvidia Telemetry Container" service docs: |- 
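Review bot: None of the five Nvidia `deleteOnRevert: 'true'` lines records the default state, while the other entries converted in this commit carry a comment such as `# Missing by default since …`. If these values are absent on a clean driver install, say so on each line, for example `# Missing by default (verified with Nvidia driver <version tested>)`. If any of them exist by default, deleting them on revert does not restore the original state. The three Chrome policy entries in the `@@ -5099,22 +5897,40 @@` hunk have the same gap.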
@@ -4991,93 +5706,176 @@ actions: - https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#metricsreportingenabled - https://archive.ph/2023.08.26-153019/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices - https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#sendsiteinfotoimproveservices - code: |- - :: Disabling metrics and site info sending for Edge v88 ≥ - reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f - :: Disabling diagnostic data (replacing metrics and site info sending since Edge v89 ≤) - reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "DiagnosticData" /t REG_DWORD /d 0 /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /f 2>nul - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f 2>nul - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "DiagnosticData" /f 2>nul + call: + - + function: SetRegistryValue # Disable metrics for ≤ Edge v88 + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Edge + valueName: MetricsReportingEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue # Disable site info sending for ≤ Edge v88 + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Edge + valueName: SendSiteInfoToImproveServices + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue # Replace metrics and site info sending since Edge ≥ v89 + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Edge + 
valueName: DiagnosticData + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable automatic installation of Edge (Chromium) docs: - https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate - https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit - code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\EdgeUpdate + valueName: DoNotUpdateToEdgeWithChromium + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Live Tile data collection recommend: standard docs: - https://web.archive.org/web/20240314101034/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/telemetry-management-gp - https://web.archive.org/web/20240314125209/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection - code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main + valueName: PreventLiveTileDataCollection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable MFU tracking recommend: standard docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking - code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI + valueName: DisableMFUTracking + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable recent apps recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps - code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI + valueName: DisableRecentApps + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable backtracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack - code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI + valueName: TurnOffBackstack + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Search Suggestions in Edge + recommend: standard docs: - 
https://web.archive.org/web/20240314100851/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/address-bar-settings-gp - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar - recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes + valueName: ShowSearchSuggestionsGlobal + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Configure Internet Explorer children: - name: Disable Internet Explorer geolocation recommend: standard - code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation + valueName: PolicyDisableGeolocation + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Internet Explorer InPrivate logging recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Internet 
Explorer\Safety\PrivacIE + valueName: DisableLogging + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Internet Explorer CEIP (Customer Experience Improvement Program) recommend: standard docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM + valueName: DisableCustomerImprovementProgram + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable legacy WCM policy calls recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f + revertCode: >- + :: Default value is `0` since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f - name: Disable SSLv3 fallback recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f - revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 3 /f + call: + function: SetRegistryValue + parameters: 
+ keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + valueName: EnableSSL3Fallback + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable certificate error ignoring recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings + valueName: PreventIgnoreCertErrors + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Configure Chrome children: 
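Review bot: In "Disable legacy WCM policy calls" the new `revertCode: >-` is a folded scalar whose first body line is the batch comment `:: Default value is …` and whose second is the `reg add`. If both lines sit at the same indentation, folding joins them into a single line beginning with `::`, so the whole line is treated as a comment and the revert never runs. Use `revertCode: |-` to keep the line break, or move the note onto the header line as a YAML comment, `revertCode: >- # Default value is 0 since …`, which is the form used elsewhere in this commit. Indentation is not visible in this view, so verify against the file.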
@@ -5099,22 +5897,40 @@ actions: docs: - https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593 - code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /f - - + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Google\Chrome + valueName: ChromeCleanupReportingEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' + - name: Disable Chrome system cleanup scans (shows "Your browser is managed") recommend: standard docs: - https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591 - code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Google\Chrome + valueName: ChromeCleanupEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' - name: Disable Chrome metrics reporting (shows "Your browser is managed") recommend: standard docs: https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780 - code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Google\Chrome + valueName: MetricsReportingEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' - category: Configure Firefox 
children: 
@@ -5577,15 +6393,45 @@ actions: - name: Disable sending Windows Media Player statistics recommend: standard - code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f + code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t "REG_DWORD" /d "0" /f + # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2), but key exists as `1` once Media Player in installed on Windows 10 22H2 + revertCode: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t "REG_DWORD" /d "1" /f - name: Disable metadata retrieval recommend: standard - code: |- - reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer + valueName: PreventCDDVDMetadataRetrieval + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer + valueName: PreventMusicFileMetadataRetrieval + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer + valueName: PreventRadioPresetsRetrieval + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) 
+ - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WMDRM + valueName: DisableOnline + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Windows Media Player Network Sharing Service" (`WMPNetworkSvc`) recommend: standard 
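Review bot: The added `revertCode` for `UsageTracking` writes `1` unconditionally, although the comment above it says the value is missing by default and only exists as `1` once Media Player is installed. On a system where the value was absent, reverting therefore creates it and turns usage tracking on. Consider stating that trade-off in the comment, or deleting the value on revert as the metadata-retrieval entries below now do. The comment also has a typo: `Media Player in installed` should read `Media Player is installed`.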
@@ -5605,32 +6451,99 @@ actions: defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable CCleaner data collection - code: |- - reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 1 /f - reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 1 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 1 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 1 /f - reg add 
"HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 1 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 1 /f - reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: Monitoring + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: HelpImproveCCleaner + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: RunInlineCode + parameters: + code: reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f + revertCode: >- # `1` by default on Windows 10 22H2, missing key on Windows 11 23H2 (CCleaner v6.23) + reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: UpdateAuto + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: UpdateCheck + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: RunInlineCode + parameters: + code: reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f + revertCode: >- # `0` by default on Windows 10 22H2, missing key on Windows 11 23H2 (CCleaner v6.23) + reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t 
REG_DWORD /d 1 /f + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: (Cfg)HealthCheck + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: (Cfg)QuickClean + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: (Cfg)QuickCleanIpm + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: (Cfg)GetIpmForTrial + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: (Cfg)SoftwareUpdater + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Piriform\CCleaner + valueName: (Cfg)SoftwareUpdaterIpm + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23) - category: Security improvements docs: |- 
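Review bot: The six `(Cfg)…` values, `(Cfg)HealthCheck` through `(Cfg)SoftwareUpdaterIpm`, were written under `HKLM\Software\Piriform\CCleaner` by the removed `reg add` lines, but the new `SetRegistryValue` entries use `keyPath: HKCU\Software\Piriform\CCleaner`. The commit message describes no hive change, so if CCleaner reads these settings from HKLM the script no longer disables them. Restore `keyPath: HKLM\Software\Piriform\CCleaner` for those six entries unless the move is intended, in which case it should be documented. Also, the `CheckTrialOffer` revert comment says the default is `0` on Windows 10 22H2 while its `revertCode` writes `/d 1`.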
@@ -6226,35 +7139,45 @@ actions: [5]: https://web.archive.org/web/20100212053756/http://www.microsoft.com/technet/security/advisory/977377.mspx "Microsoft Security Advisory (977377): Vulnerability in TLS/SSL Could Allow Spoofing | www.microsoft.com" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /t REG_DWORD /d "0" /f - revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL + valueName: AllowInsecureRenegoClients + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /t REG_DWORD /d "0" /f - revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL + valueName: AllowInsecureRenegoServers + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v "DisableRenegoOnServer" /t REG_DWORD /d "1" /f - revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnServer" /f 2>nul + 
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL + valueName: DisableRenegoOnServer + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v "DisableRenegoOnClient" /t REG_DWORD /d "1" /f - revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnClient" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL + valueName: DisableRenegoOnClient + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v "UseScsvForTls" /t REG_DWORD /d "1" /f - revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL + valueName: UseScsvForTls + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - category: Disable insecure protocols docs: |- # refactor-with-variables: Same • Caution • authorities 
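Review bot: The new `deleteOnRevert` comments on the five SCHANNEL values cite "Windows 10 Pro (≥ 22H1)", while the removed `revertCode` comments named Windows 10 22H2 and the other comments in this commit use "≥ 22H2". As far as I know Windows 10 had no 22H1 release, so this looks like a typo, not a newly tested baseline. I would write `# Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)` here. The same applies to the `SMBv1` value in the next hunk (-6432). Reverting deletes TLS renegotiation hardening, so this comment is the only record of which builds were checked.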
@@ -6432,11 +7355,13 @@ actions: code: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi revertCode: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMBv1" /t "REG_DWORD" /d "0" /f - revertCode: >- # Key does not exist (tested: Windows 10 22H2 and Windows 11 23H2) - reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMBv1" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + valueName: SMBv1 + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing value by default since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - function: ShowComputerRestartSuggestion - @@ -6688,8 +7613,8 @@ actions: keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa valueName: LmCompatibilityLevel dataType: REG_DWORD - data: 5 - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + data: "5" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable insecure connections from .NET apps recommend: strict # Default since .NET 4.6 and above, absence considered vulnerabiltiy, but can still break legacy apps @@ -6910,7 +7835,7 @@ actions: valueName: AllowBasic dataType: REG_DWORD data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable unauthorized user account discovery (anonymous SAM enumeration) recommend: standard 
@@ -7011,8 +7936,14 @@ actions: [3]: https://web.archive.org/web/20230831124304/https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Business-Partner-System-Security-Manual-BPSSM.pdf "CMS Manual System | Pub 100-17 Medicare Business Partners | Department of Health & Human Services (DHHS) & Centers for Medicare & Medicaid Services (CMS) | cms.gov" [4]: https://web.archive.org/web/20230831124324/https://www.unifiedcompliance.com/products/search-authority-documents/authority-document/1071/ "Payment Card Organizations > PCI Security Standards Council | Unified Compliance | www.unifiedcompliance.com" [5]: https://web.archive.org/web/20240510180222/https://github.com/undergroundwires/privacy.sexy/issues/249 "Disabling administrative shares breaks PsTools | undergroundwires/privacy.sexy | github.com" - code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /f # Key does not exist since Windows 11 22H2 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + valueName: AutoShareWks + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable anonymous enumeration of shares recommend: standard 
@@ -7029,7 +7960,7 @@ actions: [1]: https://web.archive.org/web/20240510180528/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 "Anonymous enumeration of shares must be restricted. | www.stigviewer.com" code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "1" /f - revertCode: |- # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + revertCode: |- # 0 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d "0" /f - name: Disable "Telnet Client" feature @@ -7132,7 +8063,7 @@ actions: code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f - revertCode: |- # 1 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + revertCode: |- # 1 by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f - @@ -7142,7 +8073,7 @@ actions: valueName: AllowBasic dataType: REG_DWORD data: '0' - deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Windows 10 Pro (≥ 23H2) + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable non-essential network components docs: |- 
@@ -7380,17 +8311,21 @@ actions: [7]: https://web.archive.org/web/20240119145950/https://www.elevenforum.com/t/enable-or-disable-clipboard-sync-across-devices-in-windows-11.976/ "Enable or Disable Clipboard Sync Across Devices in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" /t "REG_DWORD" /d "0" /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: AllowCrossDeviceClipboard + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Clipboard" /v "CloudClipboardAutomaticUpload" /t "REG_DWORD" /d "0" /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKCU\Software\Microsoft\Clipboard" /v "CloudClipboardAutomaticUpload" /f 2>nul + keyPath: HKCU\Software\Microsoft\Clipboard + valueName: CloudClipboardAutomaticUpload + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable clipboard history recommend: standard 
@@ -7432,17 +8367,21 @@ actions: [9]: https://web.archive.org/web/20240119153231/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OSPolicy::AllowClipboardHistory "Allow Clipboard History | admx.help" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Clipboard" /v "EnableClipboardHistory" /t REG_DWORD /d 0 /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKCU\Software\Microsoft\Clipboard" /v "EnableClipboardHistory" /f 2>nul + keyPath: HKCU\Software\Microsoft\Clipboard + valueName: EnableClipboardHistory + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /t "REG_DWORD" /d "0" /f - # This key does not exist by default since Windows 10 22H2 and Windows 11 23H2 - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: AllowClipboardHistory + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable background clipboard data collection (`cbdhsvc`) (breaks clipboard history and sync) recommend: strict 
@@ -7492,57 +8431,110 @@ actions: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f - name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V - code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization + valueName: MinVmVersionForCpuBasedMitigations + dataType: REG_SZ + data: "1.0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable Data Execution Prevention (DEP) - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer + valueName: NoDataExecutionPrevention + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: DisableHHDEP + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable AutoPlay and AutoRun + recommend: standard docs: - https://en.wikipedia.org/wiki/AutoRun - 
https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673 - recommend: standard - code: |- - :: 255 (0xff) means all drives - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoDriveTypeAutoRun + dataType: REG_DWORD + data: "255" # 255 (0xff) + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoAutorun + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer + valueName: NoAutoplayfornonVolume + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable lock screen camera access recommend: standard docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 - code: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f - - + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization + valueName: NoLockScreenCamera + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - name: Disable storage of the LAN Manager password hashes recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 0 /f + code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d "1" /f + revertCode: |- + :: `1` as default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d "1" /f - name: Disable "Always install with elevated privileges" in Windows Installer recommend: standard docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer + valueName: AlwaysInstallElevated + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable Structured Exception Handling Overwrite Protection (SEHOP) recommend: standard docs: 
https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel + valueName: DisableExceptionChainValidation + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable security against PowerShell 2.0 downgrade attacks recommend: standard 
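Review bot: In "Disable storage of the LAN Manager password hashes", `code` and `revertCode` now write the same data (`NoLMHash` set to "1"), so reverting never re-enables LM hash storage, yet nothing says this is deliberate and it reads like a copy-paste slip. The `::` line states only the default. I would extend it to something like `:: 1 is the OS default, so revert re-applies it and never writes 0`. This script also stays on inline `reg add` while the rest of the hunk moves to `SetRegistryValue`. A short comment giving the reason would help the next maintainer; presumably the value exists by default, so delete-on-revert does not fit.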
@@ -7585,20 +8577,55 @@ actions: docs: - https://web.archive.org/web/20240314130322/https://learn.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now - https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698 - code: |- - reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f - revertCode: |- - reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\WCN\UI + valueName: DisableWcnUi + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + 
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars + valueName: DisableFlashConfigRegistrar + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars + valueName: DisableInBand802DOT11Registrar + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars + valueName: DisableUPnPRegistrar + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars + valueName: DisableWPDRegistrar + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars + valueName: EnableRegistrars + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Block tracking hosts docs: |- 
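Review bot: The four `Disable*Registrar` values and `EnableRegistrars` are all written as "0" next to `DisableWcnUi` set to "1", and nothing in the hunk explains why a script that turns off Windows Connect Now sets values named Disable… to 0. This presumably mirrors what the policy's disabled state writes, as in the STIG finding V-15698 linked under `docs`, but that is worth confirming and stating. A comment such as `# Policy "disabled" state: EnableRegistrars=0 with every Disable*Registrar=0 (see STIG V-15698)` above the `Registrars` calls would stop a later edit from flipping them to 1. The script's name and the start of its entry are outside the hunk.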
@@ -8713,31 +9740,53 @@ actions: - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 - code: |- - :: Policy based - reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - :: Non-policy based - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - # When reverting HKLM\SOFTWARE\Policies profiles are deleted as they are not included in clean installation - # On the other hand "StandardProfile", "DomainProfile" and "PublicProfile" exists HKLM\SYSTEM\CurrentControlSet - # so they're not deleted but set to default state - revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy - :: Policy based - reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /f 2>nul - reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /f 2>nul - reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /f 2>nul - reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /f 2>nul - :: Non-policy based - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + valueName: EnableFirewall + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # 
Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: RunInlineCode + parameters: + code: |- + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f + # "StandardProfile", "DomainProfile" and "PublicProfile" exists HKLM\SYSTEM\CurrentControlSet they're not deleted but set to default state + revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - name: Disable "Firewall & network protection" section in "Windows Security" docs: |- 
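Review bot: The revert for `FirewallPolicy\PrivateProfile` still writes `EnableFirewall` = 1 through `reg add`, although the comment in the same block lists only StandardProfile, DomainProfile and PublicProfile as existing under `HKLM\SYSTEM\CurrentControlSet`. If PrivateProfile is in fact absent on a clean install, reverting leaves behind a value the OS does not ship, which is what this commit sets out to avoid for the policy keys. I would move that one value into its own `SetRegistryValue` call with `deleteOnRevert` and keep the other three in `RunInlineCode`. The `#` comment line also sits between the `code: |-` body and `revertCode`. Its indentation is not visible here, so check that it is at key level and not part of the batch text.

```yaml
# … unchanged: four policy-based SetRegistryValue calls …
-
  function: SetRegistryValue
  parameters:
    keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile
    valueName: EnableFirewall
    dataType: REG_DWORD
    data: "0"
    deleteOnRevert: 'true' # TODO confirm: value is absent on a clean install
# … unchanged: RunInlineCode for StandardProfile, DomainProfile and PublicProfile, without the PrivateProfile lines …
```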
@@ -8754,15 +9803,27 @@ actions: [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn" [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection + valueName: UILockdown + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903 docs: - https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f - revertCode: reg 
delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender + valueName: DisableAntiSpyware + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender features # Status: Get-MpPreference 
@@ -8790,29 +9851,50 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet + valueName: DisableBlockAtFirstSeen + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Maximize time for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" docs: - https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudextendedtimeout - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: MpBafsExtendedTimeout + dataType: REG_DWORD + data: "50" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize cloud protection level # Requires "Join Microsoft MAPS" docs: - 
https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudblocklevel - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: MpCloudBlockLevel + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable notifications to turn off security intelligence # Requires "Join Microsoft MAPS" docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: SignatureDisableNotification + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender cloud export for analysis children: 
@@ -8837,11 +9919,14 @@ actions: value: "'0'" # Set: Set-MpPreference -Force -MAPSReporting 0 default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /f 2>nul - - + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet + valueName: SpynetReporting + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - name: Disable sending file samples for further analysis recommend: strict docs: @@ -8860,10 +9945,13 @@ actions: default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 1 (OS default) in Windows 11 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet + valueName: SubmitSamplesConsent + dataType: REG_DWORD + data: "2" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Malicious Software Reporting" tool diagnostic data recommend: strict 
@@ -8879,14 +9967,26 @@ actions: [1]: https://web.archive.org/web/20231009135123/https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection "Disable Malicious Software Reporting tool diagnostic data | admx.help" [2]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT + valueName: DontReportInfectionInformation + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS" recommend: strict docs: https://web.archive.org/web/20231206191442/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: RealtimeSignatureDelivery + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default docs: 
@@ -8906,18 +10006,21 @@ actions: value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - - function: RunInlineCode + function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019 parameters: - code: |- - :: For legacy versions: Windows 10 v1809 and Windows Server 2019 - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f - :: For newer Windows versions - reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f - revertCode: |- - :: For legacy versions: Windows 10 v1809 and Windows Server 2019 - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /f 2>nul - :: For newer Windows versions - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: MpEnablePus + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue # For newer Windows versions + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: PUAProtection + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable tamper protection # Added in Windows 10, version 1903 docs: 
@@ -8941,8 +10044,14 @@ actions: - https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine + valueName: EnableFileHashComputation + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable "Windows Defender Exploit Guard" docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ 
@@ -8950,15 +10059,27 @@ actions: - name: Disable prevention of users and apps from accessing dangerous websites docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + valueName: EnableNetworkProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable controlled folder access docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access + valueName: EnableControlledFolderAccess + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: 
Disable network inspection system features children: 
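Review bot: In `Disable prevention of users and apps from accessing dangerous websites`, `data: "1"` for `EnableNetworkProtection` looks inverted. As far as I know the policy behind the linked ADMX page uses 0 for disabled, 1 for block mode and 2 for audit mode, so the script would turn network protection on rather than off. The value is carried over unchanged from the removed `reg add` line, so this commit does not introduce it, but the conversion is a good moment to confirm it and either change it to `data: "0"` or rename the script. `ServiceKeepAlive` with `data: '1'` in the `-9215` hunk (`Disable always running antimalware service`) has the same name-versus-value mismatch if that policy's enabled value is 1, which should be checked against its ADMX page as well.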
@@ -8967,18 +10088,36 @@ actions: docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS + valueName: DisableProtocolRecognition + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable definition retirement docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS + valueName: DisableSignatureRetirement + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize rate of detection events docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v 
"ThrottleDetectionEventsRate" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS + valueName: ThrottleDetectionEventsRate + dataType: REG_DWORD + data: "10000000" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable real-time protection children: @@ -9000,10 +10139,13 @@ actions: default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableRealtimeMonitoring + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable intrusion prevention system (IPS) docs: 
@@ -9021,15 +10163,24 @@ actions: default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableIntrusionPreventionSystem + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Information Protection Control (IPC) docs: https://web.archive.org/web/20231207105520/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableInformationProtectionControl + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender monitoring of behavior children: 
@@ -9049,15 +10200,24 @@ actions: # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableBehaviorMonitoring + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable sending raw write notifications to behavior monitoring docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableRawWriteNotification + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable monitoring of downloads and attachments in Defender children: 
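Review bot: The `SetRegistryValue` entry for `DisableBehaviorMonitoring` carries no note that, as far as I know, Microsoft documents behavior monitoring as a tamper-protected setting. With Tamper Protection on, Defender ignores the value written under `HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, so the write succeeds while the protection stays active and the user is left believing the setting applied. I would add a comment on the entry such as `# Ignored by Defender while Tamper Protection is on; the value is written but has no effect`. The same documentation gap appears to apply to `DisableRealtimeMonitoring` in the `-9000` hunk and `DisableIOAVProtection` in the `-9077` hunk.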
@@ -9077,15 +10237,24 @@ actions: # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableIOAVProtection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning files larger than 1 KB (minimum possible) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: IOAVMaxSize + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender monitoring of file and program activity children: 
@@ -9094,8 +10263,14 @@ actions: docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableWindowsSpotlightFeatures + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable bidirectional scan for incoming and outgoing file and program activities docs: 
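Review bot: `valueName: DisableWindowsSpotlightFeatures` is the wrong value for this script: the removed `reg add` line and the linked ADMX policy (`RealtimeProtection_DisableOnAccessProtection`) both target `DisableOnAccessProtection` under the same `Real-Time Protection` key. As written, the script creates an unrelated value that Defender presumably does not read. Revert then deletes that value instead of `DisableOnAccessProtection`, so a machine changed by an earlier release keeps the old value after revert. The line should read `valueName: DisableOnAccessProtection`. The script's `name:` line is above the hunk.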
@@ -9114,17 +10289,26 @@ actions: value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: RealTimeScanDirection + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable real-time protection process scanning docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + valueName: DisableScanOnRealtimeEnable + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender remediation children: 
@@ -9133,8 +10317,14 @@ actions: docs: - https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: DisableRoutinelyTakingAction + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable running scheduled auto-remediation docs: @@ -9145,10 +10335,13 @@ actions: call: # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Remediation + valueName: Scan_ScheduleDay + dataType: REG_DWORD + data: "8" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
@@ -9178,23 +10371,53 @@ actions: # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` # works on both Windows 10 and Windows 11 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: |- - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f - :: 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition) - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f - revertCode: |- - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /f 2>nul - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /f 2>nul - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /f 2>nul - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /f 2>nul - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats + valueName: 
Threats_ThreatSeverityDefaultAction + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "5" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "4" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "3" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "2" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction + valueName: "1" + dataType: REG_SZ + data: "9" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Enable automatically purging items from quarantine folder docs: 
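Review bot: The conversion drops the legend that the removed `code` block carried, so the five `REG_SZ` entries under `Threats\ThreatSeverityDefaultAction` now show `data: "9"` with no explanation. I would restore it as a YAML comment above the first of them: `# 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition)`. A short comment that `valueName` `"1"` to `"5"` are presumably the threat severity levels would also help. Without these, a reader auditing what this script changes cannot tell that every listed severity is set to take no action.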
@@ -9215,16 +10438,25 @@ actions: default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine + valueName: PurgeItemsAfterDelay + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable always running antimalware service docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul - # - Too good to disable, also no reported privacy issues + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: ServiceKeepAlive + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - # Too good to disable # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 # children: 
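Review bot: From this hunk onward the converted entries write `data: '1'` in single quotes, while every earlier hunk in the patch uses double quotes (`data: "1"`, `data: "50"`). Both parse to the same string, but in a commit whose purpose is standardization the mixed style means a text search for written values can miss entries. I would settle on one form, for example `data: "1"` here for `PurgeItemsAfterDelay` and `ServiceKeepAlive`, and apply it to the later hunks as well.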
@@ -9236,50 +10468,111 @@ actions: # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool - # code: |- - # reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f - # reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f - # revertCode: |- # Already disabled by default, so just delete the keys - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f 2>nul - # reg delete "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /f 2>nul + # call: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa + # valueName: LsaCfgFlags + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\Software\Policies\Microsoft\Windows\DeviceGuard + # valueName: LsaCfgFlags + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # name: Disable virtualization-based security (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity - # code: |- - # :: 
Virtualization features - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul - # :: Lock - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul - # :: HypervisorEnforcedCodeIntegrity - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f 2>nul - # revertCode: |- - # :: Virtualization features - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul - # :: Lock - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul - # :: HypervisorEnforcedCodeIntegrity - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul + # call: + # # Virtualization features + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: EnableVirtualizationBasedSecurity + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # 
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: RequirePlatformSecurityFeatures + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # # Lock: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: Locked + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: NoLock + # dataType: REG_DWORD + # data: '1' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # # HypervisorEnforcedCodeIntegrity: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard + # valueName: HypervisorEnforcedCodeIntegrity + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity + # valueName: Enabled + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity + # valueName: Locked + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # name: Disable System Guard Secure Launch # docs: # - 
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch - # code: |- - # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 2 /f - # reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 0 /f - # revertCode: |- - # reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /f 2>nul - # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /f 2>nul + # call: + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + # valueName: ConfigureSystemGuardLaunch + # dataType: REG_DWORD + # data: '2' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + # - + # function: SetRegistryValue + # parameters: + # keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard + # valueName: Enabled + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # name: Disable Windows Defender Application Control Code Integrity Policy # docs: 
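Review bot: In the commented-out `Disable virtualization-based security` block the conversion changes what the script would do if re-enabled. The removed `code` only ran `reg delete` on the `DeviceGuard` values, whereas the new entries write `data: '0'` (and `'1'` for `NoLock`), and the removed deletion of the whole `Scenarios\HypervisorEnforcedCodeIntegrity` key becomes two value writes. Each entry also repeats `# Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)`, which is hard to have verified for a block that never runs and may not hold on hardware where these features ship enabled. I would mark those comments as unverified, e.g. `# Default state not verified; block is disabled`, so nobody re-enables the block trusting them. The commented-out category begins above this hunk.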
@@ -9287,10 +10580,13 @@ actions: # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # call: # - - # function: RunInlineCode + # function: SetRegistryValue # parameters: - # code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 0 /f - # revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /v "Enabled" /f 2>nul + # keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + # valueName: DeployConfigCIPolicy + # dataType: REG_DWORD + # data: '0' + # deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) # - # function: DeleteFiles # parameters: @@ -9313,10 +10609,13 @@ actions: default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False setDefaultOnWindows11: true # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions + valueName: DisableAutoExclusions + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender scans children: 
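Review bot: The `deleteOnRevert: 'true'` comment on `DisableAutoExclusions` describes only a clean install, but the value lives under `HKLM\SOFTWARE\Policies`, where Group Policy or MDM may already have written it before the script ran. Assuming `SetRegistryValue` (defined outside this hunk) deletes unconditionally on revert, as the removed `reg delete` did, revert removes an administrator-set policy instead of restoring the earlier state. I would say so in the comment, for example `# Missing by default on unmanaged installs; revert deletes the value even if Group Policy or MDM set it`. The same comment is repeated on the other `...\Policies\...` values in the later hunks (Scan, Signature Updates, Reporting, MRT, AppHVSI).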
@@ -9338,10 +10637,13 @@ actions: value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - - function: RunInlineCode - parameters: # Default: Does not exist - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: CheckForSignaturesBeforeRunningScan + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable creation of daily system restore points # Default behavior docs: @@ -9357,10 +10659,13 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableRestorePoint + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize retention time for files in scan history docs: 
@@ -9376,10 +10681,13 @@ actions: value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: PurgeItemsAfterDelay + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable catch-up scans children: @@ -9387,8 +10695,14 @@ actions: name: Maximize days until mandatory catch-up scan docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup # Default and minimum is 2, maximum is 20 - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: MissedScheduledScanCountBeforeCatchup + dataType: REG_DWORD + data: '20' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable catch-up full scans # Disabled by default docs: 
@@ -9404,10 +10718,13 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableCatchupFullScan + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable catch-up quick scans docs: 
@@ -9423,18 +10740,27 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableCatchupQuickScan + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender scan options children: - name: Disable scan heuristics docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableHeuristics + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Minimize CPU usage during scans children: 
@@ -9454,10 +10780,13 @@ actions: value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: AvgCPULoadFactor + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize CPU usage during idle scans docs: @@ -9471,10 +10800,13 @@ actions: value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableCpuThrottleOnIdleScans + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning when not idle # Default OS setting docs: 
@@ -9490,10 +10822,13 @@ actions: value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ScanOnlyIfIdle + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scheduled anti-malware scanner (MRT) docs: |- @@ -9506,8 +10841,14 @@ actions: By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. [1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT + valueName: DontOfferThroughWUAU + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Minimize scanned areas children: 
@@ -9526,10 +10867,13 @@ actions: value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableEmailScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable script scanning docs: @@ -9546,8 +10890,14 @@ actions: - name: Disable reparse point scanning docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableReparsePointScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning mapped network drives during full scan docs: 
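Review bot: The inline comment on the `SetMpPreference` `value` line for `DisableEmailScanning` contradicts the value it annotates: `value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False`. The registry call added just below writes `data: '1'`, which agrees with `$True`, so the comment looks like the stale part and should read `# Set: Set-MpPreference -Force -DisableEmailScanning $True`. The entry starts above the hunk, so its name and docs are not visible here.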
@@ -9557,10 +10907,13 @@ actions: - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableScanningMappedNetworkDrivesForFullScan + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: @@ -9576,10 +10929,13 @@ actions: - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableScanningNetworkFiles + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
@@ -9589,8 +10945,14 @@ actions: - name: Disable scanning packed executables docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisablePackedExeScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable scanning archive files children: @@ -9603,10 +10965,13 @@ actions: - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableArchiveScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
@@ -9616,13 +10981,25 @@ actions: - name: Minimize scanning depth of archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ArchiveMaxDepth + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize file size for scanning archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ArchiveMaxSize + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning removable drives docs: 
@@ -9633,10 +11010,13 @@ actions: - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: DisableRemovableDriveScanning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: @@ -9659,10 +11039,13 @@ actions: # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ScheduleDay + dataType: REG_DWORD + data: '8' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
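Review bot: The last docs link of the removable-drive entry (first hunk on this line) ends in `#disablearchivescanningDisableRemovableDriveScanning`, which looks like two fragments pasted together. The neighbouring entries use the lower-cased parameter name as the fragment (`#disablearchivescanning`, `#disablescanningnetworkfiles`), so this one was presumably meant to be `#disableremovabledrivescanning`; worth confirming against the archived page. As written, the link probably lands on the wrong setting or on no anchor at all.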
@@ -9678,10 +11061,13 @@ actions: - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender + valueName: RandomizeScheduleTaskTimes + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: @@ -9699,10 +11085,13 @@ actions: call: # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: ScanParameters + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
@@ -9713,13 +11102,25 @@ actions: - name: Minimize daily quick scan frequency docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan + valueName: QuickScanInterval + dataType: REG_DWORD + data: '24' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable scanning after security intelligence (signature) update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableScanOnUpdate + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender updates children: 
@@ -9729,18 +11130,36 @@ actions: - name: Disable forced security intelligence (signature) updates from Microsoft Update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ForceUpdateFromMU + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable security intelligence (signature) updates when running on battery power docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableScheduledSignatureUpdateOnBattery + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable startup check for latest virus and spyware security intelligence (signature) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t 
REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: UpdateOnStartUp + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable catch-up security intelligence (signature) updates # default is one day docs: @@ -9751,10 +11170,13 @@ actions: call: # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: SignatureUpdateCatchupInterval + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
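Review bot: The three converted entries in the `@@ -9729` hunk (`ForceUpdateFromMU`, `DisableScheduledSignatureUpdateOnBattery`, `UpdateOnStartUp`) all write `data: '1'` with no comment saying what `1` means, and for the two value names without a `Disable` prefix it is not obvious that `1` matches a script titled "Disable …". Other entries in this file document the encoding next to the call, as in `# Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc`. I would add the same kind of `# Options:` line above each `call:` here, taken from the linked ADMX page, so the name, the value and the revert can be checked against each other.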
@@ -9767,16 +11189,28 @@ actions: docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ASSignatureDue + dataType: REG_DWORD + data: '4294967295' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when virus security intelligence (signature) is considered up-to-date docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: AVSignatureDue + dataType: REG_DWORD + data: '4294967295' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable security intelligence (signature) update on startup docs: 
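Review bot: `data: '4294967295'` for `ASSignatureDue` and `AVSignatureDue` is the largest value a `REG_DWORD` can hold, and the removed inline `reg add` took it as-is; whether `SetRegistryValue` does depends on code outside this hunk. If that function converts `data` through a signed 32-bit integer the write would fail or wrap, so it is worth confirming it accepts the full unsigned range and adding `# 0xFFFFFFFF, maximum REG_DWORD` beside the value. The docs link two STIG findings but do not state the effect that the entry's own comment implies, namely that definitions of any age keep counting as up to date; a sentence saying so would let a reader see the risk before applying it.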
@@ -9786,10 +11220,13 @@ actions: - https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: DisableUpdateOnStartupWithoutEngine + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: @@ -9808,10 +11245,13 @@ actions: # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: ScheduleDay + dataType: REG_DWORD + data: '8' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
@@ -9830,10 +11270,13 @@ actions: # Valid values range from 1 (every hour) to 24 (once per day). # If not specified (0), parameter, Microsoft Defender checks at the default interval - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: SignatureUpdateInterval + dataType: REG_DWORD + data: '24' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: SetMpPreference parameters: 
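Review bot: The context comment above the converted call reads `# If not specified (0), parameter, Microsoft Defender checks at the default interval`, and the stray "parameter," makes it hard to parse. Suggested wording: `# If not specified (0), Microsoft Defender checks at the default interval`. The entry's name and docs are above the hunk, so only this comment can be checked here.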
@@ -9846,13 +11289,25 @@ actions: - name: Disable definition updates via WSUS and Microsoft Malware Protection Center docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: CheckAlternateHttpLocation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable definition updates through both WSUS and Windows Update docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates + valueName: CheckAlternateDownloadLocation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize Defender updates to completed gradual release cycles docs: 
@@ -9937,22 +11392,40 @@ actions: name: Disable sending Watson events # Deprecated since February 2015 update http://support.microsoft.com/kb/3036437 docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableGenericRePorts + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize Windows software trace preprocessor (WPP Software Tracing) docs: - https://web.archive.org/web/20240314123926/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: WppTracingLevel + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable auditing events in Microsoft Defender Application Guard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - 
https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI + valueName: AuditApplicationGuard + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender user interface children: @@ -9960,8 +11433,14 @@ actions: name: Remove "Windows Security" system tray icon docs: |- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray + valueName: HideSystray + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Remove "Scan with Microsoft Defender" from context menu docs: 
@@ -10024,8 +11503,14 @@ actions: [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Minimize threat history access to administrators docs: 
@@ -10060,42 +11545,78 @@ actions: docs: |- - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Ransomware data recovery" section in "Windows Security" docs: |- [Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection + valueName: 
HideRansomwareRecovery + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Family options" section in "Windows Security" docs: |- - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Device performance and health" section in "Windows Security" docs: |- - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device 
performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Account protection" section in "Windows Security" docs: |- - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "App and browser control" section in "Windows Security" docs: |- - [App & browser control in Windows Security - Windows Security | Microsoft 
Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable device security sections children: 
@@ -10104,34 +11625,64 @@ actions: docs: |- - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: UILockdown + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Clear TPM" button in "Windows Security" docs: |- - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul + 
call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableClearTpmButton + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Secure boot" button in "Windows Security" docs: |- [Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: HideSecureBoot + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" docs: |- [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: 
HideTPMTroubleshooting + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "TPM Firmware Update" recommendation in "Windows Security" docs: |- - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security + valueName: DisableTpmFirmwareUpdateWarning + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable Defender notifications children: 
@@ -10144,45 +11695,97 @@ actions: docs: - https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul - reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable non-critical Defender notifications docs: - http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul - reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting + valueName: DisableEnhancedNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 
1607 and above docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable all Defender Antivirus notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress - code: |- - reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f - reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f - revertCode: |- - reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul - reg delete "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration + valueName: Notification_Suppress + 
dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Defender reboot notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification - code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration + valueName: SuppressRebootNotification + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable OS components for Defender # Hackers way of disabling Defender children: 
@@ -10511,34 +12114,63 @@ actions: docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: EnableSmartScreen + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable SmartScreen in File Explorer docs: - https://winaero.com/change-windows-smartscreen-settings-windows-10/ - https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ - code: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f - reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul - reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer + valueName: SmartScreenEnabled + dataType: REG_SZ + data: 'Off' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer + valueName: SmartScreenEnabled + dataType: REG_SZ + data: 'Off' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 
23H2) - name: Disable SmartScreen's prevention of application execution docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: ShellSmartScreenLevel + dataType: REG_SZ + data: Warn + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable SmartScreen in Microsoft browsers children: - name: Disable SmartScreen in Edge (Chromium) for potentially unwanted apps docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Edge + valueName: SmartScreenPuaEnabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Edge SmartScreen docs: 
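Review bot: `deleteOnRevert: 'true'` on `EnableSmartScreen` and `ShellSmartScreenLevel` removes the policy value on revert instead of restoring what was there before the script ran. The docs for both entries cite a STIG finding, which suggests hardened baselines set these values explicitly; on such a host, revert would leave SmartScreen unmanaged until policy is re-applied. The removed `reg delete` lines behaved the same way, so this is not new, but it is worth documenting next to the parameter, for example `# Revert deletes the value; re-apply Group Policy or the baseline if this value was managed before`.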
@@ -10547,27 +12179,66 @@ actions: - https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreen-settings - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713 - https://web.archive.org/web/20231206191447/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f - reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f - reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f - :: For Microsoft Edge version 77 or later - reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul - reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul - reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul - reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul - :: For Microsoft Edge version 77 or later 
- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /f 2>nul - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter + valueName: EnabledV9 + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter + valueName: PreventOverride + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter + valueName: EnabledV9 + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter + valueName: PreventOverride + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # For Microsoft Edge version 77 or later + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Edge + valueName: SmartScreenEnabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - # For Microsoft Edge version 77 or later + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Edge + valueName: 
PreventSmartScreenPromptOverride + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable SmartScreen in Internet Explorer docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 - code: reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 + valueName: '2301' + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable SmartScreen for Windows Store apps children: 
@@ -10577,21 +12248,41 @@ actions: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl - https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen - https://web.archive.org/web/20240314103348/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen - code: |- - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f - reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f - revertCode: |- - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul - reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen + valueName: ConfigurgeAppInstallControl + dataType: REG_SZ + data: Anywhere + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen + valueName: ConfigureAppInstallControlEnabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable SmartScreen's web content (URLs) checking for apps docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general - code: |- - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v 
"EnableWebContentEvaluation" /t REG_DWORD /d "0" /f - reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f - revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f - reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost + valueName: EnableWebContentEvaluation + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f + revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f - category: Disable automatic updates docs: |- @@ -12050,6 +13741,8 @@ actions: call: function: RunPowerShell parameters: + # Marked: refactor-with-variables + # - Getting `$currentTime` is used across multiple scripts. code: |- $currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ') # GPO 
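Review bot: The first `SetRegistryValue` call in the Windows Store apps SmartScreen script spells the value name `ConfigurgeAppInstallControl`. The removed `reg add` line and the linked admx.help policy id both use `ConfigureAppInstallControl`. With the misspelled name the script presumably writes a value the policy never reads, so the `Anywhere` setting would not apply. Revert would also delete only the misspelled value, leaving a `ConfigureAppInstallControl` written by an earlier version of the script in place. Change the line to `valueName: ConfigureAppInstallControl`; the sibling call for `ConfigureAppInstallControlEnabled` is spelled correctly.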
@@ -12123,22 +13816,62 @@ actions: [1]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231209170224/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DeferUpgrade "Defer Upgrades and Updates | admx.help" - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdate" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "4" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "8" /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseDeferrals" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate" /v "value" /t "REG_DWORD" /d "1" /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdate" /f 2>null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /f 2>null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /f 2>null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /f 2>null - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseDeferrals" /f 2>null - reg 
add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "0" /f - reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate" /v "value" /f 2>null + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferUpdate + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferUpgrade + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferUpdatePeriod + dataType: REG_DWORD + data: '4' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: DeferUpgradePeriod + dataType: REG_DWORD + data: '8' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + valueName: PauseDeferrals + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate + valueName: value + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: RunInlineCode + parameters: + code: |- + reg add 
"HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "1" /f + revertCode: >- # `0` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "0" /f - category: Configure how downloaded files are handled docs: |- @@ -12187,8 +13920,14 @@ actions: [2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_MarkZoneOnSavedAtttachments "Do not preserve zone information in file attachments | admx.help" [4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /f 2>nul + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments + valueName: SaveZoneInformation + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable notifications to antivirus programs for downloaded files docs: |- 
@@ -12315,9 +14054,15 @@ actions: - name: Disable lock screen app notifications recommend: standard - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687 + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: DisableLockScreenAppNotifications + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Disable online content in File Explorer children: 
@@ -12325,34 +14070,64 @@ actions: name: Disable online tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System + valueName: AllowOnlineTips + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Internet File Association" service recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2 - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoInternetOpenWith + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Order Prints" picture task recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2 - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042 - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f - revertCode: reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoOnlinePrintsWizard + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable "Publish to Web" option for files and folders recommend: standard docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255 - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoPublishingWizard + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable provider list downloads for wizards recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621 - code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoWebServices + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Secure recent document lists children: 
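Review bot: The `Disable online tips` call now writes `AllowOnlineTips` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\System`, but the removed `code` and `revertCode` lines both used `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`. The new path is the key used by the `DisableLockScreenAppNotifications` script in the hunk just above, so this looks like a copy-paste slip rather than an intended move. If so, the script would report success while the policy stays unset. Restore `keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`; the other four scripts in this hunk keep their original key.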
@@ -12361,27 +14136,46 @@ actions: recommend: strict docs: https://web.archive.org/web/20231207105611/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f + # `0` by default on Windows 10 (22H2 and above), missing by default on Windows 11 (23H2 and above) revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f - name: Clear recently opened document history upon exit recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 01 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: ClearRecentDocsOnExit + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Live Tiles push notifications recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification - code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f - revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + valueName: NoTileApplicationNotification + dataType: REG_DWORD + 
data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable the "Look For An App In The Store" option recommend: standard docs: - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1 - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f - revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer + valueName: NoUseStoreOpenWith + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable the display of recently used files in Quick Access recommend: strict 
@@ -12389,27 +14183,39 @@ actions: - https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent - https://web.archive.org/web/20231206191753/https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5 - https://web.archive.org/web/20240314130140/https://learn.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node - code: |- - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t "REG_DWORD" /f - reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f - if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? - reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f - ) - revertCode: |- - reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d "1" /t "REG_DWORD" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f - if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? 
- reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f - ) + call: + - + function: SetRegistryValue + parameters: + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer + valueName: ShowRecent + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + - + function: RunInlineCode + parameters: + code: |- + reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f + if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? + reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f + ) + revertCode: |- + reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f + if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? 
+ reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f + ) - name: Disable sync provider notifications call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /f 2>nul + keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced + valueName: ShowSyncProviderNotifications + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - 
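Review bot: The two `reg delete` commands kept in the `RunInlineCode` `code` block for the `DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}` keys still have no stderr redirect. Running the script a second time, or on a system where the key is already absent, therefore prints a "unable to find the specified registry key" error. The commit message says such absent-key states should no longer surface as errors, so append `2>nul` to both, e.g. `reg delete "HKLM\...\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f 2>nul`. Separately, `ShowRecent` revert changes from writing `1` to deleting the value, which is correct only if the "Missing by default" comment was verified for this HKCU value.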
@@ -12436,8 +14242,14 @@ actions: - https://web.archive.org/web/20240314130237/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled - https://archive.ph/2024.03.14-100859/https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5/?rdt=41039 - https://web.archive.org/web/20231206191715/https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e - code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /d 1 /t REG_DWORD /f - revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: NoPhysicalCameraLED + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Remove items from "This PC" and "Browse" in dialog boxes children: 
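Review bot: `NoPhysicalCameraLED` is now written to `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, whereas the removed `code` and `revertCode` both targeted `HKLM\SOFTWARE\Microsoft\OEM\Device\Capture`. The commit message describes no key relocations, and the linked unattend reference is named for the `NoPhysicalCameraLED` device-capture setting, so the new path is most likely a copy-paste from an Explorer policy script. As written, the camera-indicator setting would silently not apply while the script appears to succeed. Revert would also leave a value written by an earlier version under `OEM\Device\Capture` untouched. Restore `keyPath: HKLM\SOFTWARE\Microsoft\OEM\Device\Capture`.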
@@ -16303,12 +18115,23 @@ actions: [1]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSync "Prevent the usage of OneDrive for file storage | admx.help" [2]: https://support.microsoft.com/en-us/office/onedrive-won-t-start-0c158fa6-0cd8-4373-98c8-9179e24f10f2 "OneDrive won't start | support.microsoft.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSyncForBlue "Prevent the usage of OneDrive for file storage on Windows 8.1 | admx.help" - code: |- - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 1 /f - revertCode: |- - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /f 2>nul - reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSync" /f 2>nul + call: + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive + valueName: DisableFileSyncNGSC + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2 + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive + valueName: DisableFileSync + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2 - name: Disable automatic OneDrive installation docs: |- 
@@ -16349,7 +18172,7 @@ actions: [1]: https://web.archive.org/web/20231025220530/https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com" [2]: https://web.archive.org/web/20240322101857/https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com" - code: |- + code: |- # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f revertCode: |- @@ -16489,10 +18312,13 @@ actions: through testing and community support to work as expected. call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev" /v "AllowUninstall" /t REG_DWORD /d "1" /f - revertCode: reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev" /v "AllowUninstall" /f 2>nul # It does not exists since Windows 10 21H2 and Windows 11 21H2 + keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev + valueName: AllowUninstall + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2 - function: RunPowerShell parameters: 
@@ -17362,11 +19188,13 @@ actions: [2]: https://www.bleepingcomputer.com/news/microsoft/new-windows-11-registry-hacks-to-customize-your-device/ "New Windows 11 registry hacks to customize your device | Bleeping Computer" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced + valueName: TaskbarDa + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - function: ShowExplorerRestartSuggestion - @@ -17418,8 +19246,14 @@ actions: docs: # Skype feature, introduced in 20H2, KB4580364 update - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow - https://www.windowscentral.com/how-disable-meet-now-feature-windows-10 - code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d 1 /f - revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f + call: + function: SetRegistryValue + parameters: + keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + valueName: HideSCAMeetNow + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - category: Remove Windows Copilot docs: |- 
@@ -17480,16 +19314,21 @@ actions: [4]: https://web.archive.org/web/20240122064046/https://www.elevenforum.com/t/enable-or-disable-windows-copilot-in-windows-11.17045/ "Enable or Disable Windows Copilot in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t "REG_DWORD" /d "1" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot + valueName: TurnOffWindowsCopilot + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t "REG_DWORD" /d "0" /f - revertCode: reg delete "HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /f 2>nul + keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot + valueName: TurnOffWindowsCopilot + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Disable Copilot access recommend: strict 
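Review bot: The HKCU `TurnOffWindowsCopilot` call sets `data: "1"` where the removed `reg add` wrote `/d "0"`, so this hunk changes what the script does and not only how it is invoked. `1` agrees with the HKLM call directly above and with the value's name, so it is probably a deliberate fix. The commit message, however, lists only standardization and revert corrections. Record the change in the description or next to the parameter, for example `# Was "0" before this change; "1" matches the HKLM value`, so users who ran the earlier script know the per-user value needs to be re-applied.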
@@ -17515,11 +19354,13 @@ actions: [3]: https://web.archive.org/web/20240122065316/https://www.neowin.net/guides/how-to-enable-copilot-in-windows-10/ "How to enable Copilot in Windows 10 - Neowin | www.neowin.net" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\Shell\Copilot\BingChat" /v "IsUserEligible" /t "REG_DWORD" /d "0" /f - # Default value for this key varies, seen as `0` on some Windows 11 22H3, key does not exist on some Windows 10 22H2 - revertCode: reg delete "HKCU\Software\Microsoft\Windows\Shell\Copilot\BingChat" /v "IsUserEligible" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\Shell\Copilot\BingChat + valueName: IsUserEligible + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # Default value for this key varies, seen as `0` on some Windows 11 22H3, key does not exist on some Windows 10 22H2 - function: ShowComputerRestartSuggestion - 
@@ -17543,11 +19384,13 @@ actions: [2]: https://web.archive.org/web/20240122071337/https://blogs.windows.com/windows-insider/2024/01/11/announcing-windows-11-insider-preview-build-23615-dev-channel/ "Announcing Windows 11 Insider Preview Build 23615 (Dev Channel) | Windows Insider Blog | blogs.windows.com" [3]: https://web.archive.org/web/20240122071352/https://geekrewind.com/how-to-turn-open-copilot-when-windows-starts-on-or-off-in-windows-11/ "How to Turn “Open Copilot when Windows Starts” On or Off in Windows 11 - Geek Rewind | geekrewind.com" call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "AutoOpenCopilotLargeScreens" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "AutoOpenCopilotLargeScreens" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings + valueName: AutoOpenCopilotLargeScreens + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - name: Remove "Copilot" icon from taskbar recommend: strict 
@@ -17573,11 +19416,13 @@ actions: [4]: https://web.archive.org/web/20240122071007/https://www.thewindowsclub.com/how-to-show-or-hide-copilot-button-on-taskbar-in-windows "How to remove Copilot from Taskbar in Windows 11 | www.thewindowsclub.com" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /f 2>nul + keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced + valueName: ShowCopilotButton + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - function: ShowExplorerRestartSuggestion - 
@@ -18083,11 +19928,13 @@ actions: [3]: https://web.archive.org/web/20240424103901/https://www.thewindowsclub.com/disable-snipping-tool-in-windows-10 "How to Disable Snipping Tool or Print Screen in Windows 11/10 | www.thewindowsclub.com" [4]: https://web.archive.org/web/20240424103809/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994599(v=ws.11)#windows-cannot-open-a-program "Troubleshoot Software Restriction Policies | Microsoft Learn | learn.microsoft.com" call: - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Policies\Microsoft\TabletPC" /v "DisableSnippingTool" /t "REG_DWORD" /d "1" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\TabletPC" /v "DisableSnippingTool" /f 2>nul + keyPath: HKLM\SOFTWARE\Policies\Microsoft\TabletPC + valueName: DisableSnippingTool + dataType: REG_DWORD + data: "1" + deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - name: Disable Snipping Tool keyboard shortcut (**Windows logo key** + **Shift** + **S**) docs: |- 
@@ -18138,11 +19985,13 @@ actions: [5]: https://github.com/privacysexy-forks/10_0_22621_891/blob/fde7af7776698377aceb48a54bcf7bedaadd5c2d/C/Windows/explorer.exe.strings#L7645 "10_0_22621_891/C/Windows/explorer.exe.strings at fde7af7776698377aceb48a54bcf7bedaadd5c2d · WinDLLsExports/10_0_22621_891 · GitHub" call: - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKCU\Control Panel\Keyboard" /v "PrintScreenKeyForSnippingEnabled" /t "REG_DWORD" /d "0" /f - # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - revertCode: reg delete "HKCU\Control Panel\Keyboard" /v "PrintScreenKeyForSnippingEnabled" /f 2>nul + keyPath: HKCU\Control Panel\Keyboard + valueName: PrintScreenKeyForSnippingEnabled + dataType: REG_DWORD + data: "0" + deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 22H3) - function: ShowExplorerRestartSuggestion - 
@@ -18184,16 +20033,32 @@ actions: - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState - https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves - https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy - code: |- - dism /online /Set-ReservedStorageState /State:Disabled /NoRestart - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f - revertCode: |- - DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f - reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f + call: + - + function: RunInlineCode + parameters: + code: dism /online /Set-ReservedStorageState /State:Disabled /NoRestart + revertCode: dism /online /Set-ReservedStorageState /State:Enabled /NoRestart + - + function: RunInlineCode + parameters: + code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f + # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f + - + function: RunInlineCode + parameters: + code: reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f + # `1` by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) + revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager + valueName: MiscPolicyInfo + dataType: REG_DWORD + data: '2' + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - name: Run script on startup [EXPERIMENTAL] code: |- @@ -18254,6 +20119,8 @@ functions: It immediately terminates a specified process whenever it starts. The function adds `Debugger` registry value to point to the `taskkill.exe` utility, a command-line tool used for terminating processes. This effectively means that every time the process attempts to start, `taskkill.exe` is invoked instead, leading to the immediate termination of the process. + + Read more: [Image File Execution Options | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options) call: - function: TerminateRunningProcess 
@@ -18265,10 +20132,13 @@ functions: codeComment: Configure termination of "{{ $executableNameWithExtension }}" immediately upon its startup revertCodeComment: Remove configuration preventing "{{ $executableNameWithExtension }}" from starting - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }}" /v "Debugger" /t REG_SZ /d "%WINDIR%\System32\taskkill.exe" /f - revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }}" /v "Debugger" /f 2>nul + keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }} + valueName: Debugger + dataType: REG_SZ + data: '%WINDIR%\System32\taskkill.exe' + deleteOnRevert: 'true' # No executable has debugging enabled by default - name: DisableWindowsFeature docs: |- @@ -18475,7 +20345,7 @@ functions: # This script modifies the system registry to enable the uninstallation of a specified app. # Some apps (including system apps) are marked as non-removable, which prevents uninstallation and results in error 0x80070032 if an uninstall is attempted. # To bypass this, the script marks the app as 'EndOfLife' in the registry, tricking the system into allowing the uninstallation - keyName: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} replaceSid: 'true' - function: UninstallStoreApp 
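Review bot: The `Debugger` data is now passed as `data: '%WINDIR%\System32\taskkill.exe'` with `dataType: REG_SZ`, whereas the removed `reg add` line ran under cmd, which expands `%WINDIR%` before the value is written. `SetRegistryValue` is not shown in this hunk, so it is unclear whether it expands the variable; if it does not, the literal string is stored, and REG_SZ data is kept verbatim rather than expanded on read. Because this value names the program Windows starts in place of the target executable, it should end up as an absolute path: check the written value on a test machine and record the result on the entry, e.g. `# %WINDIR% must be expanded at write time; REG_SZ is stored verbatim`. The function's docs could also mention that endpoint security tools commonly alert on new `Debugger` values under Image File Execution Options.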
@@ -18490,7 +20360,7 @@ functions: # This script reverses the previous modification made to the Windows registry to enable its uninstallation. # By removing the 'EndOfLife' status from the registry entry, the app is restored to its default, non-removable state. # Restoring (removing) this key is important for maintaining the stability of Windows Updates (for details: https://github.com/undergroundwires/privacy.sexy/issues/287). - keyName: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} + keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} replaceSid: 'true' - name: UninstallNonRemovableStoreAppWithCleanup # ❗️ Prefer `UninstallNonRemovableStoreApp` for new scripts @@ -20384,7 +22254,7 @@ functions: - name: CreateRegistryKey parameters: - - name: keyName # Full path of the subkey or entry to be added. + - name: keyPath # Full path of the subkey or entry to be added. - name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID. optional: true - name: codeComment @@ -20397,10 +22267,10 @@ functions: function: RunPowerShell parameters: code: |- - $keyName='{{ $keyName }}' + $keyPath='{{ $keyPath }}' $replaceSid={{ with $replaceSid }} $true # {{ end }} $false - $registryHive = $keyName.Split('\')[0] - $registryPath = "$($registryHive):$($keyName.Substring($registryHive.Length))" + $registryHive = $keyPath.Split('\')[0] + $registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))" {{ with $replaceSid }} $userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value $registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid) 
@@ -20420,7 +22290,7 @@ functions: - name: DeleteRegistryKey parameters: - - name: keyName # Full path of the subkey or entry to be added. + - name: keyPath # Full path of the subkey or entry to be added. - name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID. optional: true - name: codeComment @@ -20433,10 +22303,10 @@ functions: function: RunPowerShell parameters: code: |- - $keyName='{{ $keyName }}' + $keyPath='{{ $keyPath }}' $replaceSid={{ with $replaceSid }} $true # {{ end }} $false - $registryHive = $keyName.Split('\')[0] - $registryPath = "$($registryHive):$($keyName.Substring($registryHive.Length))" + $registryHive = $keyPath.Split('\')[0] + $registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))" {{ with $replaceSid }} $userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value $registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid) 
@@ -20636,19 +22506,20 @@ functions: - function: RunInlineCode # Marked: refactor-with-if-syntax - # Only run if `ignoreServerSide !== false` + # Only run if `ignoreServerSide !== false`, then use `SetRegistryValue` parameters: code: >- {{ with $ignoreServerSide }}:: {{ end }} reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ServerMinKeyBitLength" /t "REG_DWORD" /d "{{ $keySizeInBits }}" /f - revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro + revertCode: >- # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) {{ with $ignoreServerSide }}:: {{ end }} reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ServerMinKeyBitLength" /f 2>nul - - function: RunInlineCode + function: SetRegistryValue parameters: - code: >- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ClientMinKeyBitLength" /t "REG_DWORD" /d "{{ $keySizeInBits }}" /f - revertCode: >- # Missing key since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}" /v "ClientMinKeyBitLength" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }} + valueName: ClientMinKeyBitLength + dataType: REG_DWORD + data: '{{ $keySizeInBits }}' + deleteOnRevert: 'true' # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: DisableTLSCipher parameters: 
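Review bot: The rewritten comments change the documented baseline from "Windows 10 22H2 Pro" to "Windows 10 Pro (≥ 22H1)", and 22H1 is not a Windows 10 release; hunks further down in this commit use "(≥ 22H2)" for the same statement. The "≥ 22H1" text appears on both the server-side `revertCode` and the `ClientMinKeyBitLength` entry here, and again in the `DisableTLSCipher`, hash-algorithm and `DisableTLSProtocol` hunks that follow. These comments are the justification for deleting Schannel values on revert, so they should name the build actually tested, presumably `# Missing key since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)`.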
@@ -20672,11 +22543,13 @@ functions: codeComment: Disable the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections revertCodeComment: Restore the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections - - function: RunInlineCode + function: SetRegistryValue parameters: - code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\{{ $algorithmName }}" /v "Enabled" /t REG_DWORD /d "0" /f - revertCode: >- # Missing subkeys under `Ciphers` since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\{{ $algorithmName }}" /v "Enabled" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\{{ $algorithmName }} + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing subkeys under `Ciphers` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: DisableWindowsKeyPlusCharacterHotkey parameters: 
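Review bot: `keyPath` here ends in `Ciphers\{{ $algorithmName }}`, and Schannel cipher key names can contain a forward slash (for example `RC4 128/128`); whether such a name survives depends on how `SetRegistryValue` addresses the key, which is outside this hunk. `reg add`, used by the removed line, takes the slash literally, while the PowerShell registry provider treats `/` as a path separator and would write to a nested `RC4 128\128` key, leaving the cipher enabled with no error. If `SetRegistryValue` uses provider-style paths, this call needs a test with such a name, and a comment on the entry such as `# algorithmName may contain "/"; the key must be created literally` would record the constraint.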
@@ -20831,12 +22704,13 @@ functions: codeComment: Disable usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections revertCodeComment: Restore usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections - - function: RunInlineCode + function: SetRegistryValue parameters: - code: >- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\{{ $algorithmName }}" /v "Enabled" /t REG_DWORD /d "0" /f - revertCode: >- # Missing subkeys under `Hashes` since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\{{ $algorithmName }}" /v "Enabled" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\{{ $algorithmName }} + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing subkeys under `Hashes` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: DisableTLSProtocol parameters: 
@@ -20866,18 +22740,37 @@ functions: # Marked: refactor-with-if-syntax # - Rest of this function does the opposite of `EnableTLSProtocol`, introduce `ToggleTLSProtocolState`? - - function: RunInlineCode + function: SetRegistryValue parameters: - code: |- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "Enabled" /t "REG_DWORD" /d "0" /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /t "REG_DWORD" /d "0" /f - reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /t "REG_DWORD" /d "1" /f - revertCode: |- # Missing subkeys under `Ciphers` since Windows 10 22H2 Pro and Windows 11 23H2 Pro - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "Enabled" /f 2>nul - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server" /v "DisabledByDefault" /f 2>nul - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "Enabled" /f 2>nul - reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client" /v "DisabledByDefault" /f 2>nul + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing subkeys under `Ciphers` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName 
}}\Server + valueName: DisabledByDefault + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing subkeys under `Ciphers` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client + valueName: Enabled + dataType: REG_DWORD + data: '0' + deleteOnRevert: 'true' # Missing subkeys under `Ciphers` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) + - + function: SetRegistryValue + parameters: + keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client + valueName: DisabledByDefault + dataType: REG_DWORD + data: '1' + deleteOnRevert: 'true' # Missing subkeys under `Ciphers` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2) - name: RunPowerShellWithSetup # 💡 Purpose: @@ -20987,7 +22880,7 @@ functions: valueName: Enabled dataType: REG_DWORD data: '1' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' - # Server -> Do not disable function: SetRegistryValue @@ -20996,7 +22889,7 @@ functions: valueName: DisabledByDefault dataType: REG_DWORD data: '0' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' - # Client -> Enable function: SetRegistryValue 
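Review bot: All four new `deleteOnRevert` comments in the `DisableTLSProtocol` entries say "Missing subkeys under `Ciphers`", but the values are written under `SCHANNEL\Protocols\{{ $protocolName }}\Server` and `\Client`. The wording was inherited from the removed `revertCode` comment and should name `Protocols` instead, e.g. `deleteOnRevert: 'true' # Missing subkeys under Protocols by default`, followed by the tested builds. Revert deletes `Enabled` and `DisabledByDefault` and so hands the protocol back to the OS default, which makes this comment the only record of what that default is.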
@@ -21005,7 +22898,7 @@ functions: valueName: Enabled dataType: REG_DWORD data: '1' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' - # Client -> Do not disable function: SetRegistryValue @@ -21014,7 +22907,7 @@ functions: valueName: DisabledByDefault dataType: REG_DWORD data: '0' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}' - name: SetDotNetRegistryKey @@ -21061,7 +22954,7 @@ functions: valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # x64 | = .NET Framework 3.5 function: SetRegistryValue parameters: @@ -21069,7 +22962,7 @@ functions: valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # x86 | ≥ .NET Framework 4 function: SetRegistryValue parameters: @@ -21077,7 +22970,7 @@ functions: valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) - # x64 | ≥ .NET Framework 4 function: SetRegistryValue parameters: 
@@ -21085,4 +22978,4 @@ functions: valueName: "{{ $valueName }}" dataType: REG_DWORD data: '{{ $valueData }}' - deleteOnRevert: 'true' # Missing key since Windows 10 Pro 22H2 an Windows 11 Pro 23H3 + deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)