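# Structure documented in "docs/collection-files.md" os: windows scripting: language: batchfile startCode: |- @echo off :: {{ $homepage }} — v{{ $version }} — {{ $date }} :: Ensure admin privileges fltmc >nul 2>&1 || ( echo Administrator privileges are required. PowerShell Start -Verb RunAs '%0' 2> nul || ( echo Right-click on the script and select "Run as administrator". pause & exit 1 ) exit 0 ) endCode: |- pause exit /b 0 actions: - category: Privacy cleanup children: - category: Clear application history children: - name: Clear Listary indexes code: del /f /s /q "%appdata%\Listary\UserData" > nul - name: Clear Java cache recommend: strict code: rd /s /q "%APPDATA%\Sun\Java\Deployment\cache" - name: Clear Flash traces recommend: standard code: rd /s /q "%APPDATA%\Macromedia\Flash Player" - name: Clear Steam dumps, logs, and traces recommend: standard code: |- :: "Program Files (x86)" contains spaces; keep the paths quoted so del receives one path per line, not several relative ones del /f /q "%ProgramFiles(x86)%\Steam\Dumps" del /f /q "%ProgramFiles(x86)%\Steam\Traces" del /f /q "%ProgramFiles(x86)%\Steam\appcache\*.log" - name: Clear Visual Studio telemetry and feedback data recommend: standard code: |- rmdir /s /q "%AppData%\vstelemetry" 2>nul rmdir /s /q "%LocalAppData%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%ProgramData%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%Temp%\Microsoft\VSApplicationInsights" 2>nul rmdir /s /q "%Temp%\VSFaultInfo" 2>nul rmdir /s /q "%Temp%\VSFeedbackPerfWatsonData" 2>nul rmdir /s /q "%Temp%\VSFeedbackVSRTCLogs" 2>nul rmdir /s /q "%Temp%\VSRemoteControl" 2>nul rmdir /s /q "%Temp%\VSTelem" 2>nul rmdir /s /q "%Temp%\VSTelem.Out" 2>nul - category: Clear most recently used lists (MRU) children: - category: Clear Quick Access (jump) lists docs: https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf children: - name: Clear recently accessed files recommend: standard code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*" - name: Clear user pins code: del /f /q 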
"%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*" - name: Clear regedit last key recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f - name: Clear regedit favorites recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f - name: Clear list of recent programs opened recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f - name: Clear Adobe Media Browser MRU recommend: standard code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f - name: Clear MSPaint MRU recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f - name: Clear Wordpad MRU recommend: standard code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f - name: Clear Map Network Drive MRU recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f - name: Clear Windows Search Assistant history recommend: standard code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f - name: Clear list of Recent Files Opened, by Filetype recommend: standard code: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" 
/va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f - name: Clear windows media player recent files and URLs recommend: standard code: |- reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f - name: Clear Most Recent Application's Use of DirectX recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f - name: Clear Windows Run MRU & typedpaths recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f - name: Clear Dotnet CLI telemetry recommend: standard code: rmdir /s /q "%USERPROFILE%\.dotnet\TelemetryStorageService" 2>nul - category: Clear browser history children: - category: Clear Internet Explorer history children: - name: Clear Internet Explorer caches recommend: standard docs: # INetCache - https://support.microsoft.com/en-us/help/260897/how-to-delete-the-contents-of-the-temporary-internet-files-folder - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache # WebCache - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache code: |- del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*" rd /s /q "%localappdata%\Microsoft\Windows\WebCache" - name: Clear Internet Explorer recent URLs recommend: strict docs: - https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ - https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/ - 
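https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html - http://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html code: |- reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f - name: Clear Temporary Internet Files (browser cache) recommend: standard docs: - https://en.wikipedia.org/wiki/Temporary_Internet_Files - https://www.windows-commandline.com/delete-temporary-internet-files/ # %localappdata%\Temporary Internet Files - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %localappdata%\Microsoft\Windows\Temporary Internet Files and INetCache code: |- :: Windows XP (path contains spaces; quoted so rd receives a single directory instead of several relative ones) rd /s /q "%userprofile%\Local Settings\Temporary Internet Files" :: Windows 7 rd /s /q "%localappdata%\Microsoft\Windows\Temporary Internet Files" takeown /f "%localappdata%\Temporary Internet Files" /r /d y icacls "%localappdata%\Temporary Internet Files" /grant administrators:F /t rd /s /q "%localappdata%\Temporary Internet Files" :: Windows 8 and above rd /s /q "%localappdata%\Microsoft\Windows\INetCache" - name: Clear Internet Explorer Feeds Cache recommend: standard docs: https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data code: rd /s /q "%localappdata%\Microsoft\Feeds Cache" - name: Clear Internet Explorer cookies recommend: strict docs: - https://docs.microsoft.com/en-us/windows/win32/wininet/managing-cookies - https://docs.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs - https://www.thewindowsclub.com/cookies-folder-location-windows code: |- :: Windows 7 browsers rd /s /q "%APPDATA%\Microsoft\Windows\Cookies" :: Windows 8 and higher rd /s /q "%localappdata%\Microsoft\Windows\INetCookies" - name: Clear Internet Explorer DOMStore recommend: standard docs: 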
https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx code: rd /s /q "%localappdata%\Microsoft\InternetExplorer\DOMStore" - name: Clear all Internet Explorer user data docs: - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data - https://www.forensafe.com/blogs/internetexplorer.html # Includes Internet Explorer cache, tab recovery data, persistence storage (DOMStore, indexed DB etc.) # Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\ # DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\, # VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\ # EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\ # Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log, # MSIMGSIZ.DAT code: rd /s /q "%localappdata%\Microsoft\Internet Explorer" - category: Clear Google Chrome history children: - name: Clear Google Chrome crash reports recommend: standard docs: https://www.chromium.org/developers/crash-reports code: |- rd /s /q "%localappdata%\Google\Chrome\User Data\Crashpad\reports\" rd /s /q "%localappdata%\Google\CrashReports\" - name: Clear Software Reporter Tool logs recommend: standard docs: https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/ code: del /f /q "%localappdata%\Google\Software Reporter Tool\*.log" - name: Clear all Chrome user data docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data" :: Windows Vista and later rd /s /q "%localappdata%\Google\Chrome\User Data" - category: Clear Firefox history children: - name: Clear browsing history and caches recommend: standard code: |- set ignoreFiles="content-prefs.sqlite" "permissions.sqlite" "favicons.sqlite" for 
%%d in ("%APPDATA%\Mozilla\Firefox\Profiles\" "%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\" ) do ( IF EXIST %%d ( FOR /d %%p IN (%%d*) DO ( for /f "delims=" %%f in ('dir /b /s "%%p\*.sqlite" 2^>nul') do ( set "continue=" for %%i in (%ignoreFiles%) do ( if %%i == "%%~nxf" ( set continue=1 ) ) if not defined continue ( del /q /s /f %%f ) ) ) ) ) - name: Clear all Firefox user profiles, settings, and data code: |- rd /s /q "%localappdata%\Mozilla\Firefox\Profiles" rd /s /q "%APPDATA%\Mozilla\Firefox\Profiles" - name: Clear all Opera data (user profiles, settings, and data) code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Opera\Opera" :: Windows Vista and later rd /s /q "%localappdata%\Opera\Opera" rd /s /q "%APPDATA%\Opera\Opera" - category: Clear Safari history children: - name: Clear Webpage Icons recommend: standard docs: https://www.sans.org/blog/safari-browser-forensics/ code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db" :: Windows Vista and later del /q /s /f "%localappdata%\Apple Computer\Safari\WebpageIcons.db" - name: Clear Safari cache recommend: standard docs: https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db" :: Windows Vista and later del /q /s /f "%localappdata%\Apple Computer\Safari\Cache.db" - name: Clear Safari cookies recommend: strict docs: https://kb.digital-detective.net/display/BF/Location+of+Safari+Data code: |- :: Windows XP del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db" :: Windows Vista and later del /q /s /f "%localappdata%\Apple Computer\Safari\Cookies.db" - name: Clear all Safari data (user profiles, settings, and data) docs: - https://kb.digital-detective.net/display/BF/Location+of+Safari+Data - https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari - 
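https://zerosecurity.org/2013/04/safari-forensic-tutorial code: |- :: Windows XP rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari" :: Windows Vista and later rd /s /q "%AppData%\Apple Computer\Safari" - category: Clear Windows logs & caches children: - name: Clear thumbnail cache code: del /f /s /q /a "%LocalAppData%\Microsoft\Windows\Explorer\*.db" - category: Clear Windows log files children: - category: Clear Windows Update logs children: - name: Clear Windows update and SFC scan logs docs: https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c recommend: standard code: del /f /q %SystemRoot%\Temp\CBS\* - name: Clear Windows Update Medic Service logs recommend: standard docs: https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4 code: |- takeown /f %SystemRoot%\Logs\waasmedic /r /d y icacls %SystemRoot%\Logs\waasmedic /grant administrators:F /t rd /s /q %SystemRoot%\Logs\waasmedic - name: Clear Cryptographic Services Traces recommend: standard docs: https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows code: |- del /f /q %SystemRoot%\System32\catroot2\dberr.txt del /f /q %SystemRoot%\System32\catroot2.log del /f /q %SystemRoot%\System32\catroot2.jrs del /f /q %SystemRoot%\System32\catroot2.edb del /f /q %SystemRoot%\System32\catroot2.chk - name: Windows Update Events Logs code: del /f /q "%SystemRoot%\Logs\SIH\*" - name: Windows Update Logs code: del /f /q "%SystemRoot%\Traces\WindowsUpdate\*" - name: Clear Optional Component Manager and COM+ components logs recommend: standard code: del /f /q %SystemRoot%\comsetup.log - name: Clear Distributed Transaction Coordinator logs recommend: standard code: del /f /q %SystemRoot%\DtcInstall.log - name: Clear Pending File Rename Operations logs code: del /f /q %SystemRoot%\PFRO.log - name: Clear Windows Deployment Upgrade Process Logs recommend: 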
standard code: |- del /f /q %SystemRoot%\setupact.log del /f /q %SystemRoot%\setuperr.log - name: Clear Windows Setup Logs recommend: standard docs: https://support.microsoft.com/en-gb/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows code: |- del /f /q %SystemRoot%\setupapi.log del /f /q %SystemRoot%\Panther\* del /f /q %SystemRoot%\inf\setupapi.app.log del /f /q %SystemRoot%\inf\setupapi.dev.log del /f /q %SystemRoot%\inf\setupapi.offline.log - name: Clear Windows System Assessment Tool logs recommend: standard docs: https://docs.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal code: del /f /q %SystemRoot%\Performance\WinSAT\winsat.log - name: Clear Password change events recommend: standard code: del /f /q %SystemRoot%\debug\PASSWD.LOG - name: Clear user web cache database recommend: standard docs: https://support.microsoft.com/en-gb/help/4056823/performance-issue-with-custom-default-user-profile code: del /f /q %localappdata%\Microsoft\Windows\WebCache\*.* - name: Clear system temp folder when no one is logged in recommend: standard code: del /f /q %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.* - name: Clear DISM (Deployment Image Servicing and Management) Logs recommend: standard docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files code: |- del /f /q %SystemRoot%\Logs\CBS\CBS.log del /f /q %SystemRoot%\Logs\DISM\DISM.log - name: Clear WUAgent (Windows Update History) logs docs: https://social.technet.microsoft.com/Forums/ie/en-US/f5744a18-d4ca-4631-8324-878b9225251d/windowssoftwaredistribution-folder-cleanup-automation?forum=winserverwsus code: |- # `sc queryex` output is same in every OS language setlocal EnableDelayedExpansion SET /A wuau_service_running=0 SC queryex "wuauserv"|Find "STATE"|Find /v "RUNNING">Nul||( SET /A wuau_service_running=1 net stop wuauserv ) del /q /s /f "%SystemRoot%\SoftwareDistribution" IF 
!wuau_service_running! == 1 ( net start wuauserv ) endlocal - name: Clear Server-initiated Healing Events Logs code: del /f /q "%SystemRoot%\Logs\SIH\*" - name: Common Language Runtime Logs recommend: standard code: |- del /f /q "%LocalAppData%\Microsoft\CLR_v4.0\UsageTraces\*" del /f /q "%LocalAppData%\Microsoft\CLR_v4.0_32\UsageTraces\*" - name: Network Setup Service Events Logs recommend: standard code: del /f /q "%SystemRoot%\Logs\NetSetup\*" - name: Disk Cleanup tool (Cleanmgr.exe) Logs code: del /f /q "%SystemRoot%\System32\LogFiles\setupcln\*" - name: Clear Windows temp files recommend: standard code: |- del /f /q %localappdata%\Temp\* rd /s /q "%WINDIR%\Temp" rd /s /q "%TEMP%" - name: Clear main telemetry file recommend: standard code: |- if exist "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" ( takeown /f "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /r /d y icacls "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /grant administrators:F /t echo "" > "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" echo Clear successful: "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" ) else ( echo "Main telemetry file does not exist. Good!" 
) - name: Clear Event Logs in Event Viewer docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information code: |- REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) for /f "tokens=*" %%i in ('wevtutil.exe el') DO ( echo Deleting event log: "%%i" wevtutil.exe cl %1 "%%i" ) - name: Clean Windows Defender scan history docs: https://www.thewindowsclub.com/clear-windows-defender-protection-history code: del "%ProgramData%\Microsoft\Windows Defender\Scans\History\" /s /f /q - name: Clear credentials from Windows Credential Manager code: |- cmdkey.exe /list > "%TEMP%\List.txt" findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt" FOR /F "tokens=1,2 delims= " %%G IN (%TEMP%\tokensonly.txt) DO cmdkey.exe /delete:%%H del "%TEMP%\List.txt" /s /f /q del "%TEMP%\tokensonly.txt" /s /f /q - name: Delete controversial default0 user docs: https://github.com/undergroundwires/privacy.sexy/issues/30 recommend: standard code: net user defaultuser0 /delete 2>nul - name: Empty trash bin call: function: RunPowerShell parameters: code: |- $bin = (New-Object -ComObject Shell.Application).NameSpace(10) $bin.items() | ForEach { Write-Host "Deleting $($_.Name) from Recycle Bin" Remove-Item $_.Path -Recurse -Force } - name: Enable Reset Base in Dism Component Store recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f - name: Clear Windows Product Key from Registry code: slmgr /cpky docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/ - name: Clear volume backups (shadow copies) docs: - 
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods code: vssadmin delete shadows /all /quiet - name: Remove Default Apps Associations recommend: standard code: dism /online /Remove-DefaultAppAssociations - name: Clear (Reset) Network Data Usage recommend: standard docs: https://www.windowslifestyle.com/reset-data-usage-tool-reset-network-data-usage-windows-10/ code: |- # `sc queryex` output is same in every OS language setlocal EnableDelayedExpansion SET /A dps_service_running=0 SC queryex "DPS"|Find "STATE"|Find /v "RUNNING">Nul||( SET /A dps_service_running=1 net stop DPS ) del /F /S /Q /A "%windir%\System32\sru*" IF !dps_service_running! == 1 ( net start DPS ) endlocal - name: Clear previous Windows installations code: |- if exist "%SystemDrive%\Windows.old" ( takeown /f "%SystemDrive%\Windows.old" /a /r /d y icacls "%SystemDrive%\Windows.old" /grant administrators:F /t rd /s /q "%SystemDrive%\Windows.old" echo Deleted previous installation from "%SystemDrive%\Windows.old\" ) else ( echo No previous Windows installation has been found ) - category: Disable OS data collection children: - category: Disable Windows telemetry and data collection children: - name: Disable Customer Experience Improvement (CEIP/SQM) docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f - name: Disable Application Impact Telemetry (AIT) recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f - 
category: Disable diagnostics telemetry services children: - name: Disable connected user experiences and telemetry service # Connected User Experiences and Telemetry recommend: standard docs: http://batcmd.com/windows/10/services/diagtrack/ call: function: DisableService parameters: serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable WAP push message routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service recommend: standard docs: http://batcmd.com/windows/10/services/dmwappushservice/ call: function: DisableService parameters: serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable diagnostics hub standard collector service # Microsoft (R) Diagnostics Hub Standard Collector docs: http://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/ call: function: DisableService parameters: serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable diagnostic execution service # Diagnostic Execution Service docs: http://batcmd.com/windows/10/services/diagsvc/ call: function: DisableService parameters: serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Customer Experience Improvement Program recommend: standard code: |- schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE revertCode: |- schtasks /change 
/TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /ENABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /ENABLE schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /ENABLE - category: Disable Webcam Telemetry (devicecensus.exe) docs: - https://www.ghacks.net/2019/09/23/what-is-devicecensus-exe-on-windows-10-and-why-does-it-need-internet-connectivity/ - https://answers.microsoft.com/en-us/windows/forum/windows_10-security/devicecensusexe-and-host-process-for-windows-task/520d42a2-45c1-402a-81de-e1116ecf2538 children: - name: Disable devicecensus.exe (telemetry) task recommend: standard code: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /enable - name: Disable devicecensus.exe (telemetry) process recommend: standard call: function: KillProcessWhenItStarts parameters: processName: DeviceCensus.exe - category: Disable Compatibility Telemetry (Application Experience) children: - category: Disable Microsoft Compatibility Appraiser docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ children: - name: Disable Microsoft Compatibility Appraiser task recommend: standard code: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable - name: Disable CompatTelRunner.exe (Microsoft Compatibility Appraiser) process recommend: standard call: function: KillProcessWhenItStarts parameters: processName: CompatTelRunner.exe - name: Disable sending information to Customer Experience Improvement Program recommend: standard docs: - https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ - 
https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/permanently-disabling-windows-compatibility/6bf71583-81b0-4a74-ae2e-8fd73305aad1 code: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable - name: Disable Application Impact Telemetry Agent task recommend: standard docs: https://www.shouldiblockit.com/aitagent.exe-6181.aspx code: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /enable - name: Disable "Disable apps to improve performance" reminder recommend: strict docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ code: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /enable - name: Disable telemetry in data collection policy recommend: standard code: |- reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /d 0 /t REG_DWORD /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "LimitEnhancedDiagnosticDataWindowsAnalytics" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f - name: Disable license telemetry recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f - name: Disable error reporting recommend: standard docs: # 
Settings - https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings - https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 # Windows Error Reporting Service - http://batcmd.com/windows/10/services/wersvc/ # Problem Reports Control Panel Support - http://batcmd.com/windows/10/services/wercplsupport/ call: - function: RunInlineCode parameters: code: |- :: Disable Windows Error Reporting (WER) reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f :: Disable WER sending second-level data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f :: Disable WER crash dialogs, popups reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable revertCode: |- :: Enable Windows Error Reporting (WER) reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Microsoft\Windows\Windows Error 
Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f :: Enable WER sending second-level data reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f :: Enable WER crash dialogs, popups reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable - # Windows Error Reporting Service function: DisableService parameters: serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - # Problem Reports Control Panel Support function: DisableService parameters: serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Disable automatic driver updates by Windows Update children: - name: Disable device metadata retrieval (breaks auto updates) recommend: strict docs: - https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964 - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f - name: Do not include drivers with Windows Updates docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate recommend: strict code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f - name: Prevent Windows Update for device driver search docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965 recommend: strict code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 1 /f - name: Disable cloud speech recognition recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f - name: Disable active probing (pings to MSFT NCSI server) recommend: strict code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f - name: Opt out from Windows privacy consent recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f - name: Disable Windows feedback recommend: standard docs: 
https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: |- reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f - name: Disable text and handwriting collection recommend: standard code: |- reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f - category: Deny app access to personal information children: - name: Deny app access to location recommend: standard 
docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation # LetAppsAccessLocation - https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ # ConsentStore\location - https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/ # lfsvc\Service\Configuration code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /f :: For older Windows (before 1903) reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Allow" /f :: For older Windows (before 1903) reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /f - name: Deny app access to 
account info, name, and picture recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Allow" /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /f - name: Deny app access to motion data recommend: standard docs: 
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /f - name: Deny app access to phone recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /f - name: Deny app access to trusted devices docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices recommend: standard code: |- :: For older Windows (before 1903) :: NOTE(review): this DeviceAccess GUID is the same key written by "Deny app access to account info, name, and picture"; applying or reverting either action flips the other's old-Windows value too, so confirm which capability this GUID really belongs to reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /f reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /f - name: Deny app sync with devices (unpaired, beacons, TVs, etc.) recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /f - name: Deny app access to camera docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kscategory-video-camera - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscamera code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add 
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /f - name: Deny app access to microphone docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f :: Using GPO (re-activation through 
GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f - name: Deny apps share and sync non-explicitly paired wireless devices over uPnP code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f - name: Deny app access to diagnostics info about your other apps recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo code: |- reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Allow" /t REG_SZ /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /f - category: Deny app access to your file system children: - name: Deny app access to Document folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to Pictures folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add 
"HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to Videos folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to other filesystem recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Allow" /t REG_SZ /f - name: Deny app access to your contacts recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /f - name: Deny app access to Notifications recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO (deleting the policy values lets the setting be changed through the GUI again) reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /f - name: Deny app access to Calendar recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /f - name: Deny app access to call history recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory code: |- :: Capability consent store (not a GPO policy) reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /f - name: Deny app access to email recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d DENY /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Allow" /t REG_SZ /f :: For older 
Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /f - name: Deny app access to tasks recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Allow" /t REG_SZ /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /f reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /f - name: Deny app access to messaging (SMS / MMS) docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Deny" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Allow" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v 
"LetAppsAccessMessaging_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /f - name: Deny app access to radios recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d DENY /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" 
/f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /f - name: Deny app access to bluetooth devices recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f - category: Disable app access to voice activation children: - name: Disable apps and Cortana to activate with voice recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 0 /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /t REG_DWORD /d 2 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 1 /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /f - name: Disable apps and Cortana to activate with voice when system is locked recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 0 /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /t REG_DWORD /d 2 /f revertCode: |- reg add 
"HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 1 /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /f - category: Disable location access children: - name: Turn off Windows Location Provider code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f - name: Turn off location scripting recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f - name: Turn off location recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f :: For older Windows (before 1903) reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Deny" /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "0" /t REG_DWORD /f :: For older Windows (before 1903) reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f - name: Turn off sensors recommend: 
standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f - category: Disable windows search data collection children: - category: Disable cortana children: - name: Do not allow Cortana recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f - name: Do not allow Cortana experience recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f - name: Do not allow search and Cortana to search cloud sources like OneDrive and SharePoint recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 1 /f - name: Disable Cortana speech interaction while the system is locked recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f revertCode: reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f - name: Opt out from Cortana consent recommend: standard code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 10 /f - name: Do not allow Cortana to be enabled recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 1 /f - name: Disable Cortana (Internet search results in start menu) recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f - category: Disable Cortana history children: - name: Prevent Cortana from displaying history recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f - name: Prevent Cortana from using device history recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f - name: Remove the Cortana taskbar icon recommend: standard code: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /t 
REG_DWORD /d 0 /f revertCode: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /f - name: Disable Cortana in ambient mode recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 1 /f - category: Disable Cortana voice listening children: - name: Disable "Hey Cortana" voice activation recommend: standard code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 1 /f - name: Disable Cortana listening to commands on Windows key + C recommend: standard code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 1 /f - name: Disable using Cortana even when device is locked recommend: standard code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 1 /f - name: Disable automatic update of Speech Data recommend: standard code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d 0 /f revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /f - name: Disable Cortana voice support during 
Windows setup recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /f - category: Configure Windows search indexing children: - name: Disable search indexing encrypted items / stores recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowindexingencryptedstoresoritems code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f - name: Do not use automatic language detection when indexing recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-alwaysuseautolangdetection code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 1 /f - name: Do not allow search to use location recommend: standard docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 1 /f - name: Disable web search in search bar recommend: standard docs: - 
https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 0 /f - name: Do not search the web or display web results in Search docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 1 /f - name: Disable Bing search recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 1 /f - category: Disable targeted ads and marketing children: - name: Disable ad customization with Advertising ID recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general code: |- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f - category: Disable cloud-based tips and ads children: - name: Disable Windows Tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f - name: Disable Windows Spotlight (random wallpaper on lock screen) recommend: standard docs: - https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "0" /f - name: Disable Microsoft consumer experiences recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f - name: Turn Off Suggested Content in Settings app recommend: standard docs: - 
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 - https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm code: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f revertCode: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f - category: Disable biometrics (breaks fingerprinting/facial login) children: - name: Do not allow the use of biometrics recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f - name: Do not allow users to log on using biometrics recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f - name: Disable Windows Biometric Service 
recommend: strict docs: - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service - http://batcmd.com/windows/10/services/wbiosrvc/ call: function: DisableService parameters: serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Wi-Fi sense recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f - name: Hide most used apps (tracks app launch) docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10 recommend: strict code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f - name: Disable Inventory Collector recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 0 /f - name: Disable Website Access of Language List recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f - name: Disable 
Auto Downloading Maps recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f - name: Disable steps recorder recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f - name: Disable game screen recording recommend: standard code: |- reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f - name: Disable Windows DRM internet access docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - name: Disable feedback on write (sending typing info) recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable Activity Feed recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f - category: Disable Windows Insider Program children: - name: Disable Windows Insider Service docs: - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service - http://batcmd.com/windows/10/services/wisvc/ recommend: standard call: function: DisableService parameters: serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Do not let Microsoft try features on this build docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f - name: Disable getting preview builds of Windows docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f - name: Remove "Windows Insider Program" from Settings docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/ code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f - category: Disable cloud sync docs: https://support.microsoft.com/en-us/help/4026102/windows-10-about-sync-settings children: - name: Disable all settings sync recommend: standard enabler: all those bottom code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v 
"DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f - name: Disable Application Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable App Sync Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Credentials Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable Desktop Theme Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Personalization Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 
/f - name: Disable Start Layout Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Web Browser Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Windows Setting Sync recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable Language Setting Sync recommend: standard docs: - https://winaero.com/turn-on-off-sync-settings-windows-10/ - https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor - https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 1 /f - category: Configure programs children: - category: Disable Visual Studio data collection children: - category: Disable Experience Improvement Program (PerfWatson) docs: - https://docs.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program - 
https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ children: - name: Disable SQM OS key recommend: standard code: |- if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f ) else ( reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f ) revertCode: |- if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f ) else ( reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f ) - name: Disable SQM group policy recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 1 /f - name: Disable visual studio telemetry recommend: standard code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 0 /f - name: Disable Visual Studio feedback recommend: standard code: |- reg add 
"HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 0 /f - name: Stop and disable Visual Studio Standard Collector Service # Collects logs for Diagnostics Hub recommend: standard call: function: DisableService parameters: serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable NET Core CLI telemetry recommend: standard code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1 revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0 - name: Disable PowerShell 7+ telemetry recommend: standard docs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry code: setx POWERSHELL_TELEMETRY_OPTOUT 1 revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0 - category: Disable NVIDIA telemetry docs: - https://github.com/privacysexy-forks/nVidia-modded-Inf - https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry - https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20 children: - name: Uninstall NVIDIA telemetry tasks recommend: standard code: |- if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" ( rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer rundll32 "%PROGRAMFILES%\NVIDIA 
Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry ) - name: Delete NVIDIA residual telemetry files recommend: standard code: |- del /s %SystemRoot%\System32\DriverStore\FileRepository\NvTelemetry*.dll rmdir /s /q "%ProgramFiles(x86)%\NVIDIA Corporation\NvTelemetry" 2>nul rmdir /s /q "%ProgramFiles%\NVIDIA Corporation\NvTelemetry" 2>nul - name: Opt out from NVIDIA telemetry recommend: standard code: |- reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d 4 /f revertCode: |- reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f reg delete "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /f - name: Disable NVIDIA telemetry services recommend: standard code: |- schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE revertCode: |- schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE schtasks /change /TN 
NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE - category: Disable Visual Studio Code data collection docs: - https://code.visualstudio.com/updates/v1_26#_offline-mode - https://code.visualstudio.com/docs/getstarted/settings children: - name: Disable Visual Studio Code telemetry docs: https://code.visualstudio.com/docs/getstarted/telemetry recommend: standard call: function: SetVsCodeSetting parameters: setting: telemetry.enableTelemetry powerShellValue: $false - name: Disable Visual Studio Code crash reporting docs: https://code.visualstudio.com/docs/getstarted/telemetry recommend: standard call: function: SetVsCodeSetting parameters: setting: telemetry.enableCrashReporter powerShellValue: $false - name: Do not run Microsoft online experiments docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173 recommend: standard call: function: SetVsCodeSetting parameters: setting: workbench.enableExperiments powerShellValue: $false - name: Choose manual updates over automatic updates call: function: SetVsCodeSetting parameters: setting: update.mode powerShellValue: >- 'manual' - name: Show Release Notes from Microsoft online service after an update call: function: SetVsCodeSetting parameters: setting: update.showReleaseNotes powerShellValue: $false - name: Automatically check extensions from Microsoft online service call: function: SetVsCodeSetting parameters: setting: extensions.autoCheckUpdates powerShellValue: $false - name: Fetch recommendations from Microsoft only on demand call: function: SetVsCodeSetting parameters: setting: extensions.showRecommendationsOnlyOnDemand powerShellValue: $true - name: Automatically fetch git commits from remote repository call: function: SetVsCodeSetting parameters: setting: git.autofetch powerShellValue: $false - name: Fetch package 
information from NPM and Bower call: function: SetVsCodeSetting parameters: setting: npm.fetchOnlinePackageInfo powerShellValue: $false - category: Disable Microsoft Office telemetry docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office children: - name: Disable Microsoft Office logging recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f reg add 
"HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f - name: Disable client telemetry recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f - name: Customer Experience Improvement Program docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f - name: 
Disable feedback recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f - name: Disable telemetry agent recommend: standard code: |- schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /DISABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /DISABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /DISABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /DISABLE revertCode: |- schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /ENABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /ENABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /ENABLE schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE # - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b) # name: Disable ClickToRun Service Monitor # docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx # call: # - # function: RunInlineCode # parameters: # code: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE # revertCode: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE # - # function: DisableService # parameters: # serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType # defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Subscription Heartbeat code: |- schtasks /change /TN 
"Microsoft\Office\Office 15 Subscription Heartbeat" /DISABLE schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /DISABLE revertCode: |- schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /ENABLE schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /ENABLE - category: Configure browsers children: - category: Configure Edge children: - category: Chromium Edge settings children: - name: Disable Edge usage and crash-related data reporting (shows "Your browser is managed") # Obselete since Microsoft Edge version 89 recommend: standard docs: - https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled - https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#metricsreportingenabled code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /f - name: Disable sending site information (shows "Your browser is managed") # Obselete since Microsoft Edge version 89 recommend: standard docs: - https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices - https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#sendsiteinfotoimproveservices code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f - name: Disable Automatic Installation of Microsoft Edge Chromium docs: - https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate - https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f revertCode: reg delete 
"HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f - name: Disable live tile data collection recommend: standard docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f - name: Disable MFU tracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 0 /f - name: Disable recent apps recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0/f - name: Turn off backtracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f - name: Disable Search Suggestions in Edge docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar 
recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f - category: Configure Internet Explorer children: - name: Disable Geolocation in Internet Explorer recommend: standard code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f - name: Disable Internet Explorer InPrivate logging recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f - name: Disable Internet Explorer CEIP recommend: standard docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f - name: Disable calling legacy WCM policies recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f - name: Disable SSLv3 fallback recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v 
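"EnableSSL3Fallback" /t REG_DWORD /d 0 /f
    # Revert deletes the same HKLM policy value that `code` writes. The previous revert wrote
    # EnableSSL3Fallback=3 under the per-user, NON-policy key (HKCU\Software\Microsoft\...), which
    # never undid the machine policy above and left the setting half-reverted.
    revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /f
  -
    name: Disable ignoring cert errors
    recommend: standard
    docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717
    code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f
    revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f
-
  category: Configure Google Chrome
  children:
    -
      name: Disable Chrome Software Reporter Tool
      recommend: standard
      # The deny ACEs for Everyone (S-1-1-0) and ANONYMOUS LOGON (S-1-5-7) already cover the
      # current user, so the old `cacls ... /d %username%` line (deprecated tool, redundant ACE)
      # was dropped. NOTE(review): the "1" entry under DisallowRun overwrites any existing entry
      # of that name the user may already have.
      code: |-
        icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f
      # Revert now also restores the folder ACL (back to inherited defaults); previously only the
      # registry entry was removed and the deny ACEs stayed behind permanently. The DisallowRun
      # switch itself is intentionally left alone: other entries under that key may belong to the
      # user and would silently stop being enforced if the switch were deleted. /reset needs
      # WRITE_DAC, which the folder owner (the Chrome user) holds implicitly; errors are
      # suppressed for the case where the folder no longer exists.
      revertCode: |-
        icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /reset /t /c 2>nul
        reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /f
    -
      category: Chrome cleanup
      children:
        -
          name: Do not share scanned software data to Google (shows "Your browser is managed")
          recommend: standard
          docs:
            - https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled
            - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593
          code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
          revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /f
        -
          name: Prevent Chrome from scanning the system for cleanup (shows "Your browser is managed")
          recommend: standard
          docs:
            - 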
https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /f - name: Disable Chrome metrics reporting (shows "Your browser is managed") recommend: standard docs: https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f - category: Configure Mozilla Firefox telemetry children: - category: Disable default browser agent reporting children: - name: Disable default browser agent reporting policy recommend: standard docs: https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/ code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 1 /f revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 0 /f - name: Disable default browser agent reporting services recommend: standard code: |- schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB" schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD" revertCode: |- schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB" schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD" - name: Disable Firefox metrics reporting recommend: standard docs: https://github.com/privacysexy-forks/policy-templates#disabletelemetry code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 1 /f revertCode: reg add 
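HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 0 /f
-
  name: Disable Google update service
  # SECURITY: deliberately NOT `recommend: standard`. This stops Chrome from patching itself.
  # The browser is the most exposed component on a desktop and Chrome regularly ships fixes for
  # bugs that are already exploited in the wild; disabling its updater trades a little telemetry
  # for exposure to known remote code execution. Only select this when updates are delivered
  # another way (enterprise deployment, package manager).
  docs:
    - https://websetnet.net/how-to-disable-google-chrome-automatic-updates-in-windows-10/
    - https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-25791.html #gupdate
    - https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-26582.html #gupdatem
  call:
    -
      function: RunInlineCode
      parameters:
        code: |-
          schtasks /change /disable /tn "GoogleUpdateTaskMachineCore"
          schtasks /change /disable /tn "GoogleUpdateTaskMachineUA"
        revertCode: |-
          schtasks /change /enable /tn "GoogleUpdateTaskMachineCore"
          schtasks /change /enable /tn "GoogleUpdateTaskMachineUA"
    -
      function: DisableService
      parameters:
        serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType
        defaultStartupMode: Automatic # Allowed values: Automatic | Manual
    -
      function: DisableService
      parameters:
        serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType
        # NOTE(review): gupdatem is the on-demand updater and on most installs reports
        # StartType Manual; re-run the check above before trusting this default.
        defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
  name: Disable Adobe Acrobat update service
  # SECURITY: deliberately NOT `recommend: standard`. Acrobat/Reader is a frequent target of
  # malicious-PDF exploits and depends on this service for its security updates; see the note
  # on the Google update entry above for the trade-off.
  call:
    -
      function: DisableService
      parameters:
        serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType
        defaultStartupMode: Automatic # Allowed values: Automatic | Manual
    -
      function: DisableService
      parameters:
        serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType
        defaultStartupMode: Automatic # Allowed values: Automatic | Manual
    -
      function: DisableService
      parameters:
        serviceName: adobeflashplayerupdatesvc # Check: (Get-Service -Name adobeflashplayerupdatesvc).StartType
        defaultStartupMode: Automatic # Allowed values: Automatic | Manual
    -
      function: RunInlineCode
      parameters:
        code: |-
          schtasks /change /tn "Adobe Acrobat Update Task" /disable
          schtasks /change /tn "Adobe Flash Player Updater" /disable
        revertCode: |-
          schtasks /change /tn "Adobe Acrobat Update Task" /enable
          schtasks /change /tn "Adobe Flash Player Updater" 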
/enable - name: Disable Razer Game Scanner Service recommend: standard call: function: DisableService parameters: serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Logitech Gaming Registry Service recommend: standard call: function: DisableService parameters: serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Dropbox auto update service recommend: standard call: - function: DisableService parameters: serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: RunInlineCode parameters: code: |- schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore" schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA" revertCode: |- schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore" schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA" - category: Disable Media Player data collection children: - name: Do not send Windows Media Player statistics recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f - name: Disable metadata retrieval recommend: standard code: |- reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v 
"DisableOnline" /t REG_DWORD /d 1 /f - name: Disable Windows Media Player Network Sharing Service docs: http://batcmd.com/windows/10/services/wmpnetworksvc/ recommend: standard call: function: DisableService parameters: serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable CCleaner Monitoring code: |- reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v 
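"(Cfg)HealthCheck" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f
-
  category: Security improvements
  children:
    -
      category: Meltdown and Spectre protection
      docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
      children:
        -
          name: Spectre variant 2 and meltdown (own OS)
          # The CPU vendor is read from the registry instead of `wmic cpu get name`: WMIC is
          # deprecated and absent on current Windows builds, and the vendor id string is a more
          # reliable discriminator than a substring of the marketing name.
          # Mask=3 selects both mitigations; Override=0 enables them on Intel, Override=64 is the
          # AMD-specific value from the linked KB.
          code: |-
            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
            reg query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v "VendorIdentifier" | findstr /i "GenuineIntel" >nul && (
                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f
            )
            reg query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v "VendorIdentifier" | findstr /i "AuthenticAMD" >nul && (
                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f
            )
          # Revert removes the overrides so the OS falls back to its built-in default (mitigations
          # enabled on client SKUs). The previous revert wrote Override=3, which explicitly
          # DISABLES both the Spectre v2 and the Meltdown mitigation - a worse state than never
          # having run the action at all.
          revertCode: |-
            reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /f
            reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /f
        -
          name: Spectre variant 2 and meltdown (HyperV)
          code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
          revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f
    -
      name: Disable administrative shares
      recommend: standard
      # NOTE(review): AutoShareWks is honoured by workstation SKUs only; server SKUs read
      # AutoShareServer under the same key. Removing C$/ADMIN$ breaks tooling that relies on
      # them (PsExec-style remote execution, remote management agents), and the Server service
      # must be restarted (or the host rebooted) before the change takes effect.
      code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v 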
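"AutoShareWks" /t REG_DWORD /d 0 /f
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f
-
  name: Force enable data execution prevention (DEP)
  # NOTE(review): these two policies only stop Explorer and the HTML Help executable from
  # opting OUT of DEP; they do not change the system-wide DEP policy (`bcdedit /set nx ...`).
  code: |-
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f
  # Revert removes the policy values ("Not configured", the OS default). The previous revert
  # set both to 1, i.e. it actively turned DEP OFF for Explorer and hh.exe.
  revertCode: |-
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /f
-
  name: Disable AutoPlay and AutoRun
  docs:
    - https://en.wikipedia.org/wiki/AutoRun
    - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667
    - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671
    - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673
  recommend: standard
  code: |-
    :: 255 (0xff) means all drives
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
    :: 1 = "Do not execute any autorun commands"
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f
  # Revert deletes NoAutorun like the other two values. The previous revert wrote NoAutorun=2,
  # which is the policy's "Automatically execute autorun commands" option - the pre-Windows 7
  # behaviour that autorun.inf malware relied on - not the default.
  revertCode: |-
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f
-
  name: Disable remote Assistance
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651
  code: |-
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v 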
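"fAllowFullControl" /t REG_DWORD /d 0 /f
  revertCode: |-
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f
-
  name: Disable lock screen camera
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237
  code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f
  revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f
-
  name: Prevent the storage of the LAN Manager hash of passwords
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f
  # NoLMHash=1 has been the Windows default since Vista, so revert restores that default. The
  # previous revert wrote `/d 10` (a typo; any non-zero value still means "enabled"). Never
  # revert this to 0: that re-enables storage of the trivially crackable LM hash.
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f
-
  name: Disable Windows Installer Always install with elevated privileges
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974
  # The policy only takes effect when BOTH the machine and the user value are 1, and the linked
  # STIG check covers both hives, so both are set to 0 here.
  code: |-
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
  # Revert removes the policy values (the OS default). The previous revert wrote
  # AlwaysInstallElevated=1 to HKLM - half of a textbook local privilege-escalation primitive
  # (every MSI installs as SYSTEM) - and a "revert" must never write that.
  revertCode: |-
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /f
    reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /f
-
  name: Prevent WinRM from using Basic Authentication
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335
  # NOTE(review): this covers the WinRM *client* only (the linked STIG finding); the service side
  # has its own `WinRM\Service` AllowBasic policy and is not touched here.
  code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f
  # Revert deletes the policy value ("Not configured") instead of forcing Basic auth on by policy.
  revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /f
-
  name: Restrict anonymous enumeration of shares
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t 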
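REG_DWORD /d 1 /f
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f
-
  name: Refuse less secure authentication
  recommend: standard
  docs:
    - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
  # Level 5 = "Send NTLMv2 response only. Refuse LM & NTLM". NOTE(review): this breaks SMB access
  # to legacy devices (old NAS boxes, printers, embedded hosts) that only speak LM/NTLMv1.
  # Level 3 is the Windows default and is what revert restores.
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f
-
  name: Enable Structured Exception Handling Overwrite Protection (SEHOP)
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f
  # Revert removes the value so the OS default applies; the previous revert wrote 1, which
  # explicitly turns SEHOP off system-wide.
  revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /f
-
  name: Block Anonymous enumeration of SAM accounts
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745
  # FIX: RestrictAnonymousSAM lives under Control\Lsa (see the linked STIG check). The previous
  # version wrote it under Session Manager\kernel - copy-pasted from the SEHOP entry above -
  # where LSA never reads it, so the action silently did nothing.
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f
  # 1 is the Windows default; revert restores it instead of writing 0, which would open
  # anonymous SAM enumeration (user-name harvesting for password spraying).
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f
-
  name: Restrict anonymous access to Named Pipes and Shares
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f
  # 1 is the Windows default; the previous revert wrote 0, which re-enables null-session access.
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f
-
  category: Disable unsafe features
  children:
    -
      name: Disable unsafe SMBv1 protocol
      recommend: standard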
docs: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 code: |- dism /online /Disable-Feature /FeatureName:"SMB1Protocol" /NoRestart dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart revertCode: |- dism /online /Enable-Feature /FeatureName:"SMB1Protocol" /NoRestart dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart - name: Disable PowerShell 2.0 against downgrade attacks recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637 code: |- dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart revertCode: |- dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart - name: Disable the Windows Connect Now wizard recommend: standard docs: - https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now - https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698 code: |- reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" 
/t REG_DWORD /d 0 /f # NOTE(review): this revertCode does not restore the OS default (no WCN policy keys at all); it leaves the policy "Enabled" with every individual registrar still disabled, i.e. WCN stays blocked after a revert. The other policy entries in this file revert with "reg delete"; consider doing the same here. revertCode: |- reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f - category: Increase cryptography on IIS # These SCHANNEL settings are system-wide: they govern every Schannel consumer on the machine (IIS, RDP, WinRM over HTTPS, LDAPS, .NET/WinHTTP clients), not only IIS. Test compatibility with the peers this host must talk to before applying them on a server. children: - name: Increase Diffie-Hellman key (DHK) exchange to 4096-bit # 0x1000 = 4096 bits; this key governs finite-field DHE suites (ECDHE is configured separately). ⚠️ Many peers still use 2048-bit DH groups: ClientMinKeyBitLength=4096 makes outbound DHE handshakes to such servers fail, and ServerMinKeyBitLength=4096 only works if local services are configured with a 4096-bit group. 2048 (0x800) is the commonly recommended minimum; raise it only when every peer is known to support the larger group. code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ServerMinKeyBitLength /t REG_DWORD /d 0x00001000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00001000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v Enabled /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f - name: Disable RC2 cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v "Enabled" /f - name: Disable RC4 cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v "Enabled" /f - name: Disable DES cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete 
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v "Enabled" /f - name: Disable 3DES (Triple DES) cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" /f - name: Disable MD5 hash function code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v "Enabled" /f - name: Disable SHA1 # "Hashes\SHA" is the SHA-1 HMAC used inside TLS cipher suites; it does not control SHA-1 certificate signatures. ⚠️ Every TLS 1.0/1.1 suite and every TLS 1.2 *_SHA suite depends on it, so disabling it leaves only the SHA-256/SHA-384 (AEAD) suites. Pair it with the "Disable TLS 1.0/1.1" entries below and check what remains with "Get-TlsCipherSuite" before rolling out. code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /v "Enabled" /f - name: Disable null cipher code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v "Enabled" /f - name: Force not to respond to renegotiation requests # AllowInsecureRenego*=0 rejects peers that do not support RFC 5746 secure renegotiation (mitigates the 2009 renegotiation MITM); DisableRenegoOnServer=1 refuses server-side renegotiation altogether, which some client-certificate-on-demand setups rely on. UseScsvForTls=1 advertises RFC 5746 support via the SCSV instead of the extension. code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoClients /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoServers /t REG_DWORD /d 0x00000000 reg add
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v DisableRenegoOnServer /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v UseScsvForTls /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnServer" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f - name: Disable DTLS 1.0 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "DisabledByDefault" /f - name: Disable DTLS 1.1 # DTLS 1.1 was never defined: the protocol went from DTLS 1.0 straight to DTLS 1.2 (RFC 6347) to align with TLS 1.2. Schannel has no "DTLS 1.1" protocol and ignores this key, so this entry is a harmless no-op kept only for symmetry with the TLS entries. code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v Enabled /t REG_DWORD /d
0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f - name: Enable DTLS 1.3 # NOTE(review): the earlier claim that Windows 10 / Windows Server 1903+ support DTLS 1.3 could not be verified; Microsoft's Schannel protocol list documents DTLS 1.0 and DTLS 1.2 only, and Schannel ignores Protocols keys it does not implement. Treat this entry as a forward-looking no-op and confirm against the target OS build before relying on it. Also note that no entry in this section enables DTLS 1.2, the DTLS version current Windows actually offers, so disabling DTLS 1.0 above should be paired with checking that DTLS 1.2 is still available. code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f reg delete
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f - name: Disable TLS 1.0 docs: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls # Older .NET Framework applications default to TLS 1.0 unless SchUseStrongCrypto and SystemDefaultTlsVersions are set, so those values are written here as well; without them disabling TLS 1.0 would break such apps instead of moving them to TLS 1.2. ⚠️ The "Client" keys affect every outbound Schannel connection from this machine (RDP, WinHTTP, LDAPS), not only services listening on it. NOTE(review): the same .NET values are also written by the separate "Enabling Strong Authentication for .NET applications (TLS 1.2)" entry below, and this entry's revertCode deletes them, so reverting this entry alone silently undoes that one too. Consider keeping the .NET values only in the dedicated entry. code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add
"HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete 
"HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - name: Disable TLS 1.1 # ⚠️ Together with "Disable TLS 1.0", this leaves TLS 1.2 as the only protocol on builds without TLS 1.3 (see the next entry). Confirm every endpoint this machine must reach supports TLS 1.2 before applying the Client keys. code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f - name: Enable TLS 1.3 # Schannel implements TLS 1.3 only on Windows 11 / Windows Server 2022 and later, where it is already enabled by default; on earlier builds this key is ignored and TLS 1.2 remains the highest version available. code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 revertCode: |- reg delete
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f - name: Enabling Strong Authentication for .NET applications (TLS 1.2) docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications code: |- reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD 
/d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - name: Disable SSLv2 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete 
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f - name: Disable SSLv3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f - category: Privacy over security children: - category: Disable Windows Defender docs: https://en.wikipedia.org/wiki/Windows_Firewall # See defender status: Get-MpComputerStatus children: - category: Disable Windows Defender Firewall # Also known as Windows Firewall, Microsoft Defender Firewall children: - name: Disable Firewall through command-line utility # ❗️ Following must be 
enabled and in running state: # - mpsdrv (Windows Defender Firewall Authorization Driver) # - bfe (Base Filtering Engine) # - mpssvc (Windows Defender Firewall) # If the dependent services are not running, the script fails with: # "An error occurred while attempting to contact the Windows Defender Firewall service. Make sure that the service is running and try your request again." # Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc docs: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: function: RunPowerShell parameters: code: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state off 2>&1 if($?) { Write-Host "Successfully disabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' } else { throw "Cannot disable: $message" } } revertCode: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state on 2>&1 if($?) { Write-Host "Successfully enabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' 
} else { throw "Cannot enable: $message" } } - name: Disable Firewall through registry # Lower-level, good in case command-line utility is not available/functioning docs: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 code: |- :: Policy based reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f :: Non-policy based reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f # When reverting HKLM\SOFTWARE\Policies profiles are deleted as they are not included in clean installation # 
On the other hand "StandardProfile", "DomainProfile" and "PublicProfile" exist under HKLM\SYSTEM\CurrentControlSet on a clean install, # so they are not deleted but set back to the default (enabled) state revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy :: Policy based reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /f 2>nul :: Non-policy based reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - name: Disable Microsoft Defender Antivirus # Deprecated: per the linked Microsoft docs, DisableAntiSpyware is ignored on current Defender platform versions, and since Windows 10 version 1903 Tamper Protection (on by default) blocks this kind of registry change, so this entry may have no effect unless tamper protection is turned off first. ⚠️ Where it does take effect it removes real-time malware protection entirely; only use it on hosts covered by another AV/EDR control. docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpyware code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul - category: Disable Defender features # Status: Get-MpPreference children: - category: Disable Windows Defender Antivirus cloud protection service 
docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus # Also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet children: - category: Disable cloud protection service features children: - name: Turn off block at first sight docs: # What is block at first sight? How does it work? How to turn on/off? - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul - name: Set maximum time possible for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v 
"MpBafsExtendedTimeout" /f 2>nul - name: Set lowest possible cloud protection level # Requires "Join Microsoft MAPS" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul - name: Disable receiving notifications to disable security intelligence # Requires "Join Microsoft MAPS" docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul - category: Disable Defender cloud export for analysis children: - name: Turn off Windows Defender SpyNet reporting recommend: strict docs: - https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713 # Manage with registry policy - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting # Managing with MDM policy - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#mapsreporting call: # 0: Disabled, 1: Basic, 2: Advanced (default) - function: SetMpPreference parameters: property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting value: "'0'" # 
Set: Set-MpPreference -Force -MAPSReporting 0 default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /f 2>nul - name: Do not send file samples for further analysis recommend: strict docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent call: # 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically' - function: SetMpPreference parameters: property: SubmitSamplesConsent # Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2 default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 1 (OS default) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /f 2>nul - name: Disable Malicious Software Reporting tool diagnostic data recommend: strict docs: 
https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul - name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS" recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul - name: Disable the Potentially Unwanted Application (PUA) feature # Already disabled as default docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | 
Set-MpPreference -Force -PUAProtection 0 - function: RunInlineCode parameters: code: |- :: For legacy versions: Windows 10 v1809 and Windows Server 2019 reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f :: For newer Windows versions reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f revertCode: |- :: For legacy versions: Windows 10 v1809 and Windows Server 2019 reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /f 2>nul :: For newer Windows versions reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul - name: Turn off tamper protection # Added in Windows 10, version 1903 docs: - https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10 - https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-tamperprotection call: - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2) # ❌ Fails with "ERROR: Access is denied." in Windows 11 21H2 | ✅ Works in Windows 10 >= 20H2 parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /f 2>nul - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." 
(>= 20H2) parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /f 2>nul - name: Disable file hash computation feature # Added in Windows 10, version 2004 docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul - category: Disable Windows Defender Exploit Guard docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ children: - name: Disable prevention of users and apps from accessing dangerous websites docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul - name: Disable Controlled folder access docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess - 
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f 2>nul - category: Disable Network Inspection System features children: - name: Disable protocol recognition docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /f 2>nul - name: Disable definition retirement docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul - name: Limit detection events rate to minimum docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /f 2>nul - category: Disable Real-Time protection children: - name: 
Disable real-time monitoring docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring call: # Enabled by default (DisableRealtimeMonitoring is false) - function: SetMpPreference parameters: property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /f 2>nul - name: Disable Intrusion Prevention System (IPS) docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem call: - function: SetMpPreference parameters: property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem value: $True # Set: Set-MpPreference -Force 
-DisableIntrusionPreventionSystem $True # ❌ Windows 11 and Windows 10: Does not fail but does not change the value default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False # ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /f 2>nul - name: Disable Information Protection Control (IPC) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /f 2>nul - category: Disable Defender monitoring of behavior children: - name: Disable behavior monitoring docs: - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring call: - function: SetMpPreference parameters: property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | 
Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /f 2>nul - name: Disable sending raw write notifications to behavior monitoring docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /f 2>nul - category: Disable Defender monitoring of downloaded files and attachments children: - name: Disable scanning for all downloaded files and attachments docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection call: - function: SetMpPreference parameters: property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" 
/t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /f 2>nul - name: Disable scanning files bigger than 1 KB (minimum possible) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul - category: Disable Defender monitoring of file and program activity children: - name: Disable monitoring file and program activity docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul - name: Disable bidirectional scanning of incoming and outgoing file and program activity docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection call: # 0='Both': bi-directional (full on-access, default) # 1='Incoming': scan only incoming (disable on-open) # 2='Outcoming': scan only outgoing (disable on-close) - function: SetMpPreference parameters: property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection value: 
"'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul - name: Disable process scanning on real-time protection docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /f 2>nul - category: Disable Defender remediation children: - name: Disable routine remediation docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#admx-microsoftdefenderantivirus-disableroutinelytakingaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul - name: Disable running scheduled auto-remediation docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - 
https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday call: # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 - name: Disable remediation actions docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 call: # Not using ThreatIdDefaultAction as it requires known threat IDs - function: SetMpPreference # https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction parameters: property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction # Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value): # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. # E.g. 
if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 # Default: 0 (none) # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` # works on both Windows 10 and Windows 11 - function: RunInlineCode parameters: code: |- reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f :: 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition) reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f revertCode: |- reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul 
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul - name: Auto-purge items from Quarantine folder docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay call: # Values: # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 # Minimum: 1 # 0 means indefinitely - function: SetMpPreference parameters: property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /f 2>nul - name: Disable always running antimalware service docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul # - Too good to disable, also no reported privacy issues # category: Disable Windows Defender Device Guard and Credential Guard # docs: 
https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 # children: # - # name: Disable LSA protection (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection # - https://itm4n.github.io/lsass-runasppl/ # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # code: |- # reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f # reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f # revertCode: |- # Already disabled by default, so just delete the keys # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f 2>nul # reg delete "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /f 2>nul # - # name: Disable virtualization-based security (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity # code: |- # :: Virtualization features # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul # :: Lock # 
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul # :: HypervisorEnforcedCodeIntegrity # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f 2>nul # revertCode: |- # :: Virtualization features # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul # :: Lock # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul # :: HypervisorEnforcedCodeIntegrity # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul # - # name: Disable System Guard Secure Launch # docs: # - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch # code: |- # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 2 /f # reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 0 /f # revertCode: |- # reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /f 2>nul # 
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /f 2>nul # - # name: Disable Windows Defender Application Control Code Integrity Policy # docs: # - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # code: |- # del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 0 /f # revertCode: |- # reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /v "Enabled" /f 2>nul - name: Disable auto-exclusions docs: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions call: - function: SetMpPreference parameters: property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False setDefaultOnWindows11: true # `Remove-MpPreference` has no affect (does not change the value) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f revertCode: reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /f 2>nul - category: Disable Defender scans children: - category: Disable scan actions children: - name: Disable checking for signatures before scan # Default configuration docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan call: - function: SetMpPreference parameters: property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - function: RunInlineCode parameters: # Default: Does not exist code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul - name: Disable creating system restore point on a daily basis # Default behavior docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint call: - function: SetMpPreference parameters: property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint value: $True # Set: Set-MpPreference 
-Force -DisableRestorePoint $True default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul - name: Set minumum time for keeping files in scan history folder docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay call: # Default is 15, minimum is 0 which means never removing items - function: SetMpPreference parameters: property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /f 2>nul - category: Disable catch-up scans children: - name: Set maximum days before a catch-up scan is forced docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup # Default and minumum is 2, maximum is 20 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f revertCode: reg delete 
"HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /f 2>nul - name: Disable catch-up full scans # Disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan call: - function: SetMpPreference parameters: property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul - name: Disable catch-up quick scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan call: - function: SetMpPreference parameters: property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True - function: RunInlineCode parameters: code: reg add 
"HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul - category: Turn off scan options children: - name: Disable scan heuristics docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul - category: Limit CPU usage during scans children: - name: Limit CPU usage during scans to minimum docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor call: # Default: 50, minimum 1 - function: SetMpPreference parameters: property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul - name: Limit CPU usage during idle scans to minimum docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: property: DisableCpuThrottleOnIdleScans # Status: 
Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul - name: Disable scanning when not idle # Default OS setting docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled call: - function: SetMpPreference parameters: property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul - name: Disable scheduled On Demand anti malware scanner (MRT) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /f 2>nul - category: Limit scanned areas children: - name: Disable e-mail scanning # Disabled by default docs: - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning call: - function: SetMpPreference parameters: property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /f 2>nul - name: Disable script scanning docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning call: function: SetMpPreference parameters: property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False - name: Disable reparse point scanning docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f revertCode: reg delete 
"HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul - name: Disable scanning on mapped network drives on full-scan docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul - function: SetMpPreference parameters: property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True - name: Disable scanning network files docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" 
/v "DisableScanningNetworkFiles" /f 2>nul - function: SetMpPreference parameters: property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False - name: Disable scanning packed executables docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /f 2>nul - category: Disable scanning archive files children: - name: Disable scanning archive files docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul - function: SetMpPreference parameters: property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False - name: Limit depth for scanning archive files to minimum docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul - name: Limit file size for archive files to be scanned to minimum docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul - name: Disable scanning removable drives docs: # Disabled by default - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul - function: SetMpPreference parameters: property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True - category: Disable auto-scans children: - name: Disable scheduled scans docs: - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday call: # Options are: # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' - name: Disable randomizing scheduled task times docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul - function: SetMpPreference parameters: property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object 
-Property RandomizeScheduleTaskTimes value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True - name: Disable scheduled full-scans docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters call: # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul - function: SetMpPreference parameters: property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' setDefaultOnWindows11: true # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 - name: Limit how many times quick scans run per day docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul - name: Disable scanning after security intelligence 
(signature) update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul - category: Limit Defender updates children: - category: Disable Defender Security Intelligence (signature) updates children: - name: Disable forced security intelligence (signature) updates from Microsoft Update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /f 2>nul - name: Disable security intelligence (signature) updates when running on battery power docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul - name: Disable checking for the latest virus and spyware security intelligence (signature) on startup docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v 
"UpdateOnStartUp" /f 2>nul - name: Disable catch-up security intelligence (signature) updates # default is one day docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval call: # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul - function: SetMpPreference parameters: property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0' default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' - name: Limit spyware security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when spyware security intelligence (signature) is considered up-to-date docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul - name: Limit virus security intelligence (signature) updates # 
default is one day, recommended is 7 days # Maximize period when virus security intelligence (signature) is considered up-to-date docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /f 2>nul - name: Disable security intelligence (signature) update on startup docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul - function: SetMpPreference parameters: property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False - name: Disable automatically checking security intelligence (signature) updates # Already disabled by default docs: - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday call: # Options: # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' - name: Limit update checks for security intelligence (signature) updates docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval call: # Valid values range from 1 (every hour) to 24 (once per day). 
# If not specified (0), Windows Defender checks at the default interval - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul - function: SetMpPreference parameters: property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24' default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0' - category: Disable alternate definition updates children: - name: Disable definition updates through both WSUS and the Microsoft Malware Protection Center docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul - name: Disable definition updates through both WSUS and Windows Update docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul - name: Limit Defender updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: 
SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - name: Limit Defender engine updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad' # Valid values: # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" - name: Limit Defender platform updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' # Valid values: # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | 
Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" - name: Limit Defender definition updates to those that complete gradual release cycle docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) function: SetMpPreference parameters: property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel # Its former name was "SignaturesUpdatesChannel" value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' # 0 = 'NotConfigured' (default), 'Beta', 'Preview', 'Broad', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - category: Disable Windows Defender reporting children: - name: Disable Windows Defender logging code: |- reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f revertCode: |- # 1 as default in registry reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f - name: Disable ETW Provider of Windows Defender (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-views code: |- reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f revertCode: |- # 1 as default in registry reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f - name: Do not send Watson events # Deprecated since February 2015 update http://support.microsoft.com/kb/3036437 docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul - name: Send minimum Windows software trace preprocessor (WPP Software Tracing) levels docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /f 2>nul - name: Disable auditing events in Microsoft Defender Application Guard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview code: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul - category: Remove Defender from UI children: - name: Hide Windows Defender Security Center icon docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f 2>nul - name: Remove "Scan with Windows Defender" option from context menu docs: - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/ - https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html code: |- reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f 2>nul reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul revertCode: |- reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f reg add "HKCR\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d 
"{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f - name: Remove Windows Defender Security Center from taskbar docs: https://www.alfintechcomputer.com/what-is-securityhealthsystray-exe-windows-security-notification-icon/ code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809 revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f - category: Hide Defender UI children: - name: Enable headless UI mode docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul - name: Restrict threat history to administrators docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode call: - function: SetMpPreference parameters: property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." 
(>= 20H2) parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul - category: Hide areas in Windows Defender Security Center children: - name: Hide the "Virus and threat protection" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul - name: Hide the "Ransomware data recovery" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul - name: Hide the "Family options" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul - name: Hide the "Device performance and health" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown code: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul - name: Hide the "Account protection" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul - name: Hide the "App and browser protection" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul - category: Hide the Device security areas children: - name: Hide the Device security area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul - name: Disable the Clear TPM button docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v 
"DisableClearTpmButton" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul - name: Disable the Secure boot area button docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul - name: Hide the Security processor (TPM) troubleshooter page docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul - name: Hide the TPM Firmware Update recommendation docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul - name: Hide the "Firewall and network protection" area docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FirewallNetworkProtection_UILockdown code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t 
REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul - category: Hide Windows Defender notifications children: - category: Hide Windows Defender Security Center notifications docs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications children: - name: Hide all notifications docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disablenotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul - name: Hide non-critical notifications docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disableenhancednotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender 
Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul - name: Disable Windows Action Center security and maintenance notifications # For Windows 10 build 1607 and above docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f 2>nul - name: Disable all Windows Defender Antivirus notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress code: |- reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul reg delete "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul - name: Suppress reboot notifications docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul - category: Disable OS components for Defender # Hackers way of disabling Defender children: - category: Disable Defender tasks children: - name: Disable Windows Defender ExploitGuard task docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ code: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable - name: Disable Windows Defender Cache Maintenance task # Cache Maintenance is the storage for temporary files that are being either quarantined by Windows Defender # or being checked. Running this will clear the Cache. docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable - name: Disable Windows Defender Cleanup task docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae # Periodic cleanup task # Clears up files that are not needed anymore by Windows Defender. 
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable - name: Disable Windows Defender Scheduled Scan task # Does not exist in Windows 11 docs: - https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d - https://winbuzzer.com/2020/05/26/windows-defender-how-to-perform-a-scheduled-scan-in-windows-10-xcxwbt/ code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable 2>nul - name: Disable Windows Defender Verification task # Check if there are any problems with your Windows Defender like in updates, system files, etc,. # Creates daily restore points docs: - https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae - https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 - https://www.windowsphoneinfo.com/threads/same-problems-with-windows-defender-verification-and-scan-tasks.121489/#Same_problems_with_Windows_Defender_Verification_and_Scan_Tasks code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable 2>nul revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable - category: Disable Defender services and drivers # Normally users can disable services on GUI or using commands like "sc config" # However Defender services are protected with different ways # 1. Some cannot be disabled (access error) normally but only with DisableServiceInRegistry # 2. 
Some cannot be disabled even using DisableServiceInRegistry, must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller children: - name: Disable Windows Defender Firewall service (breaks Microsoft Store and `netsh advfirewall` CLI) docs: - http://batcmd.com/windows/10/services/mpssvc/ - https://en.wikipedia.org/wiki/Windows_Firewall # More information about MpsSvc: - https://web.archive.org/web/20110203202612/http://technet.microsoft.com/en-us/library/dd364391(v=WS.10).aspx # More information about boot time protection and stopping the firewall service: - https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx # Stopping the service associated with Windows Firewall is not supported by Microsoft: - https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx # ❗️ Breaks Microsoft Store # Can no longer update nor install apps, they both fail with 0x80073D0A # Also breaks some of Store apps such as Photos: # - https://answers.microsoft.com/en-us/windows/forum/all/microsoft-store-windows-defender-windows-firewall/f2f68cd7-64ec-4fe1-ade4-9d12cde057f9 # - https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 # > The MpsSvc service host much more functionality than just windows firewall. For instance, Windows # Service hardening which is a windows protection of system services. It also host network isolatio # which is a crucial part of the confidence model for Windows Store based applications. 3rd party firewalls # know this fact and instead of disabling the firewall service they coordinate through public APIs with Windows # Firewall so that they can have ownership of the firewall policies of the computer. Hence you do not have to do # anything special once you install a 3rd party security product. 
# Source: https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ # ❗️ Breaks: `netsh advfirewall set` # Disabling and stopping it breaks "netsh advfirewall set" commands such as # `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`. # More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: MpsSvc # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc").Start defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual - function: RenameSystemFile parameters: filePath: '%WinDir%\system32\mpssvc.dll' - name: Disable Windows Defender Antivirus service # ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` docs: http://batcmd.com/windows/10/services/windefend/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WinDefend" >nul & sc config "WinDefend" start=disabled revertCode: sc config "WinDefend" start=auto & sc start "WinDefend" >nul # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%ProgramFiles%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
- category: Disable kernel-level Windows Defender drivers children: - name: Disable Windows Defender Firewall Authorization Driver service (breaks `netsh advfirewall` CLI) docs: - http://batcmd.com/windows/10/services/mpsdrv/ # ❗️ Breaks: `netsh advfirewall set` # Disabling and stopping it breaks "netsh advfirewall set" commands such as # `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`. # More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: mpsdrv # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv").Start defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\mpsdrv.sys' # - Skipping wdnsfltr "Windows Defender Network Stream Filter Driver" as it's Windows 1709 only - name: Disable Microsoft Defender Antivirus Network Inspection System Driver service docs: http://batcmd.com/windows/10/services/wdnisdrv/ call: - function: RunInlineCodeAsTrustedInstaller parameters: # "net stop" is used to stop dependend services as well, "sc stop" fails code: net stop "WdNisDrv" /yes >nul & sc config "WdNisDrv" start=disabled revertCode: sc config "WdNisDrv" start=demand & sc start "WdNisDrv" >nul - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\WdNisDrv.sys' # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdNisDrv.sys' - name: Disable Microsoft Defender Antivirus Mini-Filter Driver service docs: - https://www.n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - http://batcmd.com/windows/10/services/wdfilter/ call: - 
function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdFilter" >nul & sc config "WdFilter" start=disabled revertCode: sc config "WdFilter" start=boot & sc start "WdFilter" >nul - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\WdFilter.sys' # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdFilter.sys' - name: Disable Microsoft Defender Antivirus Boot Driver service docs: http://batcmd.com/windows/10/services/wdboot/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdBoot" >nul & sc config "WdBoot" start=disabled revertCode: sc config "WdBoot" start=boot & sc start "WdBoot" >nul - function: RenameSystemFile parameters: filePath: '%SystemRoot%\System32\drivers\WdBoot.sys' # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%SystemRoot%\System32\drivers\wd\WdBoot.sys' - name: Disable Microsoft Defender Antivirus Network Inspection service docs: - http://batcmd.com/windows/10/services/wdnissvc/ - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdNisSvc" >nul & sc config "WdNisSvc" start=disabled revertCode: sc config "WdNisSvc" start=auto & sc start "WdNisSvc" >nul # - # "Access is denied" when renaming file # function: RenameSystemFile # parameters: # filePath: '%ProgramFiles%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
- name: Disable Windows Defender Advanced Threat Protection Service service docs: http://batcmd.com/windows/10/services/sense/ call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: Sense # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense").Start defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual - function: RenameSystemFile parameters: filePath: '%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe' - name: Disable Windows Defender Security Center Service docs: http://batcmd.com/windows/10/services/securityhealthservice/ call: - # Windows 10: # ❌ Cannot disable through sc config as Administrator; throws "Access is denied" # ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works # ✅ Can disable using registry as TrustedInstaller # Windows 11: # ❌ Cannot disable through sc config as administrator; throws "Access is denied" # ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed." 
# ✅ Can disable using registry as TrustedInstaller function: RunInlineCodeAsTrustedInstaller parameters: code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 3 /f - function: RenameSystemFile parameters: filePath: '%WinDir%\system32\SecurityHealthService.exe' - category: Disable SmartScreen docs: - https://en.wikipedia.org/wiki/Microsoft_SmartScreen - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview children: - category: Disable SmartScreen for apps and files children: - name: Disable SmartScreen for apps and files docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /f 2>nul - name: Disable SmartScreen in file explorer docs: - https://winaero.com/change-windows-smartscreen-settings-windows-10/ - https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul - name: Disable SmartScreen preventing users from running applications docs: - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /f 2>nul - category: Disable SmartScreen in Microsoft browsers children: - name: Prevent Chromium Edge SmartScreen from blocking potentially unwanted apps docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /f 2>nul - name: Disable SmartScreen in Edge docs: - https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ # Privacy concerns - https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen - https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreen-settings - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713 - https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v 
"PreventOverride" /t REG_DWORD /d "0" /f :: For Microsoft Edge version 77 or later reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul :: For Microsoft Edge version 77 or later reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /f 2>nul - name: Disable SmartScreen in Internet Explorer docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 code: reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /f 2>nul - category: Disable SmartScreen for Windows Store apps children: - name: Turn off SmartScreen App Install Control feature docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen - 
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen code: |- reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f revertCode: |- reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul - name: Turn off SmartScreen to check web content (URLs) that apps use docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul - name: Disable automatic updates docs: - https://docs.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152 - http://batcmd.com/windows/10/services/usosvc/ call: - function: RunInlineCode parameters: code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "3" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul - function: DisableService parameters: serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - category: UI for privacy children: - name: Disable lock screen app notifications recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687 - category: Disable online content in explorer children: - name: Disable online tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f - name: Turn off Internet File Association service recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f revertCode: reg 
add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f - name: Turn off the "Order Prints" picture task recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2 - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f - name: Disable the file and folder Publish to Web option recommend: standard docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f - name: Prevent downloading a list of providers for wizards recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f - category: Recent documents children: - name: Do not keep history of recently opened documents recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t 
REG_DWORD /d 0 /f - name: Clear history of recently opened documents on exit recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 0 /f - name: Disable Live Tiles push notifications recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f - name: Turn off "Look For An App In The Store" option recommend: standard docs: - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f - name: Do not show recently used files in Quick Access recommend: strict docs: - https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent - https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5 - https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node code: |- reg add 
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t "REG_DWORD" /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f ) revertCode: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d "1" /t "REG_DWORD" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f ) - name: Disable Sync Provider Notifications code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f - name: Turn hibernate off to disable sleep for quick start docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/compact-os#ram-pagefilesys-and-hiberfilsys code: powercfg -h off revertCode: powercfg -h on - name: Enable camera on/off OSD notifications docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled - https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5 - https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v 
"NoPhysicalCameraLED" /d 1 /t REG_DWORD /f revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f - category: Hide from This PC and Browse in dialog boxes children: - name: 3D Objects code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Desktop code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Documents code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add 
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Downloads code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Movies code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add 
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Music code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Pictures code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - category: Disable OS services children: - name: Delivery Optimization (P2P Windows Updates) recommend: standard docs: http://batcmd.com/windows/10/services/dosvc/ call: function: DisableService parameters: serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType 
defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Microsoft Windows Live ID Service recommend: standard docs: http://batcmd.com/windows/10/services/wlidsvc/ call: function: DisableService parameters: serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Program Compatibility Assistant Service recommend: standard docs: http://batcmd.com/windows/10/services/pcasvc/ call: function: DisableService parameters: serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Downloaded Maps Manager recommend: standard docs: http://batcmd.com/windows/10/services/mapsbroker/ call: function: DisableService parameters: serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Microsoft Retail Demo experience recommend: standard docs: http://batcmd.com/windows/10/services/retaildemo/ call: function: DisableService parameters: serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Mail, contact, calendar and user data synchronization children: - name: User Data Storage (UnistoreSvc) Service docs: http://batcmd.com/windows/10/services/unistoresvc/ recommend: strict call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start serviceName: UnistoreSvc defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: Sync Host (OneSyncSvc) Service docs: http://batcmd.com/windows/10/services/onesyncsvc/ recommend: strict call: function: DisablePerUserService parameters: # Check 
(system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start serviceName: OneSyncSvc defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - name: Contact data indexing docs: http://batcmd.com/windows/10/services/pimindexmaintenancesvc/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_*").Start serviceName: PimIndexMaintenanceSvc defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: App user data access docs: http://batcmd.com/windows/10/services/userdatasvc/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start serviceName: UserDataSvc defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: Text messaging docs: http://batcmd.com/windows/10/services/messagingservice/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start serviceName: MessagingService defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: Windows Push Notification Service recommend: standard docs: https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue call: function: DisableService parameters: serviceName: WpnService # Check: (Get-Service 
-Name 'WpnService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - category: Disable Xbox services children: - name: Xbox Live Auth Manager recommend: standard call: function: DisableService parameters: serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Xbox Live Game Save recommend: standard call: function: DisableService parameters: serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Xbox Live Networking Service recommend: standard call: function: DisableService parameters: serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Volume Shadow Copy Service (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC recommend: strict docs: - https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service - https://www.schneier.com/blog/archives/2009/12/the_security_im.html call: function: DisableService parameters: serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable NetBios for all interfaces docs: - https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ - https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5f3c095-1ad2-4963-b075-787f800b81f2/ call: function: RunPowerShell parameters: code: |- $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces' Get-ChildItem $key | ForEach { Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose } revertCode: |- $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces' Get-ChildItem $key | ForEach { Set-ItemProperty -Path 
"$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose } - category: Remove bloatware children: - category: Uninstall Windows store apps docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 children: - category: Uninstall provisioned Windows apps docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#provisioned-windows-apps children: - name: App Connector app recommend: strict docs: https://superuser.com/a/1003226 call: function: UninstallStoreApp parameters: packageName: Microsoft.Appconnector # Discontinued after Windows 10 1511 - category: Uninstall 3D modeling apps children: - name: Microsoft 3D Builder app docs: https://www.microsoft.com/en-us/p/3d-builder/9wzdncrfj3t6 call: function: UninstallStoreApp parameters: packageName: Microsoft.3DBuilder - name: 3D Viewer app docs: https://www.microsoft.com/en-us/p/3d-viewer/9nblggh42ths call: function: UninstallStoreApp parameters: packageName: Microsoft.Microsoft3DViewer - category: Uninstall MSN (Bing) apps children: - name: MSN Weather app docs: https://www.microsoft.com/en-us/p/msn-weather/9wzdncrfj3q2 recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.BingWeather - name: MSN Sports app recommend: standard docs: https://www.microsoft.com/en-us/p/msn-sports/9wzdncrfhvh4 call: function: UninstallStoreApp parameters: packageName: Microsoft.BingSports - name: MSN News app recommend: standard docs: https://www.microsoft.com/en-us/p/microsoft-news/9wzdncrfhvfw call: function: UninstallStoreApp parameters: packageName: Microsoft.BingNews - name: MSN Money app recommend: standard docs: https://www.microsoft.com/en-us/p/msn-money/9wzdncrfhv4v call: function: UninstallStoreApp parameters: packageName: Microsoft.BingFinance - name: Uninstall Cortana app recommend: standard docs: https://www.microsoft.com/en-us/p/msn-money/9wzdncrfhv4v call: function: UninstallStoreApp parameters: packageName: 
Microsoft.549981C3F5F10 - name: App Installer app docs: https://www.microsoft.com/en-us/p/app-installer/9nblggh4nns1 call: function: UninstallStoreApp parameters: packageName: Microsoft.DesktopAppInstaller - name: Get Help app docs: https://www.microsoft.com/en-us/p/get-help/9nblgggzhtbj call: function: UninstallStoreApp parameters: packageName: Microsoft.GetHelp - name: Microsoft Tips app docs: https://www.microsoft.com/en-us/p/microsoft-tips/9wzdncrdtbjj call: function: UninstallStoreApp parameters: packageName: Microsoft.Getstarted - category: Extensions children: - name: HEIF Image Extensions app docs: https://www.microsoft.com/en-us/p/heif-image-extensions/9pmmsr1cgpwg call: function: UninstallStoreApp parameters: packageName: Microsoft.HEIFImageExtension - name: VP9 Video Extensions app docs: https://www.microsoft.com/en-us/p/vp9-video-extensions/9n4d0msmp0pt call: function: UninstallStoreApp parameters: packageName: Microsoft.VP9VideoExtensions - name: Web Media Extensions app docs: https://www.microsoft.com/en-us/p/web-media-extensions/9n5tdp8vcmhs call: function: UninstallStoreApp parameters: packageName: Microsoft.WebMediaExtensions - name: Webp Image Extensions app docs: https://www.microsoft.com/en-us/p/webp-image-extensions/9pg2dk419drg call: function: UninstallStoreApp parameters: packageName: Microsoft.WebpImageExtension - name: Microsoft Messaging app docs: https://www.microsoft.com/en-us/p/microsoft-messaging/9wzdncrfjbq6 call: function: UninstallStoreApp parameters: packageName: Microsoft.Messaging - name: Mixed Reality Portal app docs: https://www.microsoft.com/en-us/p/mixed-reality-portal/9ng1h8b3zc7m call: function: UninstallStoreApp parameters: packageName: Microsoft.MixedReality.Portal - category: Uninstall Microsoft Office apps children: - name: My Office app recommend: standard docs: https://www.microsoft.com/en-us/p/my-office-app/9n8vd0f315mh call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftOfficeHub - name: 
OneNote app docs: https://www.microsoft.com/en-us/p/onenote-for-windows-10/9wzdncrfhvjl call: function: UninstallStoreApp parameters: packageName: Microsoft.Office.OneNote - name: Sway app docs: https://www.microsoft.com/en-us/p/sway/9wzdncrd2g0j call: function: UninstallStoreApp parameters: packageName: Microsoft.Office.Sway - name: Feedback Hub app recommend: standard docs: https://www.microsoft.com/en-us/p/feedback-hub/9nblggh4r32n call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsFeedbackHub - name: Windows Alarms and Clock app docs: https://www.microsoft.com/en-us/p/windows-alarms-clock/9wzdncrfj3pr call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsAlarms - name: Windows Camera app docs: https://www.microsoft.com/en-us/p/windows-camera/9wzdncrfjbbg call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsCamera - name: Paint 3D app docs: https://www.microsoft.com/en-us/p/paint-3d/9nblggh5fv99 call: function: UninstallStoreApp parameters: packageName: Microsoft.MSPaint - name: Windows Maps app recommend: standard docs: https://www.microsoft.com/en-us/p/windows-maps/9wzdncrdtbvb call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsMaps - name: Minecraft for Windows 10 app docs: https://www.microsoft.com/en-us/p/minecraft-for-windows-10/9nblggh2jhxj call: function: UninstallStoreApp parameters: packageName: Microsoft.MinecraftUWP - name: Microsoft Store app call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsStore - name: Microsoft People app docs: https://www.microsoft.com/en-us/p/microsoft-people/9nblggh10pg8 call: function: UninstallStoreApp parameters: packageName: Microsoft.People - name: Microsoft Pay app call: function: UninstallStoreApp parameters: packageName: Microsoft.Wallet - name: Store Purchase app docs: 
https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps call: function: UninstallStoreApp parameters: packageName: Microsoft.StorePurchaseApp - name: Snip & Sketch app docs: https://www.microsoft.com/en-us/p/snip-sketch/9mz95kl8mr0l call: function: UninstallStoreApp parameters: packageName: Microsoft.ScreenSketch - name: Print 3D app docs: https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s call: function: UninstallStoreApp parameters: packageName: Microsoft.Print3D - name: Mobile Plans app docs: https://www.microsoft.com/en-us/p/mobile-plans/9nblggh5pnb1 call: function: UninstallStoreApp parameters: packageName: Microsoft.OneConnect - name: Microsoft Solitaire Collection app docs: https://www.microsoft.com/en-us/p/microsoft-solitaire-collection/9wzdncrfhwd2 call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftSolitaireCollection - name: Microsoft Sticky Notes app docs: https://www.microsoft.com/en-us/p/microsoft-sticky-notes/9nblggh4qghw call: function: UninstallStoreApp parameters: packageName: Microsoft.MicrosoftStickyNotes - category: Xbox children: - name: Xbox Console Companion app docs: https://www.microsoft.com/en-us/p/xbox-console-companion/9wzdncrfjbd8 recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxApp - name: Xbox Live in-game experience app recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.Xbox.TCUI - name: Xbox Game Bar app docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxGamingOverlay - name: Xbox Game Bar Plugin appcache docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxGameOverlay - name: Xbox Identity Provider app recommend: standard call: 
function: UninstallStoreApp parameters: packageName: Microsoft.XboxIdentityProvider - name: Xbox Speech To Text Overlay app recommend: standard call: function: UninstallStoreApp parameters: packageName: Microsoft.XboxSpeechToTextOverlay - name: Mail and Calendar app docs: https://www.microsoft.com/en-us/p/mail-and-calendar/9wzdncrfhvqm call: function: UninstallStoreApp parameters: packageName: microsoft.windowscommunicationsapps - category: Zune children: - name: Groove Music app docs: https://www.microsoft.com/en-us/p/groove-music/9wzdncrfj3pt call: function: UninstallStoreApp parameters: packageName: Microsoft.ZuneMusic - name: Movies and TV app docs: https://www.microsoft.com/en-us/p/movies-tv/9wzdncrfj3p2 call: function: UninstallStoreApp parameters: packageName: Microsoft.ZuneVideo - name: Windows Calculator app docs: https://www.microsoft.com/en-us/p/windows-calculator/9wzdncrfhvn5 call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsCalculator - name: Microsoft Photos app docs: https://www.microsoft.com/en-us/p/microsoft-photos/9wzdncrfjbh4 call: function: UninstallStoreApp parameters: packageName: Microsoft.Windows.Photos - name: Skype app docs: https://www.microsoft.com/en-us/p/skype/9wzdncrfj364 call: function: UninstallStoreApp parameters: packageName: Microsoft.SkypeApp - name: GroupMe app docs: https://www.microsoft.com/en-us/p/groupme/9nblggh5z4f2 call: function: UninstallStoreApp parameters: packageName: Microsoft.GroupMe10 - name: Windows Voice Recorder app docs: https://www.microsoft.com/en-us/p/windows-voice-recorder/9wzdncrfhwkn call: function: UninstallStoreApp parameters: packageName: Microsoft.WindowsSoundRecorder - category: Phone children: - name: Your Phone Companion app # Depreciated in newer Windows 10 call: - function: UninstallStoreApp parameters: packageName: Microsoft.WindowsPhone - function: UninstallStoreApp parameters: packageName: Microsoft.Windows.Phone - name: Communications - Phone app # Depreciated in 
newer Windows 10 call: function: UninstallStoreApp parameters: packageName: Microsoft.CommsPhone - name: Your Phone app docs: https://www.microsoft.com/en-us/p/your-phone/9nmpj99vjbwv call: function: UninstallStoreApp parameters: packageName: Microsoft.YourPhone - category: Uninstall installed Windows apps docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#installed-windows-apps children: - name: Microsoft Advertising app recommend: standard docs: - https://docs.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries - https://social.msdn.microsoft.com/Forums/windowsapps/en-US/db8d44cb-1381-47f7-94d3-c6ded3fea36f/microsoft-ad-monetization-platform-shut-down-as-of-june-1st?forum=aiamgr call: function: UninstallStoreApp parameters: packageName: Microsoft.Advertising.Xaml - name: Remote Desktop app docs: https://www.microsoft.com/en-us/p/microsoft-remote-desktop/9wzdncrfj3ps?activetab=pivot:overviewtab call: function: UninstallStoreApp parameters: packageName: Microsoft.RemoteDesktop - name: Network Speed Test app recommend: standard docs: https://www.microsoft.com/en-us/p/network-speed-test/9wzdncrfhx52 call: function: UninstallStoreApp parameters: packageName: Microsoft.NetworkSpeedTest - name: Microsoft To Do app docs: https://www.microsoft.com/en-us/p/microsoft-to-do-lists-tasks-reminders/9nblggh5r558 call: function: UninstallStoreApp parameters: packageName: Microsoft.Todos - category: Third party children: - name: Shazam app # Discontinued https://www.windowscentral.com/shazam-pulls-plug-windows-apps call: function: UninstallStoreApp parameters: packageName: ShazamEntertainmentLtd.Shazam - name: Candy Crush Saga app docs: https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846 call: - function: UninstallStoreApp parameters: packageName: king.com.CandyCrushSaga - function: UninstallStoreApp parameters: packageName: king.com.CandyCrushSodaSaga - name: Flipboard app docs: 
https://www.microsoft.com/en-us/p/flipboard/9wzdncrfj32q call: function: UninstallStoreApp parameters: packageName: Flipboard.Flipboard - name: Twitter app docs: https://www.microsoft.com/en-us/p/twitter/9wzdncrfj140 call: function: UninstallStoreApp parameters: packageName: 9E2F88E3.Twitter - name: iHeartRadio app docs: https://www.microsoft.com/en-us/p/iheartradio/9wzdncrfj223 call: function: UninstallStoreApp parameters: packageName: ClearChannelRadioDigital.iHeartRadio - name: Duolingo app docs: https://www.microsoft.com/en-us/p/duolingo-learn-languages-for-free/9wzdncrcv5xn call: function: UninstallStoreApp parameters: packageName: D5EA27B7.Duolingo-LearnLanguagesforFree - name: Photoshop Express app docs: https://www.microsoft.com/en-us/p/adobe-photoshop-express-image-editor-adjustments-filters-effects-borders/9wzdncrfj27n call: function: UninstallStoreApp parameters: packageName: AdobeSystemIncorporated.AdobePhotoshop - name: Pandora app docs: https://www.microsoft.com/en-us/p/pandora/9wzdncrfj46v call: function: UninstallStoreApp parameters: packageName: PandoraMediaInc.29680B314EFC2 - name: Eclipse Manager app docs: https://www.microsoft.com/en-us/p/eclipse-manager/9wzdncrdjmh1 call: function: UninstallStoreApp parameters: packageName: 46928bounde.EclipseManager - name: Code Writer app docs: https://www.microsoft.com/en-us/p/code-writer/9wzdncrfhzdt call: function: UninstallStoreApp parameters: packageName: ActiproSoftwareLLC.562882FEEB491 - name: Spotify app docs: https://www.microsoft.com/en-us/p/spotify-music/9ncbcszsjrsb call: function: UninstallStoreApp parameters: packageName: SpotifyAB.SpotifyMusic - category: Uninstall system apps docs: - https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#system-apps - https://github.com/privacysexy-forks/Windows10Debloater/blob/d4ede6d3225e7def087b389c7e8cf6be0d5e2cd7/Windows10Debloater.ps1#L43-L47 children: - name: File Picker app call: function: UninstallSystemApp parameters: 
packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89 - name: File Explorer app call: function: UninstallSystemApp parameters: packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515 - name: App Resolver UX app call: function: UninstallSystemApp parameters: packageName: E2A4F912-2574-4A75-9BB0-0D023378592B - name: Add Suggested Folders To Library app call: - function: UninstallSystemApp parameters: packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE - function: UninstallSystemApp parameters: packageName: InputApp - name: Microsoft AAD Broker Plugin app (breaks Office app authentication) recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.AAD.BrokerPlugin # Official docs point to the wrong name "Microsoft.AAD.Broker.Plugin" - name: Microsoft Accounts Control app call: function: UninstallSystemApp parameters: packageName: Microsoft.AccountsControl - name: Microsoft Async Text Service app call: function: UninstallSystemApp parameters: packageName: Microsoft.AsyncTextService - category: Windows Hello setup UI children: - name: Bio enrollment app (breaks biometric authentication) docs: https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.BioEnrollment - name: Cred Dialog Host app call: function: UninstallSystemApp parameters: packageName: Microsoft.CredDialogHost - name: EC app call: function: UninstallSystemApp parameters: packageName: Microsoft.ECApp - name: Lock app (shows lock screen) docs: https://www.getwox.com/what-is-lockapp-exe/ call: function: UninstallSystemApp parameters: packageName: Microsoft.LockApp - category: Microsoft Edge children: - name: Microsoft Edge (Legacy) app recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.MicrosoftEdge - name: Microsoft Edge (Legacy) Dev Tools Client app docs: 
https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.MicrosoftEdgeDevToolsClient - name: Win32 Web View Host app / Desktop App Web Viewer recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.Win32WebViewHost - name: Microsoft PPI Projection app docs: https://en.wikipedia.org/wiki/Perceptive_Pixel recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.PPIProjection - name: ChxApp app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.Apprep.ChxApp - name: Assigned Access Lock App app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.AssignedAccessLockApp - name: Capture Picker app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.CapturePicker - name: Cloud Experience Host app (breaks Microsoft cloud/corporate sign in) # Allows to connect to corporate domains or Microsoft cloud based services recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.CloudExperienceHost - name: Content Delivery Manager app (automatically installs apps) docs: https://www.ghacks.net/2019/12/23/how-to-block-the-automatic-installation-of-suggested-windows-10-apps/ recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.ContentDeliveryManager - category: Uninstall Cortana system apps children: - name: Search app (breaks Windows search) docs: https://thegeekpage.com/searchui-exe-suspended-error/ call: - function: UninstallSystemApp parameters: packageName: Microsoft.Windows.Cortana # Removed since version 2004 - function: UninstallStoreApp parameters: packageName: Microsoft.Windows.Search # Added in version 2004, it was called "Cortana" before now it's plain "Search" - name: Holographic First Run app recommend: standard docs: 
https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/ call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.Holographic.FirstRun - name: OOBE Network Captive Port app docs: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Official docs point to the wrong name "Microsoft.Windows.OOBENetworkCaptivePort" - name: OOBE Network Connection Flow app docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details - https://www.windowscentral.com/windows-10-build-15019-pc-everything-you-need-know call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.OOBENetworkConnectionFlow - name: Windows 10 Family Safety / Parental Controls app recommend: standard docs: https://account.microsoft.com/family/about call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.ParentalControls - category: People Hub children: - name: My People / People Bar App on taskbar (People Experience Host) docs: https://winaero.com/pin-contacts-taskbar-windows-10/ recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.PeopleExperienceHost - name: Pinning Confirmation Dialog app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.PinningConfirmationDialog - name: Windows Security GUI (Sec Health UI) app call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.SecHealthUI - name: Secondary Tile Experience app docs: https://docs.microsoft.com/en-us/windows/uwp/design/shell/tiles-and-notifications/secondary-tiles recommend: strict # Individual tiles may track e.g. 
Firefox call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.SecondaryTileExperience - name: Secure Assessment Browser app (breaks Microsoft Intune/Graph) recommend: strict docs: https://docs.microsoft.com/en-us/graph/api/resources/intune-deviceconfig-windows10secureassessmentconfiguration?view=graph-rest-1.0 call: function: UninstallSystemApp parameters: packageName: Microsoft.Windows.SecureAssessmentBrowser # - # # Not bloatware, required for different settings windows such as the WiFi and battery panes in the action bar # name: Start app # call: # function: UninstallSystemApp # parameters: # packageName: Microsoft.Windows.ShellExperienceHost - category: Windows Feedback children: - name: Windows Feedback app recommend: standard call: function: UninstallSystemApp parameters: packageName: Microsoft.WindowsFeedback - name: Xbox Game Callable UI app (breaks Xbox Live games) docs: https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview recommend: strict call: function: UninstallSystemApp parameters: packageName: Microsoft.XboxGameCallableUI - name: CBS Preview app recommend: standard call: function: UninstallSystemApp parameters: packageName: Windows.CBSPreview - name: Contact Support app call: function: UninstallSystemApp parameters: packageName: Windows.ContactSupport # - # # Not bloatware, required for core OS functionality # name: Settings app # call: # function: UninstallSystemApp # parameters: # packageName: Windows.immersivecontrolpanel - name: Windows Print 3D app call: function: UninstallSystemApp parameters: packageName: Windows.Print3D - name: Print UI app call: function: UninstallSystemApp parameters: packageName: Windows.PrintDialog - category: Remove OneDrive children: - name: Kill OneDrive process recommend: strict code: taskkill /f /im OneDrive.exe revertCode: '"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe"' - name: Uninstall OneDrive recommend: strict code: |- if 
%PROCESSOR_ARCHITECTURE%==x86 ( %SystemRoot%\System32\OneDriveSetup.exe /uninstall 2>nul ) else ( %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall 2>nul ) revertCode: |- if %PROCESSOR_ARCHITECTURE%==x86 ( %SystemRoot%\System32\OneDriveSetup.exe /silent ) else ( %SystemRoot%\SysWOW64\OneDriveSetup.exe /silent ) - name: Remove OneDrive leftovers recommend: strict code: |- rd "%UserProfile%\OneDrive" /q /s rd "%LocalAppData%\Microsoft\OneDrive" /q /s rd "%ProgramData%\Microsoft OneDrive" /q /s rd "%SystemDrive%\OneDriveTemp" /q /s - name: Delete OneDrive shortcuts recommend: strict docs: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive.exe-from-being-advertised-after-install-office-2016 code: |- del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk" /s /f /q del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" /s /f /q del "%USERPROFILE%\Links\OneDrive.lnk" /s /f /q - name: Disable usage of OneDrive recommend: strict code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 1 /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 0 /f - name: Prevent automatic OneDrive install for current user recommend: strict code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f revertCode: |- if %PROCESSOR_ARCHITECTURE%==x86 ( reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d " %SystemRoot%\System32\OneDriveSetup.exe /silent" /f ) else ( reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f ) - name: Prevent 
automatic OneDrive install for new users recommend: strict code: |- reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT" reg delete "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f reg unload "HKU\Default" revertCode: |- reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT" if %PROCESSOR_ARCHITECTURE%==x86 ( reg add "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d " %SystemRoot%\System32\OneDriveSetup.exe /silent" /f ) else ( reg add "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f ) reg unload "HKU\Default" - name: Remove OneDrive from explorer menu recommend: strict code: |- reg delete "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f reg delete "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "0" /t REG_DWORD /f reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "0" /t REG_DWORD /f revertCode: |- reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "1" /t REG_DWORD /f reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "1" /t REG_DWORD /f - name: Delete all OneDrive related Services recommend: strict code: for /f "tokens=1 delims=," %%x in ('schtasks /query /fo csv ^| find "OneDrive"') do schtasks /Delete /TN %%x /F - name: Delete OneDrive path from registry recommend: strict docs: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch code: reg delete "HKCU\Environment" /v "OneDrive" /f - name: Uninstall Edge (chromium-based) call: function: RunPowerShell parameters: code: |- $installer = (Get-ChildItem 
"$env:ProgramFiles*\Microsoft\Edge\Application\*\Installer\setup.exe") if (!$installer) { Write-Host 'Could not find the installer' } else { & $installer.FullName -Uninstall -System-Level -Verbose-Logging -Force-Uninstall } - category: Disable built-in Windows features children: - name: Direct Play feature call: function: DisableFeature parameters: featureName: DirectPlay - name: Internet Explorer feature call: - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-x64 - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-x84 - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-amd64 - name: Legacy Components feature call: function: DisableFeature parameters: featureName: LegacyComponents - category: Server features for developers & administrators children: - category: Hyper-V Virtualization children: - name: Hyper-V feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-All - name: Hyper-V GUI Management Tools feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Management-Clients - name: Hyper-V Management Tools feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Tools-All - name: Hyper-V Module for Windows PowerShell feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Management-PowerShell - name: Telnet Client feature docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx call: function: DisableFeature parameters: featureName: TelnetClient - name: Net.TCP Port Sharing feature docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing call: function: DisableFeature parameters: featureName: WCF-TCP-PortSharing45 - name: SMB Direct feature docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct call: function: DisableFeature parameters: featureName: 
SmbDirect - name: TFTP Client feature call: function: DisableFeature parameters: featureName: TFTP - category: Printing features children: - category: Printer networking children: - name: Internet Printing Client call: function: DisableFeature parameters: featureName: Printing-Foundation-InternetPrinting-Client - name: LPD Print Service call: function: DisableFeature parameters: featureName: LPDPrintService - name: LPR Port Monitor feature call: function: DisableFeature parameters: featureName: Printing-Foundation-LPRPortMonitor - name: Microsoft Print to PDF feature call: function: DisableFeature parameters: featureName: Printing-PrintToPDFServices-Features - name: Print and Document Services feature call: function: DisableFeature parameters: featureName: Printing-Foundation-Features - name: Work Folders Client feature docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview call: function: DisableFeature parameters: featureName: WorkFolders-Client - category: XPS support children: - name: XPS Services feature call: function: DisableFeature parameters: featureName: Printing-XPSServices-Features - name: XPS Viewer feature call: function: DisableFeature parameters: featureName: Xps-Foundation-Xps-Viewer - name: Media Features feature call: function: DisableFeature parameters: featureName: MediaPlayback - name: Scan Management feature call: function: DisableFeature parameters: featureName: ScanManagementConsole - name: Windows Fax and Scan feature call: function: DisableFeature parameters: featureName: FaxServicesClientPackage - name: Windows Media Player feature call: function: DisableFeature parameters: featureName: WindowsMediaPlayer - name: Windows Search feature call: function: DisableFeature parameters: featureName: SearchEngine-Client-Package - category: Uninstall capabilities & features on demand docs: 
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled children: - category: Preinstalled children: - name: DirectX Configuration Database capability call: function: UninstallCapability parameters: capabilityName: DirectX.Configuration.Database - name: Internet Explorer 11 capability call: function: UninstallCapability parameters: capabilityName: Browser.InternetExplorer - name: Math Recognizer capability call: function: UninstallCapability parameters: capabilityName: MathRecognizer - name: OneSync capability (breaks Mail, People, and Calendar) recommend: strict docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync call: function: UninstallCapability parameters: capabilityName: OneCoreUAP.OneSync - name: OpenSSH client capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Client - name: PowerShell ISE capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.PowerShell.ISE - name: Print Management Console capability call: function: UninstallCapability parameters: capabilityName: Print.Management.Console - name: Quick Assist capability call: function: UninstallCapability parameters: capabilityName: App.Support.QuickAssist - name: Steps Recorder capability call: function: UninstallCapability parameters: capabilityName: App.StepsRecorder - name: Windows Fax and Scan capability call: function: UninstallCapability parameters: capabilityName: Print.Fax.Scan # The following are excluded because: # 1. They are not widely considered "bloatware" by the community # 2. They do not have known privacy issues # 3. 
Make Windows more functional when running all scripts # - # name: WordPad capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.WordPad # - # name: Paint capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.MSPaint # - # name: Notepad capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.Notepad - category: Not preinstalled children: - name: .NET Framework capability call: function: UninstallCapability parameters: capabilityName: NetFX3 - name: Mixed Reality capability call: function: UninstallCapability parameters: capabilityName: Analog.Holographic.Desktop - name: Wireless Display capability call: function: UninstallCapability parameters: capabilityName: App.WirelessDisplay.Connect - name: Accessibility - Braille Support capability call: function: UninstallCapability parameters: capabilityName: Accessibility.Braille - name: Developer Mode capability call: function: UninstallCapability parameters: capabilityName: Tools.DeveloperMode.Core - name: Graphics Tools capability call: function: UninstallCapability parameters: capabilityName: Tools.Graphics.DirectX - name: IrDA capability call: function: UninstallCapability parameters: capabilityName: Network.Irda - name: Microsoft WebDriver capability call: function: UninstallCapability parameters: capabilityName: Microsoft.WebDriver - name: MSIX Packaging Tool Driver capability call: function: UninstallCapability parameters: capabilityName: Msix.PackagingTool.Driver - category: Networking tools children: - name: RAS Connection Manager Administration Kit (CMAK) capability call: function: UninstallCapability parameters: capabilityName: RasCMAK.Client - name: RIP Listener capability call: function: UninstallCapability parameters: capabilityName: RIP.Listener - name: Simple Network Management Protocol (SNMP) capability call: function: UninstallCapability parameters: capabilityName: 
SNMP.Client - name: SNMP WMI Provider capability call: function: UninstallCapability parameters: capabilityName: WMI-SNMP-Provider.Client - name: OpenSSH Server capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Server - category: Printing children: - name: Enterprise Cloud Print capability call: function: UninstallCapability parameters: capabilityName: Print.EnterpriseCloudPrint - name: Mopria Cloud Service capability call: function: UninstallCapability parameters: capabilityName: Print.MopriaCloudService - category: Remote server administration tools (RSAT) children: - name: Active Directory Domain Services and Lightweight Directory Services Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools - name: BitLocker Drive Encryption Administration Utilities capability call: function: UninstallCapability parameters: capabilityName: Rsat.BitLocker.Recovery.Tools - name: Active Directory Certificate Services Tools call: function: UninstallCapability parameters: capabilityName: Rsat.CertificateServices.Tools - name: DHCP Server Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.DHCP.Tools - name: DNS Server Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.Dns.Tools - name: Failover Clustering Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.FailoverCluster.Management.Tools - name: File Services Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.FileServices.Tools - name: Group Policy Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.GroupPolicy.Management.Tools - name: IP Address Management (IPAM) Client capability call: function: UninstallCapability parameters: capabilityName: Rsat.IPAM.Client.Tools - name: Data Center Bridging LLDP Tools capability call: function: UninstallCapability 
parameters: capabilityName: Rsat.LLDP.Tools - name: Network Controller Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkController.Tools - name: Network Load Balancing Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkLoadBalancing.Tools - name: Remote Access Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.RemoteAccess.Management.Tools - name: Server Manager Tools call: function: UninstallCapability parameters: capabilityName: Rsat.ServerManager.Tools - name: Shielded VM Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.Shielded.VM.Tools - name: Storage Replica Module for Windows PowerShell capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageReplica.Tools - name: Volume Activation Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.VolumeActivation.Tools - name: Windows Server Update Services Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.WSUS.Tools - name: Storage Migration Service Management Tools capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageMigrationService.Management.Tools - name: Systems Insights Module for Windows PowerShell capability call: function: UninstallCapability parameters: capabilityName: Rsat.SystemInsights.Management.Tools - category: Storage children: - name: Windows Storage Management capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.StorageManagement - name: OneCore Storage Management capability call: function: UninstallCapability parameters: capabilityName: Microsoft.OneCore.StorageManagement - name: Windows Emergency Management Services and Serial Console capability call: function: UninstallCapability parameters: capabilityName: Windows.Desktop.EMS-SAC.Tools - name: XPS 
Viewer capability call: function: UninstallCapability parameters: capabilityName: XPS.Viewer - name: Remove Meet Now icon from taskbar recommend: strict docs: # Skype feature, introduced in 20H2, KB4580364 update - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow - https://www.windowscentral.com/how-disable-meet-now-feature-windows-10 code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f - category: Advanced settings children: - name: Change NTP (time) server to pool.ntp.org docs: https://www.pool.ntp.org/en/use.html recommend: strict # `sc queryex` output is the same in every OS language code: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" :: Stop time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time service and sync now net start w32time w32tm /config /update w32tm /resync revertCode: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com" :: Stop time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time service and sync now net start w32time w32tm /config /update w32tm /resync - name: Disable Reserved Storage for updates # since 19H1 (1903) docs: - https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState - https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves - 
https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy code: |- dism /online /Set-ReservedStorageState /State:Disabled /NoRestart reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f revertCode: |- DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f - name: Run script on start-up [EXPERIMENTAL] code: |- del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat copy "%~dpnx0" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat" revertCode: del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat functions: - name: KillProcessWhenItStarts parameters: - name: processName # https://docs.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /t REG_SZ /d "%windir%\System32\taskkill.exe" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /f - name: DisableFeature parameters: - name: featureName code: dism /Online /Disable-Feature /FeatureName:"{{ $featureName }}" /NoRestart revertCode: dism /Online /Enable-Feature 
/FeatureName:"{{ $featureName }}" /NoRestart - name: UninstallStoreApp parameters: - name: packageName call: function: RunPowerShell parameters: code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage revertCode: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' if (!$package) { Write-Error "Cannot reinstall '{{ $packageName }}'" -ErrorAction Stop } $manifest = $package.InstallLocation + '\AppxManifest.xml' Add-AppxPackage -DisableDevelopmentMode -Register "$manifest" - name: UninstallSystemApp parameters: - name: packageName # It simply renames files # Because system apps are non removable (check: (Get-AppxPackage -AllUsers 'Windows.CBSPreview').NonRemovable) # Otherwise they throw 0x80070032 when trying to uninstall them call: function: RunPowerShell parameters: code: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' if (!$package) { Write-Host 'Not installed' exit 0 } $directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)") foreach($dir in $directories) { if ( !$dir -Or !(Test-Path "$dir") ) { continue } cmd /c ('takeown /f "' + $dir + '" /r /d y 1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } cmd /c ('icacls "' + $dir + '" /grant administrators:F /t 1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } $files = Get-ChildItem -File -Path $dir -Recurse -Force foreach($file in $files) { if($file.Name.EndsWith('.OLD')) { continue } $newName = $file.FullName + '.OLD' Write-Host "Rename '$($file.FullName)' to '$newName'" Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force } } revertCode: |- $package = Get-AppxPackage -AllUsers '{{ $packageName }}' if (!$package) { Write-Error 'App could not be found' -ErrorAction Stop } $directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)") foreach($dir in $directories) { if ( !$dir -Or !(Test-Path "$dir") ) { continue; } cmd /c ('takeown /f "' + $dir + '" /r /d y 
1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } cmd /c ('icacls "' + $dir + '" /grant administrators:F /t 1> nul') if($LASTEXITCODE) { throw 'Failed to take ownership' } $files = Get-ChildItem -File -Path "$dir\*.OLD" -Recurse -Force foreach($file in $files) { $newName = $file.FullName.Substring(0, $file.FullName.Length - 4) Write-Host "Rename '$($file.FullName)' to '$newName'" Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force } } - name: UninstallCapability parameters: - name: capabilityName call: function: RunPowerShell parameters: code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online revertCode: |- $capability = Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' Add-WindowsCapability -Name "$capability.Name" -Online - name: RenameSystemFile parameters: - name: filePath code: |- if exist "{{ $filePath }}" ( takeown /f "{{ $filePath }}" icacls "{{ $filePath }}" /grant administrators:F move "{{ $filePath }}" "{{ $filePath }}.OLD" && ( echo Moved "{{ $filePath }}" to "{{ $filePath }}.OLD" ) || ( echo Could not move {{ $filePath }} 1>&2 ) ) else ( echo No action required: {{ $filePath }} is not found. ) revertCode: |- if exist "{{ $filePath }}.OLD" ( takeown /f "{{ $filePath }}.OLD" icacls "{{ $filePath }}.OLD" /grant administrators:F move "{{ $filePath }}.OLD" "{{ $filePath }}" && ( echo Moved "{{ $filePath }}.OLD" to "{{ $filePath }}" ) || ( echo Could restore from backup file {{ $filePath }}.OLD 1>&2 ) ) else ( echo Could not find backup file "{{ $filePath }}.OLD" 1>&2 ) - name: SetVsCodeSetting parameters: - name: setting - name: powerShellValue call: function: RunPowerShell parameters: code: |- $jsonfile = \"$env:APPDATA\Code\User\settings.json\" if (!(Test-Path $jsonfile -PathType Leaf)) { Write-Host \"No updates. 
Settings file was not at $jsonfile\" exit 0 } $json = Get-Content $jsonfile | Out-String | ConvertFrom-Json $json | Add-Member -Type NoteProperty -Name '{{ $setting }}' -Value {{ $powerShellValue }} -Force $json | ConvertTo-Json | Set-Content $jsonfile revertCode: |- $jsonfile = "$env:APPDATA\Code\User\settings.json" if (!(Test-Path $jsonfile -PathType Leaf)) { Write-Error "Settings file could not be found at $jsonfile" -ErrorAction Stop } $json = Get-Content $jsonfile | ConvertFrom-Json $json.PSObject.Properties.Remove('{{ $setting }}') $json | ConvertTo-Json | Set-Content $jsonfile - name: RunPowerShell parameters: - name: code - name: revertCode optional: true code: PowerShell -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}" revertCode: |- {{ with $revertCode }} PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}" {{ end }} - name: DisablePerUserService parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual # More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows call: - # System-wide variant: every per-user service also has a system-wide counterpart with the same default startup mode function: DisableServiceInRegistry parameters: serviceName: '{{ $serviceName }}' defaultStartupMode: '{{ $defaultStartupMode }}' - # Per-user variant function: DisableServiceInRegistry parameters: serviceName: '{{ $serviceName }}_*' defaultStartupMode: '{{ $defaultStartupMode }}' - name: RunInlineCode parameters: - name: code - name: revertCode optional: true code: '{{ $code }}' revertCode: '{{ with $revertCode }}{{ . 
}}{{ end }}' - name: RunPowerShellWithSameCodeAndRevertCode parameters: - name: code call: function: RunPowerShell parameters: code: '{{ $code }}' revertCode: '{{ $code }}' - name: RunInlineCodeAsTrustedInstaller parameters: - name: code - name: revertCode call: function: RunPowerShell parameters: # PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks. # Seen e.g. on Windows 11 when reverting scripts after executing them and rebooting. # They are seen to throw different exceptions: # - `Unregister-ScheduledTask : The system cannot find the file specified` # `ObjectNotFound: (MSFT_ScheduledTask:Root/Microsoft/...T_ScheduledTask)` with `HRESULT 0x80070002` # - `No MSFT_ScheduledTask objects found with property 'TaskName'` # - Because the task is already running but `Get-ScheduledTask` cannot find it, it throws: # `Failed to execute with exit code: 267009` # Solution # Checking if task is running: # - ❌ Not using `$(schtasks.exe /query /tn "$taskName" 2>$null)".Contains('Running')` because it outputs # different text (not always "Running") in German/English versions. # - ❌ Not using `(Get-ScheduledTask $taskName -ErrorAction Ignore).State -eq 'Running' # because `Get-ScheduledTask` sometimes fails. # - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running. # Deleting existing task: # - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002` # - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null` # to suppress errors. 
code: |- $command = '{{ $code }}' $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) $streamOutFile = New-TemporaryFile $batchFile = New-TemporaryFile try { $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII $taskName = 'privacy.sexy invoke' schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output $taskAction = New-ScheduledTaskAction ` -Execute 'cmd.exe' ` -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1" $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` -Action $taskAction ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null $timeOutLimit = (Get-Date).AddMinutes(5) Write-Host "Running as $trustedInstallerName" while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 if((Get-Date) -gt $timeOutLimit) { Write-Warning "Skipping results, it took so long to execute script." break; } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "Failed to execute with exit code: $result." 
} } finally { schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors } Get-Content $streamOutFile } finally { Remove-Item $streamOutFile, $batchFile } revertCode: |- # Duplicated until custom pipes are implemented $command = '{{ $revertCode }}' $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) $streamOutFile = New-TemporaryFile $batchFile = New-TemporaryFile try { $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII $taskName = 'privacy.sexy invoke' schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output $taskAction = New-ScheduledTaskAction ` -Execute 'cmd.exe' ` -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1" $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` -Action $taskAction ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null $timeOutLimit = (Get-Date).AddMinutes(5) Write-Host "Running as $trustedInstallerName" while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 if((Get-Date) -gt $timeOutLimit) { Write-Warning "Skipping results, it took so long to execute script." break; } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "Failed to execute with exit code: $result." 
} } finally { schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors } Get-Content $streamOutFile } finally { Remove-Item $streamOutFile, $batchFile } - name: DisableServiceInRegistry parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual call: function: RunPowerShell parameters: code: |- # We do registry way because GUI, "sc config" or "Set-Service" won't not work $serviceQuery = '{{ $serviceName }}' # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue if(!$service) { Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it." Exit 0 } $serviceName = $service.Name Write-Host "Disabling service: `"$serviceName`"." # -- 2. Stop if running if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is running, trying to stop it." try { Stop-Service -Name "$serviceName" -Force -ErrorAction Stop Write-Host "Stopped `"$serviceName`" successfully." } catch { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_" } } else { Write-Host "`"$serviceName`" is not running, no need to stop." } # -- 3. Skip if service info is not found in registry $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" if(!(Test-Path $registryKey)) { Write-Host "`"$registryKey`" is not found in registry, cannot enable it." Exit 0 } # -- 4. Skip if already disabled if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) { Write-Host "`"$serviceName`" is already disabled from start, no further action is needed." Exit 0 } # -- 5. Disable service try { Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop Write-Host "Disabled `"$serviceName`" successfully." 
} catch { Write-Error "Could not disable `"$serviceName`": $_" } revertCode: |- $serviceQuery = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue if(!$service) { Write-Warning "Service query `"$serviceQuery`" did not yield and results, cannot enable it." Exit 1 } $serviceName = $service.Name Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." # -- 2. Skip if service info is not found in registry $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" if(!(Test-Path $registryKey)) { Write-Warning "`"$registryKey`" is not found in registry, cannot enable it." Exit 1 } # -- 3. Enable if not already enabled $defaultStartupRegValue = ` if ($defaultStartupMode -eq 'Boot') { '0' } ` elseif($defaultStartupMode -eq 'System') { '1' } ` elseif($defaultStartupMode -eq 'Automatic') { '2' } ` elseif($defaultStartupMode -eq 'Manual') { '3' } ` else { throw "Unknown start mode: $defaultStartupMode"} if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start." } else { try { Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer." } catch { Write-Error "Could not enable `"$serviceName`": $_" Exit 1 } } # -- 4. Start if not running (must be enabled first) if($defaultStartupMode -eq 'Automatic') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, trying to start it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." 
} catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } } - name: SetMpPreference # Configures preferences for Windows Defender scans and updates. # ❗️ Requires "WinDefend" service in running state, otherwise fails parameters: - name: property - name: value - # When provided, it sets defaults using `Set-MpPreference`. # Used by default in Windows 10 as `Remove-MpPreference` cmdlet is very limited/poor in Windows 10. # Ignored by default in Windows 11 with providing a value for `setDefaultOnWindows11` name: default optional: true - # When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference` # Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11. name: setDefaultOnWindows11 optional: true call: function: RunPowerShell parameters: # Unsupported arguments -> # Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`, # `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms # and throws e.g. with: # `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value # "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType". # Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the # following enumerator names and try again: NotConfigured, Beta, Preview"` code: |- $propertyName = '{{ $property }}' $value = {{ $value }} if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) { Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired." exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' 
exit 0 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$value -ErrorAction Stop" Set-MpPreference -Force -{{ $property }} $value -ErrorAction Stop Write-Host "Successfully set `"$propertyName`" to `"$value`"." exit 0 } catch { if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" exit 0 } elseif (($_ | Out-String) -like '*Cannot convert*') { Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } else { Write-Error "Failed to set using $($command.Name): $_" exit 1 } } # `Remove-MpPreference` is different in Windows 11 / 10 # Windows 11 and 10 have different revert behavior which is caused by different `Remove-MpPreference` cmdlet versions used # Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps # Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps # On Windows 11: # - By default, `Remove-MpPreference` sets default values for settings for all cases. # - `setDefaultOnWindows11` parameter changes this behavior to set the default value using `Set-MpPreference` # On Windows 10: # - If `default` argument is provided, it's set using `Set-MpPreference` # - `default` argument should not be provided if `Remove-MpPreference` is supported in Windows 10. revertCode: |- $propertyName = '{{ $property }}' {{ with $default }} $defaultValue = {{ . 
}} {{ end }} $setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false $setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false # ------ Set-MpPreference ------ if(($setDefaultOnWindows10 -and [System.Environment]::OSVersion.Version.Major -lt 11) ` -or ($setDefaultOnWindows11 -and [System.Environment]::OSVersion.Version.Major -eq 11)) { if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) { Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"." exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to set using $($command.Name): $_" } exit 1 } } # ------ Remove-MpPreference ------ $command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Remove-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. 
Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to set using $($command.Name): $_" } exit 1 - name: DisableService parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Automatic | Manual call: function: RunPowerShell # Careful with Set-Service cmdlet: # 1. It exits with positive code even if service is disabled # 2. It had breaking API change for `-StartupMode` parameter: # Powershell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual # PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled # So "Disabled", "Automatic" and "Manual" are only consistent ones. # Read more: # https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978 # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.1 parameters: code: |- $serviceName = '{{ $serviceName }}' Write-Host "Disabling service: `"$serviceName`"." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if(!$service) { Write-Host "Service `"$serviceName`" could not be not found, no need to disable it." Exit 0 } # -- 2. Stop if running if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is running, stopping it." try { Stop-Service -Name "$serviceName" -Force -ErrorAction Stop Write-Host "Stopped `"$serviceName`" successfully." } catch { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_" } } else { Write-Host "`"$serviceName`" is not running, no need to stop." } # -- 3. 
Skip if already disabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } if($startupType -eq 'Disabled') { Write-Host "$serviceName is already disabled, no further action is needed" } # -- 4. Disable service try { Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop Write-Host "Disabled `"$serviceName`" successfully." } catch { Write-Error "Could not disable `"$serviceName`": $_" } revertCode: |- $serviceName = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if(!$service) { Write-Warning "Service `"$serviceName`" could not be not found, cannot enable it." Exit 1 } # -- 2. Enable or skip if already enabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } if($startupType -eq "$defaultStartupMode") { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed." } else { try { Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer." 
} catch { Write-Error "Could not enable `"$serviceName`": $_" Exit 1 } } # -- 4. Start if not running (must be enabled first) if($defaultStartupMode -eq 'Automatic') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, starting it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." } catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } }