name: privacy.sexy repositoryUrl: https://github.com/undergroundwires/privacy.sexy actions: - category: Privacy cleanup children: - category: Clear application history children: - name: Clear Listary indexes recommend: false code: del /f /s /q %appdata%\Listary\UserData > nul - name: Clear Java cache recommend: true code: rd /s /q "%APPDATA%\Sun\Java\Deployment\cache" - name: Clear Flash traces recommend: true code: rd /s /q "%APPDATA%\Macromedia\Flash Player" - name: Clear Steam dumps, logs and traces recommend: true code: |- del /f /q %ProgramFiles(x86)%\Steam\Dumps del /f /q %ProgramFiles(x86)%\Steam\Traces del /f /q %ProgramFiles(x86)%\Steam\appcache\*.log - name: Clear Visual Studio telemetry & feedback data recommend: true code: |- rmdir /s /q "%AppData%\vstelemetry" 2>nul rmdir /s /q "%LocalAppData%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%ProgramData%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%Temp%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%Temp%\VSFaultInfo" 2>nul rmdir /s /q "%Temp%\VSFeedbackPerfWatsonData" 2>nul rmdir /s /q "%Temp%\VSFeedbackVSRTCLogs" 2>nul rmdir /s /q "%Temp%\VSRemoteControl" 2>nul rmdir /s /q "%Temp%\VSTelem" 2>nul rmdir /s /q "%Temp%\VSTelem.Out" 2>nul - category: Clear most recently used lists (MRU) children: - name: Clear windows recent files recommend: true docs: https://www.tenforums.com/tutorials/3476-reset-clear-recent-items-frequent-places-windows-10-a.html code: |- rd /s /q "%USERPROFILE%\Recent" rd /s /q "%APPDATA%\Microsoft\Windows\Recent" del /f /q %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\* del /f /q %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\* - name: Clear regedit last key recommend: true code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f - name: Clear regedit favorites recommend: true code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f - name: Clear list of recent programs opened recommend: true code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f - name: Clear Adobe Media Browser MRU recommend: true code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f - name: Clear MSPaint MRU recommend: true code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f - name: Clear Wordpad MRU recommend: true code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f - name: Clear Map Network Drive MRU MRU recommend: true code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f - name: Clear Windows Search Assistant history recommend: true code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f - name: Clear list of Recent Files Opened, by Filetype recommend: true code: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f - name: Clear windows media player recent files and urls recommend: true code: |- reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f - name: Clear Most Recent Application's Use of DirectX recommend: true code: |- reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f - name: Clear Windows Run MRU & typedpaths recommend: true code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f - category: Clear browser history children: - name: Clear Internet Explorer traces recommend: true code: |- del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*" reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f rd /s /q "%localappdata%\Microsoft\Internet Explorer" rd /s /q "%APPDATA%\Microsoft\Windows\Cookies" rd /s /q "%USERPROFILE%\Cookies" rd /s /q "%USERPROFILE%\Local Settings\Traces" rd /s /q "%localappdata%\Temporary Internet Files" rd /s /q "%localappdata%\Microsoft\Windows\Temporary Internet Files" rd /s /q "%localappdata%\Microsoft\Windows\INetCookies\PrivacIE" rd /s /q "%localappdata%\Microsoft\Feeds Cache" rd /s /q "%localappdata%\Microsoft\InternetExplorer\DOMStore" - name: Clear Google Chrome traces recommend: true code: |- del /f /q "%localappdata%\Google\Software Reporter Tool\*.log" rd /s /q "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data" rd /s /q "%localappdata%\Google\Chrome\User Data" rd /s /q "%localappdata%\Google\CrashReports\"" rd /s /q "%localappdata%\Google\Chrome\User Data\Crashpad\reports\"" - category: Clear Firefox traces children: - name: Clear browsing history and caches recommend: true code: |- set ignoreFiles="content-prefs.sqlite" "permissions.sqlite" "favicons.sqlite" for %%d in ("%APPDATA%\Mozilla\Firefox\Profiles\" "%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\" ) do ( IF EXIST %%d ( FOR /d %%p IN (%%d*) DO ( for /f "delims=" %%f in ('dir /b /s "%%p\*.sqlite" 2^>nul') do ( set "continue=" for %%i in (%ignoreFiles%) do ( if %%i == "%%~nxf" ( set continue=1 ) ) if not defined continue ( del /q /s /f %%f ) ) ) ) ) - name: Clear all user settings and data recommend: false enables: Clear browsing history and caches code: |- rd "%localappdata%\Local\Mozilla\Firefox\Profiles" rd /s /q "%APPDATA%\Mozilla\Firefox\Profiles" - name: Clear Opera traces recommend: true code: |- rd /s /q "%USERPROFILE%\AppData\Local\Opera\Opera" rd /s /q "%APPDATA%\Opera\Opera" rd /s /q "%USERPROFILE%\Local Settings\Application Data\Opera\Opera" - name: Clear Safari traces recommend: true code: |- rd /s /q "%USERPROFILE%\AppData\Local\Apple Computer\Safari\Traces" rd /s /q "%APPDATA%\Apple Computer\Safari" del /q /s /f "%USERPROFILE%\AppData\Local\Apple Computer\Safari\Cache.db" del /q /s /f "%USERPROFILE%\AppData\Local\Apple Computer\Safari\WebpageIcons.db" rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Traces" del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db" del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db" - category: Clear windows logs & caches children: - name: Clear thumbnail cache recommend: false code: del /f /s /q /a %LocalAppData%\Microsoft\Windows\Explorer\*.db - name: Clear Windows log files recommend: true code: |- del /f /q %SystemRoot%\Temp\CBS\* del /f /q %SystemRoot%\comsetup.log del /f /q %SystemRoot%\DtcInstall.log del /f /q %SystemRoot%\PFRO.log del /f /q %SystemRoot%\setupact.log del /f /q %SystemRoot%\setuperr.log del /f /q %SystemRoot%\Debug\PASSWD.LOG del /f /q %SystemRoot%\security\Traces\*.log del /f /q %SystemRoot%\security\Traces\*.old del /f /q %SystemRoot%\SoftwareDistribution\ReportingEvents.log del /f /q %SystemRoot%\Traces\CBS\* del /f /q %SystemRoot%\Traces\DISM\* del /f /q %SystemRoot%\Traces\NetSetup\* del /f /q %SystemRoot%\Traces\SIH\* del /f /q %SystemRoot%\Traces\waasmedic\* del /f /q %SystemRoot%\Traces\WindowsUpdate\* del /f /q %LOCALAPPDATA%\Microsoft\Windows\WebCache\*.log del /f /q /s %SystemRoot%\Microsoft.NET\Framework\*.log del /f /q %SystemRoot%\inf\setupapi.dev.log del /f /q %SystemRoot%\inf\setupapi.offline.log del /f /q %SystemRoot%\Panther\* del /f /q %localappdata%\Microsoft\CLR_v4.0\UsageTraces\* del /f /q %localappdata%\Microsoft\CLR_v4.0_32\UsageTraces\* del f /q %localappdata%\Microsoft\Windows\WebCache\* del /f /q %SystemRoot%\System32\catroot2\dberr.txt del /f /q %SystemRoot%\System32\LogFiles\WMI\*.etl del /f /q %SystemRoot%\System32\LogFiles\setupcln\* del /f /q %SystemRoot%\appcompat\Programs\Install\* del /f /q %SystemRoot%\SoftwareDistribution\DataStore\Traces\*.log del /f /q %SystemRoot%\Performance\WinSAT\winsat.log del /f /q %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.log rd /s /q "%localappdata%\Microsoft\Windows\Traces" - name: Clear Windows temp files recommend: true code: |- del /f /q %localappdata%\Temp\* rd /s /q "%WINDIR%\Temp" rd /s /q "%TEMP%" - name: Clear main telemetry file recommend: true code: echo "" > %ProgramData%\Microsoft\Diagnosis\ETLTraces\AutoLogger\AutoLogger-Diagtrack-Listener.etl - name: Clear credentials from Windows Credential Manager recommend: false code: |- cmdkey.exe /list > "%TEMP%\List.txt" findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt" FOR /F "tokens=1,2 delims= " %%G IN (%TEMP%\tokensonly.txt) DO cmdkey.exe /delete:%%H del "%TEMP%\List.txt" /s /f /q del "%TEMP%\tokensonly.txt" /s /f /q - name: Empty trash bin recommend: false code: rd /s %systemdrive%\$Recycle.bin - name: Enable Reset Base in Dism Component Store recommend: true code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f - category: Disable OS data collection children: - category: Disable Windows telemetry & data collection children: - name: Disable Customer Experience Improvement (CEIP/SQM) recommend: true code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f - name: Disable Application Impact Telemetry (AIT) recommend: true code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f - name: Disable diagnostics telemetry recommend: true code: |- reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushsvc" /v "Start" /t REG_DWORD /d 4 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d 4 /f sc config DiagTrack start=disabled sc config dmwappushservice start=disabled sc config diagnosticshub.standardcollector.service start=disabled sc config diagsvc start=disabled - name: Disable Customer Experience Improvement Program recommend: true code: |- schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE - name: Disabling Data Logging Services recommend: true code: |- schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE - name: Disable telemetry in data collection policy recommend: true code: |- reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /d 0 /t REG_DWORD /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "LimitEnhancedDiagnosticDataWindowsAnalytics" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f - name: Disable license telemetry recommend: true code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f - name: Disable error reporting recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f sc config WerSvc start=disabled sc config wercplsupport start=disabled - name: Disable online device metadata collection recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f - name: Opt out from Windows privacy consent recommend: true code: |- reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f - name: Disable Windows feedback recommend: true code: |- reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f :: removing this value sets feedback frequency to never reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f - name: Disable text and handwriting collection recommend: true code: |- reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f - category: Deny app access to personal information children: - name: Deny app access to location recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f - name: Deny app access to motion data recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f - name: Deny app access to phone recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f - name: Deny app access to trusted devices recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f - name: Deny app sync with devices recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f - name: Deny app access to camera recommend: false code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f - name: Deny app access to microphone recommend: false code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f - name: Deny app access to diagnostics info about your other apps recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f - name: Deny app access to your file system recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f - name: Deny app access to your contacts recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f - name: Deny app access to Notifications recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f - name: Deny app access to Account Information recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f - name: Deny app access to Calendar recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f - name: Deny app access to call history recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f - name: Deny app access to email recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f - name: Deny app access to tasks recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f - name: Deny app access to messaging recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f - name: Deny app access to radios recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f - name: Deny app access to videos recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f - name: Deny app access to pictures recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f - name: Deny app access to documents recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f - name: Deny app access to bluetooth devices recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f - name: Deny location access recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /t REG_SZ /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f - name: Deny sensor access recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v Value /t REG_SZ /d Deny /f - category: Disable windows search data collection children: - name: Disable cortana recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /d 0 /t REG_DWORD /f - name: Disable web search in search bar recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /d 0 /t REG_DWORD /f - name: Disable search web when searching pc recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v ConnectedSearchUseWeb /t REG_DWORD /d 0 /f - name: Disable search indexing encrypted items / stores recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowIndexingEncryptedStoresOrItems /t REG_DWORD /d 0 /f - name: Disable location based info in searches recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowSearchToUseLocation /t REG_DWORD /d 0 /f - name: Disable language detection recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AlwaysUseAutoLangDetection /t REG_DWORD /d 0 /f - category: Disable targeted ads & marketing children: - name: Disable ad customization with Advertising ID recommend: true code: |- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d 1 /f - name: Disable targeted tips recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f - name: Turn Off Suggested Content in Settings app recommend: true docs: https://www.tenforums.com/tutorials/100541-turn-off-suggested-content-settings-app-windows-10-a.html code: |- reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f - name: Disable biometrics recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 4 /f - name: Disable Wi-Fi sense recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f - name: Disable App Launch Tracking docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10 recommend: true code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f - name: Disable Inventory Collector recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f - name: Disable Website Access of Language List recommend: true code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f - name: Disable Auto Downloading Maps recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f - name: Disable steps recorder recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f - name: Disable game screen recording recommend: true code: |- reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f - name: Disable Windows DRM internet access docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - name: Disable feedback on write (sending typing info) recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable Activity Feed recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f - name: Disable Windows Insider Program recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f sc config wisvc start=disabled - name: Disable the Windows Connect Now wizard recommend: false docs: - https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now - https://www.windows-security.org/f637a705712eb59f8cd410673c96472e/prohibit-access-of-the-windows-connect-now-wizards code: reg add "HKCU\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f - category: Disable cloud sync children: - name: Disable all settings sync recommend: true enabler: all those bottom code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f - name: Disable Application Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable App Sync Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Credentials Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable Desktop Theme Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Personalization Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Start Layout Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Web Browser Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Windows Setting Sync recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f - category: Configure programs children: - category: Disable Visual Studio data collection children: - category: Disable Experience Improvement Program (PerfWatson) children: - name: Disable SQM 64 bit OS key recommend: true code: |- reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v OptIn /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v OptIn /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v OptIn /t REG_DWORD /d 0 /f - name: Disable SQM 32 bit OS key recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v OptIn /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v OptIn /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v OptIn /t REG_DWORD /d 0 /f - name: Disable SQM group policy recommend: true code: reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v OptIn /t REG_DWORD /d 0 /f - name: Disable visual studio telemetry recommend: true code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v TurnOffSwitch /t REG_DWORD /d 1 /f - name: Disable Visual Studio feedback recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableFeedbackDialog /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableEmailInput /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableScreenshotCapture /t REG_DWORD /d 1 /f - name: Stop and disable Visual Studio Standard Collector Service recommend: true code: |- sc stop "VSStandardCollectorService150" net stop VSStandardCollectorService150 2>nul sc config "VSStandardCollectorService150" start=disabled - category: Configure Windows Defender children: - name: Disable Microsoft SpyNet (Windows Defender cloud export for analysis) recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f - name: Disable sending infection information recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f - name: Disable NetCore Cli telemetry recommend: true code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1 - name: Disable NVIDIA telemetry recommend: true code: |- :: Uninstall telemetry tasks rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry :: Delete residual files cd %systemdrive%\System32\DriverStore\FileRepository\ del /s NvTelemetry*.dll rmdir /s /q "%ProgramFiles(x86)%\NVIDIA Corporation\NvTelemetry" 2>nul rmdir /s /q "%ProgramFiles%\NVIDIA Corporation\NvTelemetry" 2>nul :: Opt out reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d 4 /f :: Disable telemetry services schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable docs: - https://github.com/CHEF-KOCH/nVidia-modded-Inf - https://github.com/NateShoffner/Disable-Nvidia-Telemetry - https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20 - name: Disable Visual Studio Code telemetry recommend: true docs: https://code.visualstudio.com/docs/getstarted/telemetry code: |- mkdir %appdata%\Code\User del %appdata%\Code\User\settings.json echo { "telemetry.enableCrashReporter": false, "telemetry.enableTelemetry": false } > %appdata%\Code\User\settings.json - name: Disable Microsoft Office telemetry recommend: true docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office code: |- reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\osm" /v "Enablelogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\osm" /v "EnableUpload" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "Enablelogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "EnableUpload" /t REG_DWORD /d 0 /f - category: Configure browsers children: - category: Configure Edge children: - name: Disable live tile data collection recommend: true code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f - name: Disable MFU tracking recommend: true code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f - name: Disable recent apps recommend: true code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f - name: Turn off backtracking recommend: true code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f - name: Disable Search Suggestions in Edge recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f - category: Configure Internet Explorer children: - name: Disable Geolocation in Internet Explorer recommend: true code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f - name: Disable Internet Explorer InPrivate logging recommend: true code: |- reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f - name: Disable Internet Explorer CEIP recommend: true code: |- reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f - name: Disable calling legacy WCM policies recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f - name: Disable SSLv3 fallback recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f - name: Disable ignoring cert errors recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f - category: Configure Google Chrome children: - name: Disable Chrome Software Reporter Tool recommend: true code: |- icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)" cacls "%localappdata%\Google\Chrome\User Data\SwReporter" /e /c /d %username% reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f - name: Disable Chrome metrics reporting recommend: true code: |- reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f - name: Disable Google update service recommend: true code: |- sc config gupdate start=disabled sc config gupdatem start=disabled schtasks /Change /DISABLE /TN "GoogleUpdateTaskMachineCore" schtasks /Change /DISABLE /TN "GoogleUpdateTaskMachineUA" - name: Disable Adobe Acrobat update service recommend: true code: |- sc config AdobeARMservice start=disabled sc config adobeupdateservice start=disabled sc config adobeflashplayerupdatesvc start=disabled schtasks /change /tn "Adobe Acrobat Update Task" /disable schtasks /change /tn "Adobe Flash Player Updater" /disable - name: Disable Razer Game Scanner Service recommend: true code: |- sc stop "Razer Game Scanner Service" sc config "Razer Game Scanner Service" start=disabled - name: Disable Logitech Gaming Registry Service recommend: true code: |- sc stop "LogiRegistryService" sc config "LogiRegistryService" start=disabled - name: Disable Dropbox auto update service recommend: true code: |- sc config dbupdate start=disabled sc config dbupdatem start=disabled schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore" schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA" - category: Disable Media Player data collection children: - name: Do not send Windows Media Player statistics recommend: true code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f - name: Disable meta data retrieval recommend: true code: |- reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - name: Disable dows Media Player Network Sharing Service recommend: true code: sc config WMPNetworkSvc start=disabled - category: Security improvements children: - category: Meltdown and Spectre protection docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot children: - name: Spectre variant 2 and meltdown (Intel) recommend: false code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f - name: Spectre variant 2 and meltdown (AMD) recommend: false code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f - name: Spectre variant 2 and meltdown (HyperV) recommend: false code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f - name: Disable administrative shares recommend: true code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f - name: Force enable data execution prevention (DEP) recommend: false code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f - name: Disable AutoPlay and AutoRun recommend: false docs: - https://en.wikipedia.org/wiki/AutoRun - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673 code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f - name: Disable remote Assistance recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f - name: Disable lock screen camera recommend: true docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f - name: Prevent the storage of the LAN Manager hash of passwords recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f - name: Disable Windows Installer Always install with elevated privileges recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f - name: Prevent WinRM from using Basic Authentication recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f - name: Restrict anonymous enumeration of shares recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f - name: Systems must be maintained at a supported (security) level recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63349 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f - name: Refuse less secure authentication recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f - name: Enable Structured Exception Handling Overwrite Protection (SEHOP) recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f - name: Block Anonymous enumeration of SAM accounts recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f - name: Restrict anonymous access to Named Pipes and Shares recommend: true docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f - category: Privacy over security children: - name: Disable Windows Defender recommend: false code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f - name: Disable Smart Screen recommend: false code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f - name: Disable scheduled On Demand anti malware scanner (MRT) recommend: false code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f - name: Disable automatic updates recommend: false code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f - category: UI for privacy children: - name: Disable lock screen app notifications recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f - name: Disable online content in explorer recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f - name: Disable & auto-clear recent documents in explorer recommend: true code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f - name: Disable Live Tiles push notifications recommend: true code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f - name: Turn off "Look For An App In The Store" option recommend: true code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f - name: Do not show recently used files in Quick Access recommend: true docs: https://www.tenforums.com/tutorials/2713-add-remove-recent-files-quick-access-windows-10-a.html code: |- if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t REG_DWORD /f ) else ( reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f ) - name: Disable Sync Provider Notifications recommend: false code: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f - category: Disable OS services children: - name: Delivery Optimization (P2P Windows Updates) recommend: true code: sc config DoSvc start=disabled - name: Microsoft Windows Live ID Service recommend: true code: sc config wlidsvc start=demand - name: Program Compatibility Assistant Service recommend: true code: sc config PcaSvc start=disabled - name: Downloaded Maps Manager recommend: true code: sc config MapsBroker start=disabled - name: Microsoft Retail Demo experience recommend: true code: sc config RetailDemo start=disabled - name: Mail, contact, calendar & user data synchronization. recommend: false code: |- sc config OneSyncSvc start=disabled sc config UnistoreSvc start=disabled - name: Contact data indexing recommend: false code: |- sc config PimIndexMaintenanceSvc start=disabled - name: App user data access recommend: false code: sc config UserDataSvc start=disabled - name: Text messaging recommend: false code: sc config MessagingService start=disabled - category: Uninstall apps children: - category: Provisioned Windows apps children: - name: Microsoft 3D Builder code: PowerShell -Command "Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage" - category: Bing children: - name: Bing Weather recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage" - name: Bing Sports recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage" - name: Bing News recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage" - name: Bing Finance recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage" - name: App Installer code: PowerShell -Command "Get-AppxPackage Microsoft.DesktopAppInstaller | Remove-AppxPackage" - name: Get Help code: PowerShell -Command "Get-AppxPackage Microsoft.GetHelp | Remove-AppxPackage" - name: Microsoft Tips code: PowerShell -Command "Get-AppxPackage Microsoft.Getstarted | Remove-AppxPackage" - category: Extensions children: - name: HEIF Image Extensions code: PowerShell -Command "Get-AppxPackage Microsoft.HEIFImageExtension | Remove-AppxPackage" - name: VP9 Video Extensions code: PowerShell -Command "Get-AppxPackage Microsoft.VP9VideoExtensions | Remove-AppxPackage" - name: Web Media Extensions code: PowerShell -Command "Get-AppxPackage Microsoft.WebMediaExtensions | Remove-AppxPackage" - name: Webp Image Extension code: PowerShell -Command "Get-AppxPackage Microsoft.WebpImageExtension | Remove-AppxPackage" - name: Microsoft Messaging code: PowerShell -Command "Get-AppxPackage Microsoft.Messaging | Remove-AppxPackage" - category: Mixed Reality children: - name: Mixed Reality Portal code: PowerShell -Command "Get-AppxPackage Microsoft.MixedReality.Portal | Remove-AppxPackage" - name: Mixed Reality Viewer code: PowerShell -Command "Get-AppxPackage Microsoft.Microsoft3DViewer | Remove-AppxPackage" - category: Microsoft Office children: - name: My Office recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage" - name: OneNote code: PowerShell -Command "Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage" - name: Sway docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 code: PowerShell -Command "Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage" - name: Feedback Hub recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsFeedbackHub | Remove-AppxPackage" - name: Windows Alarms & Clock code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsAlarms | Remove-AppxPackage" - name: Windows Camera code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsCamera | Remove-AppxPackage" - name: Paint 3D code: PowerShell -Command "Get-AppxPackage Microsoft.MSPaint | Remove-AppxPackage" - name: Windows Maps recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsMaps | Remove-AppxPackage" - name: Minecraft code: PowerShell -Command "Get-AppxPackage Microsoft.MinecraftUWP | Remove-AppxPackage" - name: Microsoft Store code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsStore | Remove-AppxPackage" - name: Microsoft People code: PowerShell -Command "Get-AppxPackage Microsoft.People | Remove-AppxPackage" - name: Microsoft Pay code: PowerShell -Command "Get-AppxPackage Microsoft.Wallet | Remove-AppxPackage" - name: Store Purchase App code: PowerShell -Command "Get-AppxPackage Microsoft.StorePurchaseApp | Remove-AppxPackage" - name: Snip & Sketch code: PowerShell -Command "Get-AppxPackage Microsoft.ScreenSketch | Remove-AppxPackage" - name: Print3D code: PowerShell -Command "Get-AppxPackage Microsoft.Print3D | Remove-AppxPackage" - name: Paid Wi-Fi & Cellular code: PowerShell -Command "Get-AppxPackage Microsoft.OneConnect | Remove-AppxPackage" - name: Microsoft Solitaire Collection code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage" - name: Microsoft Sticky Notes code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage" - category: Xbox children: - name: Xbox code: PowerShell -Command "Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage" - name: Xbox TCUI code: PowerShell -Command "Get-AppxPackage Microsoft.Xbox.TCUI | Remove-AppxPackage" - name: Xbox Game Bar code: PowerShell -Command "Get-AppxPackage Microsoft.XboxGameOverlay | Remove-AppxPackage" - name: Xbox Gaming Overlay code: PowerShell -Command "Get-AppxPackage Microsoft.XboxGamingOverlay | Remove-AppxPackage" - name: Xbox Identity Provider code: PowerShell -Command "Get-AppxPackage Microsoft.XboxIdentityProvider | Remove-AppxPackage" - name: Xbox Speech To Text Overlay code: PowerShell -Command "Get-AppxPackage Microsoft.XboxSpeechToTextOverlay | Remove-AppxPackage" - name: Mail and Calendar code: PowerShell -Command "Get-AppxPackage microsoft.windowscommunicationsapps | Remove-AppxPackage" - category: Zune children: - name: Music code: PowerShell -Command "Get-AppxPackage Microsoft.ZuneMusic | Remove-AppxPackage" - name: Video code: PowerShell -Command "Get-AppxPackage Microsoft.ZuneVideo | Remove-AppxPackage" - name: Windows Calculator code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsCalculator | Remove-AppxPackage" - name: Microsoft Photos code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Photos | Remove-AppxPackage" - name: Skype code: PowerShell -Command "Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage" - name: Windows Voice Recorder code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsSoundRecorder | Remove-AppxPackage" - category: Phone children: - name: Windows Phone code: |- PowerShell -Command "Get-AppxPackage Microsoft.WindowsPhone | Remove-AppxPackage" PowerShell -Command "Get-AppxPackage Microsoft.Windows.Phone | Remove-AppxPackage" - name: Comms Phone code: PowerShell -Command "Get-AppxPackage Microsoft.CommsPhone | Remove-AppxPackage" - name: Your Phone code: PowerShell -Command "Get-AppxPackage Microsoft.YourPhone | Remove-AppxPackage" - category: Installed Windows apps children: - name: Microsoft Advertising recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Advertising.Xaml | Remove-AppxPackage" - name: Remote Desktop code: PowerShell -Command "Get-AppxPackage Microsoft.RemoteDesktop | Remove-AppxPackage" - name: Network Speed Test recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.NetworkSpeedTest | Remove-AppxPackage" - category: Third party children: - name: Shazam code: PowerShell -Command "Get-AppxPackage ShazamEntertainmentLtd.Shazam | Remove-AppxPackage" - name: Candy Crush Saga code: |- PowerShell -Command "Get-AppxPackage king.com.CandyCrushSaga | Remove-AppxPackage" PowerShell -Command "Get-AppxPackage king.com.CandyCrushSodaSaga | Remove-AppxPackage" - name: Flipboard code: PowerShell -Command "Get-AppxPackage Flipboard.Flipboard | Remove-AppxPackage" - name: Twitter code: PowerShell -Command "Get-AppxPackage 9E2F88E3.Twitter | Remove-AppxPackage" - name: iHeartRadio code: PowerShell -Command "Get-AppxPackage ClearChannelRadioDigital.iHeartRadio | Remove-AppxPackage" - name: Duolingo code: PowerShell -Command "Get-AppxPackage D5EA27B7.Duolingo-LearnLanguagesforFree | Remove-AppxPackage" - name: Photoshop Express code: PowerShell -Command "Get-AppxPackage AdobeSystemIncorporated.AdobePhotoshop | Remove-AppxPackage" - name: Pandora code: PowerShell -Command "Get-AppxPackage PandoraMediaInc.29680B314EFC2 | Remove-AppxPackage" - name: Eclipse Manager code: PowerShell -Command "Get-AppxPackage 46928bounde.EclipseManager | Remove-AppxPackage" - name: Code Writer code: PowerShell -Command "Get-AppxPackage ActiproSoftwareLLC.562882FEEB491 | Remove-AppxPackage" - category: System apps children: - name: File Picker code: PowerShell -Command "Get-AppxPackage 1527c705-839a-4832-9118-54d4Bd6a0c89 | Remove-AppxPackage" - name: File Explorer code: PowerShell -Command "Get-AppxPackage c5e2524a-ea46-4f67-841f-6a9465d9d515 | Remove-AppxPackage" - name: App Resolver UX code: PowerShell -Command "Get-AppxPackage E2A4F912-2574-4A75-9BB0-0D023378592B | Remove-AppxPackage" - name: Add Suggested Folders To Library recommend: true code: |- PowerShell -Command "Get-AppxPackage F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | Remove-AppxPackage" PowerShell -Command "Get-AppxPackage InputApp | Remove-AppxPackage" - name: Microsoft.AAD.Broker.Plugin recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.AAD.Broker.Plugin | Remove-AppxPackage" - name: Microsoft.AccountsControl code: PowerShell -Command "Get-AppxPackage Microsoft.AccountsControl | Remove-AppxPackage" - name: Microsoft.AsyncTextService code: PowerShell -Command "Get-AppxPackage Microsoft.AsyncTextService | Remove-AppxPackage" - category: Hello setup UI children: - name: Bio enrollment recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.BioEnrollment | Remove-AppxPackage" - name: Cred Dialog Host code: PowerShell -Command "Get-AppxPackage Microsoft.CredDialogHost | Remove-AppxPackage" - name: EC App code: PowerShell -Command "Get-AppxPackage Microsoft.ECApp | Remove-AppxPackage" - name: Lock App code: PowerShell -Command "Get-AppxPackage Microsoft.LockApp | Remove-AppxPackage" - category: Microsoft Edge children: - name: Microsoft Edge recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftEdge | Remove-AppxPackage" - name: Microsoft Edge Dev Tools Client recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftEdgeDevToolsClient | Remove-AppxPackage" - name: Microsoft PPI Projection recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.PPIProjection | Remove-AppxPackage" - name: Win32 Web View Host recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Win32WebViewHost | Remove-AppxPackage" - name: ChxApp recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Apprep.ChxApp | Remove-AppxPackage" - name: Assigned Access Lock App recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.AssignedAccessLockApp | Remove-AppxPackage" - name: Capture Picker recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.CapturePicker | Remove-AppxPackage" - name: Cloud Experience Host recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.CloudExperienceHost | Remove-AppxPackage" - name: Content Delivery Manager recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.ContentDeliveryManager | Remove-AppxPackage" - category: Cortana children: - name: Cortana recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Cortana | Remove-AppxPackage" - name: Holographic First Run recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Holographic.FirstRun | Remove-AppxPackage" - name: OOBE Network Captive Port recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.OOBENetworkCaptivePort | Remove-AppxPackage" - name: OOBE Network Connection Flow recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.OOBENetworkConnectionFlow | Remove-AppxPackage" - name: Parental Controls recommend: true code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.ParentalControls | Remove-AppxPackage" - category: People Hub children: - name: People Experience Host recommend: true code: PowerShell -Command "Microsoft.Windows.PeopleExperienceHost | Remove-AppxPackage" - name: Pinning Confirmation Dialog recommend: true code: PowerShell -Command "Microsoft.Windows.PinningConfirmationDialog | Remove-AppxPackage" - name: Sec Health UI recommend: true code: PowerShell -Command "Microsoft.Windows.SecHealthUI | Remove-AppxPackage" - name: Secondary Tile Experience recommend: true code: PowerShell -Command "Microsoft.Windows.SecondaryTileExperience | Remove-AppxPackage" - name: Secure Assessment Browser recommend: true code: PowerShell -Command "Microsoft.Windows.SecureAssessmentBrowser | Remove-AppxPackage" - name: Start code: PowerShell -Command "Microsoft.Windows.ShellExperienceHost | Remove-AppxPackage" - category: Windows Feedback children: - name: Windows Feedback recommend: true code: PowerShell -Command "Microsoft.WindowsFeedback | Remove-AppxPackage" - name: Xbox Game Callable UI recommend: true code: PowerShell -Command "Microsoft.XboxGameCallableUI | Remove-AppxPackage" - name: CBS Preview recommend: true code: PowerShell -Command "Windows.CBSPreview | Remove-AppxPackage" - name: Contact Support code: PowerShell -Command "Windows.ContactSupport | Remove-AppxPackage" - name: Settings code: PowerShell -Command "Windows.immersivecontrolpanel | Remove-AppxPackage" - name: Windows Print 3D code: PowerShell -Command "Windows.Print3D | Remove-AppxPackage" - name: Print UI code: PowerShell -Command "Windows.PrintDialog | Remove-AppxPackage" - name: App Connector code: PowerShell -Command "Get-AppxPackage Microsoft.Appconnector | Remove-AppxPackage" - category: Advanced settings children: - name: Change NTP (time) server to pool.ntp.org recommend: false code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "NtpServer" /t REG_SZ /d "pool.ntp.org, 0x8" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "Type" /t REG_SZ /d "NTP" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "CrossSiteSyncFlags" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "EventLogFlags" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMaxTimes" /t REG_DWORD /d 7 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMinutes" /t REG_DWORD /d 15 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "SpecialPollInterval" /t REG_DWORD /d 1024 /f - name: Run script on start-up [EXPERIMENTAL] recommend: false code: |- del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat copy "%~dpnx0" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat" - name: Apply settings for all future users [EXPERIMENTAL] recommend: false code: |- REG UNLOAD HKU\DefaultUser reg load HKU\DefaultUser %SystemDrive%\Users\Default\NTUSER.DAT