# Structure documented in "docs/collection-files.md" os: windows scripting: language: batchfile startCode: |- @echo off :: {{ $homepage }} — v{{ $version }} — {{ $date }} :: Ensure admin privileges fltmc >nul 2>&1 || ( echo Administrator privileges are required. PowerShell Start -Verb RunAs '%0' 2> nul || ( echo Right-click on the script and select "Run as administrator". pause & exit 1 ) exit 0 ) endCode: |- pause exit /b 0 actions: - category: Privacy cleanup children: - category: Clear application history children: - name: Clear Listary indexes code: del /f /s /q %appdata%\Listary\UserData > nul - name: Clear Java cache recommend: strict code: rd /s /q "%APPDATA%\Sun\Java\Deployment\cache" - name: Clear Flash traces recommend: standard code: rd /s /q "%APPDATA%\Macromedia\Flash Player" - name: Clear Steam dumps, logs, and traces recommend: standard code: |- del /f /q %ProgramFiles(x86)%\Steam\Dumps del /f /q %ProgramFiles(x86)%\Steam\Traces del /f /q %ProgramFiles(x86)%\Steam\appcache\*.log - category: Clear Visual Studio data docs: |- Visual Studio is an integrated development environment (IDE) from Microsoft that is used to develop software [1]. Visual Studio store data such as your usage of the software and also information about your hardware [2]. The data is stored both in Microsoft cloud [3] and locally on computer. These scripts allow you to delete the local data that might reveal your personally identifiable data about you or the way you use the product. [1]: https://en.wikipedia.org/wiki/Visual_Studio "Visual Studio | Wikipedia" [2]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Visual Studio Customer Experience Improvement Program | Microsoft Learn" [3]: https://www.infoworld.com/article/2609774/microsoft-reinvents-visual-studio-as-an-azure-cloud-service.html "Microsoft reinvents Visual Studio as an Azure cloud service | InfoWorld" children: - category: Clear Visual Studio telemetry and feedback data docs: |- These scripts delete data about you and your behavior that's locally stored by Visual Studio on your computer. These do not clear data that's already collected in Microsoft servers, but it can prevent sending more data by deleting data waiting to be sent. children: - name: Delete offline Visual Studio telemetry files recommend: standard docs: |- SQM files are text files that are created and used by Microsoft [1]. SQM stands for "Service Quality Monitoring" [1]. When unable to connect to internet Visual Studio stores SQM files in `%LocalAppData%\Microsoft\VSCommon\\SQM` [2]. The number of files grows continuously and it can get to thousands. Cleaning these files speeds up Visual Studio significantly according to community reports [2]. [1]: https://techshift.net/how-to-open-sqm-file/ "What is a .SQM File And How To Open It - Microsoft (Visual Guide) | TechShift.net" [2]: https://stackoverflow.com/a/38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow" code: |- rmdir /s /q %LocalAppData%\Microsoft\VSCommon\14.0\SQM rmdir /s /q %LocalAppData%\Microsoft\VSCommon\15.0\SQM rmdir /s /q %LocalAppData%\Microsoft\VSCommon\16.0\SQM rmdir /s /q %LocalAppData%\Microsoft\VSCommon\17.0\SQM - name: Delete Visual Studio Application Insights logs recommend: standard docs: |- Application Insights for Visual Studio stores diagnostic data for e.g. exceptions and performance [1]. Application Insights store `.TRN` files that might grow and exceed thousands [2] [3]. [1]: https://azuredevopslabs.com/labs/vsts/monitor/ "Monitoring Applications using Application Insights | Azure DevOps Hands-on-Labs" [2]: https://developercommunity.visualstudio.com/t/visual-studio-freezes-randomly/224181#T-N257722-N277241-N407607 "Visual Studio freezes randomly | Visual Studio Feedback" [3]: https://stackoverflow.com/a/53754481 "Visual Studio 2017 (15.3.1) keeps hanging/freezing | Stack Overflow" code: |- rmdir /s /q "%LocalAppData%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%ProgramData%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%Temp%\Microsoft\VSApplicationInsights" 2>nul - name: Delete Visual Studio telemetry folders recommend: standard docs: |- `vstelemetry` is a folder created by both Visual Studio [1] and also by SQL Server Management Studio [2] to store telemetry data. There has been security vulnerabilities through these folders that were patched in 2020 by Microsoft [2]. [1]: http://processchecker.com/file/VsHub.exe.html "What is VsHub.exe ? VsHub.exe info | Processchecker.com" [2]: https://herolab.usd.de/en/security-advisories/usd-2020-0030/ "usd-2020-0030 - usd HeroLab" code: |- rmdir /s /q "%AppData%\vstelemetry" 2>nul rmdir /s /q "%ProgramData%\vstelemetry" 2>nul - name: Delete Visual Studio temporary telemetry and log data recommend: standard docs: |- These logs area created by different tools that Visual Studio uses such as its launcher, installer or data collection agents. Folders include `VSFaultInfo` [1], `VSFeedbackPerfWatsonData` [2], `VSFeedbackCollector` [2], `VSFeedbackVSRTCLogs` [3], `VSRemoteControl` [4] [5], `VSFeedbackIntelliCodeLogs` [4] [5], `VSTelem` [6] [7], `VSTelem.Out` [6]. There are more log and cache data stored by Visual Studio, but not all of them come with privacy implications. These files can be useful for faster loading, so this script removes only the sensitive data stored instead of cleaning all the cache completely. [1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Develoepr Community" [2]: https://developercommunity.visualstudio.com/t/microsoft-visual-studio-1/588200#T-N588861-N594783 "MSTF help | Visual Studio Developer Community" [3]: https://github.com/MicrosoftDocs/live-share/issues/3584 "Agent logs in %TEMP%\VSFeedbackVSRTCLogs taking up over 87GB · Issue #3584 · MicrosoftDocs/live-share | GitHub" [4]: https://developercommunity.visualstudio.com/t/please-keep-my-temp-folder-clean/731637 "Please keep my TEMP folder clean! - Visual Studio Feedback | Visual Studio Developer Community" [5]: https://stackoverflow.com/q/60974427 "Reduce log and other temporary file creation in Visual Studio 2019 | Stack Overflow" [6]: https://stackoverflow.com/q/72341126 "Visual Studio 2022 - Telemetry | Stack Overflow" [7]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/5b2a0baa-748f-40e0-b504-f6dfad9b7b4d/vstelem-folder-24000-files-2064kb?forum=msbuild "VSTELEM folder 24000 files 2064Kb | MSDN Forums" code: |- rmdir /s /q "%Temp%\VSFaultInfo" 2>nul rmdir /s /q "%Temp%\VSFeedbackPerfWatsonData" 2>nul rmdir /s /q "%Temp%\VSFeedbackVSRTCLogs" 2>nul rmdir /s /q "%Temp%\VSFeedbackIntelliCodeLogs" 2>nul rmdir /s /q "%Temp%\VSRemoteControl" 2>nul rmdir /s /q "%Temp%\Microsoft\VSFeedbackCollector" 2>nul rmdir /s /q "%Temp%\VSTelem" 2>nul rmdir /s /q "%Temp%\VSTelem.Out" 2>nul - category: Clear Visual Studio licenses docs: |- Visual Studio stores a local copy of your product key. This information is kept even though Visual Studio is uninstalled [1] which may reveal unnecessary data and not be desired. This key is not only stored for purchased Visual Studio products but also for the free trials. [1]: https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow" children: - name: Clear Visual Studio 2010 licenses docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow](https://stackoverflow.com/a/14810695)" code: reg delete "HKCR\Licenses\77550D6B-6352-4E77-9DA3-537419DF564B" /va /f - name: Clear Visual Studio 2015 licenses docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow](https://stackoverflow.com/a/32482322)" code: reg delete "HKCR\Licenses\4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F" /va /f - name: Clear Visual Studio 2017 licenses docs: "[Is Visual Studio Community a 30 day trial? | Stack Overflow](https://stackoverflow.com/a/51570570)" code: reg delete "HKCR\Licenses\5C505A59-E312-4B89-9508-E162F8150517" /va /f - name: Clear Visual Studio 2019 licenses docs: "[How to change Visual Studio 2017 License Key? | Stack Overflow](https://stackoverflow.com/a/46974337)" code: reg delete "HKCR\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA" /va /f - name: Clear Visual Studio 2022 licenses docs: |- Different keys have been reported by community for VS 2022 license [1]. This may depend on different preview versions. The latest reported key is `1299B4B9-DFCC-476D-98F0-F65A2B46C96D` [2] [3]. I have tested and verified this along with some other keys of preview versions. This scripts deletes all mentioned keys. [1]: https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 key discussion | beatcracker/VSCELicense | GitHub" [2]: https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022.html "MSFT Answer | Microsoft Learn" [3]: https://stackoverflow.com/a/71624750 "How to change Visual Studio 2017 License Key? | Stack Overflow" code: |- reg delete "HKCR\Licenses\B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC" /va /f reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f - category: Clear most recently used lists (MRU) children: - category: Clear Quick Access (jump) lists docs: https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf children: - name: Clear recently accessed files recommend: standard code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*" - name: Clear user pins code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*" - name: Clear regedit last key recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f - name: Clear regedit favorites recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f - name: Clear list of recent programs opened recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f - name: Clear Adobe Media Browser MRU recommend: standard code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f - name: Clear MSPaint MRU recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f - name: Clear Wordpad MRU recommend: standard code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f - name: Clear Map Network Drive MRU MRU recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f - name: Clear Windows Search Assistant history recommend: standard code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f - name: Clear list of Recent Files Opened, by Filetype recommend: standard code: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f - name: Clear windows media player recent files and URLs recommend: standard code: |- reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f - name: Clear Most Recent Application's Use of DirectX recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f - name: Clear Windows Run MRU & typedpaths recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f - name: Clear Dotnet CLI telemetry recommend: standard code: rmdir /s /q "%USERPROFILE%\.dotnet\TelemetryStorageService" 2>nul - category: Clear browser history children: - category: Clear Internet Explorer history children: - name: Clear Internet Explorer caches recommend: standard docs: # INetCache - https://support.microsoft.com/en-us/help/260897/how-to-delete-the-contents-of-the-temporary-internet-files-folder - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache # WebCache - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache code: |- del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*" rd /s /q "%localappdata%\Microsoft\Windows\WebCache" - name: Clear Internet Explorer recent URLs recommend: strict docs: - https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ - https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/ - https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html - http://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html code: |- reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f - name: Clear Temporary Internet Files (browser cache) recommend: standard docs: - https://en.wikipedia.org/wiki/Temporary_Internet_Files - https://www.windows-commandline.com/delete-temporary-internet-files/ # %localappdata%\Temporary Internet Files - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %localappdata%\Microsoft\Windows\Temporary Internet Files and INetCache code: |- :: Windows XP rd /s /q %userprofile%\Local Settings\Temporary Internet Files :: Windows 7 rd /s /q "%localappdata%\Microsoft\Windows\Temporary Internet Files" takeown /f "%localappdata%\Temporary Internet Files" /r /d y icacls "%localappdata%\Temporary Internet Files" /grant administrators:F /t rd /s /q "%localappdata%\Temporary Internet Files" :: Windows 8 and above rd /s /q "%localappdata%\Microsoft\Windows\INetCache" - name: Clear Internet Explorer Feeds Cache recommend: standard docs: https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data code: rd /s /q "%localappdata%\Microsoft\Feeds Cache" - name: Clear Internet Explorer cookies recommend: strict docs: - https://docs.microsoft.com/en-us/windows/win32/wininet/managing-cookies - https://docs.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs - https://www.thewindowsclub.com/cookies-folder-location-windows code: |- :: Windows 7 browsers rd /s /q "%APPDATA%\Microsoft\Windows\Cookies" :: Windows 8 and higher rd /s /q "%localappdata%\Microsoft\Windows\INetCookies" - name: Clear Internet Explorer DOMStore recommend: standard docs: https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx code: rd /s /q "%localappdata%\Microsoft\InternetExplorer\DOMStore" - name: Clear all Internet Explorer user data docs: - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data - https://www.forensafe.com/blogs/internetexplorer.html # Includes Internet Explorer cache, tab recovery data, persistance storage (DOMStore, indexed DB etc.) # Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\ # DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\, # VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\ # EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\ # Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log, # MSIMGSIZ.DAT code: rd /s /q "%localappdata%\Microsoft\Internet Explorer" - category: Clear Google Chrome history children: - name: Clear Google Chrome crash reports recommend: standard docs: https://www.chromium.org/developers/crash-reports code: |- rd /s /q "%localappdata%\Google\Chrome\User Data\Crashpad\reports\" rd /s /q "%localappdata%\Google\CrashReports\" - name: Clear Software Reporter Tool logs recommend: standard docs: https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/ code: del /f /q "%localappdata%\Google\Software Reporter Tool\*.log" - name: Clear all Chrome user data docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data" :: Windows Vista and later rd /s /q "%localappdata%\Google\Chrome\User Data" - category: Clear Firefox history children: - name: Clear browsing history and caches recommend: standard code: |- set ignoreFiles="content-prefs.sqlite" "permissions.sqlite" "favicons.sqlite" for %%d in ("%APPDATA%\Mozilla\Firefox\Profiles\" "%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\" ) do ( IF EXIST %%d ( FOR /d %%p IN (%%d*) DO ( for /f "delims=" %%f in ('dir /b /s "%%p\*.sqlite" 2^>nul') do ( set "continue=" for %%i in (%ignoreFiles%) do ( if %%i == "%%~nxf" ( set continue=1 ) ) if not defined continue ( del /q /s /f %%f ) ) ) ) ) - name: Clear all Firefox user profiles, settings, and data code: |- rd /s /q "%localappdata%\Mozilla\Firefox\Profiles" rd /s /q "%APPDATA%\Mozilla\Firefox\Profiles" - name: Clear all Opera data (user profiles, settings, and data) code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Opera\Opera" :: Windows Vista and later rd /s /q "%localappdata%\Opera\Opera" rd /s /q "%APPDATA%\Opera\Opera" - category: Clear Safari history children: - name: Clear Webpage Icons recommend: standard docs: https://www.sans.org/blog/safari-browser-forensics/ code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db" :: Windows Vista and later del /q /s /f "%localappdata%\Apple Computer\Safari\WebpageIcons.db" - name: Clear Safari cache recommend: standard docs: https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db" :: Windows Vista and later del /q /s /f "%localappdata%\Apple Computer\Safari\Cache.db" - name: Clear Safari cookies recommend: strict docs: https://kb.digital-detective.net/display/BF/Location+of+Safari+Data code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db" :: Windows Vista and later del /q /s /f "%localappdata%\Apple Computer\Safari\Cookies.db" - name: Clear all Safari data (user profiles, settings, and data) docs: - https://kb.digital-detective.net/display/BF/Location+of+Safari+Data - https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari - https://zerosecurity.org/2013/04/safari-forensic-tutorial code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari" :: Windows Vista and later rd /s /q "%AppData%\Apple Computer\Safari" - category: Clear Windows logs & caches children: - name: Clear thumbnail cache code: del /f /s /q /a %LocalAppData%\Microsoft\Windows\Explorer\*.db - category: Clear Windows log files children: - category: Clear Windows Update logs children: - name: Clear Windows update and SFC scan logs docs: https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c recommend: standard code: del /f /q %SystemRoot%\Temp\CBS\* - name: Clear Windows Update Medic Service logs recommend: standard docs: https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4 code: |- takeown /f %SystemRoot%\Logs\waasmedic /r /d y icacls %SystemRoot%\Logs\waasmedic /grant administrators:F /t rd /s /q %SystemRoot%\Logs\waasmedic - name: Clear Cryptographic Services Traces recommend: standard docs: https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows code: |- del /f /q %SystemRoot%\System32\catroot2\dberr.txt del /f /q %SystemRoot%\System32\catroot2.log del /f /q %SystemRoot%\System32\catroot2.jrs del /f /q %SystemRoot%\System32\catroot2.edb del /f /q %SystemRoot%\System32\catroot2.chk - name: Windows Update Events Logs code: del /f /q "%SystemRoot%\Logs\SIH\*" - name: Windows Update Logs code: del /f /q "%SystemRoot%\Traces\WindowsUpdate\*" - name: Clear Optional Component Manager and COM+ components logs recommend: standard code: del /f /q %SystemRoot%\comsetup.log - name: Clear Distributed Transaction Coordinator logs recommend: standard code: del /f /q %SystemRoot%\DtcInstall.log - name: Clear Pending File Rename Operations logs code: del /f /q %SystemRoot%\PFRO.log - name: Clear Windows Deployment Upgrade Process Logs recommend: standard code: |- del /f /q %SystemRoot%\setupact.log del /f /q %SystemRoot%\setuperr.log - name: Clear Windows Setup Logs recommend: standard docs: https://support.microsoft.com/en-gb/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows code: |- del /f /q %SystemRoot%\setupapi.log del /f /q %SystemRoot%\Panther\* del /f /q %SystemRoot%\inf\setupapi.app.log del /f /q %SystemRoot%\inf\setupapi.dev.log del /f /q %SystemRoot%\inf\setupapi.offline.log - name: Clear Windows System Assessment Tool logs recommend: standard docs: https://docs.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal code: del /f /q %SystemRoot%\Performance\WinSAT\winsat.log - name: Clear Password change events recommend: standard code: del /f /q %SystemRoot%\debug\PASSWD.LOG - name: Clear user web cache database recommend: standard docs: https://support.microsoft.com/en-gb/help/4056823/performance-issue-with-custom-default-user-profile code: del /f /q %localappdata%\Microsoft\Windows\WebCache\*.* - name: Clear system temp folder when no one is logged in recommend: standard code: del /f /q %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.* - name: Clear DISM (Deployment Image Servicing and Management) Logs recommend: standard docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files code: |- del /f /q %SystemRoot%\Logs\CBS\CBS.log del /f /q %SystemRoot%\Logs\DISM\DISM.log - name: Clear WUAgent (Windows Update History) logs docs: https://social.technet.microsoft.com/Forums/ie/en-US/f5744a18-d4ca-4631-8324-878b9225251d/windowssoftwaredistribution-folder-cleanup-automation?forum=winserverwsus code: |- # `sc queryex` output is same in every OS language setlocal EnableDelayedExpansion SET /A wuau_service_running=0 SC queryex "wuauserv"|Find "STATE"|Find /v "RUNNING">Nul||( SET /A wuau_service_running=1 net stop wuauserv ) del /q /s /f "%SystemRoot%\SoftwareDistribution" IF !wuau_service_running! == 1 ( net start wuauserv ) endlocal - name: Clear Server-initiated Healing Events Logs code: del /f /q "%SystemRoot%\Logs\SIH\*" - name: Common Language Runtime Logs recommend: standard code: |- del /f /q "%LocalAppData%\Microsoft\CLR_v4.0\UsageTraces\*" del /f /q "%LocalAppData%\Microsoft\CLR_v4.0_32\UsageTraces\*" - name: Network Setup Service Events Logs recommend: standard code: del /f /q "%SystemRoot%\Logs\NetSetup\*" - name: Disk Cleanup tool (Cleanmgr.exe) Logs code: del /f /q "%SystemRoot%\System32\LogFiles\setupcln\*" - name: Clear Windows temp files recommend: standard code: |- del /f /q %localappdata%\Temp\* rd /s /q "%WINDIR%\Temp" rd /s /q "%TEMP%" - name: Clear main telemetry file recommend: standard code: |- if exist "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" ( takeown /f "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /r /d y icacls "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /grant administrators:F /t echo "" > "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" echo Clear successful: "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" ) else ( echo "Main telemetry file does not exist. Good!" ) - name: Clear Event Logs in Event Viewer docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information code: |- REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) for /f "tokens=*" %%i in ('wevtutil.exe el') DO ( echo Deleting event log: "%%i" wevtutil.exe cl %1 "%%i" ) - name: Clean Windows Defender scan history docs: https://www.thewindowsclub.com/clear-windows-defender-protection-history code: del "%ProgramData%\Microsoft\Windows Defender\Scans\History\" /s /f /q - name: Clear credentials from Windows Credential Manager code: |- cmdkey.exe /list > "%TEMP%\List.txt" findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt" FOR /F "tokens=1,2 delims= " %%G IN (%TEMP%\tokensonly.txt) DO cmdkey.exe /delete:%%H del "%TEMP%\List.txt" /s /f /q del "%TEMP%\tokensonly.txt" /s /f /q - name: Delete controversial default0 user docs: https://github.com/undergroundwires/privacy.sexy/issues/30 recommend: standard code: net user defaultuser0 /delete 2>nul - name: Empty trash bin call: function: RunPowerShell parameters: code: |- $bin = (New-Object -ComObject Shell.Application).NameSpace(10) $bin.items() | ForEach { Write-Host "Deleting $($_.Name) from Recycle Bin" Remove-Item $_.Path -Recurse -Force } - name: Enable Reset Base in Dism Component Store recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f - name: Clear Windows Product Key from Registry # Helps to protect it from being stolen and used for identity theft or identifying you. docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/ # We use cscript.exe to execute instead of `slmgr` command directly to keep the output but surpress the dialogs. code: cscript.exe //nologo "%SystemRoot%\system32\slmgr.vbs" /cpky - name: Clear volume backups (shadow copies) docs: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods code: vssadmin delete shadows /all /quiet - name: Remove Default Apps Associations recommend: standard code: dism /online /Remove-DefaultAppAssociations - name: Clear (Reset) Network Data Usage recommend: standard docs: https://www.windowslifestyle.com/reset-data-usage-tool-reset-network-data-usage-windows-10/ code: |- # `sc queryex` output is same in every OS language setlocal EnableDelayedExpansion SET /A dps_service_running=0 SC queryex "DPS"|Find "STATE"|Find /v "RUNNING">Nul||( SET /A dps_service_running=1 net stop DPS ) del /F /S /Q /A "%windir%\System32\sru*" IF !dps_service_running! == 1 ( net start DPS ) endlocal - name: Clear previous Windows installations code: |- if exist "%SystemDrive%\Windows.old" ( takeown /f "%SystemDrive%\Windows.old" /a /r /d y icacls "%SystemDrive%\Windows.old" /grant administrators:F /t rd /s /q "%SystemDrive%\Windows.old" echo Deleted previous installation from "%SystemDrive%\Windows.old\" ) else ( echo No previous Windows installation has been found ) - category: Disable OS data collection children: - category: Disable Windows telemetry and data collection children: - name: Disable Customer Experience Improvement (CEIP/SQM) docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f - name: Disable Application Impact Telemetry (AIT) recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f - category: Disable diagnostics telemetry services children: - name: Disable connected user experiences and telemetry service # Connected User Experiences and Telemetry recommend: standard docs: http://batcmd.com/windows/10/services/diagtrack/ call: function: DisableService parameters: serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable WAP push message routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service recommend: standard docs: http://batcmd.com/windows/10/services/dmwappushservice/ call: function: DisableService parameters: serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable diagnostics hub standard collector service # Microsoft (R) Diagnostics Hub Standard Collector docs: http://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/ call: function: DisableService parameters: serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable diagnostic execution service # Diagnostic Execution Service docs: http://batcmd.com/windows/10/services/diagsvc/ call: function: DisableService parameters: serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Customer Experience Improvement Program recommend: standard code: |- schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE revertCode: |- schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /ENABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /ENABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /ENABLE - category: Disable Webcam Telemetry (devicecensus.exe) docs: - https://www.ghacks.net/2019/09/23/what-is-devicecensus-exe-on-windows-10-and-why-does-it-need-internet-connectivity/ - https://answers.microsoft.com/en-us/windows/forum/windows_10-security/devicecensusexe-and-host-process-for-windows-task/520d42a2-45c1-402a-81de-e1116ecf2538 children: - name: Disable devicecensus.exe (telemetry) task recommend: standard code: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /enable - name: Disable devicecensus.exe (telemetry) process recommend: standard call: function: KillProcessWhenItStarts parameters: processName: DeviceCensus.exe - category: Disable Compatibility Telemetry (Application Experience) children: - category: Disable Microsoft Compatibility Appraiser docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ children: - name: Disable Microsoft Compatibility Appraiser task recommend: standard code: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable - name: Disable CompatTelRunner.exe (Microsoft Compatibility Appraiser) process recommend: standard call: function: KillProcessWhenItStarts parameters: processName: CompatTelRunner.exe - name: Disable sending information to Customer Experience Improvement Program recommend: standard docs: - https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ - https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/permanently-disabling-windows-compatibility/6bf71583-81b0-4a74-ae2e-8fd73305aad1 code: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable - name: Disable Application Impact Telemetry Agent task recommend: standard docs: https://www.shouldiblockit.com/aitagent.exe-6181.aspx code: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /enable - name: Disable "Disable apps to improve performance" reminder recommend: strict docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ code: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /enable - category: Disable enterprise/business focused data collection docs: |- This category contains scripts to disable data collection capabilities focused on enterprise/business uses. The scripts target various Windows features like Desktop Analytics, Windows Update for Business, and Azure services. These capabilities are meant to provide insights for IT administrators but collect and transmit data from end user devices. By disabling these enterprise/business focused data collection features, you can increase privacy and reduce data sharing from your personal device. However, note that some functionality expected by business IT administrators may be reduced. These scripts can help limit enterprise/Microsoft visibility into your device, but may limit management capabilities on managed business devices. children: - category: Disable Desktop Analytics telemetry docs: |- Desktop Analytics is a cloud-based service that provides insights about Windows devices in an organization. The service provides insight and intelligence from user data [1]. Desktop Analytics collects diagnostic data from enrolled Windows devices and sends it to Microsoft cloud services [1]. It creates an inventory of apps running in an organization. This data provides insights about application compatibility and pilot identification to help IT administrators in organizations evaluate the readiness and compatibility of devices for Windows feature updates [1]. To enable data collection, Desktop Analytics configures settings on the device registry and group policies related to commercial ID, telemetry levels, and data sharing [2]. While this data sharing raises potential privacy concerns, Microsoft states that privacy controls allow organizations o limit data collection [1]. Desktop Analytics is retired since November 30, 2022 in favor of Microsoft Intune and Configuration Manager [3]. [1]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" [2]: https://web.archive.org/web/20230531234446/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn" [3]: https://web.archive.org/web/20230601065209/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/whats-new "What's new in Desktop Analytics - Configuration Manager | Microsoft Learn" children: - name: Disable Desktop Analytics Processing recommend: strict docs: |- This script ensures that Microsoft does not process Windows diagnostic data from your device [1]. When activated, it modifies a setting known as the Group Policy object on your device. This object is a set of policies that determine how your system operates. The script disables a policy related to Microsoft's Desktop Analytics service. This service is designed to provide insights into the health and usage of your devices but may involve processing diagnostic data [2]. By disabling this policy, the script helps to enhance the privacy of your device by preventing the processing of its diagnostic data by Microsoft. This means that information about the usage and performance of your device will not be sent to Microsoft's Desktop Analytics service [1][2]. [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowdesktopanalyticsprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" [2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing"" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /f - name: Prevent device name to be sent in Windows diagnostic data recommend: strict docs: |- This script enhances privacy by ensuring that the name of your device is anonymized in any diagnostic data collected by Microsoft Desktop Analytics [1]. In other words, instead of your actual device name, "Unknown" will appear in the data [1]. Since the release of Windows 10, version 1803, the device name is not included in the diagnostic data by default [1]. This script guarantees that this privacy-enhancing measure remains in place [1]. When implemented, it changes a specific registry setting, `AllowDeviceNameInTelemetry`, which controls whether the device name is included in Windows diagnostic data [2]. The script sets this value to `0`, thus disabling the inclusion of the device name in the data [2]. [1]: https://web.archive.org/web/20220903043346/https://docs.microsoft.com/en-US/mem/configmgr/desktop-analytics/enroll-devices#device-name "Enroll devices in Desktop Analytics - Configuration Manager | Microsoft Docs" [2]: https://web.archive.org/web/20210228151919/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDeviceNameInDiagnosticData "Allow device name to be sent in Windows diagnostic data" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /f - name: Disable collection of Edge browsing data for Desktop Analytics recommend: strict docs: |- This script configures Microsoft Edge to prevent it from sending your browsing history data to Desktop Analytics [1]. This browsing data can include information from either your intranet or internet history, or both [1]. When you use Microsoft Edge for browsing, it can collect and send your browsing history to Desktop Analytics, a Microsoft service that helps enterprises to analyze and improve their IT environment. If this setting is disabled, Microsoft Edge does not send any browsing history data, thereby enhancing your privacy. The script achieves this by modifying a specific value in the Windows Registry. The specific value that the script modifies is `MicrosoftEdgeDataOptIn` located at `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`. The script sets this value to `0`, which indicates to Microsoft Edge that it should not send browsing history data to Desktop Analytics [1]. While enhancing privacy, this could limit the functionality of Desktop Analytics for enterprises that rely on this service for IT insights. However, for individual users, this script can help prevent unwanted data collection and transmission, contributing to an overall safer browsing experience [1]. [1]: https://web.archive.org/web/20220524020212/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.MicrosoftEdge::ConfigureTelemetryForMicrosoft365Analytics "Configure collection of browsing data for Desktop Analytics" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /f - name: Disable diagnostics data processing for Business cloud recommend: strict docs: |- This script controls whether diagnostic data from your device is processed by Windows Update for Business cloud [1] [2]. If enabled, the script can enhance privacy by ensuring that diagnostic data from your device is not processed by the Windows Update for Business cloud (WufB) [1], an update management service provided by Microsoft [3]. This service typically helps businesses manage updates on their devices efficiently. But if privacy is a concern, you can opt to disable it [3]. The policy is applicable to devices joined to Azure Active Directory [1]. Azure Active Directory is a Microsoft cloud service that provides identity and access capabilities. Disabling this policy means that some features of the Windows Update for Business deployment service might not be available. However, your device will gain an added layer of privacy as diagnostic data will not be processed by the business cloud [1]. [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowwufbcloudprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" [2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing" [3]: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-management-for-windows-on-a-windows-365-cloud-pc/ba-p/3452703 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /f - name: Disable Update Compliance processing of diagnostics data recommend: standard docs: |- Update Compliance is a service provided by Microsoft hosted in Azure, which uses Windows diagnostic data [1]. This service doesn't meet the US Government community compliance (GCC) requirements [1], and is utilized by both Desktop Analytics and Azure Update Management [1]. This script is designed to disable the Update Compliance processing of diagnostic data on your device. When this script is run, it modifies the system registry to prevent diagnostic data from your device being processed by Update Compliance. This change in settings increases the privacy of your device by limiting the diagnostic data that can be accessed and analyzed by Microsoft's services. Diagnostic data, in this context, includes information about device health, system events, and usage metrics. By disabling the processing of this data, the script helps protect the privacy of your activities on your device [1]. This script can be reversed at any time by using the provided `revertCode` if you decide to re-enable the processing of diagnostic data by Update Compliance. In technical terms, the script sets the `AllowUpdateComplianceProcessing` value in the `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection` registry path to 0, which disables the processing of diagnostic data by Update Compliance [2]. [1]: https://web.archive.org/web/20220703201221/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started "Get started with Update Compliance - Windows Deployment | Microsoft Docs" [2]: https://web.archive.org/web/20220610123725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowUpdateComplianceProcessing "Allow Update Compliance Processing" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /f - name: Disable commercial usage of collected data recommend: standard docs: |- This protects your privacy by placing a limit on the commercial usage of your data. It manages how Windows diagnostic data is handled by controlling whether Microsoft is a processor or controller for Windows diagnostic data collected from your device [1] [2]. In the default setting, Microsoft operates as the controller of this diagnostic data, thus enabling it to use the data for commercial purposes. This script alters that setting to limit the commercial usage of your data [1] [2]. This script does not affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. Moreover, it doesn't change whether diagnostic data is collected or the ability of the user to change the level. [1]: https://web.archive.org/web/20230803142206/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline "System Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230330140620/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowCommercialDataPipeline "Allow commercial data pipeline" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /f - name: Disable diagnostic and usage telemetry data transmission recommend: standard docs: |- This script improves your privacy by blocking the transmission of diagnostic and usage telemetry data from your Windows device [1]. This includes data about your device's usage, app compatibility, and system performance, which can be sensitive in nature. By stopping this data from being sent, you reduce the amount of personal information that could potentially be accessed by third parties. The script works by configuring the Group Policy Object (GPO) and Local Policy preferences, which essentially govern your device's data sharing policies [2]. These modifications restrict the data that Windows and its built-in apps can collect and send. Upon executing this script, Desktop Analytics will be disabled, as it relies on basic diagnostic data to function [2]. Desktop Analytics is a cloud-based service provided by Microsoft [4]. It provides insights and intelligence for IT administrators [4]. It is deprecated Desktop Analytics and retired since November 30, 2022. Once this script is executed, even if the policy permits a telemetry setting of Security or Basic, users will not have the capability to opt for a higher data sharing level [3]. This restriction is limited to the operating system and apps included with Windows, and does not pertain to third-party apps installed on your device [3]. [1]: https://web.archive.org/web/20230731225232/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry "System Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230731225319/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn" [3]: https://web.archive.org/web/20211129155126/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection%3A%3AAllowTelemetry "Allow Telemetry" [4]: https://web.archive.org/web/20230731225544/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" code: |- # Using Local policy preference reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f # Using Group policy object (GPO) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f revertCode: |- # Using Local policy preference reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 1 /f # Using Group policy object (GPO) reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /f - name: Disable automatic cloud configuration downloads recommend: strict docs: |- This script turns off the OneSettings service, a feature from Microsoft that downloads configuration settings [1]. This action can enhance the privacy and security of your Windows desktop environment by managing a feature called the Services Configuration [1]. Services Configuration is a mechanism that various Windows components and apps use to update their settings dynamically [2] [3]. By default, Windows periodically tries to connect with the OneSettings service to download configuration settings [1]. This script turns off that function, reducing the chance of data being shared with third-party vendors [1]. This script is recommended by CIS Microsoft Windows Desktop Benchmarks [1]. Please be aware that turning off this service might affect how certain apps that rely on this service work [3]. The script changes a registry setting to disable OneSettings downloads [3] [1]. It also provides a revert code to undo this change, if needed, which returns the system to its previous state. If you want to limit how much data is sent to Microsoft, turning off the OneSettings service can help enhance your privacy [1]. For more information about the impact of OneSettings on privacy, visit [docs.microsoft.com](https://web.archive.org/web/20230803030919/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809). This script lets you manage your privacy by restricting the automatic configuration updates of Windows components and apps, including telemetry services, from the cloud [3] [1]. By using this script, Windows will not connect to OneSettings to fetch any configuration settings [1]. This reduces the amount of data sent to third-party vendors, which can help alleviate potential security concerns [1]. However, please be aware that while this setting can enhance privacy, turning off this service could lead to some applications not working properly. These applications may depend on dynamic configuration updates that will be stopped when the service is disabled [3] [1]. [1]: https://web.archive.org/web/20230803030428/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_v1.12.0.audit:b3aec171f406cbe87f37e57bc9dd1411 "18.9.17.3 Ensure 'Disable OneSettings Downloads' is set to 'En... | Tenable" [2]: https://web.archive.org/web/20230803024926/https://learn.microsoft.com/en-us/windows/win32/services/service-configuration "Service Configuration - Win32 apps | Microsoft Learn" [3]: https://web.archive.org/web/20230731230134/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" code: reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /f - name: Disable license telemetry recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f - name: Disable error reporting recommend: standard docs: # Settings - https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings - https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 # Windows Error Reporting Service - http://batcmd.com/windows/10/services/wersvc/ # Problem Reports Control Panel Support - http://batcmd.com/windows/10/services/wercplsupport/ call: - function: RunInlineCode parameters: code: |- :: Disable Windows Error Reporting (WER) reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f :: Disable WER sending second-level data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f :: Disable WER crash dialogs, popups reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable revertCode: |- :: Enable Windows Error Reporting (WER) reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f :: Enable WER sending second-level data reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f :: Enable WER crash dialogs, popups reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable - # Windows Error Reporting Service function: DisableService parameters: serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - # Problem Reports Control Panel Support function: DisableService parameters: serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Disable automatic driver updates by Windows Update children: - name: Disable device metadata retrieval (breaks auto updates) recommend: strict docs: - https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964 - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f - name: Do not include drivers with Windows Updates docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate recommend: strict code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f - name: Prevent Windows Update for device driver search docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965 recommend: strict code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 1 /f - name: Disable cloud speech recognition recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f - name: Disable active probing (pings to MSFT NCSI server) recommend: strict code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f - name: Opt out from Windows privacy consent recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f - name: Disable Windows feedback recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: |- reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f - name: Disable text and handwriting collection recommend: standard code: |- reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f - category: Deny app access to personal information children: - name: Deny app access to location recommend: standard docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation # LetAppsAccessLocation - https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ # ConsentStore\location - https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/ # lfsvc\Service\Configuration code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /f :: For older Windows (before 1903) reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Allow" /f :: For older Windows (before 1903) reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /f - name: Deny app access to account info, name, and picture recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Allow" /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /f - name: Deny app access to motion data recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /f - name: Deny app access to phone recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /f - name: Deny app access to trusted devices docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices recommend: standard code: |- :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /f - name: Deny app sync with devices (unpaired, beacons, TVs, etc.) recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /f - name: Deny app access to camera docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kscategory-video-camera - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscamera code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /f - name: Deny app access to microphone docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophonee code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f - name: Deny apps share and sync non-explicitly paired wireless devices over uPnP code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f - name: Deny app access to diagnostics info about your other apps recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Allow" /t REG_SZ /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /f - category: Deny app access to your file system children: - name: Deny app access to Document folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to Pictures folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to Videos folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to other filesystem recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to your contacts recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /f - name: Deny app access to Notifications recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO (re-activation through GUI is not possible) reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /f - name: Deny app access to Calendar recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /f - name: Deny app access to call history recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /f - name: Deny app access to email recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d DENY /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /f - name: Deny app access to tasks recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Allow" /t REG_SZ /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /f - name: Deny app access to messaging (SMS / MMS) docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Deny" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Allow" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /f - name: Deny app access to radios recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d DENY /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /f - name: Deny app access to bluetooth devices recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f - category: Disable app access to voice activation children: - name: Disable apps and Cortana to activate with voice recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 0 /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /t REG_DWORD /d 2 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 1 /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /f - name: Disable apps and Cortana to activate with voice when sytem is locked recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 0 /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /t REG_DWORD /d 2 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 1 /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /f - category: Disable location access children: - name: Turn off Windows Location Provider code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f - name: Turn off location scripting recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f - name: Turn off location recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f :: For older Windows (before 1903) reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Deny" /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "0" /t REG_DWORD /f :: For older Windows (before 1903) reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f - name: Turn off sensors recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f - category: Disable windows search data collection children: - category: Disable cortana children: - name: Do not allow Cortana recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f - name: Do not allow Cortana experience recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f - name: Do not allow search and Cortana to search cloud sources like OneDrive and SharePoint recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 1 /f - name: Disable Cortana speech interaction while the system is locked recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f - name: Opt out from Cortana consent recommend: standard code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 10 /f - name: Do not allow Cortana to be enabled recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 1 /f - name: Disable Cortana (Internet search results in start menu) recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f - category: Disable Cortana history children: - name: Prevent Cortana from displaying history recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f - name: Prevent Cortana from using device history recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f - name: Remove the Cortana taskbar icon recommend: standard code: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /t REG_DWORD /d 0 /f revertCode: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /f - name: Disable Cortana in ambient mode recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 1 /f - category: Disable Cortana voice listening children: - name: Disable "Hey Cortana" voice activation recommend: standard code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 1 /f - name: Disable Cortana listening to commands on Windows key + C recommend: standard code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 1 /f - name: Disable using Cortana even when device is locked recommend: standard code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 1 /f - name: Disable automatic update of Speech Data recommend: standard code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d 0 /f revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /f - name: Disable Cortana voice support during Windows setup recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /f - category: Configure Windows search indexing children: - name: Disable search indexing encrypted items / stores recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowindexingencryptedstoresoritems code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f - name: Do not use automatic language detection when indexing recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-alwaysuseautolangdetection code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 1 /f - name: Do not allow search to use location recommend: standard docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 1 /f - name: Disable web search in search bar recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 0 /f - name: Do not search the web or display web results in Search docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies recomend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 1 /f - name: Disable Bing search recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 1 /f - category: Disable targeted ads and marketing children: - name: Disable ad customization with Advertising ID recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general code: |- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f - category: Disable cloud-based tips and ads children: - name: Disable Windows Tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f - name: Disable Windows Spotlight (random wallpaper on lock screen) recommend: standard docs: - https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "0" /f - name: Disable Microsoft consumer experiences recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f - name: Turn Off Suggested Content in Settings app recommend: standard docs: - https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 - https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm code: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f revertCode: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f - category: Disable biometrics (breaks fingerprinting/facial login) children: - name: Do not allow the use of biometrics recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f - name: Do not allow users to log on using biometrics recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f - name: Disable Windows Biometric Service recommend: strict docs: - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service - http://batcmd.com/windows/10/services/wbiosrvc/ call: function: DisableService parameters: serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Wi-Fi sense recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f - name: Hide most used apps (tracks app launch) docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10 recommend: strict code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f - name: Disable Inventory Collector recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 0 /f - name: Disable Website Access of Language List recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f - name: Disable Auto Downloading Maps recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f - name: Disable steps recorder recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f - name: Disable game screen recording recommend: standard code: |- reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f - name: Disable Windows DRM internet access docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - name: Disable feedback on write (sending typing info) recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable Activity Feed recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f - category: Disable Windows Insider Program children: - name: Disable Windows Insider Service docs: - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service - http://batcmd.com/windows/10/services/wisvc/ recommend: standard call: function: DisableService parameters: serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Do not let Microsoft try features on this build docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f - name: Disable getting preview builds of Windows docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f - name: Remove "Windows Insider Program" from Settings docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/ code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f - category: Disable cloud sync docs: https://support.microsoft.com/en-us/help/4026102/windows-10-about-sync-settings children: - name: Disable all settings sync recommend: standard enabler: all those bottom code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f - name: Disable Application Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable App Sync Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Credentials Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable Desktop Theme Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Personalization Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Start Layout Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Web Browser Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Windows Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Language Setting Sync recommend: standard docs: - https://winaero.com/turn-on-off-sync-settings-windows-10/ - https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor - https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 1 /f - category: Configure programs children: - category: Disable Visual Studio data collection docs: |- These scripts disable future local and cloud data collection by Visual Studio about you and your behavior. These do not clean existing data collected about you locally or on cloud servers. children: - name: Opt-out from Visual Studio Customer Experience Improvement Program (VSCEIP) recommend: standard docs: |- `VSCEIP` collects information about errors, computer hardware, and how people use Visual Studio [1]. The information is sent to Microsoft servers for further analysis. This was previously known as Customer Experience Improvement Program (`PerfWatson`) for Visual Studio that primarily collected your personal usage and related performance data [2]. For more information about the information collected, processed, or transmitted by the `VSCEIP`, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). Visual Studio uses different keys based on CPU architecture of the host operating system (32bit or 64bit) [1]: - 32bit: `HKLM\SOFTWARE\Microsoft\VSCommon` - 64bit: `HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon` Key `OptIn` can have two different values [1]: - `0` is opted out (turn off) - `1` is opted in (turn on) The default installation sets the key as `1` (opt-in by default) since Visual Studio 2022. [1]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn" [2]: https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog" code: |- :: Using OS keys if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f ) else ( reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f ) :: Using GPO key reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 0 /f revertCode: |- :: Using OS keys if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f ) else ( reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f ) :: Using GPO key reg delete "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /f 2>nul - name: Disable Visual Studio telemetry docs: |- This key was first seen to be used in Visual Studio 15 (2017) [1] [2]. By default (after clean installation) the registry key set by this script does not exist since Visual Studio 2022. [1]: https://developercommunity.visualstudio.com/t/bad-crashes-when-visualstudiotelemetryturnoffswitc/208693 "Bad crashes when VisualStudio\Telemetry\TurnOffSwitch is set to 0 | Visual Studio Feedback" [2]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/7796f0c5-ec9a-4fc8-9f62-584a663f9016/vs2015-pro-upd-3-quotthe-application-cannot-startquot-exception-in-obtainoptinstatus 'VS2015 (pro + upd 3): "Forum post showing logs for TurnOffSwitch key | MSDN Forums' recommend: standard code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f revertCode: reg delete "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /f 2>nul - name: Disable Visual Studio feedback docs: |- Feedback tool in Visual Studio allows users to report a problem from either Visual Studio or its installer. It collects rich diagnostic information along with personally identifiable information [1]. Information includes large log files, crash information, screenshots, repro recording, and other artifacts [1]. This script disables feedback dialog and screenshot capture/email input that's prompted to be sent as part of the feedback. By default (after clean installation) the registry keys are not configured/set since Visual Studio 2022. Having these settings no set imply that feedback is enabled. [1]: https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio "Report a problem with Visual Studio - Visual Studio (Windows) | Microsoft Learn" recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /f 2>nul - name: Stop and disable Visual Studio Standard Collector Service docs: |- Visual Studio Standard Collector Service is a service that is part of [Microsoft Visual Studio and .NET Log Collection Tool](https://www.microsoft.com/en-us/download/details.aspx?id=12493) [1]. This service collects logs for Diagnostics Hub just like Diagnostic Hub Standard Collector [2]. It has been known to be vulnerable to privilege elavation [3]. Disabling this service is recommended because otherwise it would: - Increase the attack surface of your computer, making it open to potential future vulnerabilities. - Use computer resources in favor of collecting more data about you and your behavior. [1]: https://learn.microsoft.com/en-us/answers/questions/891356/i-can39t-start-vsstandardcollectorservice150.html#answer-929168 "I can't start VSStandardCollectorService150 | Microsoft Q&A" [2]: https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service "CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service | Atredis Partners" [3]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability" recommend: standard call: function: DisableService parameters: serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType defaultStartupMode: Manual # Manual since Visual Studio 2022, allowed values: Automatic | Manual - name: Disable Diagnostics Hub log collection docs: |- Diagnostics Hub is online data collection point for diagnostic tools used by Visual Studio. It can be disabled by deleting `LogLevel` and `LogDirectory` registery keys [1] and enabled by adding them [2] [3] [4] [5]. The registry keys are not set after installation since Visual Studio 2022. [1]: https://developercommunity.visualstudio.com/t/cant-disable-diagnostics-hub-in-visual-stuido/1449322#T-N1449680 "Can't disable Diagnostics hub in visual stuido | Visual Studio Feedback" [2]: https://developercommunity.visualstudio.com/t/diagnostic-tool-no-registered-class/1099781#T-N1106849 "diagnostic tool No registered class | Visual Studio Feedback" [3]: https://stackoverflow.com/a/39380284 "c# - Visual Studio 2015 diagnostic tools no longer working | Stack Overflow" [4]: https://developercommunity.visualstudio.com/t/collectionstartfailedhubexception-on-profiler-laun/414212#T-N447791 "CollectionStartFailedHubException on profiler launch | Visual Studio Feedback" [5]: https://developercommunity.visualstudio.com/t/diagnostics-tools-failed-unexpectedly-unable-to-st/437117#T-N447777 "Diagnostics tools failed unexpectedly--unable to start standard collector | Visual Studio Feedback" code: |- reg delete "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /f 2>nul revertCode: |- "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -property catalog_productDisplayVersion >Nul | findstr "15." >nul && ( reg add "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /t REG_SZ /d "All" /f ) - name: Opt-out from IntelliCode data collection recommend: standard docs: |- [IntelliCode for Visual Studio](https://learn.microsoft.com/en-us/visualstudio/intellicode/intellicode-visual-studio) provides AI based suggestions for the code. IntelliCode does not send any code to Microsoft servers as long as team completion model training is not used [1] [2]. This script opts-out from it without breaking the functionality of IntelliCode for local models. The registry keys set by this script do not exist by default after installation since Visual Studio 2022. [1]: https://docs.microsoft.com/en-us/visualstudio/intellicode/intellicode-privacy "IntelliCode privacy - Visual Studio IntelliCode | Microsoft Learn" [2]: https://github.com/MicrosoftDocs/intellicode/blob/50ea60c91a7175e749ed5e094403568a583a292e/docs/intellicode-privacy.md code: |- :: Global policy reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f :: Local policy reg add "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f revertCode: |- :: Global policy reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul :: Local policy reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul - name: Disable NET Core CLI telemetry recommend: standard code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1 revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0 - name: Disable PowerShell 7+ telemetry recommend: standard docs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry code: setx POWERSHELL_TELEMETRY_OPTOUT 1 revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0 - category: Disable NVIDIA telemetry docs: - https://github.com/privacysexy-forks/nVidia-modded-Inf - https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry - https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20 children: - name: Uninstall NVIDIA telemetry tasks recommend: standard code: |- if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" ( rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry ) - name: Delete NVIDIA residual telemetry files recommend: standard code: |- del /s %SystemRoot%\System32\DriverStore\FileRepository\NvTelemetry*.dll rmdir /s /q "%ProgramFiles(x86)%\NVIDIA Corporation\NvTelemetry" 2>nul rmdir /s /q "%ProgramFiles%\NVIDIA Corporation\NvTelemetry" 2>nul - name: Opt out from NVIDIA telemetry recommend: standard call: function: RunInlineCode parameters: code: |- reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f revertCode: |- reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f - name: Disable Nvidia Telemetry Container service docs: https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ call: function: DisableService parameters: serviceName: NvTelemetryContainer # Display name: "NVIDIA Telemetry Container" # Description: "Container service for NVIDIA Telemetry" defaultStartupMode: Automatic - name: Disable NVIDIA telemetry services recommend: standard code: |- schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE revertCode: |- schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE - category: Disable Visual Studio Code data collection docs: - https://code.visualstudio.com/updates/v1_26#_offline-mode - https://code.visualstudio.com/docs/getstarted/settings children: - name: Disable Visual Studio Code telemetry docs: https://code.visualstudio.com/docs/getstarted/telemetry recommend: standard call: function: SetVsCodeSetting parameters: setting: telemetry.enableTelemetry powerShellValue: $false - name: Disable Visual Studio Code crash reporting docs: https://code.visualstudio.com/docs/getstarted/telemetry recommend: standard call: function: SetVsCodeSetting parameters: setting: telemetry.enableCrashReporter powerShellValue: $false - name: Do not run Microsoft online experiments docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173 recommend: standard call: function: SetVsCodeSetting parameters: setting: workbench.enableExperiments powerShellValue: $false - name: Choose manual updates over automatic updates call: function: SetVsCodeSetting parameters: setting: update.mode powerShellValue: >- 'manual' - name: Show Release Notes from Microsoft online service after an update call: function: SetVsCodeSetting parameters: setting: update.showReleaseNotes powerShellValue: $false - name: Automatically check extensions from Microsoft online service call: function: SetVsCodeSetting parameters: setting: extensions.autoCheckUpdates powerShellValue: $false - name: Fetch recommendations from Microsoft only on demand call: function: SetVsCodeSetting parameters: setting: extensions.showRecommendationsOnlyOnDemand powerShellValue: $true - name: Automatically fetch git commits from remote repository call: function: SetVsCodeSetting parameters: setting: git.autofetch powerShellValue: $false - name: Fetch package information from NPM and Bower call: function: SetVsCodeSetting parameters: setting: npm.fetchOnlinePackageInfo powerShellValue: $false - category: Disable Microsoft Office telemetry docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office children: - name: Disable Microsoft Office logging recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f - name: Disable client telemetry recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f - name: Customer Experience Improvement Program docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f - name: Disable feedback recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f - name: Disable telemetry agent recommend: standard code: |- schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /DISABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /DISABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /DISABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /DISABLE revertCode: |- schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /ENABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /ENABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /ENABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE # - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b) # name: Disable ClickToRun Service Monitor # docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx # call: # - # function: RunInlineCode # parameters: # code: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE # revertCode: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE # - # function: DisableService # parameters: # serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType # defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Subscription Heartbeat code: |- schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /DISABLE schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /DISABLE revertCode: |- schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /ENABLE schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /ENABLE - category: Configure browsers children: - category: Configure Edge children: - category: Chromium Edge settings children: - name: Disable Edge usage and crash-related data reporting (shows "Your browser is managed") # Obselete since Microsoft Edge version 89 recommend: standard docs: - https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled - https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#metricsreportingenabled code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /f - name: Disable sending site information (shows "Your browser is managed") # Obselete since Microsoft Edge version 89 recommend: standard docs: - https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices - https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#sendsiteinfotoimproveservices code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f - name: Disable Automatic Installation of Microsoft Edge Chromium docs: - https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate - https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f - name: Disable live tile data collection recommend: standard docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f - name: Disable MFU tracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 0 /f - name: Disable recent apps recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0/f - name: Turn off backtracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f - name: Disable Search Suggestions in Edge docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f - category: Configure Internet Explorer children: - name: Disable Geolocation in Internet Explorer recommend: standard code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f - name: Disable Internet Explorer InPrivate logging recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f - name: Disable Internet Explorer CEIP recommend: standard docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f - name: Disable calling legacy WCM policies recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f - name: Disable SSLv3 fallback recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v EnableSSL3Fallback /t REG_DWORD /d 3 /f - name: Disable ignoring cert errors recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f - category: Configure Google Chrome children: - name: Disable Chrome Software Reporter Tool recommend: standard code: |- icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)" cacls "%localappdata%\Google\Chrome\User Data\SwReporter" /e /c /d %username% reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /f - category: Chrome cleanup children: - name: Do not share scanned software data to Google (shows "Your browser is managed") recommend: standard docs: - https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /f - name: Prevent Chrome from scanning the system for cleanup (shows "Your browser is managed") recommend: standard docs: - https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /f - name: Disable Chrome metrics reporting (shows "Your browser is managed") recommend: standard docs: https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f - category: Configure Mozilla Firefox telemetry children: - category: Disable default browser agent reporting children: - name: Disable default browser agent reporting policy recommend: standard docs: https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/ code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 1 /f revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 0 /f - name: Disable default browser agent reporting services recommend: standard code: |- schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB" schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD" revertCode: |- schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB" schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD" - name: Disable Firefox metrics reporting recommend: standard docs: https://github.com/privacysexy-forks/policy-templates#disabletelemetry code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 1 /f revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 0 /f - name: Disable Google update service recommend: standard docs: - https://websetnet.net/how-to-disable-google-chrome-automatic-updates-in-windows-10/ - https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-25791.html #gupdate - https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-26582.html #gupdatem call: - function: RunInlineCode parameters: code: |- schtasks /change /disable /tn "GoogleUpdateTaskMachineCore" schtasks /change /disable /tn "GoogleUpdateTaskMachineUA" revertCode: |- schtasks /Change /enable /tn "GoogleUpdateTaskMachineCore" schtasks /change /enable /tn "GoogleUpdateTaskMachineUA" - function: DisableService parameters: serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Adobe Acrobat update service recommend: standard call: - function: DisableService parameters: serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: adobeflashplayerupdatesvc # Check: (Get-Service -Name adobeflashplayerupdatesvc).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: RunInlineCode parameters: code: |- schtasks /change /tn "Adobe Acrobat Update Task" /disable schtasks /change /tn "Adobe Flash Player Updater" /disable revertCode: |- schtasks /change /tn "Adobe Acrobat Update Task" /enable schtasks /change /tn "Adobe Flash Player Updater" /enable - name: Disable Razer Game Scanner Service recommend: standard call: function: DisableService parameters: serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Logitech Gaming Registry Service recommend: standard call: function: DisableService parameters: serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Dropbox auto update service recommend: standard call: - function: DisableService parameters: serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: RunInlineCode parameters: code: |- schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore" schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA" revertCode: |- schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore" schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA" - category: Disable Media Player data collection children: - name: Do not send Windows Media Player statistics recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f - name: Disable metadata retrieval recommend: standard code: |- reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - name: Disable Windows Media Player Network Sharing Service docs: http://batcmd.com/windows/10/services/wmpnetworksvc/ recommend: standard call: function: DisableService parameters: serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable CCleaner Monitoring code: |- reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f - category: Security improvements children: - category: Meltdown and Spectre protection docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot children: - name: Spectre variant 2 and meltdown (own OS) code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f wmic cpu get name | findstr "Intel" >nul && ( reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f ) wmic cpu get name | findstr "AMD" >nul && ( reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f ) revertCode: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f - name: Spectre variant 2 and meltdown (HyperV) code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f - name: Disable administrative shares recommend: standard code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f - name: Force enable data execution prevention (DEP) code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f - name: Disable AutoPlay and AutoRun docs: - https://en.wikipedia.org/wiki/AutoRun - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673 recommend: standard code: |- :: 255 (0xff) means all drives reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f - name: Disable remote Assistance recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f - name: Disable lock screen camera recommend: standard docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f - name: Prevent the storage of the LAN Manager hash of passwords recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 10 /f - name: Disable Windows Installer Always install with elevated privileges recommend: standard docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f - name: Prevent WinRM from using Basic Authentication recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f - name: Restrict anonymous enumeration of shares recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f - name: Refuse less secure authentication recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f - name: Enable Structured Exception Handling Overwrite Protection (SEHOP) recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f - name: Block Anonymous enumeration of SAM accounts recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "RestrictAnonymousSAM" /t REG_DWORD /d 0 /f - name: Restrict anonymous access to Named Pipes and Shares recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 0 /f - category: Disable unsafe features children: - name: Disable unsafe SMBv1 protocol recommend: standard docs: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 code: |- dism /online /Disable-Feature /FeatureName:"SMB1Protocol" /NoRestart dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart revertCode: |- dism /online /Enable-Feature /FeatureName:"SMB1Protocol" /NoRestart dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart - name: Disable PowerShell 2.0 against downgrade attacks recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637 code: |- dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart revertCode: |- dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart - name: Disable the Windows Connect Now wizard recommend: standard docs: - https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now - https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698 code: |- reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f - category: Increase cryptography on ISS children: - name: Increase Diffie-Hellman key (DHK) exchange to 4096-bit code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ServerMinKeyBitLength /t REG_DWORD /d 0x00001000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00001000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v Enabled /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f - name: Increase RSA key exchange to 2048-bit docs: |- In 2012, Microsoft began transitioning minimum RSA key length across various applications from 1024 to 2048 bits. 1024-Bit key exchange algorithms are still supported in Windows despite being considered deprecated for some time. NIST 800-131A Rev. 2 cites RSA Key Agreement and Key Transport schemes with len(n) < 2048 are disallowed. Generally, RSA 2048-bit+ key exchange algorithms are widely supported. While supported cipher suites remain a roundabout way to address supported key exchange algorithms, these can also be specified independently (although there are still constraints based on negotiated cipher suite) and provide a supplemental baseline to enforce using strong cryptography. This script works by creating the non-default key and value called PKCS at `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\` with a name of `ClientMinKeyBitLength` and value of `0x00000800` (2048). The revert deletes the `ClientMinKeyBitLength` value. See also: - [Transport Layer Security (TLS) registry settings | learn.microsoft.com](https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#keyexchangealgorithm---client-rsa-key-sizes) - [Pull request by bricedobson | undergroundwires/privacy.sexy | GitHub.com](https://github.com/undergroundwires/privacy.sexy/pull/165) code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00000800 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /v "ClientMinKeyBitLength" /f - name: Disable RC2 cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v "Enabled" /f - name: Disable RC4 cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v "Enabled" /f - name: Disable DES cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v "Enabled" /f - name: Disable 3DES (Triple DES) cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" /f - name: Disable MD5 hash function code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v "Enabled" /f - name: Disable SHA1 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /v "Enabled" /f - name: Disable null cipher code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v "Enabled" /f - name: Force not to respond to renegotiation requests code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoClients /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoServers /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v DisableRenegoOnServer /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v UseScsvForTls /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnServer" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f - name: Disable DTLS 1.0 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "DisabledByDefault" /f - name: Disable DTLS 1.1 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f - name: Enable DTLS 1.3 # Windows 10 and Windows 10 Server version 1903 and newer supports DTLS 1.3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f - name: Disable TLS 1.0 docs: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls # After disabling TLS 1.0 must be (will be) activated SchUseStrongCrypto for .NET apps code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - name: Disable TLS 1.1 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f - name: Enable TLS 1.3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f - name: Enabling Strong Authentication for .NET applications (TLS 1.2) docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications code: |- reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - name: Disable SSLv2 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f - name: Disable SSLv3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f - category: Privacy over security children: - category: Disable Windows Defender docs: https://en.wikipedia.org/wiki/Windows_Firewall # See defender status: Get-MpComputerStatus children: - category: Disable Windows Defender Firewall # Also known as Windows Firewall, Microsoft Defender Firewall children: - category: Disable Windows Defender Firewall Services and Drivers (breaks Microsoft Store and `netsh advfirewall` CLI) children: - name: Disable Windows Defender Firewall Authorization Driver service docs: - http://batcmd.com/windows/10/services/mpsdrv/ # ❗️ Breaks: `netsh advfirewall set` # Disabling and stopping it breaks "netsh advfirewall set" commands such as # `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`. # More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior # ! Breaks: Windows Store # The Windows Defender Firewall service depends on this service. # Disabling this will also disable the Windows Defender Firewall service, breaking Microsoft Store. # https://i.imgur.com/zTmtSwT.png call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: mpsdrv # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv").Start defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\mpsdrv.sys' - name: Disable Windows Defender Firewall service docs: - http://batcmd.com/windows/10/services/mpssvc/ - https://en.wikipedia.org/wiki/Windows_Firewall # More information about MpsSvc: - https://web.archive.org/web/20110203202612/http://technet.microsoft.com/en-us/library/dd364391(v=WS.10).aspx # More information about boot time protection and stopping the firewall service: - https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx # Stopping the service associated with Windows Firewall is not supported by Microsoft: - https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx # ❗️ Breaks Microsoft Store # Can no longer update nor install apps, they both fail with 0x80073D0A # Also breaks some of Store apps such as Photos: # - https://answers.microsoft.com/en-us/windows/forum/all/microsoft-store-windows-defender-windows-firewall/f2f68cd7-64ec-4fe1-ade4-9d12cde057f9 # - https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 # > The MpsSvc service host much more functionality than just windows firewall. For instance, Windows # Service hardening which is a windows protection of system services. It also host network isolatio # which is a crucial part of the confidence model for Windows Store based applications. 3rd party firewalls # know this fact and instead of disabling the firewall service they coordinate through public APIs with Windows # Firewall so that they can have ownership of the firewall policies of the computer. Hence you do not have to do # anything special once you install a 3rd party security product. # Source: https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ # ❗️ Breaks: `netsh advfirewall set` # Disabling and stopping it breaks "netsh advfirewall set" commands such as # `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`. # More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: MpsSvc # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc").Start defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual - function: RenameSystemFile parameters: filePath: '%WinDir%\system32\mpssvc.dll' - name: Disable Firewall through command-line utility # ❗️ Following must be enabled and in running state: # - mpsdrv (Windows Defender Firewall Authorization Driver) # - bfe (Base Filtering Engine) # - mpssvc (Windows Defender Firewall) # If the dependent services are not running, the script fails with: # "An error occurred while attempting to contact the Windows Defender Firewall service. Make sure that the service is running and try your request again." # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc docs: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: function: RunPowerShell parameters: code: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state off 2>&1 if($?) { Write-Host "Successfully disabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' } else { throw "Cannot disable: $message" } } revertCode: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state on 2>&1 if($?) { Write-Host "Successfully enabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' } else { throw "Cannot enable: $message" } } - name: Disable Firewall through registry # Lower-level, good in case command-line utility is not available/functioning docs: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 code: |- :: Policy based reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f :: Non-policy based reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f # When reverting HKLM\SOFTWARE\Policies profiles are deleted as they are not included in clean installation # On the other hand "StandardProfile", "DomainProfile" and "PublicProfile" exists HKLM\SYSTEM\CurrentControlSet # so they're not deleted but set to default state revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy :: Policy based reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /f 2>nul :: Non-policy based reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - name: Hide the "Firewall and network protection" area from Windows Defender Security Center docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FirewallNetworkProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul - name: Disable Microsoft Defender Antivirus # Depreciated since Windows 10 version 1903 docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul - category: Disable Defender features # Status: Get-MpPreference children: - category: Disable Windows Defender Antivirus cloud protection service docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus # Also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet children: - category: Disable cloud protection service features children: - name: Turn off block at first sight docs: # What is block at first sight? How does it work? How to turn on/off? - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul - name: Set maximum time possible for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /f 2>nul - name: Set lowest possible cloud protection level # Requires "Join Microsoft MAPS" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul - name: Disable receiving notifications to disable security intelligence # Requires "Join Microsoft MAPS" docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul - category: Disable Defender cloud export for analysis children: - name: Turn off Windows Defender SpyNet reporting recommend: strict docs: - https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713 # Manage with registry policy - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting # Managing with MDM policy - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#mapsreporting call: # 0: Disabled, 1: Basic, 2: Advanced (default) - function: SetMpPreference parameters: property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting value: "'0'" # Set: Set-MpPreference -Force -MAPSReporting 0 default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /f 2>nul - name: Do not send file samples for further analysis recommend: strict docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent call: # 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically' - function: SetMpPreference parameters: property: SubmitSamplesConsent # Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2 default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 1 (OS default) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /f 2>nul - name: Disable Malicious Software Reporting tool diagnostic data recommend: strict docs: https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul - name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS" recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul - name: Disable the Potentially Unwanted Application (PUA) feature # Already disabled as default docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - function: RunInlineCode parameters: code: |- :: For legacy versions: Windows 10 v1809 and Windows Server 2019 reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f :: For newer Windows versions reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f revertCode: |- :: For legacy versions: Windows 10 v1809 and Windows Server 2019 reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /f 2>nul :: For newer Windows versions reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul - name: Turn off tamper protection # Added in Windows 10, version 1903 docs: - https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10 - https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-tamperprotection call: - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) # ❌ Fails with "ERROR: Access is denied." in Windows 11 21H2 | ✅ Works in Windows 10 >= 20H2 parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /f 2>nul - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /f 2>nul - name: Disable file hash computation feature # Added in Windows 10, version 2004 docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul - category: Disable Windows Defender Exploit Guard docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ children: - name: Disable prevention of users and apps from accessing dangerous websites docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul - name: Disable Controlled folder access docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f 2>nul - category: Disable Network Inspection System features children: - name: Disable protocol recognition docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /f 2>nul - name: Disable definition retirement docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul - name: Limit detection events rate to minimum docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /f 2>nul - category: Disable Real-Time protection children: - name: Disable real-time monitoring docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring call: # Enabled by default (DisableRealtimeMonitoring is false) - function: SetMpPreference parameters: property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /f 2>nul - name: Disable Intrusion Prevention System (IPS) docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem call: - function: SetMpPreference parameters: property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True # ❌ Windows 11 and Windows 10: Does not fail but does not change the value default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /f 2>nul - name: Disable Information Protection Control (IPC) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /f 2>nul - category: Disable Defender monitoring of behavior children: - name: Disable behavior monitoring docs: - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring call: - function: SetMpPreference parameters: property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /f 2>nul - name: Disable sending raw write notifications to behavior monitoring docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /f 2>nul - category: Disable Defender monitoring of downloaded files and attachments children: - name: Disable scanning for all downloaded files and attachments docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection call: - function: SetMpPreference parameters: property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /f 2>nul - name: Disable scanning files bigger than 1 KB (minimum possible) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul - category: Disable Defender monitoring of file and program activity children: - name: Disable monitoring file and program activity docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul - name: Disable bidirectional scanning of incoming and outgoing file and program activity docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection call: # 0='Both': bi-directional (full on-access, default) # 1='Incoming': scan only incoming (disable on-open) # 2='Outcoming': scan only outgoing (disable on-close) - function: SetMpPreference parameters: property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul - name: Disable process scanning on real-time protection docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /f 2>nul - category: Disable Defender remediation children: - name: Disable routine remediation docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#admx-microsoftdefenderantivirus-disableroutinelytakingaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul - name: Disable running scheduled auto-remediation docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday call: # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 - name: Disable remediation actions docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 call: # Not using ThreatIdDefaultAction as it requires known threat IDs - function: SetMpPreference # https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction parameters: property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value): # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 # Default: 0 (none) # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` # works on both Windows 10 and Windows 11 - function: RunInlineCode parameters: code: |- reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f :: 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition) reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f revertCode: |- reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul - name: Auto-purge items from Quarantine folder docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay call: # Values: # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 # Minimum: 1 # 0 means indefinitely - function: SetMpPreference parameters: property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /f 2>nul - name: Disable always running antimalware service docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul # - Too good to disable, also no reported privacy issues # category: Disable Windows Defender Device Guard and Credential Guard # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 # children: # - # name: Disable LSA protection (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection # - https://itm4n.github.io/lsass-runasppl/ # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # code: |- # reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f # reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f # revertCode: |- # Already disabled by default, so just delete the keys # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f 2>nul # reg delete "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /f 2>nul # - # name: Disable virtualization-based security (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity # code: |- # :: Virtualization features # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul # :: Lock # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul # :: HypervisorEnforcedCodeIntegrity # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f 2>nul # revertCode: |- # :: Virtualization features # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul # :: Lock # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul # :: HypervisorEnforcedCodeIntegrity # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul # - # name: Disable System Guard Secure Launch # docs: # - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch # code: |- # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 2 /f # reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 0 /f # revertCode: |- # reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /f 2>nul # - # name: Disable Windows Defender Application Control Code Integrity Policy # docs: # - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # code: |- # del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 0 /f # revertCode: |- # reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /v "Enabled" /f 2>nul - name: Disable auto-exclusions docs: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions call: - function: SetMpPreference parameters: property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False setDefaultOnWindows11: true # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /f 2>nul - category: Disable Defender scans children: - category: Disable scan actions children: - name: Disable checking for signatures before scan # Default configuration docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan call: - function: SetMpPreference parameters: property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - function: RunInlineCode parameters: # Default: Does not exist code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul - name: Disable creating system restore point on a daily basis # Default behavior docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint call: - function: SetMpPreference parameters: property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul - name: Set minimum time for keeping files in scan history folder docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay call: # Default is 15, minimum is 0 which means never removing items - function: SetMpPreference parameters: property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /f 2>nul - category: Disable catch-up scans children: - name: Set maximum days before a catch-up scan is forced docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup # Default and minumum is 2, maximum is 20 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /f 2>nul - name: Disable catch-up full scans # Disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan call: - function: SetMpPreference parameters: property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul - name: Disable catch-up quick scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan call: - function: SetMpPreference parameters: property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul - category: Turn off scan options children: - name: Disable scan heuristics docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul - category: Limit CPU usage during scans children: - name: Limit CPU usage during scans to minimum docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor call: # Default: 50, minimum 1 - function: SetMpPreference parameters: property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul - name: Limit CPU usage during idle scans to minumum docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul - name: Disable scanning when not idle # Default OS setting docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled call: - function: SetMpPreference parameters: property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul - name: Disable scheduled On Demand anti malware scanner (MRT) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /f 2>nul - category: Limit scanned areas children: - name: Disable e-mail scanning # Disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning call: - function: SetMpPreference parameters: property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /f 2>nul - name: Disable script scanning docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning call: function: SetMpPreference parameters: property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False - name: Disable reparse point scanning docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul - name: Disable scanning on mapped network drives on full-scan docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul - function: SetMpPreference parameters: property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True - name: Disable scanning network files docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul - function: SetMpPreference parameters: property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False - name: Disable scanning packed executables docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /f 2>nul - category: Disable scanning archive files children: - name: Disable scanning archive files docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul - function: SetMpPreference parameters: property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False - name: Limit depth for scanning archive files to minimum docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul - name: Limit file size for archive files to be scanned to minimum docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul - name: Disable scanning removable drives docs: # Disabled by default - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul - function: SetMpPreference parameters: property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True - category: Disable auto-scans children: - name: Disable scheduled scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday call: # Options are: # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' - name: Disable randomizing scheduled task times docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul - function: SetMpPreference parameters: property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True - name: Disable scheduled full-scans docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters call: # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul - function: SetMpPreference parameters: property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' setDefaultOnWindows11: true # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 - name: Limit how many times quick scans run per day docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul - name: Disable scanning after security intelligence (signature) update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul - category: Limit Defender updates children: - category: Disable Defender Security Intelligence (signature) updates children: - name: Disable forced security intelligence (signature) updates from Microsoft Update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /f 2>nul - name: Disable security intelligence (signature) updates when running on battery power docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul - name: Disable checking for the latest virus and spyware security intelligence (signature) on startup docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /f 2>nul - name: Disable catch-up security intelligence (signature) updates # default is one day docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval call: # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul - function: SetMpPreference parameters: property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0' default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' - name: Limit spyware security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when spyware security intelligence (signature) is considered up-to-dates docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul - name: Limit virus security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when virus security intelligence (signature) is considered up-to-date docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /f 2>nul - name: Disable security intelligence (signature) update on startup docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul - function: SetMpPreference parameters: property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False - name: Disable automatically checking security intelligence (signature) updates # Already disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday call: # Options: # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' - name: Limit update checks for security intelligence (signature) updates docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval call: # Valid values range from 1 (every hour) to 24 (once per day). # If not specified (0), parameter, Windows Defender checks at the default interval - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul - function: SetMpPreference parameters: property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24' default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0' - category: Disable alternate definition updates children: - name: Disable definition updates through both WSUS and the Microsoft Malware Protection Center docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul - name: Disable definition updates through both WSUS and Windows Update docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul - name: Limit Defender updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - name: Limit Defender engine updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad' # Valid values: # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" - name: Limit Defender platform updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' # Valid values: # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" - name: Limit Defender definition updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) function: SetMpPreference parameters: property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel # Its former name was "SignaturesUpdatesChannel" value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' # 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - category: Disable Windows Defender reporting children: - name: Disable Windows Defender logging code: |- reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f revertCode: |- # 1 as default in registry reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f - name: Disable ETW Provider of Windows Defender (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-views code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f revertCode: |- # 1 as default in registry reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f - name: Do not send Watson events # Deprecated since February 2015 update http://support.microsoft.com/kb/3036437 docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul - name: Send minimum Windows software trace preprocessor (WPP Software Tracing) levels docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /f 2>nul - name: Disable auditing events in Microsoft Defender Application Guard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview code: reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul - category: Remove Defender from UI children: - name: Hide Windows Defender Security Center icon docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f 2>nul - name: Remove "Scan with Windows Defender" option from context menu docs: - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/ - https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html code: |- reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f 2>nul reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul revertCode: |- reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f reg add "HKCR\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f - name: Remove Windows Defender Security Center from taskbar docs: https://www.alfintechcomputer.com/what-is-securityhealthsystray-exe-windows-security-notification-icon/ code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809 revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f - category: Hide Defender UI children: - name: Enable headless UI mode docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul - name: Restrict threat history to administrators docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode call: - function: SetMpPreference parameters: property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul - category: Hide areas in Windows Defender Security Center children: - name: Hide the "Virus and threat protection" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul - name: Hide the "Ransomware data recovery" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul - name: Hide the "Family options" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul - name: Hide the "Device performance and health" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul - name: Hide the "Account protection" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul - name: Hide the "App and browser protection" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul - category: Hide the Device security areas children: - name: Hide the Device security area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul - name: Disable the Clear TPM button docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul - name: Disable the Secure boot area button docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul - name: Hide the Security processor (TPM) troubleshooter page docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul - name: Hide the TPM Firmware Update recommendation docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul - category: Hide Windows Defender notifications children: - category: Hide Windows Defender Security Center notifications docs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications children: - name: Hide all notifications docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disablenotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul - name: Hide non-critical notifications docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disableenhancednotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul - name: Disable Windows Action Center security and maintenance notifications # For Windows 10 build 1607 and above docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f 2>nul - name: Disable all Windows Defender Antivirus notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress code: |- reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul reg delete "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul - name: Suppress reboot notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul - category: Disable OS components for Defender # Hackers way of disabling Defender children: - category: Disable Defender tasks children: - name: Disable Windows Defender ExploitGuard task docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ code: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable - name: Disable Windows Defender Cache Maintenance task # Cache Maintenance is the storage for temporary files that are being either quarantined by Windows Defender # or being checked. Running this will clear the Cache. docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable - name: Disable Windows Defender Cleanup task docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae # Periodic cleanup task # Clears up files that are not needed anymore by Windows Defender. code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable - name: Disable Windows Defender Scheduled Scan task # Does not exist in Windows 11 docs: - https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d - https://winbuzzer.com/2020/05/26/windows-defender-how-to-perform-a-scheduled-scan-in-windows-10-xcxwbt/ code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable 2>nul - name: Disable Windows Defender Verification task # Check if there are any problems with your Windows Defender like in updates, system files, etc,. # Creates daily restore points docs: - https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae - https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 - https://www.windowsphoneinfo.com/threads/same-problems-with-windows-defender-verification-and-scan-tasks.121489/#Same_problems_with_Windows_Defender_Verification_and_Scan_Tasks code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable - category: Disable Defender services and drivers # Normally users can disable services on GUI or using commands like "sc config" # However Defender services are protected with different ways # 1. Some cannot be disabled (access error) normally but only with DisableServiceInRegistry # 2. Some cannot be disabled even using DisableServiceInRegistry, must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller children: - name: Disable Windows Defender Antivirus service # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` docs: http://batcmd.com/windows/10/services/windefend/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WinDefend" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f & sc start "WinDefend" >nul 2>&1 # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%ProgramFiles%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - category: Disable kernel-level Windows Defender drivers children: # - Skipping wdnsfltr "Windows Defender Network Stream Filter Driver" as it's Windows 1709 only - name: Disable Microsoft Defender Antivirus Network Inspection System Driver service docs: http://batcmd.com/windows/10/services/wdnisdrv/ call: - function: RunInlineCodeAsTrustedInstaller parameters: # "net stop" is used to stop dependend services as well, "sc stop" fails code: net stop "WdNisDrv" /yes >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "3" /f & sc start "WdNisDrv" >nul - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\WdNisDrv.sys' # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdNisDrv.sys' - name: Disable Microsoft Defender Antivirus Mini-Filter Driver service docs: - https://www.n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - http://batcmd.com/windows/10/services/wdfilter/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdFilter" >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdFilter" >nul - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\WdFilter.sys' # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdFilter.sys' - name: Disable Microsoft Defender Antivirus Boot Driver service docs: http://batcmd.com/windows/10/services/wdboot/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdBoot" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdBoot" >nul 2>&1 - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\WdBoot.sys' # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdBoot.sys' - name: Disable Microsoft Defender Antivirus Network Inspection service docs: - http://batcmd.com/windows/10/services/wdnissvc/ - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdNisSvc" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f & sc start "WdNisSvc" >nul 2>&1 # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%ProgramFiles%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... - name: Disable Windows Defender Advanced Threat Protection Service service docs: http://batcmd.com/windows/10/services/sense/ call: - function: RunInlineCodeAsTrustedInstaller # We must disable it on registry level, "Access is denied" for sc config parameters: code: sc stop "Sense" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "3" /f & sc start "Sense" >nul 2>&1 # Alowed values: Boot | System | Automatic | Manual - function: RenameSystemFile parameters: filePath: '%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe' - name: Disable Windows Defender Security Center Service docs: http://batcmd.com/windows/10/services/securityhealthservice/ call: - # Windows 10: # ❌ Cannot disable through sc config as Administrator; throws "Access is denied" # ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works # ✅ Can disable using registry as TrustedInstaller # Windows 11: # ❌ Cannot disable through sc config as administrator; throws "Access is denied" # ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed." # ✅ Can disable using registry as TrustedInstaller function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "SecurityHealthService" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 3 /f & sc start "SecurityHealthService" >nul 2>&1 - function: RenameSystemFile parameters: filePath: '%WinDir%\system32\SecurityHealthService.exe' - category: Disable SmartScreen docs: - https://en.wikipedia.org/wiki/Microsoft_SmartScreen - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview children: - category: Disable SmartScreen for apps and files children: - name: Disable SmartScreen for apps and files docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /f 2>nul - name: Disable SmartScreen in file explorer docs: - https://winaero.com/change-windows-smartscreen-settings-windows-10/ - https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul - name: Disable SmartScreen preventing users from running applications docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /f 2>nul - category: Disable SmartScreen in Microsoft browsers children: - name: Prevent Chromium Edge SmartScreen from blocking potentially unwanted apps docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /f 2>nul - name: Disable SmartScreen in Edge docs: - https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ # Privacy concerns - https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen - https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreen-settings - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713 - https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f :: For Microsoft Edge version 77 or later reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul :: For Microsoft Edge version 77 or later reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /f 2>nul - name: Disable SmartScreen in Internet Explorer docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 code: reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /f 2>nul - category: Disable SmartScreen for Windows Store apps children: - name: Turn off SmartScreen App Install Control feature docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen code: |- reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f revertCode: |- reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul - name: Turn off SmartScreen to check web content (URLs) that apps use docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul - name: Disable automatic updates docs: - https://docs.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152 - http://batcmd.com/windows/10/services/usosvc/ call: - function: RunInlineCode parameters: code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "3" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul - function: DisableService parameters: serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - category: Configure handling of downloaded files docs: |- These scripts configures Attachment Manager included in Windows that that takes further actions for files that you receive or download such as storing classification metadata and notfying other software [1]. [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" children: - name: Prevent saving zone information in downloaded files docs: |- This script disables marking file attachments by using their zone information. The default behavior is for Windows to mark file attachments with their zone information [1]. The zone information of the origin describe whether the file was downloaded from internet, intranet, local, or restricted zone [1]. It is used by Attachment Manager that is included in Windows to help protect the computer from unsafe attachments that can be recieved with e-mail message or downloaded from Internet [2]. If the Attachment Manager identifies an attachment that might be unsafe, it prevents you from opening the file, or it warns you before you open the file [2]. Preventing this information to be saved: - Increases privacy by no longer leaking information of source. - Decreases security by preventing Windows to determine risks and take risk-based actions [1]. By not preserving the zone information, Windows cannot make proper risk assessments [3]. Disabling it has **Significant** criticality as the configuration introduces additional attack surface according to US government [4]. The Attachment Manager feature warns users when opening or executing files which are marked as being from an untrusted source, unless/until the file's zone information has been removed via the "Unblock" button on the file's properties or via a separate tool such as [Microsoft Sysinternals Streams](https://docs.microsoft.com/en-us/sysinternals/downloads/streams) [4]. It is configured using `SaveZoneInformation` value in `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4]. The value is this setting is confusing, according to Microsoft documentation `1` turns it on [2] [3], `2` turns it off [2] [3]. However, according to STIG V-63841, `1` disables saving zone information and `2` enables it [3]. According to my tests, the STIG interprets it right and `1` disables this function off. In clean Windows 10 and 11 installations, this key by default is missing for both `HKCU` and `HKLM`. [1]: https://www.stigviewer.com/stig/windows_10/2019-09-25/finding/V-63841 "Zone information must be preserved when saving attachments. | stigviewer.com" [2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_MarkZoneOnSavedAtttachments "Do not preserve zone information in file attachments | admx.help" [4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /f 2>nul - name: Prevent notifying antivirus programs of downloaded files docs: |- Prevents Windows from calling the registered antivirus programs when file attachments are opened [1] [2]. Windows registered antivirus programs for downloaded files from Internet or through e-mail attachments [1]. If multiple programs are registered, they will all be notified [1] [3]. This is disabled by default, so even if you do not configure run this script, Windows does not call the registered antivirus programs when file attachments are opened [1]. If it is enabled, Windows blocks file from being opened when antivirus program fails [1]. It is the recommended setting by Microsoft [1]. Preventing calling antivirus: - Increases privacy by not sharing your file data proactively with installed antiviruses. - Decreases by detecting and mitigating potential malicious software. Disabling it has **Moderate** criticality as it is not an appropriate antivirus configuration according to US government [4]. An updated antivirus program must be installed for this policy setting to function properly [4]. It is configured using `ScanWithAntiVirus` value in `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4]. `3` enables the scans [1] [2] [3], `1` disables it [1] [3], and `2` leaves it optional [1]. In clean Windows 10 and 11 installations, this key by default comes with `3` value in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus`, and key is missing for `HKCU`. [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" [2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help" [4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "3" /f - category: UI for privacy children: - name: Disable lock screen app notifications recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687 - category: Disable online content in explorer children: - name: Disable online tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f - name: Turn off Internet File Association service recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f - name: Turn off the "Order Prints" picture task recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2 - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f - name: Disable the file and folder Publish to Web option recommend: standard docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f - name: Prevent downloading a list of providers for wizards recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f - category: Recent documents children: - name: Do not keep history of recently opened documents recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f - name: Clear history of recently opened documents on exit recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 01 /f - name: Disable Live Tiles push notifications recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f - name: Turn off "Look For An App In The Store" option recommend: standard docs: - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f - name: Do not show recently used files in Quick Access recommend: strict docs: - https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent - https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5 - https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node code: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t "REG_DWORD" /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f ) revertCode: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d "1" /t "REG_DWORD" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f ) - name: Disable Sync Provider Notifications code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f - name: Turn hibernate off to disable sleep for quick start docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/compact-os#ram-pagefilesys-and-hiberfilsys code: powercfg -h off revertCode: powercfg -h on - name: Enable camera on/off OSD notifications docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled - https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5 - https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /d 1 /t REG_DWORD /f revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f - category: Hide from This PC and Browse in dialog boxes children: - name: 3D Objects code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Desktop code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Documents code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Downloads code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Movies code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Music code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Pictures code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - category: Disable OS services children: - name: Delivery Optimization (P2P Windows Updates) recommend: standard docs: # Delivery Optimization is a cloud-managed solution to offer Windows updates through # other users' network (peer-to-peer). - https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization # Delivery Optimization service performs content delivery optimization tasks. - http://batcmd.com/windows/10/services/dosvc/ # Connects to various Microsoft service endpoints to get metadata, policies, content, device information # and information of other peers (Windows users). - https://docs.microsoft.com/en-us/windows/deployment/update/delivery-optimization-workflow call: function: DisableServiceInRegistry # Using registry way because because other options such as "sc config" or # "Set-Service" returns "Access is denied" since Windows 10 1809. parameters: serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Microsoft Account Sign-in Assistant (breaks Microsoft Store and Microsoft Account sign-in) recommend: strict docs: # **Summary** # This script gives you more privacy by preventing OS access to Azure AD to store your personal # and computer information that can be used to identify you and your computer. # However it breaks many OS features so you should make a decision based on how you'd like to use # your Windows. You can also apply and revert it once you need the broken functionality. # **Service** # This service communicates with Microsoft Account cloud authentication service # Many apps and system components that depend on Microsoft Account authentication may lose functionality. - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account # It includes following description: # > Enables user sign-in through Microsoft account identity services. # > If this service is stopped, users will not be able to logon to the computer with their Microsoft account. # Microsoft states it's OK to disable - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#microsoft-account-sign-in-assistant # Formerly it was known as "Microsoft Windows Live ID Service" # And used only for applications like Office and Windows Live Messenger - https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ # It's part of OS and used for Microsoft account (MSA) that's used to identify your computer - https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual#required-endpoints - https://docs.microsoft.com/en-us/troubleshoot/mem/intune/windows-feature-updates-never-offered # **Breaks** # ❗️ Breaks Azure AD sign-in # It may enrollment scenarios that rely on users to complete the enrollment. # E.g. typically, users are shown an Azure AD sign in window. # When set to Disable, the Azure AD sign in option may not show. # Instead, users are asked to accept the EULA, and create a local account, which may not be what you want. - https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#cloud-and-storage - https://docs.microsoft.com/en-us/mem/autopilot/pre-provision#user-flow # ❗️ Breaks Windows Autopilot - https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot # This service is required by Windows Autopilot to obtain the Windows Autopilot profile - https://docs.microsoft.com/en-us/mem/autopilot/policy-conflicts # ❗️ Breaks Microsoft Store # On Windows 11 it fails with `PUR-AuthenticationFailure v3ZtcNH7IECS00iL.36.1`` # On Windows 10 it fails with `0x800706d9` and `0x800704cf`` - https://github.com/undergroundwires/privacy.sexy/issues/100 # ❗️ Breaks feature updates (but other features are still offered) # Because it breaks Subscription Activation feature (license authentication) - https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates - https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant # Feature updates are released annually. Feature updates add new features and functionality to Windows. # Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. - https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates call: function: DisableService parameters: serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Program Compatibility Assistant Service recommend: standard docs: http://batcmd.com/windows/10/services/pcasvc/ call: function: DisableService parameters: serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Downloaded Maps Manager recommend: standard docs: http://batcmd.com/windows/10/services/mapsbroker/ call: function: DisableService parameters: serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Microsoft Retail Demo experience recommend: standard docs: http://batcmd.com/windows/10/services/retaildemo/ call: function: DisableService parameters: serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Mail, contact, calendar and user data synchronization children: - name: User Data Storage (UnistoreSvc) Service docs: http://batcmd.com/windows/10/services/unistoresvc/ recommend: strict call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start serviceName: UnistoreSvc defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - name: Sync Host (OneSyncSvc) Service Service docs: http://batcmd.com/windows/10/services/onesyncsvc/ recommend: strict call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start serviceName: OneSyncSvc defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual - name: Contact data indexing docs: http://batcmd.com/windows/10/services/pimindexmaintenancesvc/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_*").Start serviceName: PimIndexMaintenanceSvc defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - name: App user data access docs: http://batcmd.com/windows/10/services/userdatasvc/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start serviceName: UserDataSvc defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - name: Text messaging docs: http://batcmd.com/windows/10/services/messagingservice/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start serviceName: MessagingService defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - name: Windows Push Notification Service (breaks network settings view on Windows 10) recommend: strict docs: # It enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. # In the URL below you can read more about how it communicates with other sources. - https://docs.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview # Hosts Windows notification platform, which provides support for local and push notifications. # According the uncited Wikipedia article, it bypasses VPN and connects directly to Microsoft. # It reveals real IP address of the host which circumvents the anonymity provided by VPN. - https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue # System-wide service: - http://batcmd.com/windows/10/services/wpnservice/ # Per-user service: - http://batcmd.com/windows/10/services/wpnuserservice/ # Disabling system-wide user service "WpnUserService" breaks accessing access network settings on Windows 10. # It works fine on Windows 11. - https://github.com/undergroundwires/privacy.sexy/issues/110 call: - function: ShowWarning parameters: message: Disabling Network settings on Windows 10 is known to break Network settings. ignoreWindows11: true - # Windows Push Notifications System Service function: DisableService parameters: serviceName: WpnService # Check: (Get-Service -Name 'WpnService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - # Windows Push Notifications User Service function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService_*").Start serviceName: WpnUserService defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual - category: Disable Xbox services children: - name: Xbox Live Auth Manager recommend: standard call: function: DisableService parameters: serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Xbox Live Game Save recommend: standard call: function: DisableService parameters: serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Xbox Live Networking Service recommend: standard call: function: DisableService parameters: serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Volume Shadow Copy Service (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC recommend: strict docs: - https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service - https://www.schneier.com/blog/archives/2009/12/the_security_im.html call: function: DisableService parameters: serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable NetBios for all interfaces docs: - https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ - https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5f3c095-1ad2-4963-b075-787f800b81f2/ call: function: RunPowerShell parameters: code: |- $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces' Get-ChildItem $key | ForEach { Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose } revertCode: |- $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces' Get-ChildItem $key | ForEach { Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose } - category: Remove bloatware children: - category: Uninstall Windows store apps docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 children: - category: Uninstall provisioned Windows apps docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#provisioned-windows-apps children: - name: App Connector app recommend: strict docs: https://superuser.com/a/1003226 call: function: UninstallStoreApp parameters: packageName: Microsoft.Appconnector # Discontinued after Windows 10 1511 - category: Uninstall 3D modeling apps children: - name: Microsoft 3D Builder app docs: https://www.microsoft.com/en-us/p/3d-builder/9wzdncrfj3t6 call: function: UninstallStoreApp parameters: packageName: Microsoft.3DBuilder - name: 3D Viewer app docs: https://www.microsoft.com/en-us/p/3d-viewer/9nblggh42ths call: function: UninstallStoreApp parameters: packageName: Microsoft.Microsoft3DViewer - category: Uninstall MSN (Bing) apps children: - name: MSN Weather app docs: https://www.microsoft.com/en-us/p/msn-weather/9wzdncrfj3q2 recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.BingWeather - name: MSN Sports app recommend: standard docs: https://www.microsoft.com/en-us/p/msn-sports/9wzdncrfhvh4 call: function: UninstallStoreApp parameters: packageName: Microsoft.BingSports - name: MSN News app recommend: standard docs: https://www.microsoft.com/en-us/p/microsoft-news/9wzdncrfhvfw call: function: UninstallStoreApp parameters: packageName: Microsoft.BingNews - name: MSN Money app recommend: standard docs: https://www.microsoft.com/en-us/p/msn-money/9wzdncrfhv4v call: function: UninstallStoreApp parameters: packageName: Microsoft.BingFinance - name: Uninstall Cortana app recommend: standard docs: https://www.microsoft.com/en-us/p/msn-money/9wzdncrfhv4v call: function: UninstallStoreApp parameters: packageName: Microsoft.549981C3F5F10 - name: App Installer app docs: https://www.microsoft.com/en-us/p/app-installer/9nblggh4nns1 call: function: UninstallStoreApp parameters: packageName: Microsoft.DesktopAppInstaller - name: Get Help app docs: https://www.microsoft.com/en-us/p/get-help/9nblgggzhtbj call: function: UninstallStoreApp parameters: packageName: Microsoft.GetHelp - name: Microsoft Tips app docs: https://www.microsoft.com/en-us/p/microsoft-tips/9wzdncrdtbjj call: function: UninstallStoreApp parameters: packageName: Microsoft.Getstarted - category: Extensions children: - name: HEIF Image Extensions app docs: https://www.microsoft.com/en-us/p/heif-image-extensions/9pmmsr1cgpwg call: function: UninstallStoreApp parameters: packageName: Microsoft.HEIFImageExtension - name: VP9 Video Extensions app docs: https://www.microsoft.com/en-us/p/vp9-video-extensions/9n4d0msmp0pt call: function: UninstallStoreApp parameters: packageName: Microsoft.VP9VideoExtensions - name: Web Media Extensions app docs: https://www.microsoft.com/en-us/p/web-media-extensions/9n5tdp8vcmhs call: function: UninstallStoreApp parameters: packageName: Microsoft.WebMediaExtensions - name: Webp Image Extensions app docs: https://www.microsoft.com/en-us/p/webp-image-extensions/9pg2dk419drg call: function: UninstallStoreApp parameters: packageName: Microsoft.WebpImageExtension - name: Microsoft Messaging app docs: https://www.microsoft.com/en-us/p/microsoft-messaging/9wzdncrfjbq6 call: function: UninstallStoreApp parameters: packageName: Microsoft.Messaging - name: Mixed Reality Portal app docs: https://www.microsoft.com/en-us/p/mixed-reality-portal/9ng1h8b3zc7m call: function: UninstallStoreApp parameters: packageName: Microsoft.MixedReality.Portal - category: Uninstall Microsoft Office apps children: - name: My Office app recommend: standard docs: https://www.microsoft.com/en-us/p/my-office-app/9n8vd0f315mh call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftOfficeHub - name: OneNote app docs: https://www.microsoft.com/en-us/p/onenote-for-windows-10/9wzdncrfhvjl call: function: UninstallStoreApp parameters: packageName: Microsoft.Office.OneNote - name: Sway app docs: https://www.microsoft.com/en-us/p/sway/9wzdncrd2g0j call: function: UninstallStoreApp parameters: packageName: Microsoft.Office.Sway - name: Feedback Hub app recommend: standard docs: https://www.microsoft.com/en-us/p/feedback-hub/9nblggh4r32n call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsFeedbackHub - name: Windows Alarms and Clock app docs: https://www.microsoft.com/en-us/p/windows-alarms-clock/9wzdncrfj3pr call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsAlarms - name: Windows Camera app docs: https://www.microsoft.com/en-us/p/windows-camera/9wzdncrfjbbg call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsCamera - name: Paint 3D app docs: https://www.microsoft.com/en-us/p/paint-3d/9nblggh5fv99 call: function: UninstallStoreApp parameters: packageName: Microsoft.MSPaint - name: Windows Maps app recommend: standard docs: https://www.microsoft.com/en-us/p/windows-maps/9wzdncrdtbvb call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsMaps - name: Minecraft for Windows 10 app docs: https://www.microsoft.com/en-us/p/minecraft-for-windows-10/9nblggh2jhxj call: function: UninstallStoreApp parameters: packageName: Microsoft.MinecraftUWP - name: Microsoft Store app call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsStore - name: Microsoft People app docs: https://www.microsoft.com/en-us/p/microsoft-people/9nblggh10pg8 call: function: UninstallStoreApp parameters: packageName: Microsoft.People - name: Microsoft Pay app call: function: UninstallStoreApp parameters: packageName: Microsoft.Wallet - name: Store Purchase app docs: https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps call: function: UninstallStoreApp parameters: packageName: Microsoft.StorePurchaseApp - name: Snip & Sketch app docs: https://www.microsoft.com/en-us/p/snip-sketch/9mz95kl8mr0l call: function: UninstallStoreApp parameters: packageName: Microsoft.ScreenSketch - name: Print 3D app docs: https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s call: function: UninstallStoreApp parameters: packageName: Microsoft.Print3D - name: Mobile Plans app docs: https://www.microsoft.com/en-us/p/mobile-plans/9nblggh5pnb1 call: function: UninstallStoreApp parameters: packageName: Microsoft.OneConnect - name: Microsoft Solitaire Collection app docs: https://www.microsoft.com/en-us/p/microsoft-solitaire-collection/9wzdncrfhwd2 call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftSolitaireCollection - name: Microsoft Sticky Notes app docs: https://www.microsoft.com/en-us/p/microsoft-sticky-notes/9nblggh4qghw call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftStickyNotes - category: Xbox children: - name: Xbox Console Companion app docs: https://www.microsoft.com/en-us/p/xbox-console-companion/9wzdncrfjbd8 recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxApp - name: Xbox Live in-game experience app recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.Xbox.TCUI - name: Xbox Game Bar app docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxGamingOverlay - name: Xbox Game Bar Plugin appcache docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxGameOverlay - name: Xbox Identity Provider app recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxIdentityProvider - name: Xbox Speech To Text Overlay app recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxSpeechToTextOverlay - name: Mail and Calendar app docs: https://www.microsoft.com/en-us/p/mail-and-calendar/9wzdncrfhvqm call: function: UninstallStoreApp parameters: packageName: microsoft.windowscommunicationsapps - category: Zune children: - name: Groove Music app docs: https://www.microsoft.com/en-us/p/groove-music/9wzdncrfj3pt call: function: UninstallStoreApp parameters: packageName: Microsoft.ZuneMusic - name: Movies and TV app docs: https://www.microsoft.com/en-us/p/movies-tv/9wzdncrfj3p2 call: function: UninstallStoreApp parameters: packageName: Microsoft.ZuneVideo - name: Windows Calculator app docs: https://www.microsoft.com/en-us/p/windows-calculator/9wzdncrfhvn5 call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsCalculator - name: Microsoft Photos app docs: https://www.microsoft.com/en-us/p/microsoft-photos/9wzdncrfjbh4 call: function: UninstallStoreApp parameters: packageName: Microsoft.Windows.Photos - name: Skype app docs: https://www.microsoft.com/en-us/p/skype/9wzdncrfj364 call: function: UninstallStoreApp parameters: packageName: Microsoft.SkypeApp - name: GroupMe app docs: https://www.microsoft.com/en-us/p/groupme/9nblggh5z4f2 call: function: UninstallStoreApp parameters: packageName: Microsoft.GroupMe10 - name: Windows Voice Recorder app docs: https://www.microsoft.com/en-us/p/windows-voice-recorder/9wzdncrfhwkn call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsSoundRecorder - category: Phone children: - name: Your Phone Companion app # Depreciated in newer Windows 10 call: - function: UninstallStoreApp parameters: packageName: Microsoft.WindowsPhone - function: UninstallStoreApp parameters: packageName: Microsoft.Windows.Phone - name: Communications - Phone app # Depreciated in newer Windows 10 call: function: UninstallStoreApp parameters: packageName: Microsoft.CommsPhone - name: Your Phone app docs: https://www.microsoft.com/en-us/p/your-phone/9nmpj99vjbwv call: function: UninstallStoreApp parameters: packageName: Microsoft.YourPhone - category: Uninstall installed Windows apps docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#installed-windows-apps children: - name: Microsoft Advertising app recommend: standard docs: - https://docs.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries - https://social.msdn.microsoft.com/Forums/windowsapps/en-US/db8d44cb-1381-47f7-94d3-c6ded3fea36f/microsoft-ad-monetization-platform-shut-down-as-of-june-1st?forum=aiamgr call: function: UninstallStoreApp parameters: packageName: Microsoft.Advertising.Xaml - name: Remote Desktop app docs: https://www.microsoft.com/en-us/p/microsoft-remote-desktop/9wzdncrfj3ps?activetab=pivot:overviewtab call: function: UninstallStoreApp parameters: packageName: Microsoft.RemoteDesktop - name: Network Speed Test app recommend: standard docs: https://www.microsoft.com/en-us/p/network-speed-test/9wzdncrfhx52 call: function: UninstallStoreApp parameters: packageName: Microsoft.NetworkSpeedTest - name: Microsoft To Do app docs: https://www.microsoft.com/en-us/p/microsoft-to-do-lists-tasks-reminders/9nblggh5r558 call: function: UninstallStoreApp parameters: packageName: Microsoft.Todos - category: Third party children: - name: Shazam app # Discontinued https://www.windowscentral.com/shazam-pulls-plug-windows-apps call: function: UninstallStoreApp parameters: packageName: ShazamEntertainmentLtd.Shazam - name: Candy Crush Saga app docs: https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846 call: - function: UninstallStoreApp parameters: packageName: king.com.CandyCrushSaga - function: UninstallStoreApp parameters: packageName: king.com.CandyCrushSodaSaga - name: Flipboard app docs: https://www.microsoft.com/en-us/p/flipboard/9wzdncrfj32q call: function: UninstallStoreApp parameters: packageName: Flipboard.Flipboard - name: Twitter app docs: https://www.microsoft.com/en-us/p/twitter/9wzdncrfj140 call: function: UninstallStoreApp parameters: packageName: 9E2F88E3.Twitter - name: iHeartRadio app docs: https://www.microsoft.com/en-us/p/iheartradio/9wzdncrfj223 call: function: UninstallStoreApp parameters: packageName: ClearChannelRadioDigital.iHeartRadio - name: Duolingo app docs: https://www.microsoft.com/en-us/p/duolingo-learn-languages-for-free/9wzdncrcv5xn call: function: UninstallStoreApp parameters: packageName: D5EA27B7.Duolingo-LearnLanguagesforFree - name: Photoshop Express app docs: https://www.microsoft.com/en-us/p/adobe-photoshop-express-image-editor-adjustments-filters-effects-borders/9wzdncrfj27n call: function: UninstallStoreApp parameters: packageName: AdobeSystemIncorporated.AdobePhotoshop - name: Pandora app docs: https://www.microsoft.com/en-us/p/pandora/9wzdncrfj46v call: function: UninstallStoreApp parameters: packageName: PandoraMediaInc.29680B314EFC2 - name: Eclipse Manager app docs: https://www.microsoft.com/en-us/p/eclipse-manager/9wzdncrdjmh1 call: function: UninstallStoreApp parameters: packageName: 46928bounde.EclipseManager - name: Code Writer app docs: https://www.microsoft.com/en-us/p/code-writer/9wzdncrfhzdt call: function: UninstallStoreApp parameters: packageName: ActiproSoftwareLLC.562882FEEB491 - name: Spotify app docs: https://www.microsoft.com/en-us/p/spotify-music/9ncbcszsjrsb call: function: UninstallStoreApp parameters: packageName: SpotifyAB.SpotifyMusic - category: Uninstall system apps docs: - https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#system-apps - https://github.com/privacysexy-forks/Windows10Debloater/blob/d4ede6d3225e7def087b389c7e8cf6be0d5e2cd7/Windows10Debloater.ps1#L43-L47 children: - name: File Picker app call: function: UninstallSystemApp parameters: packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89 - name: File Explorer app call: function: UninstallSystemApp parameters: packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515 - name: App Resolver UX app call: function: UninstallSystemApp parameters: packageName: E2A4F912-2574-4A75-9BB0-0D023378592B - name: Add Suggested Folders To Library app call: - function: UninstallSystemApp parameters: packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE - function: UninstallSystemApp parameters: packageName: InputApp - name: Microsoft AAD Broker Plugin app (breaks Night Light settings, taskbar keyboard selection and Office app authentication) docs: # Azure Active Directory plugin, is needed for apps using Azure Active Directory authentication. # More about Azure Active Directory: - https://azure.microsoft.com/en-us/services/active-directory/ # ❗️ In some version it breaks selection of keyboard in taskbar. # Clicking on taskbar language selection icon does not show the selection dialog. - https://github.com/undergroundwires/privacy.sexy/issues/24 # ❗️ Uninstalling it breaks Night Light functionality and sign in for Office app.s # Reverting the script and rebooting solves the night light functionality. # About the issue: - https://github.com/undergroundwires/privacy.sexy/issues/54 # More about night light: - https://support.microsoft.com/en-us/windows/set-your-display-for-night-time-in-windows-18fe903a-e0a1-8326-4c68-fd23d7aaf136 # recommend: strict (Unrecommended until better warning mechanism is implemented) call: function: UninstallSystemApp parameters: packageName: Microsoft.AAD.BrokerPlugin # Offical docs point to wrong "Microsoft.AAD.Broker.Plugin" - name: Microsoft Accounts Control app call: function: UninstallSystemApp parameters: packageName: Microsoft.AccountsControl - name: Microsoft Async Text Service app call: function: UninstallSystemApp parameters: packageName: Microsoft.AsyncTextService - category: Windows Hello setup UI children: - name: Bio enrollment app (breaks biometric authentication) docs: https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.BioEnrollment - name: Cred Dialog Host app call: function: UninstallSystemApp parameters: packageName: Microsoft.CredDialogHost - name: EC app call: function: UninstallSystemApp parameters: packageName: Microsoft.ECApp - name: Lock app (shows lock screen) docs: https://www.getwox.com/what-is-lockapp-exe/ call: function: UninstallSystemApp parameters: packageName: Microsoft.LockApp - category: Microsoft Edge children: - name: Microsoft Edge (Legacy) app recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.MicrosoftEdge - name: Microsoft Edge (Legacy) Dev Tools Client app docs: https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.MicrosoftEdgeDevToolsClient - name: Win32 Web View Host app / Desktop App Web Viewer recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.Win32WebViewHost - name: Microsoft PPI Projection app docs: https://en.wikipedia.org/wiki/Perceptive_Pixel recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.PPIProjection - name: ChxApp app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.Apprep.ChxApp - name: Assigned Access Lock App app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.AssignedAccessLockApp - name: Capture Picker app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.CapturePicker - name: Cloud Experience Host app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in) docs: # Allows to connect to corporate domains or Microsoft cloud based services # ❗️ Uninstalling it breaks: # - Sign-in to Windows using Microsoft account (cloud-based sign-in) # https://github.com/undergroundwires/privacy.sexy/issues/99 # https://github.com/undergroundwires/privacy.sexy/issues/64 # - Password and PIN sign-in options in Settings > Sign-in Options # https://github.com/undergroundwires/privacy.sexy/issues/67 # Its functionalites include # - Microsoft accounts # Used to connect Microsoft accounts - https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp - https://answers.microsoft.com/en-us/windows/forum/all/cant-login-to-microsoft-account-because-of-cloud/0861c72d-3621-45bc-bae0-67d13121f526 # - Corporate login # Cloud Experience Host is an application used while joining the workplace environment or # Azure AD for rendering the experience when collecting your company-provided credentials. # Once you enroll your device to your workplace environment or Azure AD, your organization # will be able to manage your PC and collect information about you (including your location). # It might add or remove apps or content, change settings, disable features, prevent you # from removing your company account, or reset your PC. - https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology#cloud-experience-host # - PIN/Biometric/Device authentication # Used for Windows Hello, that allows authentication through device, or a biometric or PIN code # Allows joining a machine to Azure AD or on-premises AD domain - https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning # - OOBE troubleshooting # It also helps to detect blocking errors occurring during OOBE (Out-of-box experience) flow # OOBE consists of a series of screens for license agreement, internet connection, loggining in etc. - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe # More about OOBE - https://docs.microsoft.com/en-us/windows/privacy/required-windows-11-diagnostic-events-and-fields#cloud-experience-host-events # recommend: strict (Unrecommended until better warning mechanism is implemented) call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.CloudExperienceHost - name: Content Delivery Manager app (automatically installs apps) docs: https://www.ghacks.net/2019/12/23/how-to-block-the-automatic-installation-of-suggested-windows-10-apps/ recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.ContentDeliveryManager - category: Uninstall Cortana system apps children: - name: Search app (breaks Windows search) docs: https://thegeekpage.com/searchui-exe-suspended-error/ call: - function: UninstallSystemApp parameters: packageName: Microsoft.Windows.Cortana # Removed since version 2004 - function: UninstallStoreApp parameters: packageName: Microsoft.Windows.Search # Added in version 2004, it was called "Cortana" before now it's plain "Search" - name: Holographic First Run app recommend: standard docs: https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/ call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.Holographic.FirstRun - name: OOBE Network Captive Port app docs: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Offical docs point to wrong "Microsoft.Windows.OOBENetworkCaptivePort" - name: OOBE Network Connection Flow app docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details - https://www.windowscentral.com/windows-10-build-15019-pc-everything-you-need-know call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.OOBENetworkConnectionFlow - name: Windows 10 Family Safety / Parental Controls app recommend: standard docs: https://account.microsoft.com/family/about call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.ParentalControls - category: People Hub children: - name: My People / People Bar App on taskbar (People Experience Host) docs: https://winaero.com/pin-contacts-taskbar-windows-10/ recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.PeopleExperienceHost - name: Pinning Confirmation Dialog app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.PinningConfirmationDialog - name: Windows Security GUI (Sec Health UI) app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.SecHealthUI - name: Secondary Tile Experience app docs: https://docs.microsoft.com/en-us/windows/uwp/design/shell/tiles-and-notifications/secondary-tiles recommend: strict # Individual tiles may track e.g. like Firefox call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.SecondaryTileExperience - name: Secure Assessment Browser app (breaks Microsoft Intune/Graph) recommend: strict docs: https://docs.microsoft.com/en-us/graph/api/resources/intune-deviceconfig-windows10secureassessmentconfiguration?view=graph-rest-1.0 call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.SecureAssessmentBrowser # - # # Not a bloatware, required for different setting windows such as WiFi and battery panes in action bar # name: Start app # call: # function: UninstallSystemApp # parameters: # packageName: Microsoft.Windows.ShellExperienceHost - category: Windows Feedback children: - name: Windows Feedback app recommend: standard call: function: UninstallSystemApp parameters: packageName: Microsoft.WindowsFeedback - name: Xbox Game Callable UI app (breaks Xbox Live games) docs: https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.XboxGameCallableUI - name: CBS Preview app recommend: standard call: function: UninstallSystemApp parameters: packageName: Windows.CBSPreview - name: Contact Support app call: function: UninstallSystemApp parameters: packageName: Windows.ContactSupport # - # # Not a bloatware, required for core OS functinoality # name: Settings app # call: # function: UninstallSystemApp # parameters: # packageName: Windows.immersivecontrolpanel - name: Windows Print 3D app call: function: UninstallSystemApp parameters: packageName: Windows.Print3D - name: Print UI app call: function: UninstallSystemApp parameters: packageName: Windows.PrintDialog - category: Remove OneDrive docs: |- Microsoft OneDrive (formerly SkyDrive) is a file hosting service operated by Microsoft [1]. First launched in August 2007, it enables registered users to share and synchronize their files [1]. Data stored on OneDrive is subject to monitoring by Microsoft [2]. There's been reports of Microsoft accessing and altering your personal files when syncing on OneDrive [3] [4]. Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5]. [1]: https://en.wikipedia.org/wiki/OneDrive "OneDrive | Wikipedia" [2]: https://en.wikipedia.org/w/index.php?title=OneDrive&oldid=1111615560#Privacy_concerns "OneDrive | Privacy concerns | Wikipedia" [3]: https://web.archive.org/web/20191002180755/https://www.intralinks.com/blog/2014/04/microsoft-onedrive-business-can-alter-files-syncs "Microsoft OneDrive for Business can Alter Your Files as It Syncs | Intralinks" [4]: https://thehackernews.com/2014/04/microsoft-onedrive-secretly-modifies.html "Microsoft OneDrive Secretly Modifies your BackUp Files | thehackernews.com" [5]: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" children: - name: Kill OneDrive process recommend: strict docs: |- It stops the execution of OneDrive. Main OneDrive process is `OneDrive.exe` and it is installed in `\Microsoft\OneDrive\OneDrive.exe` [1] [2] [3] [4]. [1]: https://answers.microsoft.com/en-us/windows/forum/all/onedrive-wont-sync-and-wont-uninstall-so-i-can-re/6182d0a5-e7ea-46bb-a058-c0a4fd5e299a "Onedrive wont sync and wont uninstall so I can re-install the latest - Microsoft Community | answers.microsoft.com" [2]: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/9bd33f03-62dd-4c4f-9d29-970c1016f2f9/better-onedrive-detection-method?forum=configmanagerapps "Better OneDrive detection method | social.technet.microsoft.com" [3]: https://social.msdn.microsoft.com/Forums/en-US/072e3577-d0ff-4950-9e0b-40b037853881/starting-and-stopping-sharepoint-library-sync-with-onedrive?forum=sharepointdevelopmentprevious "Starting and stopping SharePoint library sync with OneDrive | social.msdn.microsoft.com" [4]: https://learn.microsoft.com/en-us/answers/questions/473995/onedrive-was-previously-disabled-and-now-i-can39t.html "OneDrive was previously disabled and now I can't enable it with GPO - Microsoft Q&A | learn.microsoft.com" call: function: KillProcess parameters: processName: OneDrive.exe processStartPath: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe' processStartArgs: /background - name: Remove OneDrive from startup recommend: strict docs: |- OneDrive starts on every boot in both Windows 10 and 11. It's started through `OneDrive` `REG_SZ` entry in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` [1]. The startup command is `"\Microsoft\OneDrive\OneDrive.exe" /background` [1]. [1]: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/start-onedrive-when-using-a-remoteapp-in-wvd/m-p/899331 "Re: Start OneDrive when using a RemoteApp in WVD - Page 2 - Microsoft Tech Community | techcommunity.microsoft.com" code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /f 2>nul revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe\" /background" /f - name: Uninstall OneDrive docs: |- This script will call official Microsoft uninstaller that will uninstall the application but residual files will be left. You won't lose data by uninstalling OneDrive from computer because they will be stored in cloud [1]. Running OneDrive client setup package (`OneDriveSetup.exe`) with the `/uninstall` command line switch uninstalls OneDrive [2] [3]. On Windows 10, the setup package is found on different folders (`System32` or `SysWOW64`) based on the CPU architecture [4]. On Windows 11, the setup package is always inside `System32` regarding of the CPU architecture. Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5]. [1]: https://support.microsoft.com/en-us/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0 "Turn off, disable, or uninstall OneDrive | support.microsoft.com" [2]: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016#method-2-uninstall-onedriveexe "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn" [3]: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/lists-and-libraries/cannot-open-onedrive-on-images-using-sysprep#how-to-correctly-deploy-onedrive-via-sysprep "Can't open OneDrive on images using Sysprep - SharePoint | Microsoft Learn" [4]: https://answers.microsoft.com/en-us/windows/forum/all/onedrive-on-windows-11-does-not-appear-in-file/250c679b-9d02-410f-8c8f-41cca112ccfa "OneDrive on Windows 11 - Does Not Appear in File Explorer - Microsoft Community | answers.microsoft.com" [5]: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" recommend: strict code: |- if exist "%SystemRoot%\System32\OneDriveSetup.exe" ( "%SystemRoot%\System32\OneDriveSetup.exe" /uninstall ) else ( if exist "%SystemRoot%\SysWOW64\OneDriveSetup.exe" ( "%SystemRoot%\SysWOW64\OneDriveSetup.exe" /uninstall ) else ( echo Failed to uninstall, uninstaller could not be found. 1>&2 ) ) revertCode: |- if exist "%SystemRoot%\System32\OneDriveSetup.exe" ( "%SystemRoot%\System32\OneDriveSetup.exe" /silent ) else ( if exist "%SystemRoot%\SysWOW64\OneDriveSetup.exe" ( "%SystemRoot%\SysWOW64\OneDriveSetup.exe" /silent ) else ( echo Failed to install, installer could not be found. 1>&2 ) ) - name: Remove OneDrive files recommend: strict docs: |- This script cleans OneDrive files such as installation directories, application data, and temporary files and cache. - `C:\OneDriveCache`: Temporary cache location [1]. - `C:\ProgramData\Microsoft OneDrive`: Program data, used during setup [2] [3], seen on both Windows 10 and 11. - `C:\Users\\Microsoft OneDrive`: OneDrive root directory [4], seen on both Windows 10 and 11. - `C:\Users\\AppData\Local\Microsoft\OneDrive`: OneDrive installation directory [5], seen on both Windows 10 and 11. The folders are reported by the community [1]. [1]: https://social.microsoft.com/Forums/en-US/53263a51-856f-4e64-bc0e-a689d4cc5a8b/release-notes-for-1907-build-29711727413?forum=FSLogix "Release Notes for 1907 - build 2.9.7117.27413 | social.microsoft.com" [2]: https://techcommunity.microsoft.com/t5/sharepoint/onedrive-setup-fails-to-complete/m-p/2072446 "OneDrive setup fails to complete - Microsoft Tech Community" [3]: https://answers.microsoft.com/en-us/msoffice/forum/all/why-does-onedrive-act-as-ransomware/288e5940-b92b-493c-91ff-dafd26279bee "Why does OneDrive act as Ransomware? - Microsoft Community" [4]: https://techcommunity.microsoft.com/t5/onedrive-for-business/change-onedrive-installation-location/m-p/225064 "Change OneDrive installation location - Microsoft Tech Community | techcommunity.microsoft.com" [5]: https://learn.microsoft.com/en-us/sharepoint/install/configure-syncing-with-the-onedrive-sync-app "Configure syncing with the new OneDrive sync app - SharePoint Server | Microsoft Learn | learn.microsoft.com" code: |- :: OneDrive root folder if exist "%UserProfile%\OneDrive" ( rd "%UserProfile%\OneDrive" /q /s ) :: OneDrive installation directory if exist "%LocalAppData%\Microsoft\OneDrive" ( rd "%LocalAppData%\Microsoft\OneDrive" /q /s ) :: OneDrive data if exist "%ProgramData%\Microsoft OneDrive" ( rd "%ProgramData%\Microsoft OneDrive" /q /s ) :: OneDrive cache if exist "%SystemDrive%\OneDriveTemp" ( rd "%SystemDrive%\OneDriveTemp" /q /s ) - name: Delete OneDrive shortcuts recommend: strict docs: |- Even after uninstall or cleaning files there may be shortcuts that links to OneDrive. This script ensures that all the shortcuts are removed from the system. Shortcuts are saved in different locations such as: - `Start Menu\Programs\Microsoft OneDrive.lnk`, `Start Menu\Programs\OneDrive.lnk`, `Links\OneDrive.lnk` [1], - `ServiceProfiles\LocalService` and `ServiceProfiles\NetworkService` [2] Windows 10 and higher requires additional scripts to delete the OneDrive icon from the navigation pane in Windows Explorer [1]. [1]: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive.exe-from-being-advertised-after-install-office-2016 "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn" [2]: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" call: - function: RunInlineCode parameters: code: |- if exist "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk" ( del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk" /s /f /q ) if exist "%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" ( del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" /s /f /q ) if exist "%USERPROFILE%\Links\OneDrive.lnk" ( del "%USERPROFILE%\Links\OneDrive.lnk" /s /f /q ) if exist "%SystemDrive%\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" ( del "%SystemDrive%\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" /s /f /q ) if exist "%SystemDrive%\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" ( del "%SystemDrive%\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" /s /f /q ) - function: RunPowerShell parameters: code: |- Set-Location "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace" Get-ChildItem | ForEach-Object {Get-ItemProperty $_.pspath} | ForEach-Object { $leftnavNodeName = $_."(default)"; if (($leftnavNodeName -eq "OneDrive") -Or ($leftnavNodeName -eq "OneDrive - Personal")) { if (Test-Path $_.pspath) { Write-Host "Deleting $($_.pspath)." Remove-Item $_.pspath; } } } - name: Block OneDrive usage recommend: strict docs: |- This script prevents [1]: - Keeping OneDrive files in sync with the cloud. - Users from automatically uploading photos and videos from the camera roll folder. - Users from accessing OneDrive from the OneDrive app and file picker. - Windows Store apps from accessing OneDrive using the WinRT API. - OneDrive from appearing in the navigation pane in File Explorer. Setting `DisableFileSyncNGSC` group policy prevents OneDrive from working on both Windows 10 and 11 [1] [2]. Windows 8 uses older `DisableFileSync` key [3]. These policies do not exist by default in clean installations. [1]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSync "Prevent the usage of OneDrive for file storage | admx.help" [2]: https://support.microsoft.com/en-us/office/onedrive-won-t-start-0c158fa6-0cd8-4373-98c8-9179e24f10f2 "OneDrive won't start | support.microsoft.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSyncForBlue "Prevent the usage of OneDrive for file storage on Windows 8.1 | admx.help" code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 1 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSync" /f 2>nul - name: Prevent automatic OneDrive installation docs: |- Windows 10 comes with `OneDriveSetup` entry in startup for automatic reinstallations even though OneDrive is uninstalled. This entry is missing in Windows 11 by default. `OneDriveSetup` is registered to reinstall OneDrive and can be removed using registry [1], as recommended by Microsoft for optimizing Windows VDIs [1]. [1]: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" recommend: strict call: function: RunPowerShell parameters: code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f 2>$null revertCode: |- function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } if (Test-IsWindows11) { Write-Host 'Skipping, no action needed on Windows 11.' } else { if([Environment]::Is64BitOperatingSystem) { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f } else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\System32\OneDriveSetup.exe /silent" /f } } - name: Remove OneDrive folder from File Explorer recommend: strict docs: |- File Explorer shows OneDrive to allow you to access files stored in OneDrive (stored online and locally cached) [1]. [CLSID](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm) for OneDrive is `018D5C66-4533-4307-9B53-224DE2ED1FE6` [2] for both Windows 10 and 11. Changing pinning option for this key removed OneDrive from navigation file in File explorer [2]. This CLSID includes `System.IsPinnedToNameSpaceTree` as value as `1` after clean installation in both Windows 10 and Windows 11. [1]: https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com" [2]: https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com" code: |- reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f revertCode: |- reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f - name: Disable OneDrive scheduled tasks docs: |- Scheduled tasks for OneDrive handle maintainence tasks such as auto-updates and data reporting. These tasks are left intact even after successful uninstall. Windows 10 and 11 comes with two tasks named: 1. `OneDrive Standalone Update Task` 2. `OneDrive Reporting Task` Both tasks are enabled by default. They are not documented officially either on Microsoft's website or inside Task Scheduler itself through any description. But one could find these tasks by running: `Get-ScheduledTask 'OneDrive *' | Select -ExpandProperty TaskName`. The tasks are named accordingly: - OneDrive Reporting Task-S-1-5-21-994346235-3805487047-77196597-500 - OneDrive Standalone Update Task-S-1-5-21-994346235-3805487047-77196597-500 - OneDrive Standalone Update Task-S-1-5-21-2040720125-3302134200-1644992326-500 The SID number (after `-`) changes per installation. SID of user accounts always start with `S-1-5-21` [1] so these are users. You can see all user accounts by running `wmic useraccount get Name,sid`, and you will find out that the first SID used belongs to your account (can verify using `whoami /user`). The other SID used does not belong to any user account even though it starts with `S-1-5-21`. It may be caused by `sysprep` behavior where it will use different SID for scheduled tasks to avoid duplication [2]. Third SID is unpredictable but also impossible to disable. Disabling using `schtasks` would result in: `schtasks : ERROR: Catastrophic failure`. You can try using: ```ps1 $tasks=$( Get-ScheduledTask 'OneDrive Reporting Task-*' Get-ScheduledTask 'OneDrive Standalone Update Task-*' ) foreach ($task in $tasks) { $fullPath = $task.TaskPath + $task.TaskName Write-Host "Disabling `"$fullPath`"" schtasks /Change /TN "$fullPath" /DISABLE } ``` Even disabling this using Task Scheduler UI shows "Catastrophic failure (Exception from HRESULT: 0x80000FFF (E_UNEXPECTED))". Disabling tasks with user SID works fine, you can test it using (run as .bat file, not directly on terminal): ```batchfile @echo off for /f "tokens=1,2 delims==" %%s IN ('wmic path win32_useraccount where name^='%username%' get sid /value ^| find /i "SID"') do ( set "User_SID=%%t" ) schtasks /Change /TN "\OneDrive Standalone Update Task-%User_SID%" /DISABLE schtasks /Change /TN "\OneDrive Reporting Task-%User_SID%" /DISABLE ``` Deleting tasks works fine so this script will delete all these tasks instead. [1]: https://renenyffenegger.ch/notes/Windows/security/SID/index "Windows security identifiers (SID) | renenyffenegger.ch" [2]: https://en.wikipedia.org/w/index.php?title=Windows_Task_Scheduler&oldid=1086196699#Bugs "Windows Task Scheduler - Wikipedia | wikipedia.rg" recommend: strict call: function: RunPowerShell parameters: code: |- $tasks=$( Get-ScheduledTask 'OneDrive Reporting Task-*' Get-ScheduledTask 'OneDrive Standalone Update Task-*' ) if($tasks.Length -eq 0) { Write-Host 'Skipping, no OneDrive tasks exists.' } else { Write-Host "Total found OneDrive tasks: $($tasks.Length)." foreach ($task in $tasks) { $fullPath = $task.TaskPath + $task.TaskName Write-Host "Deleting `"$fullPath`"" schtasks /DELETE /TN "$fullPath" /f } } - name: Delete OneDrive environment variable recommend: strict docs: |- Since Windows 10 1809, Microsoft introduced `%OneDrive%` environment variable to reach OneDrive through an alias [1]. This variable is redundant when OneDrive is undesired. This script deletes `OneDrive` environment variable [2]. `OneDrive` key at `HKCU\Environment` is found on both Windows 10 and Windows 11. [1]: https://superuser.com/a/1397495 "Determine OneDrive synchronisation folders - Super User | superuser.com" [2]: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch "Export registry value to file and then set a variable in Batch - Stack Overflow | stackoverflow.com" code: reg delete "HKCU\Environment" /v "OneDrive" /f 2>nul - name: Uninstall Edge (chromium-based) call: function: RunPowerShell parameters: code: |- $installer = (Get-ChildItem "$env:ProgramFiles*\Microsoft\Edge\Application\*\Installer\setup.exe") if (!$installer) { Write-Host 'Could not find the installer' } else { & $installer.FullName -Uninstall -System-Level -Verbose-Logging -Force-Uninstall } - category: Disable built-in Windows features children: - name: Direct Play feature call: function: DisableFeature parameters: featureName: DirectPlay - name: Internet Explorer feature call: - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-x64 - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-x84 - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-amd64 - name: Legacy Components feature call: function: DisableFeature parameters: featureName: LegacyComponents - category: Server features for developers & administrators children: - category: Hyper-V Virtualization children: - name: Hyper-V feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-All - name: Hyper-V GUI Management Tools feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Management-Clients - name: Hyper-V Management Tools feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Tools-All - name: Hyper-V Module for Windows PowerShell feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Management-PowerShell - name: Telnet Client feature docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx call: function: DisableFeature parameters: featureName: TelnetClient - name: Net.TCP Port Sharing feature docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing call: function: DisableFeature parameters: featureName: WCF-TCP-PortSharing45 - name: SMB Direct feature docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct call: function: DisableFeature parameters: featureName: SmbDirect - name: TFTP Client feature call: function: DisableFeature parameters: featureName: TFTP - category: Printing features children: - category: Printer networking children: - name: Internet Printing Client call: function: DisableFeature parameters: featureName: Printing-Foundation-InternetPrinting-Client - name: LPD Print Service call: function: DisableFeature parameters: featureName: LPDPrintService - name: LPR Port Monitor feature call: function: DisableFeature parameters: featureName: Printing-Foundation-LPRPortMonitor - name: Microsoft Print to PDF feature call: function: DisableFeature parameters: featureName: Printing-PrintToPDFServices-Features - name: Print and Document Services feature call: function: DisableFeature parameters: featureName: Printing-Foundation-Features - name: Work Folders Client feature docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview call: function: DisableFeature parameters: featureName: WorkFolders-Client - category: XPS support children: - name: XPS Services feature call: function: DisableFeature parameters: featureName: Printing-XPSServices-Features - name: XPS Viewer feature call: function: DisableFeature parameters: featureName: Xps-Foundation-Xps-Viewer - name: Media Features feature call: function: DisableFeature parameters: featureName: MediaPlayback - name: Scan Management feature call: function: DisableFeature parameters: featureName: ScanManagementConsole - name: Windows Fax and Scan feature call: function: DisableFeature parameters: featureName: FaxServicesClientPackage - name: Windows Media Player feature call: function: DisableFeature parameters: featureName: WindowsMediaPlayer - name: Windows Search feature call: function: DisableFeature parameters: featureName: SearchEngine-Client-Package - category: Uninstall capabilities & features on demand docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled children: - category: Preinstalled children: - name: DirectX Configuration Database capability call: function: UninstallCapability parameters: capabilityName: DirectX.Configuration.Database - name: Internet Explorer 11 capability call: function: UninstallCapability parameters: capabilityName: Browser.InternetExplorer - name: Math Recognizer capability call: function: UninstallCapability parameters: capabilityName: MathRecognizer - name: OneSync capability (breaks Mail, People, and Calendar) recommend: strict docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync call: function: UninstallCapability parameters: capabilityName: OneCoreUAP.OneSync - name: OpenSSH client capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Client - name: PowerShell ISE capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.PowerShell.ISE - name: Print Management Console capability call: function: UninstallCapability parameters: capabilityName: Print.Management.Console - name: Quick Assist capability call: function: UninstallCapability parameters: capabilityName: App.Support.QuickAssist - name: Steps Recorder capability call: function: UninstallCapability parameters: capabilityName: App.StepsRecorder - name: Windows Fax and Scan capability call: function: UninstallCapability parameters: capabilityName: Print.Fax.Scan # Following are excluded because: # 1. They are not widely considered as "bloatware" as the community # 2. Do not have known privacy issues # 3. Make Windows more functional when running all scripts # - # name: WordPad capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.WordPad # - # name: Paint capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.MSPaint # - # name: Notepad capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.Notepad - category: Not preinstalled children: - name: .NET Framework capability call: function: UninstallCapability parameters: capabilityName: NetFX3 - name: Mixed Reality capability call: function: UninstallCapability parameters: capabilityName: Analog.Holographic.Desktop - name: Wireless Display capability call: function: UninstallCapability parameters: capabilityName: App.WirelessDisplay.Connect - name: Accessibility - Braille Support capability call: function: UninstallCapability parameters: capabilityName: Accessibility.Braille - name: Developer Mode capability call: function: UninstallCapability parameters: capabilityName: Tools.DeveloperMode.Core - name: Graphics Tools capability call: function: UninstallCapability parameters: capabilityName: Tools.Graphics.DirectX - name: IrDA capability call: function: UninstallCapability parameters: capabilityName: Network.Irda - name: Microsoft WebDriver capability call: function: UninstallCapability parameters: capabilityName: Microsoft.WebDriver - name: MSIX Packaging Tool Driver capability call: function: UninstallCapability parameters: capabilityName: Msix.PackagingTool.Driver - category: Networking tools children: - name: RAS Connection Manager Administration Kit (CMAK) capability call: function: UninstallCapability parameters: capabilityName: RasCMAK.Client - name: RIP Listener capability call: function: UninstallCapability parameters: capabilityName: RIP.Listener - name: Simple Network Management Protocol (SNMP) capability call: function: UninstallCapability parameters: capabilityName: SNMP.Client - name: SNMP WMI Provider capability call: function: UninstallCapability parameters: capabilityName: WMI-SNMP-Provider.Client - name: OpenSSH Server capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Server - category: Printing children: - name: Enterprise Cloud Print capability call: function: UninstallCapability parameters: capabilityName: Print.EnterpriseCloudPrint - name: Mopria Cloud Service capability call: function: UninstallCapability parameters: capabilityName: Print.MopriaCloudService - category: Remote server administration tools (RSAT) children: - name: Active Directory Domain Services and Lightweight Directory Services Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools - name: BitLocker Drive Encryption Administration Utilities capability call: function: UninstallCapability parameters: capabilityName: Rsat.BitLocker.Recovery.Tools - name: Active Directory Certificate Services Tools call: function: UninstallCapability parameters: capabilityName: Rsat.CertificateServices.Tools - name: DHCP Server Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.DHCP.Tools - name: DNS Server Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.Dns.Tools - name: Failover Clustering Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.FailoverCluster.Management.Tools - name: File Services Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.FileServices.Tools - name: Group Policy Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.GroupPolicy.Management.Tools - name: IP Address Management (IPAM) Client capability call: function: UninstallCapability parameters: capabilityName: Rsat.IPAM.Client.Tools - name: Data Center Bridging LLDP Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.LLDP.Tools - name: Network Controller Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkController.Tools - name: Network Load Balancing Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkLoadBalancing.Tools - name: Remote Access Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.RemoteAccess.Management.Tools - name: Server Manager Tools call: function: UninstallCapability parameters: capabilityName: Rsat.ServerManager.Tools - name: Shielded VM Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.Shielded.VM.Tools - name: Storage Replica Module for Windows PowerShell capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageReplica.Tools - name: Volume Activation Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.VolumeActivation.Tools - name: Windows Server Update Services Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.WSUS.Tools - name: Storage Migration Service Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageMigrationService.Management.Tools - name: Systems Insights Module for Windows PowerShell capability call: function: UninstallCapability parameters: capabilityName: Rsat.SystemInsights.Management.Tools - category: Storage children: - name: Windows Storage Management capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.StorageManagement - name: OneCore Storage Management capability call: function: UninstallCapability parameters: capabilityName: Microsoft.OneCore.StorageManagement - name: Windows Emergency Management Services and Serial Console capability call: function: UninstallCapability parameters: capabilityName: Windows.Desktop.EMS-SAC.Tools - name: XPS Viewer capability call: function: UninstallCapability parameters: capabilityName: XPS.Viewer - category: Remove Widgets docs: |- Windows 11 adds a new taskbar flyout named "Widgets", which displays a panel with Microsoft Start, a news aggregator with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1]. It's rebranding/future version of older "Windows 10 News and Interests" feature [2]. The user can customize the panel by adding or removing widgets, rearranging, resizing, and personalizing the content [1]. It has privacy implications as it collects data about your usage of the computer such as diagnostics data [3]. [1]: https://en.wikipedia.org/wiki/Features_new_to_Windows_11#Windows_shell "Features new to Windows 11 | Wikipedia" [2]: https://www.bleepingcomputer.com/news/microsoft/windows-10-news-and-interests-enabled-for-everyone-in-latest-update/ "Windows 10 News and Interests enabled for everyone in latest update | Bleeping Computer" [3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "What data does Microsoft collect? | Widgets | Microsoft" children: - name: Unpin Widgets from taskbar docs: |- To control whether the Widgets button is visible on the taskbar, Microsoft introduced `TaskbarDa` registry value [1]. Possible `DWORD` 32-bit settings for the `TaskbarDa` value are [1] [2]: 1. 0 = Hidden 2. 1 = Visible This registry key does not exist in Windows 11 installations by default. [1]: https://www.elevenforum.com/t/add-or-remove-widgets-button-on-taskbar-in-windows-11.32/ " Add or Remove Widgets Button on Taskbar in Windows 11 | Windows Eleven Forum" [2]: https://www.bleepingcomputer.com/news/microsoft/new-windows-11-registry-hacks-to-customize-your-device/ "New Windows 11 registry hacks to customize your device | Bleeping Computer" recommend: strict code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /f 2>nul - name: Uninstall Windows Web Experience Pack (breaks Widgets) recommend: strict docs: |- Windows Web Experience Pack is a store app that enables Widgets feature [1]. The app is not needed and not known to break other OS functionality if you do not wish to use Widgets feature. This app is known to collect diagnostics data, individual widgets might also collect data [2]. See its [Windows Store Page](https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP). It requires you to agree with Microsoft's general privacy terms, see [privacy agreement](http://go.microsoft.com/fwlink/?LinkID=521839) [3]. The agreement allows Microsoft to collect your personal data [3]. [1]: https://support.microsoft.com/en-us/windows/how-to-update-the-windows-web-experience-pack-in-the-microsoft-store-a16c9bf1-f042-4dc9-a523-740cca1e1e60 "How to update the Windows Web Experience Pack in the Microsoft Store | support.microsoft.com" [2]: https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP "Windows Web Experience Pack - Microsoft Store Apps | apps.microsoft.com/store" [3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "Stay up to date with widgets | support.microsoft.com" call: function: UninstallStoreApp parameters: packageName: MicrosoftWindows.Client.WebExperience - name: Remove Meet Now icon from taskbar recommend: strict docs: # Skype feature, introduced in 20H2, KB4580364 update - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow - https://www.windowscentral.com/how-disable-meet-now-feature-windows-10 code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f - category: Advanced settings children: - name: Change NTP (time) server to pool.ntp.org docs: https://www.pool.ntp.org/en/use.html recommend: strict # `sc queryex` output is same in every OS language code: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" :: Stop time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time service and sync now net start w32time w32tm /config /update w32tm /resync revertCode: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com" :: Stop time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time servie and sync now net start w32time w32tm /config /update w32tm /resync - name: Disable Reserved Storage for updates # since 19H1 (1903) docs: - https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState - https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves - https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy code: |- dism /online /Set-ReservedStorageState /State:Disabled /NoRestart reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f revertCode: |- DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f - name: Run script on start-up [EXPERIMENTAL] code: |- del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat copy "%~dpnx0" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat" revertCode: del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat functions: - name: KillProcess parameters: - name: processName - name: processStartPath - name: processStartArgs # `start` command is used to start processes without blocking execution of rest of the script, see https://ss64.com/nt/start.html. code: |- tasklist /fi "ImageName eq {{ $processName }}" /fo csv 2>NUL | find /i "{{ $processName }}">NUL && ( echo {{ $processName }} is running and will be killed. taskkill /f /im {{ $processName }} ) || ( echo Skipping, {{ $processName }} is not running. ) revertCode: |- tasklist /fi "ImageName eq {{ $processName }}" /fo csv 2>NUL | find /i "{{ $processName }}">NUL && ( echo Skipping, {{ $processName }} is already running. ) || ( if exist "{{ $processStartPath }}" ( start "" "{{ $processStartPath }}" {{ with $processStartArgs }}{{ . }}{{ end }} echo Executed {{ $processStartPath }} {{ with $processStartArgs }}{{ . }}{{ end }} ) else ( echo Failed to run the file, it does not exist. 1>&2 ) ) - name: KillProcessWhenItStarts parameters: - name: processName # https://docs.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /t REG_SZ /d "%windir%\System32\taskkill.exe" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /f - name: DisableFeature parameters: - name: featureName code: dism /Online /Disable-Feature /FeatureName:"{{ $featureName }}" /NoRestart revertCode: dism /Online /Enable-Feature /FeatureName:"{{ $featureName }}" /NoRestart - name: UninstallStoreApp parameters: - name: packageName call: function: RunPowerShell parameters: code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage revertCode: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' if (!$package) { Write-Error "Cannot reinstall '{{ $packageName }}'" -ErrorAction Stop } $manifest = $package.InstallLocation + '\AppxManifest.xml' Add-AppxPackage -DisableDevelopmentMode -Register "$manifest" - name: UninstallSystemApp parameters: - name: packageName # It simply renames files # Because system apps are non removable (check: (Get-AppxPackage -AllUsers 'Windows.CBSPreview').NonRemovable) # Otherwise they throw 0x80070032 when trying to uninstall them call: function: RunPowerShell parameters: code: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' if (!$package) { Write-Host 'Not installed' exit 0 } $directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)") foreach($dir in $directories) { if ( !$dir -Or !(Test-Path "$dir") ) { continue } cmd /c ('takeown /f "' + $dir + '" /r /d y 1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } cmd /c ('icacls "' + $dir + '" /grant administrators:F /t 1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } $files = Get-ChildItem -File -Path $dir -Recurse -Force foreach($file in $files) { if($file.Name.EndsWith('.OLD')) { continue } $newName = $file.FullName + '.OLD' Write-Host "Rename '$($file.FullName)' to '$newName'" Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force } } revertCode: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' if (!$package) { Write-Error 'App could not be found' -ErrorAction Stop } $directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)") foreach($dir in $directories) { if ( !$dir -Or !(Test-Path "$dir") ) { continue; } cmd /c ('takeown /f "' + $dir + '" /r /d y 1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } cmd /c ('icacls "' + $dir + '" /grant administrators:F /t 1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } $files = Get-ChildItem -File -Path "$dir\*.OLD" -Recurse -Force foreach($file in $files) { $newName = $file.FullName.Substring(0, $file.FullName.Length - 4) Write-Host "Rename '$($file.FullName)' to '$newName'" Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force } } - name: UninstallCapability parameters: - name: capabilityName call: function: RunPowerShell parameters: code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online revertCode: |- $capability = Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' Add-WindowsCapability -Name "$capability.Name" -Online - name: RenameSystemFile parameters: - name: filePath code: |- if exist "{{ $filePath }}" ( takeown /f "{{ $filePath }}" icacls "{{ $filePath }}" /grant administrators:F move "{{ $filePath }}" "{{ $filePath }}.OLD" && ( echo Moved "{{ $filePath }}" to "{{ $filePath }}.OLD" ) || ( echo Could not move {{ $filePath }} 1>&2 ) ) else ( echo No action required: {{ $filePath }} is not found. ) revertCode: |- if exist "{{ $filePath }}.OLD" ( takeown /f "{{ $filePath }}.OLD" icacls "{{ $filePath }}.OLD" /grant administrators:F move "{{ $filePath }}.OLD" "{{ $filePath }}" && ( echo Moved "{{ $filePath }}.OLD" to "{{ $filePath }}" ) || ( echo Could restore from backup file {{ $filePath }}.OLD 1>&2 ) ) else ( echo Could not find backup file "{{ $filePath }}.OLD" 1>&2 ) - name: SetVsCodeSetting parameters: - name: setting - name: powerShellValue call: function: RunPowerShell parameters: code: |- $jsonfile = "$env:APPDATA\Code\User\settings.json" if (!(Test-Path $jsonfile -PathType Leaf)) { Write-Host "No updates. Settings file was not at $jsonfile" exit 0 } $json = Get-Content $jsonfile | Out-String | ConvertFrom-Json $json | Add-Member -Type NoteProperty -Name '{{ $setting }}' -Value {{ $powerShellValue }} -Force $json | ConvertTo-Json | Set-Content $jsonfile revertCode: |- $jsonfile = "$env:APPDATA\Code\User\settings.json" if (!(Test-Path $jsonfile -PathType Leaf)) { Write-Error "Settings file could not be found at $jsonfile" -ErrorAction Stop } $json = Get-Content $jsonfile | ConvertFrom-Json $json.PSObject.Properties.Remove('{{ $setting }}') $json | ConvertTo-Json | Set-Content $jsonfile - name: RunPowerShell parameters: - name: code - name: revertCode optional: true code: PowerShell -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}" revertCode: |- {{ with $revertCode }} PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}" {{ end }} - name: DisablePerUserService parameters: - name: serviceName - name: defaultStartupMode # Alowed values: Boot | System | Automatic | Manual # More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows call: - # System-wide variant: every per-user service has also system-wide counterpart with same default startup mode function: DisableServiceInRegistry parameters: serviceName: '{{ $serviceName }}' defaultStartupMode: '{{ $defaultStartupMode }}' - # Per-user variant function: DisableServiceInRegistry parameters: serviceName: '{{ $serviceName }}_*' defaultStartupMode: '{{ $defaultStartupMode }}' - name: RunInlineCode parameters: - name: code - name: revertCode optional: true code: '{{ $code }}' revertCode: '{{ with $revertCode }}{{ . }}{{ end }}' - name: RunPowerShellWithSameCodeAndRevertCode parameters: - name: code call: function: RunPowerShell parameters: code: '{{ $code }}' revertCode: '{{ $code }}' - name: RunInlineCodeAsTrustedInstaller parameters: - name: code - name: revertCode call: function: RunPowerShell parameters: # PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks. # Seen e.g. on Windows 11 when reverting scripts after executing them and reboot. # They are seen to throw different exceptions: # - `Unregister-ScheduledTask : The system cannot find the file specified` # `ObjectNotFound: (MSFT_ScheduledTask:Root/Microsoft/...T_ScheduledTask)` with `HRESULT 0x80070002` # - `No MSFT_ScheduledTask objects found with property 'TaskName'` # - Because task is already running but `Get-ScheduledTask` cannot find it it throws: # `Failed to execute with exit code: 267009` # Solution # Checking if task is running: # - ❌ Not using `$(schtasks.exe /query /tn "$taskName" 2>$null)".Contains('Running')` because it outputs # different text (not always "Running") in German/English versions. # - ❌ Not using `(Get-ScheduledTask $taskName -ErrorAction Ignore).State -eq 'Running' # because `Get-ScheduledTask `sometimes fails. # - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running. # Deleting existing task: # - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002` # - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null` # to suppress errors. code: |- $command = '{{ $code }}' $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) $streamOutFile = New-TemporaryFile $batchFile = New-TemporaryFile try { $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII $taskName = 'privacy.sexy invoke' schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output $taskAction = New-ScheduledTaskAction ` -Execute 'cmd.exe' ` -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1" $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` -Action $taskAction ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null $timeOutLimit = (Get-Date).AddMinutes(5) Write-Host "Running as $trustedInstallerName" while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 if((Get-Date) -gt $timeOutLimit) { Write-Warning "Skipping results, it took so long to execute script." break; } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "Failed to execute with exit code: $result." } } finally { schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors } Get-Content $streamOutFile } finally { Remove-Item $streamOutFile, $batchFile } revertCode: |- # Duplicated until custom pipes are implemented $command = '{{ $revertCode }}' $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) $streamOutFile = New-TemporaryFile $batchFile = New-TemporaryFile try { $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII $taskName = 'privacy.sexy invoke' schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output $taskAction = New-ScheduledTaskAction ` -Execute 'cmd.exe' ` -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1" $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` -Action $taskAction ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null $timeOutLimit = (Get-Date).AddMinutes(5) Write-Host "Running as $trustedInstallerName" while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 if((Get-Date) -gt $timeOutLimit) { Write-Warning "Skipping results, it took so long to execute script." break; } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "Failed to execute with exit code: $result." } } finally { schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors } Get-Content $streamOutFile } finally { Remove-Item $streamOutFile, $batchFile } - name: DisableServiceInRegistry parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual call: function: RunPowerShell parameters: code: |- # We do registry way because GUI, "sc config" or "Set-Service" won't not work $serviceQuery = '{{ $serviceName }}' # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue if(!$service) { Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it." Exit 0 } $serviceName = $service.Name Write-Host "Disabling service: `"$serviceName`"." # -- 2. Stop if running if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is running, trying to stop it." try { Stop-Service -Name "$serviceName" -Force -ErrorAction Stop Write-Host "Stopped `"$serviceName`" successfully." } catch { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_" } } else { Write-Host "`"$serviceName`" is not running, no need to stop." } # -- 3. Skip if service info is not found in registry $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" if(!(Test-Path $registryKey)) { Write-Host "`"$registryKey`" is not found in registry, cannot enable it." Exit 0 } # -- 4. Skip if already disabled if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) { Write-Host "`"$serviceName`" is already disabled from start, no further action is needed." Exit 0 } # -- 5. Disable service try { Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop Write-Host "Disabled `"$serviceName`" successfully." } catch { Write-Error "Could not disable `"$serviceName`": $_" } revertCode: |- $serviceQuery = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue if(!$service) { Write-Warning "Service query `"$serviceQuery`" did not yield and results, cannot enable it." Exit 1 } $serviceName = $service.Name Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." # -- 2. Skip if service info is not found in registry $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" if(!(Test-Path $registryKey)) { Write-Warning "`"$registryKey`" is not found in registry, cannot enable it." Exit 1 } # -- 3. Enable if not already enabled $defaultStartupRegValue = ` if ($defaultStartupMode -eq 'Boot') { '0' } ` elseif($defaultStartupMode -eq 'System') { '1' } ` elseif($defaultStartupMode -eq 'Automatic') { '2' } ` elseif($defaultStartupMode -eq 'Manual') { '3' } ` else { throw "Unknown start mode: $defaultStartupMode"} if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start." } else { try { Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer." } catch { Write-Error "Could not enable `"$serviceName`": $_" Exit 1 } } # -- 4. Start if not running (must be enabled first) if($defaultStartupMode -eq 'Automatic') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, trying to start it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." } catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } } - name: SetMpPreference # Configures preferences for Windows Defender scans and updates. # ❗️ Requires "WinDefend" service in running state, otherwise fails parameters: - name: property - name: value - # When provided, it sets defaults using `Set-MpPreference`. # Used by default in Windows 10 as `Remove-MpPreference` cmdlet is very limited/poor in Windows 10. # Ignored by default in Windows 11 with providing a value for `setDefaultOnWindows11` name: default optional: true - # When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference` # Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11. name: setDefaultOnWindows11 optional: true call: function: RunPowerShell parameters: # Unsupported arguments -> # Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`, # `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms # and throws e.g. with: # `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value # "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType". # Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the # following enumerator names and try again: NotConfigured, Beta, Preview"` code: |- $propertyName = '{{ $property }}' $value = {{ $value }} if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) { Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired." exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' exit 0 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$value -ErrorAction Stop" Set-MpPreference -Force -{{ $property }} $value -ErrorAction Stop Write-Host "Successfully set `"$propertyName`" to `"$value`"." exit 0 } catch { if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" exit 0 } elseif (($_ | Out-String) -like '*Cannot convert*') { Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } else { Write-Error "Failed to set using $($command.Name): $_" exit 1 } } # `Remove-MpPreference` is different in Windows 11 / 10 # Windows 11 and 10 have different revert behavior which is caused by different `Remove-MpPreference` cmdlet versions used # Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps # Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps # On Windows 11: # - By default, `Remove-MpPreference` sets default values for settings for all cases. # - `setDefaultOnWindows11` parameter changes this behavior to set the default value using `Set-MpPreference` # On Windows 10: # - If `default` argument is is provided, it's set using `Set-MpPreference` # - `default` argument should not be provided if `Remove-MpPreference` is supported in Windows 10. revertCode: |- $propertyName = '{{ $property }}' {{ with $default }} $defaultValue = {{ . }} {{ end }} $setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false $setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false $osVersion = [System.Environment]::OSVersion.Version function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) } function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } # ------ Set-MpPreference ------ if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) { if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) { Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"." exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to set using $($command.Name): $_" } exit 1 } } # ------ Remove-MpPreference ------ $command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Remove-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to set using $($command.Name): $_" } exit 1 } - name: DisableService parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Automatic | Manual call: function: RunPowerShell # Careful with Set-Service cmdlet: # 1. It exits with positive code even if service is disabled # 2. It had breaking API change for `-StartupMode` parameter: # Powershell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual # PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled # So "Disabled", "Automatic" and "Manual" are only consistent ones. # Read more: # https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978 # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.1 parameters: code: |- $serviceName = '{{ $serviceName }}' Write-Host "Disabling service: `"$serviceName`"." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if(!$service) { Write-Host "Service `"$serviceName`" could not be not found, no need to disable it." Exit 0 } # -- 2. Stop if running if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is running, stopping it." try { Stop-Service -Name "$serviceName" -Force -ErrorAction Stop Write-Host "Stopped `"$serviceName`" successfully." } catch { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_" } } else { Write-Host "`"$serviceName`" is not running, no need to stop." } # -- 3. Skip if already disabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } if($startupType -eq 'Disabled') { Write-Host "$serviceName is already disabled, no further action is needed" } # -- 4. Disable service try { Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop Write-Host "Disabled `"$serviceName`" successfully." } catch { Write-Error "Could not disable `"$serviceName`": $_" } revertCode: |- $serviceName = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if(!$service) { Write-Warning "Service `"$serviceName`" could not be not found, cannot enable it." Exit 1 } # -- 2. Enable or skip if already enabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } if($startupType -eq "$defaultStartupMode") { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed." } else { try { Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer." } catch { Write-Error "Could not enable `"$serviceName`": $_" Exit 1 } } # -- 4. Start if not running (must be enabled first) if($defaultStartupMode -eq 'Automatic') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, starting it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." } catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } } - name: ShowWarning parameters: - name: message - name: ignoreWindows11 # Ignores warning message on Windows 11, allowed values: true | false, default: false - name: ignoreWindows10 # Ignores warning message on Windows 10, allowed values: true | false, default: false call: function: RunPowerShell parameters: code: |- $warningMessage = '{{ $message }}' $ignoreWindows10 = {{ with $ignoreWindows10 }} $true # {{ end }} $false $ignoreWindows11 = {{ with $ignoreWindows11 }} $true # {{ end }} $false $osVersion = [System.Environment]::OSVersion.Version function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) } function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } if (($ignoreWindows10 -and (Test-IsWindows10)) -or ($ignoreWindows11 -and (Test-IsWindows11))) { exit 0 # Skip } Write-Warning "$warningMessage" # revertCode: No warnings needed when reverting