update recommendations to be safer and consistent
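--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -521,6 +521,7 @@ actions:
 docs:
 - https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964
 - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork
+recommend: strict
 code: |-
 reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
 reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
@@ -535,6 +536,7 @@ actions:
 revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f
 -
 name: Disable active prompting (pings to MSFT NCSI server)
+recommend: strict
 code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
 revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
 -
@@ -1053,16 +1055,19 @@ actions:
 children:
 -
 name: Do not allow the use of biometrics
+recommend: strict
 docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio
 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
 revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f
 -
 name: Do not allow users to log on using biometrics
+recommend: strict
 docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv
 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
 revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f
 -
 name: Do not start Windows Biometric Service
+recommend: strict
 docs:
 - http://batcmd.com/windows/10/services/wbiosrvc/
 - http://revertservice.com/10/wbiosrvc/
@@ -1082,7 +1087,7 @@ actions:
 -
 name: Disable App Launch Tracking
 docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10
-recommend: standard
+recommend: strict
 code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f
 revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f
 -
@@ -1817,6 +1822,7 @@ actions:
 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667
 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671
 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673
+recommend: standard
 code: |-
 :: 255 (0xff) means all drives
 reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
@@ -2364,13 +2370,13 @@ actions:
 children:
 -
 name: Do not keep history of recently opened documents
-recommend: standard
+recommend: strict
 docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory
 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
 revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f
 -
 name: Clear history of recently opened documents on exit
-recommend: standard
+recommend: strict
 docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit
 code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f
 revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 01 /f
@@ -2390,7 +2396,7 @@ actions:
 revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f
 -
 name: Do not show recently used files in Quick Access
-recommend: standard
+recommend: strict
 docs: https://www.tenforums.com/tutorials/2713-add-remove-recent-files-quick-access-windows-10-a.html
 code: |-
 if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
@@ -2512,10 +2518,12 @@ actions:
 children:
 -
 name: User Data Storage (UnistoreSvc) Service
+recommend: strict
 code: sc stop "UnistoreSvc" & sc config "UnistoreSvc" start=disabled
 revertCode: sc config "UnistoreSvc" start=demand
 -
 name: Sync Host (OneSyncSvc) Service Service
+recommend: strict
 code: sc stop "OneSyncSvc" & sc config "OneSyncSvc" start=disabled
 revertCode: sc config "OneSyncSvc" start=auto & sc start "OneSyncSvc"
 -
@@ -2736,26 +2744,32 @@ actions:
 children:
 -
 name: Xbox app
+recommend: standard
 code: PowerShell -Command "Get-AppxPackage "Microsoft.XboxApp" | Remove-AppxPackage"
 revertCode: PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage "Microsoft.XboxApp").InstallLocation + '\AppxManifest.xml'; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
 -
 name: Xbox TCUI app
+recommend: standard
 code: PowerShell -Command "Get-AppxPackage "Microsoft.Xbox.TCUI" | Remove-AppxPackage"
 revertCode: PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage "Microsoft.Xbox.TCUI").InstallLocation + '\AppxManifest.xml'; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
 -
 name: Xbox Game Bar app
+recommend: standard
 code: PowerShell -Command "Get-AppxPackage "Microsoft.XboxGameOverlay" | Remove-AppxPackage"
 revertCode: PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage "Microsoft.XboxGameOverlay").InstallLocation + '\AppxManifest.xml'; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
 -
 name: Xbox Gaming Overlay app
+recommend: standard
 code: PowerShell -Command "Get-AppxPackage "Microsoft.XboxGamingOverlay" | Remove-AppxPackage"
 revertCode: PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage "Microsoft.XboxGamingOverlay").InstallLocation + '\AppxManifest.xml'; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
 -
 name: Xbox Identity Provider app
+recommend: standard
 code: PowerShell -Command "Get-AppxPackage "Microsoft.XboxIdentityProvider" | Remove-AppxPackage"
 revertCode: PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage "Microsoft.XboxIdentityProvider").InstallLocation + '\AppxManifest.xml'; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
 -
 name: Xbox Speech To Text Overlay app
+recommend: standard
 code: PowerShell -Command "Get-AppxPackage "Microsoft.XboxSpeechToTextOverlay" | Remove-AppxPackage"
 revertCode: PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage "Microsoft.XboxSpeechToTextOverlay").InstallLocation + '\AppxManifest.xml'; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
 -
@@ -2929,7 +2943,7 @@ actions:
 children:
 -
 name: Bio enrollment app
-recommend: standard
+recommend: strict
 code: PowerShell -Command "Get-AppxPackage "Microsoft.BioEnrollment" | Remove-AppxPackage"
 revertCode: PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage "Microsoft.BioEnrollment").InstallLocation + '\AppxManifest.xml'; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
 -
@@ -3318,6 +3332,7 @@ actions:
 revertCode: Powershell -Command "$capability = Get-WindowsCapability -Online -Name \"MathRecognizer*\"; Add-WindowsCapability -Name \"$capability.Name\" -Online"
 -
 name: OneSync capability (breaks Mail, People, and Calendar)
+recommend: strict
 docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync
 code: Powershell -Command "Get-WindowsCapability -Online -Name "OneCoreUAP.OneSync*" | Remove-WindowsCapability -Online"
 revertCode: Powershell -Command "$capability = Get-WindowsCapability -Online -Name \"OneCoreUAP.OneSync*\"; Add-WindowsCapability -Name \"$capability.Name\" -Online"
@@ -3542,6 +3557,7 @@ actions:
 -
 name: Change NTP (time) server to pool.ntp.org
 docs: https://www.pool.ntp.org/en/use.html
+recommend: strict
 code: |-
 :: Configure time source
 w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"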
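Review bot: Adding `recommend: strict` above `code: |-` in the NTP hunk (the last one) puts a time-source reconfiguration into the strict profile, and `w32tm /config /syncfromflags:manual` makes the listed pool hosts the only time source, which on a domain-joined machine presumably displaces the domain-hierarchy sync that Kerberos and certificate validation depend on. The pool is also plain unauthenticated NTP, so the action swaps one unauthenticated source for another rather than hardening the host. I would either leave this action without a recommendation or state the constraint in the collection, for example a line `:: Replaces any existing (e.g. domain) time source; intended for standalone machines` at the top of the code block. The action's code block continues past the end of the hunk, so whatever follows the /config line is not visible here.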