# Structure is documented in "docs/collection-files.md" os: windows scripting: language: batchfile startCode: |- @echo off :: {{ $homepage }} โ€” v{{ $version }} โ€” {{ $date }} :: Ensure admin privileges fltmc >nul 2>&1 || ( echo Administrator privileges are required. PowerShell Start -Verb RunAs '%0' 2> nul || ( echo Right-click on the script and select "Run as administrator". pause & exit 1 ) exit 0 ) :: Initialize environment setlocal EnableExtensions DisableDelayedExpansion endCode: |- :: Pause the script to view the final state pause :: Restore previous environment settings endlocal :: Exit the script successfully exit /b 0 actions: - category: Privacy cleanup children: - category: Clear recent activity logs docs: |- This category encompasses a suite of scripts designed to erase traces of a user's recent activities. These activities include files accessed, applications used, and system settings altered. The primary objective of this category is to enhance user privacy by removing records that could potentially reveal personal usage patterns, habits, and preferences. By doing so, these scripts contribute significantly to safeguarding personal and sensitive information from unauthorized access and analysis. children: - category: Clear Quick Access (jump) lists docs: |- This category focuses on managing Jump Lists in Windows. This feature was first introduced with Windows 7 in July 2009 and has been included in subsequent versions [1] [2] [3]. These lists are found in the Start Menu or Taskbar and provide quick access to recently opened files and folders [1] [2] [3] [4] [5]. The privacy concern with Jump Lists is their detailed recording of user activities. They store data such as file names, directory paths, MAC (Modified, Accessed, Created) timestamps, network information, volume names, and file sizes [2] [3] [4] [6]. This information is utilized in forensic analysis to reveal user behavior and interactions with the system [1] [2] [3] [4] [5]. 
Authorities frequently examine these files for investigative purposes [3]. Clearing these Jump Lists is crucial for maintaining privacy. It helps remove traces of user activities, particularly those involving personal or confidential files. By doing so, users prevent the easy accessibility of their activity history, an important privacy measure since these records can persist long after the original files and applications are deleted [3] [5]. [1]: https://web.archive.org/web/20231128091134/https://www.forensicfocus.com/articles/forensic-analysis-of-windows-7-jump-lists/ "Forensic Analysis of Windows 7 Jump Lists - Forensic Focus | forensicfocus.com" [2]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India" [3]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com" [4]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov" [5]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net" [6]: https://web.archive.org/web/20231128095448/https://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf "The Meaning of Linkfiles In Forensic Examinations | Harry Parsonage | computerforensics.parsonage.co.uk" children: - name: Clear recently accessed files list recommend: standard docs: |- This script clears the `AutomaticDestinations` Jump List files in Windows. It improves user privacy by removing traces of recent file and application usage. 
These files are automatically created when a user opens a file or an application [1]. They help users quickly access recently or frequently used items, usually via the Windows taskbar [2]. They are hidden and do not appear in Windows Explorer [3]. The files are located in `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations` [2] [3] [4]. These files are identified by the `automaticDestinations-ms` extension [3]. However, these files also record detailed user activity, such as timestamps, file locations, network information, and usage frequency [1] [3] [4] [5]. They store comprehensive data including boot session times, sequence numbers, user directories, and MAC addresses of network cards [1] [5]. Web search strings from browsers like Edge, Firefox, Chrome, and Opera, used by Cortana, are also stored in these files [3]. By clearing these files, the script not only removes the history of user activity but also reduces the risk of this data being analyzed to construct user activity timelines [1]. Such analysis could potentially expose personal usage patterns and behaviors, compromising privacy. [1]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com" [2]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov" [3]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. 
of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India" [4]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net" [5]: https://web.archive.org/web/20231128095448/https://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf "The Meaning of Linkfiles In Forensic Examinations | Harry Parsonage | computerforensics.parsonage.co.uk" call: function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations' - name: Clear pinned items for the user docs: |- This script removes `CustomDestinations` Jump List files in Windows. These files are hidden [1] and located in `%APPDATA%\Microsoft\Windows\Recent\CustomDestinations` [1] [2] [3]. `CustomDestinations` files are created by different applications to enable users to pin items such as tasks and files or applications. This includes tasks like opening a new browser window or creating a new spreadsheet [2], as well as files and applications frequently used [3] [4]. They are commonly used by web browsers and media players to store a user's web history and other activities [1]. The privacy concern arises because these files not only record pinned items but also store detailed data about user interactions. This includes file opening, modification, and access times, along with the full directory path and volume information [3] [4]. Such information, if accessed, could potentially reveal personal habits and preferences [1] [2] [3]. Clearing these files prevents the potential use of this data in reconstructing a user's activity history, which is particularly sensitive when it involves personal or confidential information. The script thus plays a crucial role in maintaining the confidentiality and privacy of the user's digital activities. 
[1]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India" [2]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net" [3]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov" [4]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com" call: function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\CustomDestinations' - category: Clear Windows Registry usage data docs: |- The Windows Registry is a hierarchical database that stores settings, configurations, and options for the operating system, installed applications, and user preferences. Over time, as users interact with their system and software, usage data and traces get stored in the registry. This category focuses on clearing specific types of this usage data, ensuring privacy and potentially improving system responsiveness. 
children: - name: Clear last `regedit` key recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f - name: Clear favorite keys in `regedit` recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f - name: Clear recently opened applications list recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f - name: Clear "Adobe Media Browser" most recently used (MRU) list recommend: standard code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f - name: Clear "MSPaint" most recently used (MRU) list recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f - name: Clear "Wordpad" most recently used (MRU) list recommend: standard code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f - name: Clear "Map Network Drive" most recently used (MRU) list recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f - name: Clear "Windows Search Assistant" history recommend: standard code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f - name: Clear recently opened files list for each file type recommend: standard code: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f 
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f - name: Clear Windows Media Player recent files and URLs recommend: standard code: |- reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f - name: Clear most recent DirectX application usage recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f - name: Clear "Windows Run" most recently used (MRU) list and typed paths recommend: standard code: |- reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f - category: Clear third-party application data children: - name: Clear Listary search index call: function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Listary\UserData' - name: Clear Java cache recommend: strict call: function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Sun\Java\Deployment\cache' - name: Clear Flash Player traces recommend: standard call: function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Macromedia\Flash Player' - category: Clear Steam data children: - name: Clear Steam dumps recommend: standard call: function: ClearDirectoryContents parameters: directoryGlob: '%PROGRAMFILES(X86)%\Steam\Dumps' - name: Clear Steam traces recommend: standard call: function: ClearDirectoryContents parameters: directoryGlob: '%PROGRAMFILES(X86)%\Steam\Traces' - name: Clear Steam cache recommend: standard call: function: ClearDirectoryContents 
parameters: directoryGlob: '%ProgramFiles(x86)%\Steam\appcache' - category: Clear Visual Studio usage data docs: |- Visual Studio is an integrated development environment (IDE) from Microsoft that is used to develop software [1]. Visual Studio stores data such as your usage of the software and information about your hardware [2]. The data is stored both in the Microsoft cloud [3] and locally on the computer. These scripts allow you to delete the local data that might reveal personally identifiable information about you or the way you use the product. [1]: https://en.wikipedia.org/wiki/Visual_Studio "Visual Studio | Wikipedia" [2]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Visual Studio Customer Experience Improvement Program | Microsoft Learn" [3]: https://www.infoworld.com/article/2609774/microsoft-reinvents-visual-studio-as-an-azure-cloud-service.html "Microsoft reinvents Visual Studio as an Azure cloud service | InfoWorld" children: - category: Clear Visual Studio telemetry and feedback data docs: |- These scripts delete data about you and your behavior that is stored locally by Visual Studio on your computer. They do not clear data that has already been collected on Microsoft servers, but they can prevent more data from being sent by deleting data that is waiting to be sent. children: - name: Clear offline Visual Studio usage telemetry data recommend: standard docs: |- SQM files are text files that are created and used by Microsoft [1]. SQM stands for "Service Quality Monitoring" [1]. When unable to connect to the internet, Visual Studio stores SQM files in `%LOCALAPPDATA%\Microsoft\VSCommon\\SQM` [2]. The number of files grows continuously and can reach thousands. Cleaning these files speeds up Visual Studio significantly according to community reports [2]. 
[1]: https://techshift.net/how-to-open-sqm-file/ "What is a .SQM File And How To Open It - Microsoft (Visual Guide) | TechShift.net" [2]: https://stackoverflow.com/a/38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow" call: - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\14.0\SQM' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\15.0\SQM' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\16.0\SQM' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\17.0\SQM' - name: Clear Visual Studio Application Insights logs recommend: standard docs: |- Application Insights for Visual Studio stores diagnostic data for e.g. exceptions and performance [1]. Application Insights store `.TRN` files that might grow and exceed thousands [2] [3]. [1]: https://azuredevopslabs.com/labs/vsts/monitor/ "Monitoring Applications using Application Insights | Azure DevOps Hands-on-Labs" [2]: https://developercommunity.visualstudio.com/t/visual-studio-freezes-randomly/224181#T-N257722-N277241-N407607 "Visual Studio freezes randomly | Visual Studio Feedback" [3]: https://stackoverflow.com/a/53754481 "Visual Studio 2017 (15.3.1) keeps hanging/freezing | Stack Overflow" call: - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\VSApplicationInsights' - function: ClearDirectoryContents parameters: directoryGlob: '%PROGRAMDATA%\Microsoft\VSApplicationInsights' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\Microsoft\VSApplicationInsights' - name: Clear Visual Studio telemetry data recommend: standard docs: |- `vstelemetry` is a folder created by both Visual Studio [1] and also by SQL Server Management Studio [2] to store telemetry data. 
There have been security vulnerabilities involving these folders that Microsoft patched in 2020 [2]. [1]: http://processchecker.com/file/VsHub.exe.html "What is VsHub.exe ? VsHub.exe info | Processchecker.com" [2]: https://herolab.usd.de/en/security-advisories/usd-2020-0030/ "usd-2020-0030 - usd HeroLab" call: - function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\vstelemetry' - function: ClearDirectoryContents parameters: directoryGlob: '%PROGRAMDATA%\vstelemetry' - name: Clear Visual Studio temporary telemetry and log data recommend: standard docs: |- These logs are created by different tools that Visual Studio uses, such as its launcher, installer or data collection agents. Folders include `VSFaultInfo` [1], `VSFeedbackPerfWatsonData` [2], `VSFeedbackCollector` [2], `VSFeedbackVSRTCLogs` [3], `VSRemoteControl` [4] [5], `VSFeedbackIntelliCodeLogs` [4] [5], `VSTelem` [6] [7], `VSTelem.Out` [6]. There is more log and cache data stored by Visual Studio, but not all of it comes with privacy implications. These files can be useful for faster loading, so this script removes only the sensitive data instead of clearing the cache completely. [1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Developer Community" [2]: https://developercommunity.visualstudio.com/t/microsoft-visual-studio-1/588200#T-N588861-N594783 "MSTF help | Visual Studio Developer Community" [3]: https://github.com/MicrosoftDocs/live-share/issues/3584 "Agent logs in %TEMP%\VSFeedbackVSRTCLogs taking up over 87GB · Issue #3584 · MicrosoftDocs/live-share | GitHub" [4]: https://developercommunity.visualstudio.com/t/please-keep-my-temp-folder-clean/731637 "Please keep my TEMP folder clean! 
- Visual Studio Feedback | Visual Studio Developer Community" [5]: https://stackoverflow.com/q/60974427 "Reduce log and other temporary file creation in Visual Studio 2019 | Stack Overflow" [6]: https://stackoverflow.com/q/72341126 "Visual Studio 2022 - Telemetry | Stack Overflow" [7]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/5b2a0baa-748f-40e0-b504-f6dfad9b7b4d/vstelem-folder-24000-files-2064kb?forum=msbuild "VSTELEM folder 24000 files 2064Kb | MSDN Forums" call: - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\VSFaultInfo' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\VSFeedbackPerfWatsonData' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\VSFeedbackVSRTCLogs' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\VSFeedbackIntelliCodeLogs' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\VSRemoteControl' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\Microsoft\VSFeedbackCollector' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\VSTelem' - function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%\VSTelem.Out' - category: Clear Visual Studio licenses docs: |- Visual Studio stores a local copy of your product key. This information is kept even though Visual Studio is uninstalled [1] which may reveal unnecessary data and not be desired. This key is not only stored for purchased Visual Studio products but also for the free trials. [1]: https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow" children: - name: Clear Visual Studio 2010 licenses docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? 
| Stack Overflow](https://stackoverflow.com/a/14810695)" code: reg delete "HKCR\Licenses\77550D6B-6352-4E77-9DA3-537419DF564B" /va /f - name: Clear Visual Studio 2015 licenses docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow](https://stackoverflow.com/a/32482322)" code: reg delete "HKCR\Licenses\4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F" /va /f - name: Clear Visual Studio 2017 licenses docs: "[Is Visual Studio Community a 30 day trial? | Stack Overflow](https://stackoverflow.com/a/51570570)" code: reg delete "HKCR\Licenses\5C505A59-E312-4B89-9508-E162F8150517" /va /f - name: Clear Visual Studio 2019 licenses docs: "[How to change Visual Studio 2017 License Key? | Stack Overflow](https://stackoverflow.com/a/46974337)" code: reg delete "HKCR\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA" /va /f - name: Clear Visual Studio 2022 licenses docs: |- Different keys have been reported by community for VS 2022 license [1]. This may depend on different preview versions. The latest reported key is `1299B4B9-DFCC-476D-98F0-F65A2B46C96D` [2] [3]. I have tested and verified this along with some other keys of preview versions. This scripts deletes all mentioned keys. [1]: https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 Key Discussion | beatcracker/VSCELicense | GitHub" [2]: https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022.html "MSFT Answer | Microsoft Learn" [3]: https://stackoverflow.com/a/71624750 "How to change Visual Studio 2017 License Key? 
| Stack Overflow" code: |- reg delete "HKCR\Licenses\B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC" /va /f reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f - name: Clear Dotnet CLI telemetry recommend: standard call: function: ClearDirectoryContents parameters: directoryGlob: '%USERPROFILE%\.dotnet\TelemetryStorageService' - category: Clear browser history children: - category: Clear Internet Explorer history children: - name: Clear Internet Explorer cache recommend: standard docs: # INetCache - https://support.microsoft.com/en-us/help/260897/how-to-delete-the-contents-of-the-temporary-internet-files-folder - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache # WebCache - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache call: - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache' - name: Clear Internet Explorer recent URLs recommend: strict docs: - https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ - https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/ - https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html - http://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html code: |- reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f - name: Clear "Temporary Internet Files" (browser cache) recommend: standard docs: - https://en.wikipedia.org/wiki/Temporary_Internet_Files - https://www.windows-commandline.com/delete-temporary-internet-files/ # %LOCALAPPDATA%\Temporary Internet 
Files - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files and INetCache call: - function: ClearDirectoryContents parameters: directoryGlob: '%USERPROFILE%\Local Settings\Temporary Internet Files' grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 📂 Unprotected on Windows 11 since 22H2 - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files' # This directory contains 4 subfolders: # - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 # - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\IE # - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low # - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized # Since Windows 10 22H2 and Windows 11 22H2, data files are observed in these subdirectories but not in the parent. # The `IE` folder in particular includes many files. These folders are protected and hidden by default. 
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Temporary Internet Files' grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - name: Clear Internet Explorer feeds cache recommend: standard docs: https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data call: function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Feeds Cache' - name: Clear Internet Explorer cookies recommend: strict docs: - https://docs.microsoft.com/en-us/windows/win32/wininet/managing-cookies - https://docs.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs - https://www.thewindowsclub.com/cookies-folder-location-windows call: - function: ClearDirectoryContents parameters: # Windows 7 browsers directoryGlob: '%APPDATA%\Microsoft\Windows\Cookies' - function: ClearDirectoryContents parameters: # Windows 8 and higher directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCookies' - name: Clear Internet Explorer DOMStore recommend: standard docs: |- [Introduction to DOM Storage | msdn.microsoft.com](https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx) call: function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\InternetExplorer\DOMStore' - name: Clear Internet Explorer usage data docs: - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data - https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data - https://www.forensafe.com/blogs/internetexplorer.html # Includes Internet Explorer cache, tab recovery data, persistence storage (DOMStore, indexed DB etc.) 
# Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\ # DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\, # VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\ # EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\ # Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log, # MSIMGSIZ.DAT call: function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Internet Explorer' - category: Clear Chrome history children: - name: Clear Chrome crash reports recommend: standard docs: https://www.chromium.org/developers/crash-reports call: - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Google\CrashReports' - name: Clear Google's "Software Reporter Tool" logs recommend: standard docs: https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/ call: function: DeleteFiles parameters: fileGlob: '%LOCALAPPDATA%\Google\Software Reporter Tool\*.log' - name: Clear Chrome user data docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md call: - # Windows XP function: ClearDirectoryContents parameters: directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data' - # Windows Vista and newer function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data' - category: Clear Firefox history docs: |- This category encompasses a series of scripts aimed at helping users manage and delete their browsing history and related data in Mozilla Firefox. The scripts are designed to target different aspects of user data stored by Firefox, providing users options for maintaining privacy and freeing up disk space. children: - name: Clear Firefox browsing history (URLs, downloads, bookmarks, visits, etc.) 
# This script (name, documentation and code) is same in Linux and Windows collections. # Changes should be done at both places. # Marked: refactor-with-partials docs: |- This script targets the Firefox browsing history, including URLs, downloads, bookmarks, and site visits, by deleting specific database entries. Firefox stores various user data in a file named `places.sqlite`. This file includes: - Annotations, bookmarks, and favorite icons (`moz_anno_attributes`, `moz_annos`, `moz_favicons`) [1] - Browsing history, a record of pages visited (`moz_places`, `moz_historyvisits`) [1] - Keywords and typed URLs (`moz_keywords`, `moz_inputhistory`) [1] - Item annotations (`moz_items_annos`) [1] - Bookmark roots such as places, menu, toolbar, tags, unfiled (`moz_bookmarks_roots`) [1] The `moz_places` table holds URL data, connecting to various other tables like `moz_annos`, `moz_bookmarks`, `moz_inputhistory`, and `moz_historyvisits` [2]. Due to these connections, the script removes entries from all relevant tables simultaneously to maintain database integrity. **Bookmarks**: Stored across several tables (`moz_bookmarks`, `moz_bookmarks_folders`, `moz_bookmarks_roots`) [3], with additional undocumented tables like `moz_bookmarks_deleted` [4]. **Downloads**: Stored in the 'places.sqlite' database, within the 'moz_annos' table [5]. The entries in `moz_annos` are linked to `moz_places` that store the actual history entry (`moz_places.id = moz_annos.place_id`) [6]. Associated URL information is stored within the 'moz_places' table [5]. Downloads have been historically stored in `downloads.rdf` for Firefox 2.x and below [7], and `downloads.sqlite` later on [7]. **Favicons**: Older Firefox versions stored favicons in `places.sqlite` within the `moz_favicons` table [5], while newer versions use `favicons.sqlite` and the `moz_icons` table [5]. 
By executing this script, users can ensure their Firefox browsing history, bookmarks, and downloads are thoroughly removed, contributing to a cleaner and more private browsing experience. [1]: https://web.archive.org/web/20221029141626/https://kb.mozillazine.org/Places.sqlite "Places.sqlite - MozillaZine Knowledge Base | kb.mozillazine.org" [2]: https://web.archive.org/web/20221030160803/https://wiki.mozilla.org/images/0/08/Places.sqlite.schema.pdf "Places.sqlite.schema.pdf | Mozilla Wiki" [3]: https://web.archive.org/web/20221029145432/https://wiki.mozilla.org/Places:BookmarksComments "Places:BookmarksComments | MozillaWiki | wiki.mozilla.org" [4]: https://web.archive.org/web/20221029145447/https://github.com/mozilla/application-services/issues/514 "Add a `moz_bookmarks_deleted` table for tombstones · Issue #514 · mozilla/application-services | GitHub | github.com" [5]: https://web.archive.org/web/20221029145535/https://www.foxtonforensics.com/browser-history-examiner/firefox-history-location "Mozilla Firefox History Location | Firefox History Viewer | foxtonforensics.com" [6]: https://web.archive.org/web/20221029145550/https://support.mozilla.org/en-US/questions/1319253 "Where does Firefox store SQLITE download history | Firefox Support Forum | Mozilla Support | support.mozilla.org" [7]: https://web.archive.org/web/20221029145712/https://kb.mozillazine.org/Downloads.rdf "Downloads.rdf | MozillaZine Knowledge Base | kb.mozillazine.org" call: - function: DeleteFilesFromFirefoxProfiles parameters: pathGlob: downloads.rdf - function: DeleteFilesFromFirefoxProfiles parameters: pathGlob: downloads.sqlite - function: DeleteFilesFromFirefoxProfiles parameters: pathGlob: places.sqlite - function: DeleteFilesFromFirefoxProfiles parameters: pathGlob: favicons.sqlite - name: Clear all Firefox user information and preferences docs: |- This script performs a reset of Mozilla Firefox, erasing all user profiles, settings, and personalized data to restore the browser to its 
default state. Firefox user profiles encompass bookmarks, browsing history, passwords, extensions, themes, and preferences [1]. These profile folders are located in: - `C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\` on Windows XP and earlier [1], - `%APPDATA%\Mozilla\Firefox\Profiles\` on Windows 10 and later [1]. > **Caution**: > - Using this script results in a total loss of all personalized Firefox data. > - If your goal is solely to clear browsing data while retaining settings and extensions, this script is not recommended. > - Close Firefox before running this script to prevent potential issues. [1]: https://web.archive.org/web/20231101125909/https://kb.mozillazine.org/Profile_folder_-_Firefox#Windows "Profile folder - Firefox - MozillaZine Knowledge Base | kb.mozillazine.org" call: - # Windows XP function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Mozilla\Firefox\Profiles' - # Windows Vista and newer function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Mozilla\Firefox\Profiles' - name: Clear Opera history (user profiles, settings, and data) call: - # Windows XP function: ClearDirectoryContents parameters: directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Opera\Opera' - # Windows Vista and newer function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Opera\Opera' - # Windows Vista and newer function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Opera\Opera' - category: Clear Safari history children: - name: Clear Webpage Icons recommend: standard docs: https://www.sans.org/blog/safari-browser-forensics/ call: - # Windows XP function: DeleteFiles parameters: fileGlob: '%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db' - # Windows Vista and newer function: DeleteFiles parameters: fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\WebpageIcons.db' - name: Clear Safari cache recommend: standard docs: 
https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari call: - # Windows XP function: DeleteFiles parameters: fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db' - # Windows Vista and newer function: DeleteFiles parameters: fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cache.db' - name: Clear Safari cookies recommend: strict docs: https://kb.digital-detective.net/display/BF/Location+of+Safari+Data call: - # Windows XP function: DeleteFiles parameters: fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db' - # Windows Vista and newer function: DeleteFiles parameters: fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cookies.db' - name: Clear all Safari data (user profiles, settings, and data) docs: - https://kb.digital-detective.net/display/BF/Location+of+Safari+Data - https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari - https://zerosecurity.org/2013/04/safari-forensic-tutorial call: - # Windows XP function: ClearDirectoryContents parameters: directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari' - # Windows Vista and newer function: ClearDirectoryContents parameters: directoryGlob: '%APPDATA%\Apple Computer\Safari' - category: Clear temporary Windows files docs: |- This category covers removal of temporary Windows files. It is recommended to clean these files as they can be used for unauthorized analysis of user behavior and system usage [1]. They may also potentially host malicious software [2] [3]. Eliminating these files significantly enhances the security and privacy of the system. Microsoft advises this cleanup for enhanced security [2]. Besides enhancing security, removing these files also frees up disk space. However, removing temporary files might lead to a slight delay in initial application/system load times. 
By regularly clearing these files, users reduce the chance of malware residing [2] [3] in these folders and prevent the unauthorized use of their information for forensic analysis [1], serving as a simple and effective strategy for maintaining a secure and private system environment. [1]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University" [2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com" [3]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov" children: - name: Clear temporary system folder recommend: standard docs: |- This script eliminates the contents of the `%WINDIR%\Temp\` directory, also known as the Windows Temp directory [1]. This directory is located within the Windows system folder `%SystemDrive%\Windows\Temp\` [1] [2]. It is used by the system and system-level processes to store temporary files, including those generated by the operating system and other system-level software. This folder, protected by specific access control lists (ACL) [3] [4], is accessible only to system-level accounts [2]. Known for being utilized by malware, cleaning this directory is recommended for maintaining system security [2] [5]. Moreover, it's used for forensics to analyze user behavior [6], thus raising privacy concerns. Microsoft underscores the importance of cleaning this folder to free up disk space [7], resolve system application issues [1] [8] [9], and counteract malware [2]. Some system applications may populate this folder, taking up considerable disk space [7] [9] [10]. 
This script only deletes the contents of the `%WINDIR%\Temp\` directory, not the directory itself, to maintain system integrity, security, and privacy, avoiding potential issues caused by unintentional directory deletion without proper ACL. Deleting the directory itself might disrupt certain applications, such as `dism` [11], and application installers [12], while also removing the special ACL that secures the folder. [1]: https://web.archive.org/web/20231001145018/https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/error-0x800f0922-uninstall-role-feature "Error 0x800f0922 when you uninstall roles - Windows Server | Microsoft Learn" [2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com" [3]: https://web.archive.org/web/20231001145051/https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging#window-sysinternals-procdump "Enabling Postmortem Debugging - Windows drivers | Microsoft Learn" [4]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn" [5]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov" [6]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University" [7]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" [8]: https://web.archive.org/web/20231001150108/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/adr-updates-download-failure 
"Automatic deployment rule (ADR) fails to download updates - Configuration Manager | Microsoft Learn" [9]: https://web.archive.org/web/20231001150158/https://support.microsoft.com/en-us/topic/error-message-112-setup-is-unable-to-decompress-and-copy-all-the-program-files-c8dadf2a-4e7e-11bf-6543-ab5560b7fc19 'Error Message 112 "Setup Is Unable to Decompress and Copy All the Program Files" - Microsoft Support' [10]: https://web.archive.org/web/20231001150233/https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/unifiedcontent-folder-fills-up-drive "Exchange UnifiedContent folder fills up the drive - Exchange | Microsoft Learn" [11]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test ยท Pull Request #176 ยท undergroundwires/privacy.sexy" [12]: https://github.com/undergroundwires/privacy.sexy/issues/89 "Some installer failed to installer ยท Issue #89 ยท undergroundwires/privacy.sexy" call: function: ClearDirectoryContents parameters: directoryGlob: '%WINDIR%\Temp' - name: Clear temporary user folder recommend: standard docs: |- This script deletes the contents of the `%TEMP%\` (or `%LOCALAPPDATA%\Temp\` [1], `%TMP%\` [2]) directory, used by applications and processes to store temporary files. This directory is situated within the user profile `%SystemDrive%\Users\\AppData\Local\Temp` [1] [2] [3]. Only the respective profile user can read and write to this folder [4]. This folder's usage for understanding user behavior in forensics [5] raises privacy concerns. Its content deletion, a regular operation performed by Windows system tools like SilentCleanup (`cleanmgr.exe`) or Storage Sense (`storsvc.exe`) [8], does not harm the system. On cloud machines, Microsoft does not retain contents of this directory and conducts automatic clean-ups to prevent data accumulation [6]. 
This script, while removing the contents, retains the directory to preserve the access control list (ACL) assigned by Microsoft [7], preventing potential misconfigurations due to unintentional folder creation without proper ACL. Microsoft recommends cleaning this folder to free disk space [8] and eliminate potential malware [9]. Post-script execution, a reboot is recommended to ensure smooth application functionality accessing `%TEMP%` [8]. [1]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test ยท Pull Request #176 ยท undergroundwires/privacy.sexy" [2]: https://web.archive.org/web/20231001150554/https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables "Recognized environment variables - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20231001150603/https://learn.microsoft.com/en-us/dotnet/api/system.io.path.gettemppath?view=net-7.0#examples "Path.GetTempPath Method (System.IO) | Microsoft Learn" [4]: https://web.archive.org/web/20231001150917/https://learn.microsoft.com/en-us/windows/win32/shell/about-user-profiles "About User Profiles - Win32 apps | Microsoft Learn" [5]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University" [6]: https://web.archive.org/web/20231001150713/https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-troubleshoot-default-temp-folder-size-too-small-web-worker-role "Default TEMP folder size is too small for a role | Microsoft Learn" [7]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn" [8]: https://web.archive.org/save/https://learn.microsoft.com/en-us/troubleshoot/windows-server/shell-experience/temp-folder-with-logon-session-id-deleted "The %TEMP% folder with logon session 
ID is deleted - Windows Server | Microsoft Learn" [9]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com" call: function: ClearDirectoryContents parameters: directoryGlob: '%TEMP%' - name: Clear prefetch folder recommend: standard docs: |- This script deletes the contents of `%WINDIR%\Prefetch\*`, typically pointing to `C:\Windows\Prefetch\` [1] [2]. **What is Prefetch?** Introduced in Windows XP [2], Prefetch was developed by Windows to expedite application startup [1] and the boot process [1] [2]. It works by preemptively loading data and code pages into memory from the disk before requests [2], monitoring application's startup page faults [2], and storing the gathered data in the Prefetch directory [2]. **Why Clear the Prefetch Directory?** Over time, many files accumulate in the Prefetch directory. Clearing this directory enhances privacy and potentially frees disk space by removing traces of recently used applications and files in the system, making unauthorized tracking of application usage more difficult. Despite its design for improving application startup times [1], Prefetch can inadvertently expose information about the applications and files accessed on the system [1]. Clearing the Prefetch directory addresses this issue by eliminating these traces. Microsoft suggests deleting the Prefetch directory and its contents if significant system configuration changes occur, like adjustments to drivers, services, or applications that start automatically [3]. This action eradicates any outdated prefetched data [3], ensuring that the system operates with the most up-to-date and relevant data for application startups [3]. The files in the Prefetch directory are used for forensic purposes [4] [5], adding to the privacy concerns. 
They reveal information about application usage, including data layout [4], access history on disk [4], last execution time [5], and the total number of times an application has been run [5]. Additionally, they contain historical process information such as loaded libraries and process dependencies [6]. Erasing these files mitigates the risk of this information being used for unauthorized tracking or analysis, improving your privacy. **Trade-Off** Clearing the Prefetch might cause a minor delay in application startup times until the necessary data is regenerated as applications are used again [2]. This is a compromise for heightened privacy and potentially freed disk space. [1]: https://web.archive.org/web/20231001151015/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices "Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn" [2]: https://web.archive.org/web/20231001151029/https://learn.microsoft.com/en-us/sysinternals/resources/archive/v03n02#windows-xp-prefetching "Sysinternals Newsletter Vol. 3, No. 
2 - Sysinternals | Microsoft Learn" [3]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft" [4]: https://web.archive.org/web/20231001151107/https://ccsweb.lanl.gov/~kei/mypubbib/papers/TOS_13_diskseen.pdf "A Prefetching Scheme Exploiting both Data Layout and Access History on Disk | ccsweb.lanl.gov" [5]: https://web.archive.org/web/20231001151150/https://www.justice.gov/sites/default/files/usao/legacy/2008/02/04/usab5601.pdf "Computer Forensics | justice.gov" [6]: https://web.archive.org/web/20231001151207/https://par.nsf.gov/servlets/purl/10333089 "Malware Family Classification via Residual Prefetch Artifacts | par.nsf.gov" call: function: ClearDirectoryContents parameters: directoryGlob: '%WINDIR%\Prefetch' - category: Clear Windows log and caches children: - name: Clear thumbnail cache call: function: DeleteFiles parameters: fileGlob: '%LOCALAPPDATA%\Microsoft\Windows\Explorer\*.db' - category: Clear Windows system log files children: - category: Clear Windows Update system logs children: - name: Clear Windows update and SFC scan logs recommend: standard docs: https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\Temp\CBS' - name: Clear Windows Update Medic Service logs recommend: standard docs: https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4 call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\Logs\waasmedic' - name: Clear "Cryptographic Services" diagnostic traces recommend: standard docs: |- This script removes specific files associated with the "Cryptographic Services". 
The files include: - `%SYSTEMROOT%\System32\catroot2\dberr.txt` - `%SYSTEMROOT%\System32\catroot2.log` - `%SYSTEMROOT%\System32\catroot2.jrs` - `%SYSTEMROOT%\System32\catroot2.edb` - `%SYSTEMROOT%\System32\catroot2.chk` The "Cryptographic Services" (`CryptSvc`) service manages services such as key management for the computer [1] [2]. This service is used by different features, including Windows Updates [3] [4] [5]. There is no official documentation available for these files from Microsoft. However, after analyzing the internal workings of Windows, below is a detailed explanation of the purpose, collected data, and privacy implications for each file: | File name | Purpose | Data Collected | Privacy Implications | | --------- | ------- | -------------- | -------------------- | | `dberr.txt` | Logging database errors | Error messages and codes related to database operations | Potential system issues or vulnerabilities | | `catroot2.log` | Logging activities, errors, or transactions related to cryptographic operations | Log data including status messages, error codes | System configurations and vulnerabilities | | `catroot2.jrs` | Journal file for data integrity in cryptographic operations | Transaction logs or temporary cryptographic data | System's state and cryptographic operations | | `catroot2.edb` | Storing certificate and signature data for Windows Update | Certificate and signature validation data, update details | Update history and security state | | `catroot2.chk` | Ensuring data consistency in the ESE database | Information for database recovery | System state information | This script deletes these files, improving user privacy by ensuring that sensitive information related to system configurations, vulnerabilities, and cryptographic operations is not readily available. 
[1]: https://web.archive.org/web/20231025233132/https://www.windows-security.org/windows-service/cryptographic-services "Cryptographic Services | Windows security encyclopedia | windows-security.org" [2]: https://web.archive.org/web/20231025233145/https://revertservice.com/10/cryptsvc/ "Cryptographic Services (CryptSvc) Defaults in Windows 10 | revertservice.com" [3]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20231025233228/https://support.microsoft.com/en-us/topic/claims-to-windows-token-service-c2wts-not-starting-after-rebooting-server-52a2d131-cb9d-bf28-77d4-1663a99d03b3 "Claims to Windows Token Service (c2WTS) not starting after rebooting server - Microsoft Support | support.microsoft.com" [5]: https://web.archive.org/web/20231025233251/https://learn.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/vss-error-8193-restart-cryptographic-services "VSS event 8193 when you restart the Cryptographic Services service after you install the DHCP role - Windows Server | Microsoft Learn | learn.microsoft.com" call: - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\catroot2\dberr.txt' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\catroot2.log' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\catroot2.jrs' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\catroot2.edb' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\catroot2.chk' - name: Clear Server-initiated Healing Events system logs docs: |- These are logs related to Windows Update [1] [2]. It stores event trace log (ETL) files [3]. 
While the logs are largely technical, like many diagnostic logs, there's a potential for some data that could be considered personally identifiable information (PII), such as usernames or machine names, to be included. From a forensic standpoint, they offer valuable data for reconstructing system events related to software updates [3] : - **Update History**: The logs can provide a history of updates, including those that failed and required remediation. This could be used to establish a timeline of events on a system. - **System Integrity**: In forensic scenarios where the integrity of the system is in question, the SIH logs could be used to determine if there were any issues with updates, including any that were automatically remediated. - **Behavior Analysis**: While the primary purpose of the logs is not to capture user behavior, they can be part of a broader set of logs and data used in behavioral analysis, especially when reconstructing events leading up to a particular system state or incident. 
[1]: https://web.archive.org/web/20231020011710/https://raw.githubusercontent.com/Azure/azure-diskinspect-service/master/docs/manifest_by_file.md "Official Microsoft Documentation | azure-diskinspect-service/docs/manifest_by_file.md at master ยท Azure/azure-diskinspect-service | github.com" [2]: https://web.archive.org/web/20231020012236/https://answers.microsoft.com/es-es/windows/forum/all/windows-10-carpeta-y-archivos-sih/4d318121-fed6-4202-8b92-d4dc236b468e "Windows 10 | Carpeta y archivos SIH - Microsoft Community" [3]: https://tzworks.com/prototypes/tela/tela.users.guide.pdf "TZWorks Shim Database Parser (shims) Users Guide" call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\Logs\SIH' - name: Clear Windows Update logs call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\Traces\WindowsUpdate' - name: Clear Optional Component Manager and COM+ components logs recommend: standard call: function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\comsetup.log' - name: Clear "Distributed Transaction Coordinator (DTC)" logs recommend: standard call: function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\DtcInstall.log' - name: Clear logs for pending/unsuccessful file rename operations docs: |- This script is used to clear the log files created by Windows whenever there are pending file rename operations that are not successfully completed. The logged operations might include renaming, moving or deleting a file that is currently in use [1]. 
[1]: https://web.archive.org/web/20230806191624/https://support.microsoft.com/en-us/topic/how-to-install-multiple-windows-updates-or-hotfixes-with-only-one-reboot-6247def4-7f39-c1a0-efe5-61f82849fb7c "How to install multiple Windows updates or hotfixes with only one reboot - Microsoft Support" call: function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\PFRO.log' - name: Clear Windows update installation logs recommend: standard docs: |- This script is used to clear the log files created during the Windows update installation process. This includes both the actions log (`setupact.log`) and the error log (`setuperr.log`). These files contain information about setup initialization and are typically used if setup fails to launch [1]. [1]: https://web.archive.org/web/20230806191844/https://learn.microsoft.com/en-us/windows/deployment/upgrade/log-files "Log files and resolving upgrade errors - Windows Deployment | Microsoft Learn" call: - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\setupact.log' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\setuperr.log' - name: Clear Windows setup logs recommend: standard docs: https://support.microsoft.com/en-gb/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows call: - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\setupapi.log' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\inf\setupapi.app.log' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\inf\setupapi.dev.log' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\inf\setupapi.offline.log' - function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\Panther' - name: Clear "Windows System Assessment Tool (`WinSAT`)" logs recommend: standard docs: https://docs.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal call: function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\Performance\WinSAT\winsat.log' - name: Clear password change events 
recommend: standard call: function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\debug\PASSWD.LOG' - name: Clear user web cache database recommend: standard docs: https://support.microsoft.com/en-gb/help/4056823/performance-issue-with-custom-default-user-profile call: function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache' - name: Clear system temp folder when not logged in recommend: standard call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Local\Temp' - name: Clear DISM (Deployment Image Servicing and Management) system logs recommend: standard docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files call: - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\Logs\CBS\CBS.log' - function: DeleteFiles parameters: fileGlob: '%SYSTEMROOT%\Logs\DISM\DISM.log' - name: Clear Windows update files # Marked: stop-service-do-stuff-restart-service docs: |- This script clears the contents of the `%SYSTEMROOT%\SoftwareDistribution\` directory. This action is sometimes called *resetting the Windows Update Agent* or *resetting Windows Update components* by Microsoft [1]. This directory contains Windows Update files [2] [3]. It includes logs of Windows updates [2] [4], downloaded updates [5], and database files related to the updates [2]. Over time, the size of this folder can increase [5], leading to potential disk space issues. Clearing this directory can help free up disk space [5]. This folder is used by Windows Updates [1] [6]. The `wuauserv` service, also known as "Windows Update Service" [7], uses this folder for its operations [1] [8] [9]. This service manages the Windows Update Agent (WUA) functionality [7]. Clearing this directory is generally safe, and sometimes, Microsoft even recommends this action to troubleshoot and resolve update-related errors [1] [5] [6] [9] [10]. 
This script contributes to users' privacy and system efficiency by cleaning up old and potentially unnecessary update files. [1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update#how-do-i-reset-windows-update-components "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231027190239/https://support.microsoft.com/en-us/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc "Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158) - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide#windows-update-files-or-automatic-update-files "Microsoft Defender Antivirus exclusions on Windows Server | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20231027190425/https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs "Windows Update log files - Windows Deployment | Microsoft Learn | learn.microsoft.com" [5]: https://web.archive.org/web/20231027190439/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/address-disk-space-issues-caused-by-winsxs "Large WinSxS directory causes disk space issues - Windows Client | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20231027190148/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/common-windows-update-errors "Common Windows Update errors - Windows Client | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20231027190357/https://revertservice.com/10/wuauserv/ "Windows Update 
(wuauserv) Service Defaults in Windows 10 | revertservice.com" [8]: https://web.archive.org/web/20231027190213/https://support.microsoft.com/en-us/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c#WindowsVersion=Windows_11 "Troubleshoot problems updating Windows - Microsoft Support | support.microsoft.com" [9]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com" [10]: https://web.archive.org/web/20231029172022/https://support.microsoft.com/en-us/topic/you-receive-an-administrators-only-error-message-in-windows-xp-when-you-try-to-visit-the-windows-update-web-site-or-the-microsoft-update-web-site-d2c732b6-21e0-a2ce-8d18-303ed71736c9 'You receive an "Administrators only" error message in Windows XP when you try to visit the Windows Update Web site or the Microsoft Update Web site - Microsoft Support | support.microsoft.com' code: |- # `sc queryex` output is the same in every OS language setlocal EnableDelayedExpansion SET /A wuau_service_running=0 SC queryex "wuauserv"|Find "STATE"|Find /v "RUNNING">Nul||( SET /A wuau_service_running=1 net stop wuauserv ) del /q /s /f "%SYSTEMROOT%\SoftwareDistribution\*" IF !wuau_service_running! 
== 1 ( net start wuauserv ) endlocal - name: Clear Common Language Runtime system logs recommend: standard call: - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageTraces' - function: ClearDirectoryContents parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageTraces' - name: Clear Network Setup Service Events system logs recommend: standard call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\Logs\NetSetup' - name: Clear logs generated by Disk Cleanup Tool (`cleanmgr.exe`) docs: |- This script is used to clear the log files generated by the Disk Cleanup Tool (cleanmgr.exe). These logs are generated when the Disk Cleanup Tool is used to free up disk space. Log files for this tool are stored in `C:\Windows\System32\LogFiles\setupcln\` [1]. Erasing these logs can enhance user privacy by removing traces of the cleanup process. These logs are known to be used in forensic analysis [2]. [1]: https://web.archive.org/web/20230806192546/https://ss64.com/nt/cleanmgr.html "Cleanmgr - Delete Junk and Temp files - Windows CMD - SS64.com" [2]: https://web.archive.org/web/20230806192800/https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ "Beyond good olโ€™ Run key, Part 86 | Hexacorn" call: function: ClearDirectoryContents parameters: directoryGlob: '%SYSTEMROOT%\System32\LogFiles\setupcln' - name: Clear diagnostics tracking logs # Marked: stop-service-do-stuff-restart-service ("DiagTrack") recommend: standard docs: |- This script deletes primary telemetry files in Windows. These files store event trace logs that are collected by the `DiagTrack` service [1] [2]. This service is also known as "Diagnostics Tracking Service" [3] or "Connected User Experiences and Telemetry" service [4]. These files are stored as Event Trace Log (`.etl`) files, also known as a trace logs [5]. Contents of these files are transmitted to Microsoft servers [1] [2]. 
This service uses *AutoLogger* logs. *AutoLogger* allows saving trace logs early in the operating system boot process before the user logs in [6]. This data is collected during system boot and shut-down, and typically read and deleted at each system boot [3]. The information collected is divided into two files: - `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2] - `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2] To modify or delete these files, `SYSTEM` rights are required [1], which this script provides. The collected data varies based on the telemetry level set [2] and may include information about websites visited, application and system performance, device activity, and memory dumps [7]. By deleting these telemetry files, this script prevents the `DiagTrack` service from sending a specific set of diagnostic and usage data to Microsoft, enhancing user privacy by reducing data sharing. [1]: https://web.archive.org/web/20231027164549/https://it-forensik.fiw.hs-wismar.de/images/a/a3/MT_MReuter.pdf "Options for using Event Tracing for Windows (ETW) to support forensic analyzes of process behavior in Windows 10 | University of Wismar" [2]: https://web.archive.org/web/20230215084038/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Analyse_Telemetriekomponente_1_2.pdf?__blob=publicationFile&v=3 "Analyse der Telemetriekomponente in Windows 10 | The national cyber security authority in Germany | bsi.bund.de" [3]: https://web.archive.org/web/20231027164826/https://troopers.de/downloads/troopers19/TROOPERS19_DM_Telemetry.pdf "The Anatomy of Windows Telemetry | The national cyber security authority in Germany | troopers.de" [4]: https://web.archive.org/web/20231027165627/https://revertservice.com/10/diagtrack/ "Connected User Experiences and Telemetry (DiagTrack) Service Defaults in Windows 10 | revertservice.com" [5]: 
https://web.archive.org/web/20231027164529/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-log "Trace Log - Windows drivers | Microsoft Learn" [6]: https://web.archive.org/web/20231027164510/https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session "Configuring and Starting an AutoLogger Session - Win32 apps | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20231027164821/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com" call: - function: DeleteFiles parameters: fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl' grantPermissions: true - function: DeleteFiles parameters: fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl' grantPermissions: true - name: Clear event logs in Event Viewer application docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information code: |- REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) for /f "tokens=*" %%i in ('wevtutil.exe el') DO ( echo Deleting event log: "%%i" wevtutil.exe cl %1 "%%i" ) - name: Clear Defender scan (protection) history docs: |- This script deletes the scan history kept by Microsoft Defender on your computer. Microsoft Defender logs detected threats but also gathers and stores data about various other files it scans [1] [2]. While removing this history enhances your privacy, it might decrease security, as these logs assist in monitoring threats. 
By eliminating traces of your system's files, activities and any threats detected, you ensure no residual data can be utilized to study or analyze your computer's activities, thus protecting your privacy. Defender keeps a log of various details whenever it scans your computer for threats. This includes [3] [4]: - **Time**: The moment the threat was discovered. - **Threat Status**: The action carried out against the threat. - **Virus Type**: The type or category of the virus. - **Threat ID**: A unique identifier for the threat. - **Virus Name**: The name of the virus. - **File Path**: The location of the threat on your computer. - **File Hash**: A unique code representing the file. - **Quarantine File Name (GUID)**: The name given to the quarantined threat. - **File Size**: The size of the file. When you first set up Windows, it conducts an initial scan [1]. This scan identifies system files that won't require future scans [1]. These 'safe' files are saved in a unique folder, which becomes a part of the scan history [1]. If a threat is recognized, Microsoft Defender will notify you [4]. Regardless of whether you choose to run the file or not, a `DetectionHistory` file is created [2]. This file is stored in a specific folder (`%ProgramData%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\[numbered folder]\`), and it contains a system-generated ID for the event [2]. > **Caution:** Deleting these logs may decrease your security. These logs help in keeping track of potential threats and their sources, allowing for a more proactive response in future encounters. Without this history, Microsoft Defender might not recognize recurring threats as quickly, possibly leaving your system more vulnerable. It's essential to understand that you're making a trade-off between enhanced privacy and potentially reduced security. 
[1]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft" [2]: https://web.archive.org/web/20230829143754/https://www.sans.org/blog/uncovering-windows-defender-real-time-protection-history-with-dhparser/ "Uncovering Windows Defender Real-time Protection History with DHParser | SANS Alumni Blog" [3]: https://web.archive.org/web/20230829144957/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/defender/msft-mpthreatdetection "MSFT\_MpThreatDetection class | Microsoft Learn" [4]: https://web.archive.org/web/20230829144434/https://forensafe.com/blogs/windows_defender.html "Windows Defender | Forensafe" call: function: ClearDirectoryContents # Otherwise it cannot access/delete files under `Scans\History`, see https://github.com/undergroundwires/privacy.sexy/issues/246 parameters: directoryGlob: '%ProgramData%\Microsoft\Windows Defender\Scans\History' grantPermissions: true # Running as TrustedInstaller is not needed, and causes Defender to alarm https://github.com/undergroundwires/privacy.sexy/issues/264 - name: Clear credentials in Windows Credential Manager call: function: RunPowerShell parameters: code: |- $cmdkeyPath = Get-Command cmdkey -ErrorAction SilentlyContinue if (-not $cmdkeyPath) { throw 'Failed to find the `cmdkey` utility on this system.' } $cmdkeyListOutput = & $cmdkeyPath /list if ($LASTEXITCODE -ne 0) { throw "Failed to execute `cmdkey /list`. Exit code: $LASTEXITCODE." } if (-not $cmdkeyListOutput) { throw 'Failed to retrieve credentials list. The output from `cmdkey /list` is empty.' } $credentialEntries = @($cmdkeyListOutput | Select-String 'Target') if (-not $credentialEntries) { Write-Host 'Skipping: No credentials found for deletion.' exit 0 } $allCredentialsDeletedSuccessfully = $true Write-Host "Total of $($credentialEntries.Length) credential(s) found. Initiating deletion..." 
foreach ($credentialEntry in $credentialEntries) { if ($credentialEntry -notmatch 'Target:(.+)') { Write-Error "Failed to parse credential from output: $credentialEntry" $allCredentialsDeletedSuccessfully = $false continue } $credentialTargetName = $matches[1].Trim() Write-Host "Deleting credential: `"$credentialTargetName`"..." & $cmdkeyPath /delete:$credentialTargetName if ($LASTEXITCODE -ne 0) { Write-Error "Failed to delete credential '$credentialTargetName'. `cmdkey` returned exit code: $LASTEXITCODE." $allCredentialsDeletedSuccessfully = $false } else { Write-Host "Successfully deleted credential: `"$credentialTargetName`"." } } if (-not $allCredentialsDeletedSuccessfully) { Write-Warning 'Failed to delete some credentials. Please check the error messages above.' } else { Write-Host "Successfully deleted all $($credentialEntries.Length) credential(s)." } - name: Remove the controversial `default0` user docs: https://github.com/undergroundwires/privacy.sexy/issues/30 recommend: standard code: net user defaultuser0 /delete 2>nul - name: Empty trash (Recycle Bin) call: function: RunPowerShell parameters: code: |- $bin = (New-Object -ComObject Shell.Application).NameSpace(10) $bin.items() | ForEach { Write-Host "Deleting $($_.Name) from Recycle Bin" Remove-Item $_.Path -Recurse -Force } - name: Minimize DISM "Reset Base" update data recommend: standard docs: |- This script diminishes unnecessary system data, thus enhancing your privacy and performance. The **DISM tool** is used to manage Windows images and is often used to fix issues with the Windows operating system [1]. The **"Reset Base"** option can help to reduce the size of the WinSxS folder [2]. Once, "Reset Base" is enabled, you cannot uninstall any previous updates [2]. This script activates the **"Reset Base"** feature, minimizing the size of WinSxS folder. It contributes to the reduction of redundant data, enhancing both the performance of your system and your privacy. 
The **WinSxS folder**, also known as the "Windows Side by Side" folder, is a component of the Windows operating system [3]. It is located in the Windows directory (for example, `C:\Windows\WinSxS`) [3]. The WinSxS folder is used to store system components that are required for the installation of Windows [3]. It also stores components that are added to the system through Windows updates [3]. **Windows Component Store** contains all the files that are required for Windows features on demand [3]. > **Caution:** Once the "Reset Base" operation is activated, you will not be able to uninstall previous updates. However, this small trade-off improves your privacy and control over system data. [1]: https://web.archive.org/web/20230806160623/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/what-is-dism?view=windows-11 "DISM Overview | Microsoft Learn" [2]: https://web.archive.org/web/20230806160827/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11 "Clean Up the WinSxS Folder | Microsoft Learn" [3]: https://web.archive.org/web/20230710000943/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/manage-the-component-store?view=windows-11 "Manage the Component Store | Microsoft Learn" code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f - name: Remove Windows product key from registry # Helps to protect it from being stolen and used for identity theft or identifying you. docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/ # We use cscript.exe to execute instead of `slmgr` command directly to keep the output but suppress the dialogs. 
code: cscript.exe //nologo "%SYSTEMROOT%\System32\slmgr.vbs" /cpky - name: Clear volume backups (shadow copies) docs: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods code: vssadmin delete shadows /all /quiet - name: Remove associations of default apps recommend: standard code: dism /online /Remove-DefaultAppAssociations - name: Clear System Resource Usage Monitor (SRUM) data # Marked: stop-service-do-stuff-restart-service recommend: standard docs: |- This script deletes the Windows System Resource Usage Monitor (SRUM) database file. SRUM tracks the usage of desktop applications, services, Windows applications, and network connections [1] [2] [3]. SRUM stores its file at `C:\Windows\System32\sru\SRUDB.dat` [1] [3] [4]. Before deleting the file, the script temporarily stops the Diagnostic Policy Service (DPS). The DPS helps Windows detect and solve problems with its components [4]. Stopping this service is required as modifications to the SRUM file require it to be turned off [5]. Deleting this file can enhance user privacy as it contains usage data and is often used for forensic analysis of user behavior [1] [6]. 
[1]: https://web.archive.org/web/20231013164746/https://raw.githubusercontent.com/libyal/esedb-kb/main/documentation/System%20Resource%20Usage%20Monitor%20%28SRUM%29.asciidoc "esedb-kb/documentation/System Resource Usage Monitor (SRUM).asciidoc at main · libyal/esedb-kb | github.com" [2]: https://web.archive.org/web/20231004161112/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809 "Windows 10, version 1809 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn" [3]: https://web.archive.org/web/20231004161132/https://security.opentext.com/appDetails/SRUM-Database-Parser "SRUM Database Parser | security.opentext.com" [4]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#diagnostic-policy-service "Security guidelines for system services in Windows Server 2016 | Microsoft Learn" [5]: https://web.archive.org/web/20231008135321/https://devblogs.microsoft.com/sustainable-software/measuring-your-application-power-and-carbon-impact-part-1/ "Measuring Your Application Power and Carbon Impact (Part 1) - Sustainable Software | devblogs.microsoft.com" [6]: https://web.archive.org/web/20231008135333/https://www.sciencedirect.com/science/article/abs/pii/S1742287615000031 "Forensic implications of System Resource Usage Monitor (SRUM) data in Windows 8 | Yogesh Khatri | sciencedirect.com" call: function: RunPowerShell parameters: # If the service is not stopped, following error is thrown: # Failed to delete SRUM database file at: "C:\Windows\System32\sru\SRUDB.dat". Error Details: The process cannot access # the file 'C:\Windows\System32\sru\SRUDB.dat' because it is being used by another process. 
code: |- $srumDatabaseFilePath = "$env:WINDIR\System32\sru\SRUDB.dat" if (!(Test-Path -Path $srumDatabaseFilePath)) { Write-Output "Skipping, SRUM database file not found at `"$srumDatabaseFilePath`". No actions are required." exit 0 } $dps = Get-Service -Name 'DPS' -ErrorAction Ignore $isDpsInitiallyRunning = $false if ($dps) { $isDpsInitiallyRunning = $dps.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running if ($isDpsInitiallyRunning) { Write-Output "Stopping the Diagnostic Policy Service (DPS) to delete the SRUM database file." $dps | Stop-Service -Force $dps.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped) Write-Output "Successfully stopped Diagnostic Policy Service (DPS)." } } else { Write-Output "Diagnostic Policy Service (DPS) not found. Proceeding without stopping the service." } try { Remove-Item -Path $srumDatabaseFilePath -Force -ErrorAction Stop Write-Output "Successfully deleted the SRUM database file at `"$srumDatabaseFilePath`"." } catch { throw "Failed to delete SRUM database file at: `"$srumDatabaseFilePath`". Error Details: $($_.Exception.Message)" } finally { if ($isDpsInitiallyRunning) { try { if ((Get-Service -Name 'DPS').Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Output "Restarting the Diagnostic Policy Service (DPS)." $dps | Start-Service } } catch { throw "Failed to restart the Diagnostic Policy Service (DPS). Error Details: $($_.Exception.Message)" } } } - name: Clear previous Windows installations call: function: DeleteDirectory parameters: directoryGlob: '%SYSTEMDRIVE%\Windows.old' grantPermissions: true - category: Disable OS data collection children: - category: Disable Application Compatibility Framework docs: |- This category disables the Application Compatibility (AppCompat) framework on Windows. The Application Compatibility (AppCompat) framework is a feature in Windows that collects data about application compatibility. 
This includes gathering information about application crashes, issues, and other operational details to help improve the compatibility of applications on Windows [1]. It is controlled by a set of policies within the Microsoft Windows operating system aimed at enabling applications designed for older versions of Windows to function properly on newer versions [1]. However, the Application Compatibility framework involves various forms of data collection that may be considered invasive from a privacy standpoint [1]. It can potentially be exploited to reveal more data about your application usage or to inject your computer with malware [2] [3] [4]. By disabling the AppCompat framework, this script contributes to enhancing users' privacy by limiting potential data collection and exposure to malware exploitation. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson" [3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com" [4]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com" children: # Excluding "Application Experience" service (`AeLookupSvc`) as it does not exist since Windows 10 21H1 and Windows 11 22H2 - name: Disable Application Impact Telemetry (AIT) recommend: standard docs: |- This script disables Application Impact Telemetry (AIT). 
Application Impact Telemetry (AIT) is a function that tracks the usage of certain Windows system components by various applications [1]. Turning this feature off stops the collection of usage data [1], enhancing your privacy by ensuring that your usage patterns and behaviors are not sent to external servers. Disabling telemetry will take effect on any newly launched applications [1]. To ensure that telemetry collection has stopped for all applications, please reboot your machine [1]. Note that if the Customer Experience Improvement Program (CEIP) is turned off, Application Telemetry will be disabled regardless of this setting [1]. This script performs its function by modifying a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!AITEnable`. This is the switch that controls the AIT setting within the operating system [1]. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffapplicationimpacttelemetry "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 - name: Disable Application Compatibility Engine recommend: standard docs: |- This script disables the Application Compatibility Engine on Windows systems. The Application Compatibility Engine examines a compatibility database every time an application starts [1]. If it finds a match for the application, it either applies compatibility fixes or displays a help message for known problems with the application [1]. This process may inadvertently reveal data about the applications you run on your system, especially if the query functions are intercepted [2]. 
Moreover, this database can be utilized by malware creators to modify an application and make it perform unintended actions [3]. Disabling the Application Compatibility Engine leads to enhanced system performance [1]. However, this might compromise the compatibility of many older, popular applications and permit the installation of known incompatible applications [1]. Additionally, certain Windows features like Windows Resource Protection and User Account Control use this engine to resolve application issues [1]. Without the engine, these solutions won't be applied, and applications may not install or run correctly [1]. This option is suitable for users seeking faster performance who are knowledgeable about the compatibility of the applications they use [1]. Keep in mind that any changes to this setting require a system reboot to take effect as many system processes cache this setting's value for performance reasons [1]. The script achieves its goal by altering a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine` [1]. By disabling this engine, known to be a vulnerability exploited by malware [4], the script reduces the potential attack surface on the system, enhancing overall security. 
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffengine "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com" [3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com" [4]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson" code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableEngine" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableEngine" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 - name: Remove "Program Compatibility" tab from file properties (context menu) recommend: strict docs: |- This script removes the "Program Compatibility" tab from the file properties context menu. This tab is visible on the property context menu of any program shortcut or executable file, and displays options that can be applied to the application to solve common issues affecting older applications [1]. When enabled, this script prevents the compatibility property page from appearing in the context menus, though it does not impact any prior compatibility settings applied to applications through this interface [1]. This script achieves its functionality by modifying a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage` [1]. 
This setting is often used in organizational environments to prevent end-users from modifying the compatibility settings of applications. It ensures that applications operate with the settings considered most suitable by the system administrator or IT department. This restriction aids in upholding system stability and security by ensuring users cannot run applications in modes recognized to be insecure or unstable. This script assists in upholding a more secure and stable environment by barring unauthorized changes to application compatibility settings. The security benefits include: - **Restricting User Actions**: By limiting the actions that a user can perform, administrators can prevent unintended security vulnerabilities. Users may inadvertently (or intentionally) choose settings that could expose the system to risks, and this script helps in preventing such scenarios. - **Maintaining Known Configurations**: By ensuring that applications can only run in certain compatibility modes, administrators can more effectively manage and secure their environments. They can thoroughly test and verify the security of the allowed configurations, leading to a more robust security posture. - **Preventing Exploitation of Vulnerabilities**: Some compatibility settings might make applications run in a less secure mode to maintain compatibility with older software or systems. Preventing users from enabling such settings can help in avoiding potential vulnerabilities associated with these modes. By preventing users from changing compatibility settings, you could prevent them from selecting settings that send additional data to software vendors (for example, certain compatibility modes might enable additional telemetry or error reporting). Though primarily aimed at control and stability, this restriction indirectly contributes to privacy protection by reducing potential unwanted data transmission. 
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatremoveprogramcompatproppage "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePropPage" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePropPage" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 - name: Disable Steps Recorder (collects screenshots, mouse/keyboard input and UI data) recommend: standard docs: |- This script disables Steps Recorder on your device. Steps Recorder, formerly known as Problem Steps Recorder [1] [2], is a tool that records the actions taken on a computer, including keyboard and mouse inputs, user interface interactions, and screenshots with every click [2] [3]. This tool is used to diagnose and troubleshoot problems by capturing the exact steps taken when an issue occurs [1]. The data collected by Steps Recorder can be sent to Microsoft or third-party developers [3] [4], potentially revealing sensitive user information. By running this script, the Steps Recorder functionality will be turned off by altering a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableUAR` [3]. This prevents the automatic recording and sharing of user action data, enhancing the privacy and security of the user's device. Not running this script leaves the Steps Recorder enabled by default on Windows [3], allowing it to record and potentially share user actions and information. Using this script enhances user privacy by ensuring that personal actions taken on a computer are not automatically recorded and shared without the user's knowledge or consent. It's a straightforward measure to increase your control over your own device and data. 
Additionally, disabling Steps Recorder is recommended by The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [5]. While enhancing privacy, this script may complicate the troubleshooting process as Steps Recorder will not be available to easily record and share encountered issues. [1]: https://web.archive.org/web/20230927120359/https://support.microsoft.com/en-us/windows/record-steps-to-reproduce-a-problem-46582a9b-620f-2e36-00c9-04e25d784e47 "Record steps to reproduce a problem - Microsoft Support" [2]: https://web.archive.org/web/20230927120405/https://cloudblogs.microsoft.com/dynamics365/no-audience/2016/03/08/capturing-repro-scenarios-using-windows-steps-recorder/ "Capturing Repro Scenarios Using Windows Steps Recorder - Microsoft Dynamics 365 Blog" [3]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffuseractionrecord "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" [4]: https://web.archive.org/web/20230927120745/https://learn.microsoft.com/en-us/windows/win32/win7appqual/windows-error-reporting-problem-steps-recorder "Windows Error Reporting Problem Steps Recorder - Win32 apps | Microsoft Learn" [5]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 - name: Disable "Inventory Collector" task recommend: standard docs: |- This script disables the "Inventory Collector" task on your computer. 
The Inventory Collector is a feature in Windows that gathers data about the applications, files, devices, and drivers on your system and sends this information to Microsoft [1]. This process is used to help solve compatibility problems, ensuring that your software and hardware work together without issues [1]. Running this script will turn off the Inventory Collector, ensuring no data is sent to Microsoft [1]. It also stops the collection of installation data through the Program Compatibility Assistant [1]. By disabling these features, you prevent potentially sensitive information from being shared and avoid uncontrolled updates to your system [2] [3]. If not disabled, the Inventory Collector remains active, continuing to send data [1]. If the Customer Experience Improvement Program is turned off, the Inventory Collector will already be inactive, and running this script will have no effect [1]. Disabling Inventory Collector is advised by several organizations and authorities for enhanced security: - The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [4] - The Department of Defense (DoD) information systems in the USA [2] - Microsoft, as part of Windows security baseline for Azure [3] - National Institute of Standards and Technology (NIST) in the USA [5] This advice is based on the principle of limiting the amount of data shared, contributing to better privacy and security. When you run this script, it modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory`) to turn off the Inventory Collector [1]. Note that disabling the Inventory Collector could impact the functionality of certain features that rely on system information and updates [2] [3]. By running this script, the functionality will be turned off by altering a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory` [1]. 
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprograminventory "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230927174739/https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63663 "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft | stigviewer.com" [3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#windows-components "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au" [5]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 - category: Disable Program Compatibility Assistant (PCA) docs: |- This category covers disabling the Program Compatibility Assistant (PCA) in Windows. The PCA is designed to help users run desktop applications created for earlier versions of Windows by tracking and identifying known compatibility issues [1]. When an issue is detected, PCA offers the user a recommended fix to help the app run better on Windows [1]. **Privacy Implications:** 1. 
**Tracking and Monitoring of Application Activities:** PCA tracks the activities and behaviors of applications to identify symptoms of compatibility issues [1]. Continuous monitoring could inadvertently collect user data, depending on the nature of the applications being monitored and the specifics of the compatibility issues. This persistent oversight could be seen as an invasion of privacy, as users' application usage is consistently observed. 2. **Application and System Data Access:** PCA accesses data about the application and system to determine appropriate compatibility modes and fixes [1]. Access to application and system data might inadvertently lead to access to sensitive or personal information. The extent of PCA's access to such information is not clear from the official documentation, presenting a potential privacy concern. 3. **Automatic Modifications and Permissions:** PCA automatically applies certain compatibility modes to resolve issues, such as giving applications administrative privileges or preventing an app from freeing a DLL from memory [1]. Automatic changes in application permissions or behavior could potentially introduce security risks, as apps might gain access to resources or data they would not normally have access to. Users may not be fully aware of the extent of the changes applied, leading to unintentional security or privacy vulnerabilities. 4. **User Notification and Consent:** While PCA does notify users and often requires their input to apply recommended settings, some fixes are applied silently [1]. Users might not be aware of all the changes PCA makes to application settings and system configurations, limiting their control over their own system and the potential impacts on their privacy. 5. 
**User Feedback and Data Sharing with Microsoft**: At the end of each scenario, after the app is run with recommended compatibility settings, the Program Compatibility Assistant (PCA) will ask the user a simple question to gather feedback on whether the app worked or failed with the compatibility setting [1]. This data is sent to Microsoft [1]. Users may have concerns about sending any kind of data to Microsoft. Some users might be wary of potential data mishandling or misuse. It's crucial to ensure that the data collected is securely stored and processed, and that users are adequately informed about what data is being collected and how it will be used. 6. **Detection and Mitigation Measures by PCA**: The PCA automatically detects issues with applications and applies various mitigation measures [1]. The automatic detection and mitigation by PCA imply that the system is continuously monitoring application behavior, which might be seen as invasive by some users. There could be concerns regarding what kind of data is accessed by PCA during this monitoring and whether any sensitive data could potentially be exposed. 7. **Downloading Missing Components for Apps:** PCA provides a recommendation to download missing components and install them after the app terminates [1]. This could involve downloading software from the internet, which may introduce security and privacy risks [1]. Users might inadvertently download malicious software or software with privacy-invasive features if not adequately guided [1]. 8. **Handling of Administrative Privileges:** PCA handles various scenarios involving administrative privileges and User Account Control (UAC) dialogs, including applying the `RUNASADMIN` compatibility mode to certain installers and applets [1]. This handling of administrative privileges could potentially be exploited by malicious software to gain elevated privileges without adequate user knowledge or consent. 
It is important to ensure that the mechanisms for handling administrative privileges are secure and not prone to exploitation. 9. **Using the Compatibility Troubleshooter**: The Compatibility Troubleshooter allows users to apply recommended fixes to get apps working properly [1]. Use of the Compatibility Troubleshooter involves sharing more data regarding app behavior and issues with Microsoft, raising similar concerns as mentioned above regarding data sharing. Disabling PCA mitigates these potential privacy and security concerns, giving users more control over their data and application behavior, and reducing the risk of unintentional data collection and sharing. [1]: https://web.archive.org/web/20230928141226/https://learn.microsoft.com/en-us/windows/compatibility/pca-scenarios-for-windows-8 "Program Compatibility Assistant scenarios - Compatibility Cookbook | Microsoft Learn" children: - name: Disable "Program Compatibility Assistant (PCA)" feature recommend: standard docs: |- This script disables the Program Compatibility Assistant (PCA) feature in Windows [1]. The purposes include: - Enhances privacy by stopping the continuous monitoring and data collection by PCA. The PCA monitors applications run by the user [1]. - Users gain more control over their system by manually managing application compatibility issues. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions [1]. - Potentially avoids the automatic changes made by PCA that might introduce security risks. - It increases system performance. Microsoft notes that turning off the PCA can be useful for those who require better performance and are already aware of application compatibility issues [1]. This script modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA`) to turn off the PCA [1]. 
As a result, users will not receive automatic solutions to known compatibility issues when running applications [1], ensuring that they have control over the solutions they apply. By default, if you do not run this script or disable PCA manually, the PCA will be turned on [1]. Once this script is executed and PCA is turned off, the user won't be presented with solutions to known compatibility issues when running applications [1]. [1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprogramcompatibilityassistant_2 "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2 - name: Disable "Program Compatibility Assistant Service" (`PcaSvc`) recommend: standard docs: |- This script disables the "Program Compatibility Assistant Service" (`PcaSvc`) in Windows [1]. The `PcaSvc` assists the Program Compatibility Assistant (PCA) in monitoring programs installed and run by the user [1], detecting known compatibility problems [1], and aiding in Windows appraiser data collection [2]. By disabling this service, the script prevents PCA from functioning [1], thereby halting application monitoring and data collection, leading to enhanced user privacy. This script turns off the `PcaSvc` which is, by default, automatically started in Windows [1]. Microsoft has clarified that disabling this service does not have a negative impact on the system's functionality, affirming that it's safe to execute this action [1]. By running this script, you prevent the continuous surveillance and data gathering activities conducted by PCA. 
[1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#program-compatibility-assistant-service "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" [2]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#appraiser-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn" call: function: DisableService parameters: serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType # Windows 10 21H1: Manual | Windows 11 22H2: Automatic defaultStartupMode: Automatic # Allowed values: Automatic | Manual - category: Disable Windows telemetry and data collection children: - name: Disable Customer Experience Improvement Program (CEIP) docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f - category: Disable diagnostics telemetry services children: - name: Disable "Connected User Experiences and Telemetry" (`DiagTrack`) service # Connected User Experiences and Telemetry recommend: standard docs: http://batcmd.com/windows/10/services/diagtrack/ call: function: DisableService parameters: serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable WAP push notification routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service recommend: standard docs: http://batcmd.com/windows/10/services/dmwappushservice/ call: function: DisableService parameters: serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType defaultStartupMode: Manual # Allowed values: 
Automatic | Manual - name: Disable "Diagnostics Hub Standard Collector" service docs: http://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/ call: function: DisableService parameters: serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Diagnostic Execution Service" (`diagsvc`) docs: http://batcmd.com/windows/10/services/diagsvc/ call: function: DisableService parameters: serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Customer Experience Improvement Program" scheduled tasks recommend: standard docs: |- ### Overview of default task statuses `\Microsoft\Windows\Customer Experience Improvement Program\Consolidator`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | `\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | `\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'Consolidator' taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\ taskNamePattern: Consolidator - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'KernelCeipTask' taskPathPattern: \Microsoft\Windows\Customer Experience 
Improvement Program\ taskNamePattern: KernelCeipTask - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'UsbCeip' taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\ taskNamePattern: UsbCeip - category: Disable census data collection docs: |- Census is a component within Windows that inventories the device [1]. The primary role of Census is to collect and understand data about the device's configuration [1], including its operating system type, region, language, and architecture [2]. This data helps determine the appropriateness of updates for the device [3]. By disabling this feature, users can enhance their privacy by preventing the collection and transmission of device data to Microsoft [1] [2] [3]. [1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn" [2]: https://web.archive.org/web/20231017234118/https://answers.microsoft.com/en-us/windows/forum/all/what-is-device-census/6f0b9f58-86b6-4e36-8fc8-4701218b49b6 "What is Device Census? - Microsoft Community" [3]: https://web.archive.org/web/20231017234127/https://support.microsoft.com/en-us/topic/update-to-windows-10-version-1703-version-1607-version-1511-and-version-1507-for-update-applicability-march-15-2018-3aad1c66-2b88-c012-4623-dee1410891ad "Update to Windows 10 Version 1703, Version 1607, Version 1511, and Version 1507 for update applicability: March 15, 2018 - Microsoft Support" children: - name: Disable "Device" task recommend: standard docs: |- This script disables the "Device" scheduled task. According to the Task Scheduler, this task triggers the execution of the `%WINDIR%\System32\devicecensus.exe SystemCxt` command in Windows 10 and 11. 
This component collects device and configuration data, which is then sent to Microsoft [1]. By disabling this task, users can prevent this specific data collection process, enhancing their privacy. ### Overview of default task statuses `\Microsoft\Windows\Device Information\Device`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Device Information\' -TaskName 'Device' taskPathPattern: \Microsoft\Windows\Device Information\ taskNamePattern: Device - name: Disable "Device User" task recommend: standard docs: |- This script disables the "Device User" scheduled task. According to the Task Scheduler, this task triggers the execution of the `%WINDIR%\System32\devicecensus.exe UserCxt` command in Windows 10 and 11. This component collects device and configuration data, which is then sent to Microsoft [1]. By disabling this task, users can prevent this specific data collection process, enhancing their privacy. 
### Overview of default task statuses `\Microsoft\Windows\Device Information\Device User`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Device Information\' -TaskName 'Device User' taskPathPattern: \Microsoft\Windows\Device Information\ taskNamePattern: Device User - name: Disable device and configuration data collection tool recommend: standard docs: |- This script prevents the execution of `devicecensus.exe`, also known as the "device and configuration data collection tool" [1]. This tool is located at `%WINDIR%\System32\DeviceCensus.exe` [1] [2] and is responsible for gathering data used for compatibility updates [3]. Disabling this tool helps keep the device's data private and prevents its usage for diagnostic collections or for determining update applicability [1] [2] [3]. 
[1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn" [2]: https://web.archive.org/web/20231017234628/https://strontic.github.io/xcyclopedia/library/DeviceCensus.exe-594993E23161BB37E365D8784DE020EA.html "DeviceCensus.exe | Device Census | STRONTIC | strontic.github.io" [3]: https://web.archive.org/web/20231017234127/https://support.microsoft.com/en-us/topic/update-to-windows-10-version-1703-version-1607-version-1511-and-version-1507-for-update-applicability-march-15-2018-3aad1c66-2b88-c012-4623-dee1410891ad "Update to Windows 10 Version 1703, Version 1607, Version 1511, and Version 1507 for update applicability: March 15, 2018 - Microsoft Support" call: function: TerminateExecutableOnLaunch parameters: executableNameWithExtension: DeviceCensus.exe - category: Disable Compatibility Telemetry (Application Experience) children: - category: Disable Microsoft Compatibility Appraiser docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/ children: - name: Disable Microsoft Compatibility Appraiser task recommend: standard docs: |- ### Overview of default task statuses `\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'Microsoft Compatibility Appraiser' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: Microsoft Compatibility Appraiser - name: Disable CompatTelRunner.exe (Microsoft Compatibility Appraiser) process recommend: standard call: function: TerminateExecutableOnLaunch parameters: executableNameWithExtension: 
CompatTelRunner.exe - name: Disable sending information to Customer Experience Improvement Program recommend: standard docs: |- ### Overview of default task statuses `\Microsoft\Windows\Application Experience\ProgramDataUpdater`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟡 N/A (missing) | ### Additional documentation - [Turn off the Windows Customer Experience program - gHacks Tech News](https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/) - [Permanently Disabling Windows Compatibility Telemetry - Microsoft Community](https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/permanently-disabling-windows-compatibility/6bf71583-81b0-4a74-ae2e-8fd73305aad1) call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'ProgramDataUpdater' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: ProgramDataUpdater - name: Disable Application Impact Telemetry Agent task recommend: standard docs: |- [aitagent.exe - Should I Block It? 
(Application Impact Telemetry Agent)](https://www.shouldiblockit.com/aitagent.exe-6181.aspx) ### Overview of default task statuses `\Microsoft\Windows\Application Experience\AitAgent`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'AitAgent' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: AitAgent - name: Disable the reminder to "Disable apps to improve performance" recommend: strict docs: |- [Turn off the Windows Customer Experience program - gHacks Tech News](https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/) ### Overview of default task statuses `\Microsoft\Windows\Application Experience\StartupAppTask`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'StartupAppTask' taskPathPattern: \Microsoft\Windows\Application Experience\ taskNamePattern: StartupAppTask - category: Disable enterprise/business focused data collection docs: |- This category contains scripts to disable data collection capabilities focused on enterprise/business uses. The scripts target various Windows features like Desktop Analytics, Windows Update for Business, and Azure services. These capabilities are meant to provide insights for IT administrators but collect and transmit data from end user devices. By disabling these enterprise/business focused data collection features, you can increase privacy and reduce data sharing from your personal device. However, note that some functionality expected by business IT administrators may be reduced. 
These scripts can help limit enterprise/Microsoft visibility into your device, but may limit management capabilities on managed business devices. children: - category: Disable Desktop Analytics telemetry docs: |- Desktop Analytics is a cloud-based service that provides insights about Windows devices in an organization. The service provides insight and intelligence from user data [1]. Desktop Analytics collects diagnostic data from enrolled Windows devices and sends it to Microsoft cloud services [1]. It creates an inventory of apps running in an organization. This data provides insights about application compatibility and pilot identification to help IT administrators in organizations evaluate the readiness and compatibility of devices for Windows feature updates [1]. To enable data collection, Desktop Analytics configures settings on the device registry and group policies related to commercial ID, telemetry levels, and data sharing [2]. While this data sharing raises potential privacy concerns, Microsoft states that privacy controls allow organizations to limit data collection [1]. Desktop Analytics has been retired since November 30, 2022 in favor of Microsoft Intune and Configuration Manager [3]. [1]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" [2]: https://web.archive.org/web/20230531234446/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn" [3]: https://web.archive.org/web/20230601065209/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/whats-new "What's new in Desktop Analytics - Configuration Manager | Microsoft Learn" children: - name: Disable processing of Desktop Analytics recommend: strict docs: |- This script ensures that Microsoft does not process Windows diagnostic data from your device [1]. 
When activated, it modifies a setting known as the Group Policy object on your device. This object is a set of policies that determine how your system operates. The script disables a policy related to Microsoft's Desktop Analytics service. This service is designed to provide insights into the health and usage of your devices but may involve processing diagnostic data [2]. By disabling this policy, the script helps to enhance the privacy of your device by preventing the processing of its diagnostic data by Microsoft. This means that information about the usage and performance of your device will not be sent to Microsoft's Desktop Analytics service [1][2]. [1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowdesktopanalyticsprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" [2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing | admx.help" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /f - name: Disable sending device name in Windows diagnostic data recommend: strict docs: |- This script enhances privacy by ensuring that the name of your device is anonymized in any diagnostic data collected by Microsoft Desktop Analytics [1]. In other words, instead of your actual device name, "Unknown" will appear in the data [1]. Since the release of Windows 10, version 1803, the device name is not included in the diagnostic data by default [1]. This script guarantees that this privacy-enhancing measure remains in place [1]. 
When implemented, it changes a specific registry setting, `AllowDeviceNameInTelemetry`, which controls whether the device name is included in Windows diagnostic data [2]. The script sets this value to `0`, thus disabling the inclusion of the device name in the data [2]. [1]: https://web.archive.org/web/20220903043346/https://docs.microsoft.com/en-US/mem/configmgr/desktop-analytics/enroll-devices#device-name "Enroll devices in Desktop Analytics - Configuration Manager | Microsoft Docs" [2]: https://web.archive.org/web/20210228151919/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDeviceNameInDiagnosticData "Allow device name to be sent in Windows diagnostic data" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /f - name: Disable collection of Edge browsing data for Desktop Analytics recommend: strict docs: |- This script configures Microsoft Edge to prevent it from sending your browsing history data to Desktop Analytics [1]. This browsing data can include information from either your intranet or internet history, or both [1]. When you use Microsoft Edge for browsing, it can collect and send your browsing history to Desktop Analytics, a Microsoft service that helps enterprises to analyze and improve their IT environment. If this setting is disabled, Microsoft Edge does not send any browsing history data, thereby enhancing your privacy. The script achieves this by modifying a specific value in the Windows Registry. The specific value that the script modifies is `MicrosoftEdgeDataOptIn` located at `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`. The script sets this value to `0`, which indicates to Microsoft Edge that it should not send browsing history data to Desktop Analytics [1]. 
While enhancing privacy, this could limit the functionality of Desktop Analytics for enterprises that rely on this service for IT insights. However, for individual users, this script can help prevent unwanted data collection and transmission, contributing to an overall safer browsing experience [1]. [1]: https://web.archive.org/web/20220524020212/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.MicrosoftEdge::ConfigureTelemetryForMicrosoft365Analytics "Configure collection of browsing data for Desktop Analytics" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /f - name: Disable diagnostics data processing for Business cloud recommend: strict docs: |- This script controls whether diagnostic data from your device is processed by Windows Update for Business cloud [1] [2]. If enabled, the script can enhance privacy by ensuring that diagnostic data from your device is not processed by the Windows Update for Business cloud (WufB) [1], an update management service provided by Microsoft [3]. This service typically helps businesses manage updates on their devices efficiently. But if privacy is a concern, you can opt to disable it [3]. The policy is applicable to devices joined to Azure Active Directory [1]. Azure Active Directory is a Microsoft cloud service that provides identity and access capabilities. Disabling this policy means that some features of the Windows Update for Business deployment service might not be available. However, your device will gain an added layer of privacy as diagnostic data will not be processed by the business cloud [1]. 
[1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowwufbcloudprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs" [2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing" [3]: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-management-for-windows-on-a-windows-365-cloud-pc/ba-p/3452703 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /f - name: Disable Update Compliance processing of diagnostics data recommend: standard docs: |- Update Compliance is a service provided by Microsoft hosted in Azure, which uses Windows diagnostic data [1]. This service doesn't meet the US Government community compliance (GCC) requirements [1], and is utilized by both Desktop Analytics and Azure Update Management [1]. This script is designed to disable the Update Compliance processing of diagnostic data on your device. When this script is run, it modifies the system registry to prevent diagnostic data from your device being processed by Update Compliance. This change in settings increases the privacy of your device by limiting the diagnostic data that can be accessed and analyzed by Microsoft's services. Diagnostic data, in this context, includes information about device health, system events, and usage metrics. By disabling the processing of this data, the script helps protect the privacy of your activities on your device [1]. This script can be reversed at any time by using the provided `revertCode` if you decide to re-enable the processing of diagnostic data by Update Compliance. 
In technical terms, the script sets the `AllowUpdateComplianceProcessing` value in the `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection` registry path to 0, which disables the processing of diagnostic data by Update Compliance [2]. [1]: https://web.archive.org/web/20220703201221/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started "Get started with Update Compliance - Windows Deployment | Microsoft Docs" [2]: https://web.archive.org/web/20220610123725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowUpdateComplianceProcessing "Allow Update Compliance Processing" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /f - name: Disable commercial usage of collected data recommend: standard docs: |- This protects your privacy by placing a limit on the commercial usage of your data. It manages how Windows diagnostic data is handled by controlling whether Microsoft is a processor or controller for Windows diagnostic data collected from your device [1] [2]. In the default setting, Microsoft operates as the controller of this diagnostic data, thus enabling it to use the data for commercial purposes. This script alters that setting to limit the commercial usage of your data [1] [2]. This script does not affect the operation of optional analytics processor services like Desktop Analytics and Windows Update for Business reports. Moreover, it doesn't change whether diagnostic data is collected or the ability of the user to change the level. 
[1]: https://web.archive.org/web/20230803142206/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline "System Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230330140620/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowCommercialDataPipeline "Allow commercial data pipeline" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /f - name: Disable diagnostic and usage telemetry recommend: standard docs: |- This script improves your privacy by blocking the transmission of diagnostic and usage telemetry data from your Windows device [1]. This includes data about your device's usage, app compatibility, and system performance, which can be sensitive in nature. By stopping this data from being sent, you reduce the amount of personal information that could potentially be accessed by third parties. The script works by configuring the Group Policy Object (GPO) and Local Policy preferences, which essentially govern your device's data sharing policies [2]. These modifications restrict the data that Windows and its built-in apps can collect and send. Upon executing this script, Desktop Analytics will be disabled, as it relies on basic diagnostic data to function [2]. Desktop Analytics is a cloud-based service provided by Microsoft [4]. It provides insights and intelligence for IT administrators [4]. Desktop Analytics is deprecated and was retired on November 30, 2022. Once this script is executed, even if the policy permits a telemetry setting of Security or Basic, users will not have the capability to opt for a higher data sharing level [3]. Note that, per Microsoft's policy documentation, the Security level (`0`) is only available on Enterprise, Education and Server editions; on Home and Pro editions a value of `0` is treated as Basic, so some diagnostic data is still sent.
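This restriction is limited to the operating system and apps included with Windows, and does not pertain to third-party apps installed on your device [3]. [1]: https://web.archive.org/web/20230731225232/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry "System Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230731225319/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn" [3]: https://web.archive.org/web/20211129155126/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection%3A%3AAllowTelemetry "Allow Telemetry" [4]: https://web.archive.org/web/20230731225544/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn" code: |- :: Using Local policy preference reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f :: Using Group policy object (GPO) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f revertCode: |- :: Using Local policy preference reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 1 /f :: Using Group policy object (GPO) reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /f - name: Disable automatic cloud configuration downloads recommend: strict docs: |- This script turns off the OneSettings service, a feature from Microsoft that downloads configuration settings [1]. This action can enhance the privacy and security of your Windows desktop environment by managing a feature called the Services Configuration [1]. Services Configuration is a mechanism that various Windows components and apps use to update their settings dynamically [2] [3].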
By default, Windows periodically tries to connect with the OneSettings service to download configuration settings [1]. This script turns off that function, reducing the chance of data being shared with third-party vendors [1]. This script is recommended by CIS Microsoft Windows Desktop Benchmarks [1]. Please be aware that turning off this service might affect how certain apps that rely on this service work [3]. The script changes a registry setting to disable OneSettings downloads [3] [1]. It also provides a revert code to undo this change, if needed, which returns the system to its previous state. If you want to limit how much data is sent to Microsoft, turning off the OneSettings service can help enhance your privacy [1]. For more information about the impact of OneSettings on privacy, visit [docs.microsoft.com](https://web.archive.org/web/20230803030919/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809). This script lets you manage your privacy by restricting the automatic configuration updates of Windows components and apps, including telemetry services, from the cloud [3] [1]. By using this script, Windows will not connect to OneSettings to fetch any configuration settings [1]. This reduces the amount of data sent to third-party vendors, which can help alleviate potential security concerns [1]. However, please be aware that while this setting can enhance privacy, turning off this service could lead to some applications not working properly. These applications may depend on dynamic configuration updates that will be stopped when the service is disabled [3] [1]. [1]: https://web.archive.org/web/20230803030428/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_v1.12.0.audit:b3aec171f406cbe87f37e57bc9dd1411 "18.9.17.3 Ensure 'Disable OneSettings Downloads' is set to 'En... 
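| Tenable" [2]: https://web.archive.org/web/20230803024926/https://learn.microsoft.com/en-us/windows/win32/services/service-configuration "Service Configuration - Win32 apps | Microsoft Learn" [3]: https://web.archive.org/web/20230731230134/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" code: reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /f - name: Disable license telemetry recommend: standard code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /f - name: Disable error reporting recommend: standard docs: |- This script disables the Windows Error Reporting (WER) feature. Windows Error Reporting collects and sends error logs from your computer to Microsoft [1], which can be a potential privacy concern for users. By disabling it, this script ensures that your system errors remain local to your machine and are not sent to external servers. Here's a breakdown of what the script does: 1. **Registry Changes**: The script modifies specific registry entries to disable the WER functionality and its related settings. 2. **Scheduled Tasks**: The script disables scheduled tasks related to error details updates and queue reporting. 3. **Services**: The script disables the services related to error reporting.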
### Registry changes - `HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent` [2] - `HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideBehavior` [2] - `HKLM\Software\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData` [2] - `HKLM\Software\Microsoft\Windows\Windows Error Reporting!LoggingDisabled` [2] - `HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting!Disabled` [2] - `HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting!Disabled` [3] ### Services - Windows Error Reporting Service [4] - Problem Reports Control Panel Support [5] ### Overview of default task statuses `\Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | `\Microsoft\Windows\Windows Error Reporting\QueueReporting`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231018135854/https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/windows-error-reporting-diagnostics-enablement-guidance "Windows Error Reporting and Windows diagnostics enablement guidance - Windows Client | Microsoft Learn" [2]: https://web.archive.org/web/20231018135903/https://learn.microsoft.com/en-us/windows/win32/wer/wer-settings "WER Settings - Win32 apps | Microsoft Learn" [3]: https://web.archive.org/web/20231018135918/https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 "The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent.
| stigviewer.com" [4]: https://web.archive.org/web/20231018135930/https://batcmd.com/windows/10/services/wersvc/ "Windows Error Reporting Service - Windows 10 Service - batcmd.com" [5]: https://web.archive.org/web/20231019222221/https://batcmd.com/windows/10/services/wercplsupport/ "Problem Reports Control Panel Support - Windows 10 Service - batcmd.com" call: - function: RunInlineCode parameters: code: |- :: Disable Windows Error Reporting (WER) reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f :: Disable WER sending second-level data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f :: Disable WER logging reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f revertCode: |- :: Enable Windows Error Reporting (WER) reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f :: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f :: Enable WER sending second-level data reg delete "HKLM\Software\Microsoft\Windows\Windows 
Error Reporting" /v "DontSendAdditionalData" /f :: Enable WER crash dialogs, popups reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ErrorDetails\' -TaskName 'EnableErrorDetailsUpdate' taskPathPattern: \Microsoft\Windows\ErrorDetails\ taskNamePattern: EnableErrorDetailsUpdate - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Error Reporting\' -TaskName 'QueueReporting' taskPathPattern: \Microsoft\Windows\Windows Error Reporting\ taskNamePattern: QueueReporting - # Windows Error Reporting Service function: DisableService parameters: serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - # Problem Reports Control Panel Support function: DisableService parameters: serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Disable Windows Update data collection children: - category: Disable automatic driver updates by Windows Update children: - name: Disable device metadata retrieval (breaks auto updates) recommend: strict docs: - https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964 - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f - name: Disable inclusion of drivers with Windows updates docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate recommend: strict code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f - name: Disable Windows Update device driver search docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965 recommend: strict code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 1 /f - category: Disable obtaining updates from other PCs on the Internet (delivery optimization) docs: |- Windows Delivery Optimization is a feature introduced by Microsoft to facilitate a more efficient downloading process for Windows updates, upgrades, and applications [1] [2]. Instead of exclusively relying on Microsoft's servers, this feature identifies other PCs on a user's local network or even across the internet that already possess the desired updates or applications [2]. By breaking the download into smaller segments and fetching each from the fastest and most reliable source, which can include other PCs, the system ensures more efficient downloads [2]. To support this process, Delivery Optimization uses a local cache to temporarily store downloaded files [2]. While Delivery Optimization is designed for speed and reliability, its operation raises privacy concerns. 
Specifically, when enabled, it can distribute updates and applications from one user's PC to others [2], sharing users' data such as their IP addresses [3]. Benefits of disabling Delivery Optimization for privacy: - **Minimizing Data Sharing**: By turning off Delivery Optimization, users ensure that updates and apps are neither downloaded from nor sent to other devices [2]. This guarantees that all data remains strictly on the user's device [2] and the user IP is not shared [3]. - **Storage Conservation**: Users can save storage space by eliminating the local cache utilized by Delivery Optimization. - **Guaranteed Source Authenticity**: Although Microsoft ensures the authenticity of updates and apps shared via Delivery Optimization [2], disabling the feature guarantees that all updates and apps come directly from Microsoft's servers, eliminating potential intermediaries. - **Bandwidth Conservation**: With the feature off, updates are restricted to direct downloads from Microsoft [1]. This is beneficial for users on metered or capped internet connections, as it allows for more effective bandwidth monitoring [2]. - **Enhanced Security**: Devices using Delivery Optimization open port 7680 to accept peer requests [4]. Disabling the feature avoids this, ensuring users are not exposed to unwanted inbound traffic and enhancing security [5]. - **VPN Protection**: Although Delivery Optimization attempts to detect VPNs and halts uploads when a VPN connection is detected [4], disabling it removes any risk of unintended data sharing over a VPN. Notably, the USA government [5] and Department of Defense (DoD) in the USA [6] recommends disabling this feature. [1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization? 
- Windows Deployment | Microsoft Learn" [2]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support" [3]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn" [4]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn" [5]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov" [6]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com" children: - name: Disable peering download method for Windows Updates recommend: standard docs: |- This script modifies Delivery Optimization's download method for Windows Updates [1] to disable peering. When this script is run, it sets the download method to `0`, which means "HTTP only, no peering" [1] [2]. As a result, Windows Updates are downloaded solely from the internet and not from other computers on the network (referred to as "peer-to-peer") [3]. Peer-to-peer is a method where multiple computers share data amongst themselves. For Windows Updates, the default setting is for computers within a network to share updates (called LAN mode, represented by the value `1`) [1] [2]. Changing the setting to "HTTP only" reduces potential vulnerabilities [3]. When updates are fetched only from official servers, there's less chance of unwanted or malicious data entering the system. 
This is why the US Department of Defense (DoD) [4] and the US Internal Revenue Service's Office of Safeguards [3] recommend this setting. They assert that leaving it in its default configuration could expose the system to additional risks [3]. Note that Microsoft states content shared through Delivery Optimization is verified for authenticity regardless of its source (see the category description above), so the practical gain of HTTP-only mode is a smaller attack surface and less metadata shared with peers, rather than protection against tampered update content. [1]: https://web.archive.org/web/20230914171524/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization "DeliveryOptimization Policy CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20230914171842/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference "Delivery Optimization reference - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov" [4]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t "REG_DWORD" /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2 - name: Disable "Delivery Optimization" service (breaks Microsoft Store downloads) recommend: strict docs: |- Delivery Optimization is a Windows feature that delivers Windows updates through peer-to-peer sharing [1]. In simple terms, instead of solely relying on Microsoft's servers for updates, your computer can also fetch them from other devices that already possess the necessary files. The "Delivery Optimization" service manages these content delivery tasks [2] [3]. It orchestrates the retrieval of updates, including from other Windows devices [3].
In doing so, it connects to various Microsoft service points to collect data, such as policies, content details, device specifications, and information about other Windows users [3]. This data sharing raises privacy concerns. This service also logs IP addresses [4] of peers, which can be considered personal data. It listens on port 7680 for TCP/UDP traffic [5], which may expose the device to unwanted inbound traffic [6]. By default, the "Delivery Optimization" service is set to start automatically when Windows boots up [2]. This script changes the service's startup type so that it no longer starts with Windows. Taking control of this service prevents Microsoft from activating peer-to-peer sharing, enhancing user privacy. It ensures your device doesn't share update data or fetch it from arbitrary peers. > **Caution:** Disabling this service affects the functionality of Microsoft Store. It plays a role not just in Windows Updates but also in Microsoft Store app downloads, especially since Windows 11 [7]. There have been reported issues with some app downloads on Windows 10 [8]. [1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization?
- Windows Deployment | Microsoft Learn" [2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#delivery-optimization "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" [3]: https://web.archive.org/web/20230914172129/https://learn.microsoft.com/en-us/windows/deployment/do/delivery-optimization-workflow "Delivery Optimization client-service communication explained - Windows Deployment | Microsoft Learn" [4]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn" [5]: https://web.archive.org/web/20230914172319/https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-deployment "Deploying a privileged access solution | Microsoft Learn" [6]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov" [7]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support" [8]: https://github.com/undergroundwires/privacy.sexy/issues/173 "[BUG] Error 0x80004002 on Microsoft Store when attempting to download an app · Issue #173 · undergroundwires/privacy.sexy" call: function: DisableServiceInRegistry # Using registry way because other options such as "sc config" or # "Set-Service" return "Access is denied" since Windows 10 1809.
parameters: serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable cloud-based speech recognition recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f - name: Disable active probing to Microsoft NCSI server (may break network connectivity detection) recommend: strict code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f - name: Opt out of Windows privacy consent recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f - name: Disable Windows feedback collection recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: |- reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f - name: Disable text and handwriting data collection recommend: standard code: |-
reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f - category: Disable app access to personal information children: - name: Disable app access to location recommend: standard docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation # LetAppsAccessLocation - https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ # ConsentStore\location - https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/ # lfsvc\Service\Configuration code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /f :: For older Windows (before 1903) reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD 
/f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Allow" /f :: For older Windows (before 1903) reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /f - name: Disable app access to account information, name, and picture recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" 
/t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Allow" /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /f - name: Disable app access to motion data recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /f - name: Disable app access to phone recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /f - name: Disable app access to trusted devices docs: 
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices recommend: standard code: |- :: For older Windows (before 1903) :: NOTE(review): {C1D23ACC-752B-43E5-8448-8D0E519CD6D6} is the same GUID this file's account-information entry writes (its revert sets it back to "Allow"), so this line and that entry toggle one capability, not two; verify the trusted-devices GUID before relying on it reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: For older Windows (before 1903); NOTE(review): this re-allows the GUID shared with the account-information entry, so reverting here also re-allows that capability reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /f - name: Disable app sync with devices (unpaired, beacons, TVs, etc.) 
recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /f - name: Disable app access to camera docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kscategory-video-camera - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscamera code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v 
"LetAppsAccessCamera_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /f - name: Disable app access to microphone docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v 
"LetAppsAccessMicrophone_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f - name: Disable app share and sync for non-explicitly paired wireless devices code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f - name: Disable app access to diagnostic information about other apps recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /t 
REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Allow" /t REG_SZ /f :: GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /f - category: Disable app access to your file system children: - name: Disable app access to "Documents" folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Disable app access to "Pictures" folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Disable app access to "Videos" folder recommend: standard code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add 
"HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f - name: Disable app access to other filesystems recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Allow" /t REG_SZ /f - name: Disable app access to your contacts recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Allow" /f :: GPO reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /f - name: Disable app access to Notifications recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO (re-activation through GUI is not possible) reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /f - name: Disable app access to Calendar recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /f reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /f - name: Disable app access to call history recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory code: |- :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /f reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /f - name: Disable app access to email recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /f reg delete 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /f - name: Disable app access to tasks recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Allow" /t REG_SZ /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /f - name: Disable app access to messaging (SMS / MMS) recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" 
/t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Deny" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Allow" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /f - name: Disable app access to radios recommend: standard docs: 
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f :: For older Windows (before 1903); the value must be the same "Deny" string every other DeviceAccess entry in this file writes (it was written as bare DENY here) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Deny" /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /t REG_MULTI_SZ /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /t REG_MULTI_SZ /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Allow" /t REG_SZ /f :: For older Windows (before 1903) reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Allow" /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /f - name: Disable app access to Bluetooth devices recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f revertCode: 
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f - category: Disable app access to voice activation children: - name: Disable voice activation for apps including Cortana recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 0 /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /t REG_DWORD /d 2 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 1 /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /f - name: Disable voice activation for apps including Cortana on locked system recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 0 /f :: Using GPO (re-activation through GUI is not possible) reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /t REG_DWORD /d 2 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 1 /f :: Using GPO reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /f - category: Disable location access children: - name: Disable Windows Location Provider code: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f - name: Disable location scripting recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f - name: Disable location recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f :: For older Windows (before 1903) reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Deny" /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "0" /t REG_DWORD /f :: For older Windows (before 1903) reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f - name: Disable device sensors recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f - category: Disable Windows search data collection children: - category: Disable Cortana children: - name: Disable Cortana 
when searching recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f - name: Disable Cortana experience recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f - name: Disable Cortana's access to cloud services such as OneDrive and SharePoint recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 1 /f - name: Disable Cortana speech interaction while the system is locked recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f - name: Disable participation in Cortana data collection recommend: standard code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t 
REG_DWORD /d 1 /f - name: Disable enabling of Cortana recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 1 /f - name: Disable Cortana (Internet search results in start menu) recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f - category: Disable Cortana history children: - name: Disable Cortana's history display recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f - name: Disable Cortana's device history usage recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f - name: Remove Cortana taskbar icon recommend: standard code: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /t REG_DWORD /d 0 /f revertCode: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /f - name: Disable Cortana in ambient mode recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 0 /f revertCode: reg add 
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 1 /f - category: Disable Cortana voice listening children: - name: Disable "Hey Cortana" voice activation recommend: standard code: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 1 /f - name: Disable Cortana listening to commands on Windows key + C recommend: standard code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 1 /f - name: Disable Cortana on locked device recommend: standard code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 1 /f - name: Disable automatic update of Speech Data recommend: standard code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d 0 /f revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /f - name: Disable Cortana voice support during Windows setup recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /f - category: Configure Windows search indexing children: - name: Disable indexing of encrypted items and stores 
recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowindexingencryptedstoresoritems code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f - name: Disable automatic language detection when indexing recommend: standard docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-alwaysuseautolangdetection code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 1 /f - name: Disable search's access to location recommend: standard docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 1 /f - name: Disable web search in search bar recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f revertCode: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 0 /f - name: Disable web search and results in search docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 1 /f - name: Disable Bing search recommend: standard code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 1 /f - category: Disable targeted advertisements and marketing children: - name: Disable ad customization with Advertising ID recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general code: |- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f - category: Disable cloud-based advertising and tips children: - name: Disable Windows Tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f revertCode: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f - name: Disable Windows Spotlight (shows random wallpapers on lock screen) recommend: strict docs: |- The script disables the Windows Spotlight feature. Windows Spotlight is a feature in Windows 10 and Windows 11 [1] that automatically downloads and displays random wallpapers on the lock screen [1] [2]. These images are sourced from the internet [1] [2] [3]. At times, it might also promote various Microsoft products, services [1] [2], or even third-party apps and content [4]. When the lock screen fetches images from the internet, there's a silent data exchange happening. This can inadvertently reveal details about the user's device or their preferences. To mitigate this potential privacy risk, the script sets the `DisableWindowsSpotlightFeatures` registry value [3]. By default, Windows Spotlight is turned on unless the user decides otherwise [2]. By applying this script, users can be sure their lock screen remains private and doesn't retrieve wallpapers from the internet, eliminating this potential data leak. 
[1]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support" [2]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn" [3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn" [4]: https://web.archive.org/web/20230911110921/https://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/Windows10andWindowsServer2016PolicySettings.xlsx "Group Policy Settings Reference - Microsoft" code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2 - name: Disable Microsoft Consumer Experiences recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t 
"REG_DWORD" /d "0" /f - name: Disable suggested content in Settings app recommend: standard docs: - https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004 - https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm code: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f revertCode: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f - category: Disable biometrics (breaks fingerprinting/facial login) children: - name: Disable use of biometrics recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f - name: Disable biometric logon recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t 
"REG_DWORD" /d "1" /f - name: Disable Windows Biometric Service recommend: strict docs: - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service - http://batcmd.com/windows/10/services/wbiosrvc/ call: function: DisableService parameters: serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Wi-Fi Sense recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f - name: Disable app launch tracking (hides most-used apps) docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10 recommend: strict code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f - name: Disable Website Access of Language List recommend: standard docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f - name: Disable automatic map downloads recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f - name: Disable game screen recording recommend: standard code: |- reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f - name: Disable internet access for Windows DRM docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f - name: Disable typing feedback (sends typing data) recommend: standard code: |- reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable Activity Feed feature recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f - category: Disable Windows Insider Program children: - name: Disable Windows Insider Service docs: - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service - http://batcmd.com/windows/10/services/wisvc/ recommend: standard call: function: DisableService parameters: serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable Microsoft feature trials docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f reg add 
"HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f - name: Disable receipt of Windows preview builds docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f - name: Remove "Windows Insider Program" from Settings docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/ code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f - category: Disable cloud sync docs: https://support.microsoft.com/en-us/help/4026102/windows-10-about-sync-settings children: - name: Disable all settings synchronization recommend: standard # This script is a master switch that disables all other types of setting synchronizations in this category. 
code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f - name: Disable "Application" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable "App Sync" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable "Credentials" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f - name: Disable "Desktop Theme" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable "Personalization" setting synchronization recommend: standard code: |- reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable "Start Layout" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable "Web Browser" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable "Windows" setting synchronization recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f - name: Disable "Language" setting synchronization recommend: standard docs: - https://winaero.com/turn-on-off-sync-settings-windows-10/ - https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor - https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v 
"Enabled" /d 1 /f - category: Configure programs children: - category: Disable Visual Studio data collection docs: |- These scripts disable future local and cloud data collection by Visual Studio about you and your behavior. These do not clean existing data collected about you locally or on cloud servers. children: - name: Disable participation in Visual Studio Customer Experience Improvement Program (VSCEIP) recommend: standard docs: |- `VSCEIP` collects information about errors, computer hardware, and how people use Visual Studio [1]. The information is sent to Microsoft servers for further analysis. This was previously known as Customer Experience Improvement Program (`PerfWatson`) for Visual Studio that primarily collected your personal usage and related performance data [2]. For more information about the information collected, processed, or transmitted by the `VSCEIP`, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). Visual Studio uses different keys based on CPU architecture of the host operating system (32bit or 64bit) [1]: - 32bit: `HKLM\SOFTWARE\Microsoft\VSCommon` - 64bit: `HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon` Key `OptIn` can have two different values [1]: - `0` is opted out (turn off) - `1` is opted in (turn on) The default installation sets the key as `1` (opt-in by default) since Visual Studio 2022. [1]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn" [2]: https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog" code: |- :: Using OS keys if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? 
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f ) else ( reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f ) :: Using GPO key reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 0 /f revertCode: |- :: Using OS keys if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit? reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f ) else ( reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f ) :: Using GPO key reg delete "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /f 2>nul - name: Disable Visual Studio telemetry docs: |- This key was first seen to be used in Visual Studio 15 (2017) [1] [2]. By default (after clean installation) the registry key set by this script does not exist since Visual Studio 2022. 
[1]: https://developercommunity.visualstudio.com/t/bad-crashes-when-visualstudiotelemetryturnoffswitc/208693 "Bad crashes when VisualStudio\Telemetry\TurnOffSwitch is set to 0 | Visual Studio Feedback" [2]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/7796f0c5-ec9a-4fc8-9f62-584a663f9016/vs2015-pro-upd-3-quotthe-application-cannot-startquot-exception-in-obtainoptinstatus 'VS2015 (pro + upd 3): "Forum post showing logs for TurnOffSwitch key | MSDN Forums' recommend: standard code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f revertCode: reg delete "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /f 2>nul - name: Disable Visual Studio feedback docs: |- The feedback tool in Visual Studio allows users to report a problem from either Visual Studio or its installer. It collects rich diagnostic information along with personally identifiable information [1]. This information includes large log files, crash information, screenshots, repro recordings, and other artifacts [1]. This script disables the feedback dialog, as well as the screenshot capture and e-mail input that are prompted for as part of the feedback. By default (after a clean installation) these registry values are not set since Visual Studio 2022. Leaving them unset means that feedback is enabled. 
[1]: https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio "Report a problem with Visual Studio - Visual Studio (Windows) | Microsoft Learn" recommend: standard code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /f 2>nul - name: Stop and disable Visual Studio Standard Collector Service docs: |- Visual Studio Standard Collector Service is a service that is part of [Microsoft Visual Studio and .NET Log Collection Tool](https://www.microsoft.com/en-us/download/details.aspx?id=12493) [1]. This service collects logs for Diagnostics Hub just like Diagnostic Hub Standard Collector [2]. It has been known to be vulnerable to privilege elevation [3]. Disabling this service is recommended because otherwise it would: - Increase the attack surface of your computer, leaving it open to potential future vulnerabilities. - Consume computer resources to collect more data about you and your behavior. 
[1]: https://learn.microsoft.com/en-us/answers/questions/891356/i-can39t-start-vsstandardcollectorservice150.html#answer-929168 "I can't start VSStandardCollectorService150 | Microsoft Q&A" [2]: https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service "CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service | Atredis Partners" [3]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability" recommend: standard call: function: DisableService parameters: serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType defaultStartupMode: Manual # Manual since Visual Studio 2022, allowed values: Automatic | Manual - name: Disable Diagnostics Hub log collection docs: |- Diagnostics Hub is an online data collection point for the diagnostic tools used by Visual Studio. It can be disabled by deleting the `LogLevel` and `LogDirectory` registry values [1] and enabled by adding them [2] [3] [4] [5]. These registry values are not set after installation since Visual Studio 2022. 
[1]: https://developercommunity.visualstudio.com/t/cant-disable-diagnostics-hub-in-visual-stuido/1449322#T-N1449680 "Can't disable Diagnostics hub in visual stuido | Visual Studio Feedback" [2]: https://developercommunity.visualstudio.com/t/diagnostic-tool-no-registered-class/1099781#T-N1106849 "diagnostic tool No registered class | Visual Studio Feedback" [3]: https://stackoverflow.com/a/39380284 "c# - Visual Studio 2015 diagnostic tools no longer working | Stack Overflow" [4]: https://developercommunity.visualstudio.com/t/collectionstartfailedhubexception-on-profiler-laun/414212#T-N447791 "CollectionStartFailedHubException on profiler launch | Visual Studio Feedback" [5]: https://developercommunity.visualstudio.com/t/diagnostics-tools-failed-unexpectedly-unable-to-st/437117#T-N447777 "Diagnostics tools failed unexpectedly--unable to start standard collector | Visual Studio Feedback" code: |- reg delete "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /f 2>nul revertCode: |- "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -property catalog_productDisplayVersion >Nul | findstr "15." >nul && ( reg add "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /t REG_SZ /d "All" /f ) - name: Disable participation in IntelliCode data collection (breaks Visual Studio 2022) # recommend: standard (This script has been reported to cause issues with Visual Studio 2022, potentially leading to hangs or unresponsiveness) docs: |- This script disables data collection by IntelliCode in Visual Studio, a feature that offers AI-based code suggestions [1]. IntelliCode captures anonymized usage and error-reporting data to improve the product [1]. It generally does not send user-defined code to Microsoft, except when using team completion model training [2] [3] [4]. This script opts out of such data collection without affecting IntelliCode's functionality based on local models [3] [4]. 
By modifying specific registry values, this script deactivates the remote analysis feature of IntelliCode [3]. These values are not present by default in Visual Studio 2022 installations. This action ensures that IntelliCode relies solely on local models, enhancing user privacy by limiting the data sent to Microsoft. > **Caution:** Users have reported that applying this script may cause Visual Studio 2022 to hang or become unresponsive [5] [6]. > Although the setting is officially documented [4], careful consideration is recommended before applying this script because of these user reports. [1]: https://web.archive.org/web/20231112024816/https://learn.microsoft.com/en-us/visualstudio/ide/intellicode-visual-studio?view=vs-2022 "IntelliCode for Visual Studio | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231112024456/https://learn.microsoft.com/en-us/visualstudio/ide/intellicode-privacy?view=vs-2022 "IntelliCode privacy - Visual Studio IntelliCode | Microsoft Learn | docs.microsoft.com" [3]: https://web.archive.org/web/20231112024639/https://raw.githubusercontent.com/MicrosoftDocs/intellicode/50ea60c91a7175e749ed5e094403568a583a292e/docs/intellicode-privacy.md "intellicode/docs/intellicode-privacy.md at 50ea60c91a7175e749ed5e094403568a583a292e · MicrosoftDocs/intellicode | github.com/MicrosoftDocs" [4]: https://web.archive.org/web/20231122105835/https://raw.githubusercontent.com/microsoft/vscode-docs/main/docs/csharp/intellicode.md "vscode-docs/docs/csharp/intellicode.md at main · microsoft/vscode-docs | github.com/microsoft/vscode-docs" [5]: https://github.com/undergroundwires/privacy.sexy/issues/267 "[BUG]: Visual Studio 2022 hangs with `Opt-out from IntelliCode data collection` · Issue #267 · undergroundwires/privacy.sexy | github.com/undergroundwires" [6]: https://github.com/undergroundwires/privacy.sexy/issues/286 "[BUG]: Disabling IntelliCode data collection crashes VS · Issue #286 · undergroundwires/privacy.sexy | github.com/undergroundwires" 
code: |- :: Global policy reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f :: Local policy reg add "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f revertCode: |- :: Global policy reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul :: Local policy reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul - name: Disable NET Core CLI telemetry recommend: standard code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1 revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0 - name: Disable PowerShell telemetry recommend: standard docs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry code: setx POWERSHELL_TELEMETRY_OPTOUT 1 revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0 - category: Disable Nvidia telemetry docs: - https://github.com/privacysexy-forks/nVidia-modded-Inf - https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry - https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20 children: - name: Remove Nvidia telemetry packages recommend: standard code: |- if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" ( rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry ) - name: Remove Nvidia telemetry components recommend: standard call: - function: SoftDeleteFiles parameters: fileGlob: '%PROGRAMFILES(X86)%\NVIDIA Corporation\NvTelemetry\*' recurse: true - function: SoftDeleteFiles parameters: fileGlob: '%PROGRAMFILES%\NVIDIA 
Corporation\NvTelemetry\*' recurse: true - name: Disable Nvidia telemetry drivers recommend: standard call: function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\DriverStore\FileRepository\NvTelemetry*.dll' recurse: true - name: Disable participation in Nvidia telemetry recommend: standard call: function: RunInlineCode parameters: code: |- reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f revertCode: |- reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f - name: Disable Nvidia Telemetry Container service docs: |- [Disable Nvidia Telemetry tracking on Windows - gHacks Tech News](https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/) call: function: DisableService parameters: serviceName: NvTelemetryContainer # Display name: "NVIDIA Telemetry Container" # Description: "Container service for NVIDIA Telemetry" defaultStartupMode: Automatic - category: Disable Nvidia telemetry scheduled tasks docs: |- This category contains scripts that disable Nvidia telemetry tasks. 
Telemetry tasks are programmed to transmit data, which may encompass system performance details or error reports [1] [2]. Disabling these tasks improves your privacy by keeping your system's data confidential and not sharing it with external sources. [1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net" [2]: https://web.archive.org/web/20231019222243/https://www.file.net/process/nvtmmon.exe.html "NvTmMon.exe Windows process - What is it? | file.net" children: - name: Disable "NVIDIA Telemetry Report" task recommend: standard docs: |- This script disables the "NVIDIA Telemetry Report" scheduled task, which is related to the `NvTmRep` process. This process is called "NVIDIA crash and telemetry reporter" [1]. Disabling it stops the `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe` [2] program from executing and reporting data [1]. ### Overview of default task statuses `\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net" [2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}' taskPathPattern: \ taskNamePattern: NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} - name: Disable "NVIDIA Telemetry Report on Logon" task recommend: standard docs: |- This script disables the "NVIDIA Telemetry Report on Logon" scheduled task, associated with the `NvTmRep` process.
This process is also known as "NVIDIA crash and telemetry reporter" [1]. When enabled, this task executes the `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe --logon` [2] program during user logon, sending telemetry data [1]. ### Overview of default task statuses `\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net" [2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}' taskPathPattern: \ taskNamePattern: NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} - name: Disable "NVIDIA telemetry monitor" task docs: |- This script disables the "NVIDIA telemetry monitor" scheduled task related to the `NvTmMon` process. The telemetry monitor collects and sends data to NVIDIA [1]. Turning off this task prevents `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe` [2] from running and transmitting data [1]. ### Overview of default task statuses `\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://web.archive.org/web/20231019222243/https://www.file.net/process/nvtmmon.exe.html "NvTmMon.exe Windows process - What is it?
| file.net" [2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}' taskPathPattern: \ taskNamePattern: NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} - category: Disable Visual Studio Code data collection docs: - https://code.visualstudio.com/updates/v1_26#_offline-mode - https://code.visualstudio.com/docs/getstarted/settings children: - name: Disable Visual Studio Code telemetry docs: https://code.visualstudio.com/docs/getstarted/telemetry recommend: standard call: function: SetVsCodeSetting parameters: setting: telemetry.enableTelemetry powerShellValue: $false - name: Disable Visual Studio Code crash reporting docs: https://code.visualstudio.com/docs/getstarted/telemetry recommend: standard call: function: SetVsCodeSetting parameters: setting: telemetry.enableCrashReporter powerShellValue: $false - name: Disable online experiments by Microsoft in Visual Studio Code docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173 recommend: standard call: function: SetVsCodeSetting parameters: setting: workbench.enableExperiments powerShellValue: $false - name: Disable Visual Studio Code automatic updates in favor of manual updates call: function: SetVsCodeSetting parameters: setting: update.mode powerShellValue: manual - name: Disable fetching release notes from Microsoft servers after an update call: function: SetVsCodeSetting parameters: setting: update.showReleaseNotes powerShellValue: $false - name: Automatically check extensions from Microsoft online service call: function: SetVsCodeSetting parameters: setting: extensions.autoCheckUpdates powerShellValue: $false - name: Fetch recommendations from 
Microsoft only on demand call: function: SetVsCodeSetting parameters: setting: extensions.showRecommendationsOnlyOnDemand powerShellValue: $true - name: Disable automatic fetching of remote repositories in Visual Studio Code call: function: SetVsCodeSetting parameters: setting: git.autofetch powerShellValue: $false - name: Disable fetching package information from NPM and Bower in Visual Studio Code call: function: SetVsCodeSetting parameters: setting: npm.fetchOnlinePackageInfo powerShellValue: $false - category: Disable Microsoft Office telemetry docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office children: - name: Disable Microsoft Office logging recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v 
"EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f - name: Disable Microsoft Office client telemetry recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f - name: Disable Microsoft Office Customer Experience Improvement Program docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 
recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f - name: Disable Microsoft Office feedback recommend: standard code: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f - name: Disable Microsoft Office telemetry agent recommend: standard docs: |- This script disables the scheduled tasks associated with the Office telemetry agent. The Office Telemetry Agent, introduced in Office 2013, collects and uploads a variety of data for monitoring purposes [1]. This data includes runtime logs, properties of Office documents, and other insights from Office applications [1] [2]. Notably, it can upload file names, paths, and document titles in their original format [1]. The data is stored locally before being uploaded to a shared folder (at `%LOCALAPPDATA%\Microsoft\Office\16.0\Telemetry`) [3]. This poses privacy risks as it may contain personal or confidential information. The `OfficeTelemetryAgentLogOn` scheduled task collects data for the Office Telemetry Dashboard [1]. This task activates upon user login to an Office client and continues to scan and collect data during the session [1].
The types of data collected encompass file names of recently accessed Office documents [2] [3], names of add-ins and solutions interacting with Office [3], and system information including user and computer names [2]. Disabling these tasks is recommended for enhancing privacy. By disabling the related scheduled tasks, the script prevents the collection and upload of potentially sensitive information, protecting users from exposure of personal or internal process-related details. ### Overview of default task statuses `\Microsoft\Office\OfficeTelemetryAgentFallBack` (tested on Office version 2208): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | `\Microsoft\Office\OfficeTelemetryAgentFallBack2016` (tested on Office version 2208): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | `\Microsoft\Office\OfficeTelemetryAgentLogOn` (tested on Office version 2208): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | `\Microsoft\Office\OfficeTelemetryAgentLogOn2016` (tested on Office version 2208): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231022114220/https://learn.microsoft.com/en-us/deployoffice/compat/deploy-telemetry-dashboard "Deploy Office Telemetry Dashboard - Deploy Office | Microsoft Learn" [2]: https://web.archive.org/web/20231022114227/https://learn.microsoft.com/en-us/deployoffice/compat/data-that-the-telemetry-agent-collects-in-office "Data collected by the agent for Office Telemetry Dashboard - Deploy Office | Microsoft Learn" [3]:
https://web.archive.org/web/20231022114234/https://learn.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office "Manage the privacy of data monitored by Office Telemetry Dashboard - Deploy Office | Microsoft Learn" call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentFallBack' taskPathPattern: \Microsoft\Office\ taskNamePattern: OfficeTelemetryAgentFallBack - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentFallBack2016' taskPathPattern: \Microsoft\Office\ taskNamePattern: OfficeTelemetryAgentFallBack2016 - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentLogOn' taskPathPattern: \Microsoft\Office\ taskNamePattern: OfficeTelemetryAgentLogOn - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentLogOn2016' taskPathPattern: \Microsoft\Office\ taskNamePattern: OfficeTelemetryAgentLogOn2016 # - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b) # name: Disable ClickToRun Service Monitor # docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx # call: # - # function: DisableScheduledTask # parameters: # # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'Office ClickToRun Service Monitor' # taskPathPattern: \Microsoft\Office\ # taskNamePattern: Office ClickToRun Service Monitor # - # function: DisableService # parameters: # serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType # defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable "Microsoft Office 
Subscription Heartbeat" task docs: |- This script disables the "Microsoft Office Subscription Heartbeat" scheduled task. The primary function of the Office Subscription Heartbeat task is to periodically check the subscription status of Microsoft Office products [1] [2], verifying their licenses are active and valid [1]. This task actively communicates with Microsoft servers, transmitting Microsoft account data [3] for license verification. Disabling this task improves privacy as it prevents these regular communications and data transmissions, though it may lead to complications regarding license compliance over time. The task creates and utilizes cache files located at `%SYSTEMDRIVE%\Program Files\Microsoft Office 15\root\vfs\Common AppData\microsoft\office\Heartbeat` [1] and `%PROGRAMDATA%\Microsoft\Office\Heartbeat\HeartbeatCache` [3] [4], in the `HeartbeatCache.xml` file [1] [4]. It executes the `OLicenseHeartbeat.exe` process daily [2], also known as "Office Subscription Licensing Heartbeat" [2]. `\Microsoft\Office\Office 15 Subscription Heartbeat` (tested since Office version 2208): | OS Version | Default Status | | ---------------- | -------------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | > **Caution:** While disabling this task may increase privacy, it could also impact license compliance and the overall functionality of Microsoft Office products in the long run. [1]: https://web.archive.org/web/20231024130456/https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/licensing/subscription-automatic-license-renew-fails "Microsoft 365 subscription automatic license renewal fails when heartbeatcache in wrong location - Microsoft 365 | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231024130510/https://www.shouldiblockit.com/olicenseheartbeat.exe-9886.aspx "OLicenseHeartbeat.exe - Should I Block It?
(Office Subscription Licensing Heartbeat) | shouldiblockit.com" [3]: https://web.archive.org/web/20231024130503/https://support.microsoft.com/en-us/office/-product-key-is-not-valid-error-when-activating-office-4f89be39-26eb-404f-b485-8e2014bd3790#ID0EBBD=Microsoft_365_subscription '"Product key is not valid" error when activating Office - Microsoft Support | support.microsoft.com' [4]: https://web.archive.org/web/20231024130510/https://support.microsoft.com/en-us/office/about-the-microsoft-support-and-recovery-assistant-e90bb691-c2a7-4697-a94f-88836856c72f#ID0ED6=Office "About the Microsoft Support and Recovery Assistant - Microsoft Support | support.microsoft.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'Office 15 Subscription Heartbeat' taskPathPattern: \Microsoft\Office\ taskNamePattern: Office 15 Subscription Heartbeat # "Office 16 Subscription Heartbeat": # For Office 16, there isn't a separate and verified task named "Office 16 Subscription Heartbeat". # Instead, it appears to utilize the "Office 15 Subscription Heartbeat" task, # but runs the `OLicenseHeartbeat.exe` process from the Office16 folder. 
- category: Configure browsers children: - category: Configure Edge children: - category: Configure Edge (Chromium) settings children: - name: Disable Edge diagnostic data sending (shows "Your browser is managed") recommend: standard docs: - http://archive.today/2023.08.26-152941/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DiagnosticData - https://learn.microsoft.com/DeployEdge/microsoft-edge-policies#diagnosticdata - http://archive.today/2023.08.26-152952/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled - https://learn.microsoft.com/en-gb/DeployEdge/microsoft-edge-policies#metricsreportingenabled - http://archive.today/2023.08.26-153019/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices - https://learn.microsoft.com/DeployEdge/microsoft-edge-policies#sendsiteinfotoimproveservices code: |- :: Disabling metrics and site info sending for Edge v88 โ‰ฅ reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f :: Disabling diagnostic data (replacing metrics and site info sending since Edge v89 โ‰ค) reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "DiagnosticData" /t REG_DWORD /d 0 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "DiagnosticData" /f 2>nul - name: Disable automatic installation of Edge (Chromium) docs: - https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate - https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v 
"DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f - name: Disable Live Tile data collection recommend: standard docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f - name: Disable MFU tracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 0 /f - name: Disable recent apps recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0 /f - name: Disable backtracking recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f - name: Disable Search Suggestions in Edge docs: - https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f - category: Configure Internet Explorer children: - name: Disable Internet Explorer geolocation recommend: standard code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f - name: Disable Internet Explorer InPrivate logging recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f - name: Disable Internet Explorer CEIP (Customer Experience Improvement Program) recommend: standard docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f - name: Disable legacy WCM policy calls recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f - name: Disable SSLv3 fallback recommend: standard docs: 
https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 3 /f - name: Disable certificate error ignoring recommend: standard docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f - category: Configure Chrome children: - name: Disable Chrome Software Reporter Tool recommend: standard code: |- icacls "%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)" cacls "%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter" /e /c /d %username% reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /f - category: Configure Chrome cleanup children: - name: Disable sharing scanned software data with Google (shows "Your browser is managed") recommend: standard docs: - https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v 
"ChromeCleanupReportingEnabled" /f - name: Disable Chrome system cleanup scans (shows "Your browser is managed") recommend: standard docs: - https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled - https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /f - name: Disable Chrome metrics reporting (shows "Your browser is managed") recommend: standard docs: https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780 code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f - category: Configure Firefox children: - category: Disable default browser agent reporting children: - name: Disable default browser agent reporting recommend: standard docs: https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/ code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 1 /f revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 0 /f - name: Disable services that report the default browser agent recommend: standard docs: |- ### Overview of default task statuses `\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB` (tested on version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | `\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD` (tested on version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸก N/A (missing) | call: - function: 
DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Mozilla\' -TaskName 'Firefox Default Browser Agent 308046B0AF4A39CB' taskPathPattern: \Mozilla\ taskNamePattern: Firefox Default Browser Agent 308046B0AF4A39CB - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Mozilla\' -TaskName 'Firefox Default Browser Agent D2CEEC440E2074BD' taskPathPattern: \Mozilla\ taskNamePattern: Firefox Default Browser Agent D2CEEC440E2074BD - name: Disable Firefox metrics reporting recommend: standard docs: https://github.com/privacysexy-forks/policy-templates#disabletelemetry code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 1 /f revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 0 /f - category: Disable Google background automatic updates docs: |- This category includes scripts to manage the automatic updates of various Google products in the background. These products include Google Chrome and Google Earth, along with other applications [1]. This category aims to give users control over the automatic update processes running in the background, without disabling manual updates or affecting the overall functionality of Google products [1]. Google Chrome checks for, downloads, and installs updates in the background [2], without requiring user interaction [2]. This involves constant network communication in the background with Google servers, which reveals data about your device and usage behavior. By using the scripts provided, users can stop automatic update services and scheduled tasks related to Google software updates. This empowers users to initiate updates at their discretion, ensuring they have the final say in what gets installed on their systems. 
[1]: https://web.archive.org/web/20231026233855/https://github.com/google/omaha "google/omaha: Google Update for Windows | github.com/google" [2]: https://web.archive.org/web/20110218173854/http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414 "Update Google Chrome : Install or update Google Chrome - Google Chrome Help | google.com/support" children: # 💡 Valuable resources of information for this category: # - https://bugs.chromium.org: Chromium project's bug tracker # - https://github.com/google/omaha: The open-source version of Google Update - name: Disable "Google Update Service" services recommend: standard docs: |- This script disables the "Google Update Service" services. These services are identified as `gupdate` and `gupdatem` [1] [2] [3]. They are responsible for keeping Google software up to date by initiating updates [4]. They are linked to the `GoogleUpdate.exe` executable located in the `%PROGRAMFILES%\Google\Update` directory [5] [6] [7]. The services operate based on a client/service model, where the client requests services to conduct updates [1]. Despite both services being named "Google Update Service" [3] [8] [9], they are associated with different aspects of updating. The `gupdate` service is linked to regular update checks [2] [5] [7], while `gupdatem` is connected to medium-level service updates [2] [5] [6]. According to Google's documentation, these services play a crucial role in maintaining the software's security and functionality [3]. These services will uninstall themselves if no Google software is utilizing them [3]. However, there are privacy and security concerns associated with these services. They continuously run in the background, sending data back to Google [10] [11], and they write entries to the Event Log [12] [13] [14] [15] [16], which reveals information about the system's state. There have also been vulnerabilities found in these services in the past, adding an additional layer of risk [17]. 
Disabling these services does not affect manual updates, because these services are started automatically when a manual update runs [4]. Often administrators choose to delete these services to prevent auto-updates [9], a practice that is acknowledged by the Google team [9]. By disabling these services, this script aims to give users more control over their system and mitigate potential privacy and security risks, albeit at the cost of not receiving automatic software updates from Google. [1]: https://archive.ph/30Mh8 "omaha/omaha/goopdate/omaha3_idl.idl at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [2]: https://archive.ph/paJAm "omaha/omaha/common/omaha_customization_unittest.cc at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [3]: https://archive.ph/FJbvG "omaha/omaha/internal/grit/goopdateres.grd at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha · GitHub | github.com/google" [4]: https://archive.ph/ZoVnn "Comment 138 | 137915 - Update failed (error:3) | bugs.chromium.org" [5]: https://archive.ph/vAWVf "114356 - Loading issue... 
| bugs.chromium.org" [6]: https://web.archive.org/web/20231026231058/http://windows.fyicenter.com/4677_Google_Update_Service_gupdatem_-GoogleUpdate_exe_Service_on_Windows_7.html '"Google Update Service (gupdatem) - GoogleUpdate.exe" Service on Windows 7 | windows.fyicenter.com' [7]: https://web.archive.org/web/20231026231059/http://windows.fyicenter.com/4676_Google_Update_Service_gupdate_-GoogleUpdate_exe_Service_on_Windows_7.html '"Google Update Service (gupdate) - GoogleUpdate.exe" Service on Windows 7 | windows.fyicenter.com' [8]: https://archive.ph/AvwUm "Comment 9 | 948427 - Update disabled not working in Chrome 73.0.3683.86 | bugs.chromium.org" [9]: https://archive.ph/Sxvav "1096494 - google update service should never be deleted | bugs.chromium.org" [10]: https://web.archive.org/web/20231026231341/https://support.google.com/chrome/thread/207230079/high-ghost-data-usage-by-chrome-on-pc-past-midnight?hl=en "High ghost data usage by Chrome on PC past midnight - Google Chrome Community | support.google.com" [11]: https://web.archive.org/web/20231026231335/https://support.google.com/chrome/thread/113993958/why-gupdate-uses-all-my-bandwidth-stopping-my-surfing-completely?hl=en 'Why "gupdate" uses all my bandwidth, stopping my surfing completely? - Google Chrome Community | support.google.com' [12]: https://archive.ph/WgWli "237227 - Update service spam to Event Log | bugs.chromium.org" [13]: https://archive.ph/1ufoL 'Comment 5 | 71377 - Random but frequent crashes after downloads, "CSRBthFtpShellExt.dll_unloaded" | bugs.chromium.org' [14]: https://archive.ph/QKUdt "Comment 2 | 100548 - Please remove Googe Update from the Google Chrome Enterprise installation | bugs.chromium.org" [15]: https://archive.ph/H6S3z 'Comment 12 | 309362 - "Nearly up-to-date! Relaunch Google Chrome to finish updating." 
message is not going away | bugs.chromium.org' [16]: https://archive.ph/VYdgW "Comment 3 | 338776 - CRITICAL REGRESSION: unable to update to new version - relaunch after update does not finish updating - chromium | bugs.chromium.org" [17]: https://archive.ph/4CeqQ "167737 - Security: Unquoted search path vulnerability in GoogleUpdate.exe | bugs.chromium.org" # web.archive.org fails with those: # - https://archive.ph/FJbvG: https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd#L166-L177 # - https://archive.ph/paJAm: https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/common/omaha_customization_unittest.cc#L290-L299 # - https://archive.ph/30Mh8: https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/goopdate/omaha3_idl.idl#L178-L186 # - https://archive.ph/Sxvav: https://bugs.chromium.org/p/chromium/issues/detail?id=1096494 # - https://archive.ph/AvwUm: https://bugs.chromium.org/p/chromium/issues/detail?id=948427#c9 # - https://archive.ph/VYdgW: https://bugs.chromium.org/p/chromium/issues/detail?id=338776#c3 # - https://archive.ph/H6S3z: https://bugs.chromium.org/p/chromium/issues/detail?id=309362#c12 # - https://archive.ph/4CeqQ: https://bugs.chromium.org/p/chromium/issues/detail?id=167737 # - https://archive.ph/QKUdt: https://bugs.chromium.org/p/chromium/issues/detail?id=100548#c2 # - https://archive.ph/1ufoL: https://bugs.chromium.org/p/chromium/issues/detail?id=71377#c5 # - https://archive.ph/ZoVnn: https://bugs.chromium.org/p/chromium/issues/detail?id=137915#c138 # - https://archive.ph/WgWli: https://bugs.chromium.org/p/chromium/issues/detail?id=237227 # - https://archive.ph/vAWVf: https://bugs.chromium.org/p/chromium/issues/detail?id=114356 # - https://archive.ph/FJbvG: https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd#L166-L177 call: - function: DisableService parameters: 
serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Google automatic updates scheduled tasks (breaks Google Credential Provider) recommend: strict docs: |- This script disables the scheduled tasks used by Google to automatically update its software on Windows. The Google Update service creates two main tasks [1]: - `GoogleUpdateTaskMachineCore`: Initiates automatic updates [2]. - `GoogleUpdateTaskMachineUA`: Corresponds to "Updates app" [3]. In newer versions of the Google Update service, these task names have random suffixes appended to them [4]. Both of these tasks call the executable file `C:\Program Files (x86)\Google\Update\GoogleUpdate.exe` [5] [6]. This process is officially named "Google Installer" [7] or "Constant Shell" [8]. It is responsible for handling updates [9] [10]. Disabling these tasks can impact the functionality of the "Google Credential Provider for Windows" (GCPW) service [11] [12]. GCPW is a tool used to manage devices with Google endpoint management [13]. This tool is typically used to offer access to Google Workspace services on managed computers [13]. It allows users to sign in to a Windows 10 or 11 device using their Google Account for work or school [14]. These tasks are described by Google as follows [15]: > Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security > vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it. 
### Overview of default task statuses `\GoogleUpdateTaskMachineCore{RandomString}` [4] (tested since Chrome version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Running | | Windows 11 22H2 | 🟢 Running | `\GoogleUpdateTaskMachineUA{RandomString}` [4] (tested since Chrome version 118): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | `\GoogleUpdateTaskMachineCore` [16] (used by older versions of Chrome): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | `\GoogleUpdateTaskMachineUA` [16] (used by older versions of Chrome): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (missing) | | Windows 11 22H2 | 🟡 N/A (missing) | [1]: https://archive.ph/7GKGm "Comment 2 | 114356 - Google Update Services (gupdate & gupdatem) | bugs.chromium.org" [2]: https://archive.ph/ZMFsN "Comment 51 | 440549 - Google Chrome Auto-Update Not working consistently / Google Update GPO policy not honored. | bugs.chromium.org" [3]: https://archive.ph/gLYIf "Comment 52 | 440549 - Google Chrome Auto-Update Not working consistently / Google Update GPO policy not honored. 
| bugs.chromium.org" [4]: https://archive.ph/073xQ "omaha/omaha/common/scheduled_task_utils_internal.h at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [5]: https://archive.ph/Jxh9G "Comment 55 | 137915 - Update failed (error:3) | bugs.chromium.org" [6]: https://archive.ph/zQBY5 "Comment 12 | 1394589 - chrome 108 prematurely stopped checking for updates under Windows 7 - chromium" [7]: https://web.archive.org/web/20231025184531/https://strontic.github.io/xcyclopedia/library/GoogleUpdate.exe-6BF197B8C7DE4B004C5D6FA415FC7867.html "GoogleUpdate.exe | Google Installer | STRONTIC | strontic.github.io" [8]: https://archive.ph/hEosd "omaha/doc/Omaha3Walkthrough.md at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [9]: https://web.archive.org/web/20231025184546/https://www.shouldiblockit.com/googleupdate.exe-8f0de4fef8201e306f9938b0905ac96a.aspx "GoogleUpdate.exe - Should I Block It? (MD5 8f0de4fef8201e306f9938b0905ac96a) | shouldiblockit.com" [10]: https://web.archive.org/web/20231025185202/https://raw.githubusercontent.com/google/omaha/8fa5322c5c35d0cede28f4c32454cb0285490b6d/doc/GoogleUpdateOnAScheduleOverview.html "omaha/doc/GoogleUpdateOnAScheduleOverview.html at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google" [11]: https://web.archive.org/web/20231025184142/https://support.google.com/a/answer/9572621?hl=en#zippy=%2Cyour-administrator-doesnt-allow-you-to-sign-in-with-this-account-try-a-different-account "Troubleshoot GCPW - Google Workspace Admin Help | support.google.com" [12]: https://web.archive.org/web/20231025184249/https://cloud.google.com/knowledge/kb/error-message-received-when-trying-to-login-000003983 "Error message received when trying to login | Google Cloud | cloud.google.com" [13]: https://web.archive.org/web/20231025184232/https://support.google.com/a/topic/24642?hl=en "Manage devices for your organization - Google Workspace Admin Help | support.google.com" 
[14]: https://web.archive.org/web/20231025184204/https://support.google.com/a/answer/9250996?hl=en "Install Google Credential Provider for Windows - Google Workspace Admin Help | support.google.com" [15]: https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd#L166-L177 "omaha/omaha/internal/grit/goopdateres.grd at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha · GitHub | github.com/google" [16]: https://archive.ph/2rF9N "1274960 - GoogleUpdateSetup.exe don't check ACL of Schedule task files GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA - chromium | bugs.chromium.org" # web.archive.org fails with those: # - https://archive.ph/7GKGm: https://web.archive.org/web/20231025184306/https://bugs.chromium.org/p/chromium/issues/detail?id=114356#c2 # - https://archive.ph/ZMFsN: https://web.archive.org/web/20231025184413/https://bugs.chromium.org/p/chromium/issues/detail?id=440549#c51 # - https://archive.ph/gLYIf: https://web.archive.org/web/20231025184413/https://bugs.chromium.org/p/chromium/issues/detail?id=440549#c52 # - https://archive.ph/Jxh9G: https://web.archive.org/web/20231025184442/https://bugs.chromium.org/p/chromium/issues/detail?id=137915#c55 # - https://archive.ph/zQBY5: https://web.archive.org/web/20231025184510/https://bugs.chromium.org/p/chromium/issues/detail?id=1394589#c12 # - https://archive.ph/hEosd : https://web.archive.org/web/20231025185137/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/doc/Omaha3Walkthrough.md?plain=1#L11 # - https://archive.ph/2rF9N : https://web.archive.org/web/20231025184337/https://bugs.chromium.org/p/chromium/issues/detail?id=1274960 # - https://archive.ph/073xQ : https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/common/scheduled_task_utils_internal.h#L170-L173 # - https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd#L178-L181 
call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineCore' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineCore - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineUA' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineUA - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineCore{*}' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineCore{*} - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineUA{*}' taskPathPattern: \ taskNamePattern: GoogleUpdateTaskMachineUA{*} - category: Disable Adobe background automatic updates docs: |- This category includes scripts designed to disable Adobe's background automatic update services and tasks. These automatic updates run in the background [1], typically starting up with your PC, and work to keep your Adobe software up to date [1]. By disabling them, you optimize your system's performance, reduce unwanted data collection, and minimize your vulnerability surface. These scripts only disable automatic updates; manual updates are still possible. [1]: https://web.archive.org/web/20230624030406/https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html "Why do I need the Adobe background processes? | helpx.adobe.com" children: - name: Disable "Adobe Acrobat Update Service" service recommend: standard docs: |- This script disables the `AdobeARMservice` service. This service is officially named "Adobe Acrobat Update Service" [1]. It starts automatically when your PC boots, runs in the background, and installs updates if found [1] [2]. Its primary function is to keep your Adobe software up to date [1]. Disabling this service can help optimize your system's performance and reduce unwanted data collection. 
### Overview of default service statuses `AdobeARMservice` (tested on Adobe Acrobat version 23.006): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Running | | Windows 11 22H2 | 🟢 Running | [1]: https://web.archive.org/web/20231027145411/https://www.shouldiblockit.com/armsvc.exe-2873.aspx "armsvc.exe - Should I Block It? (Adobe Acrobat Update Service) | shouldiblockit.com" [2]: https://web.archive.org/web/20231027145343/https://www.file.net/process/armsvc.exe.html "armsvc.exe Windows process - What is it? | file.net" call: function: DisableService parameters: serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable "Adobe Update Service" service recommend: standard docs: |- This script disables the `adobeupdateservice` service. This service is responsible for updating Creative Cloud desktop apps [1] [2]. It runs continuously in the background [3]. It manages the privileges required for various actions, such as installing app updates and syncing fonts [3]. This allows Adobe to perform its actions without prompting you for your system password or approval [3]. This service has had vulnerabilities in the past, including an unquoted service path privilege escalation vulnerability [4], making it a potential security risk. The service's executable is typically found at `C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe` [1] [2]. 
### Overview of default service statuses `adobeupdateservice` (tested on Adobe Acrobat version 23.006): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟡 N/A (Missing) | | Windows 11 22H2 | 🟡 N/A (Missing) | [1]: https://web.archive.org/web/20231027145409/https://helpx.adobe.com/creative-cloud/kb/all-apps-displayed-aam.html "Not all apps displayed for download | Creative Cloud desktop app" [2]: https://web.archive.org/web/20231027145700/https://helpx.adobe.com/se/xd/kb/adobe-xd-not-compatible-on-windows-machine.html "Adobe XD appears as not compatible on Creative Cloud desktop app | helpx.adobe.com" [3]: https://web.archive.org/web/20230624030406/https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html "Why do I need the Adobe background processes? | helpx.adobe.com" [4]: https://web.archive.org/web/20231027145430/https://www.exploit-db.com/exploits/39954 "AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation - Windows local Exploit | exploit-db.com" call: function: DisableService parameters: serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable "Adobe Acrobat Update Task" scheduled task recommend: standard docs: |- This script disables the "Adobe Acrobat Update Task" scheduled task. It is responsible for keeping your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes [1]. By disabling it, you reduce the system's exposure to potential vulnerabilities, though at the cost of not receiving automatic updates in the background. 
### Overview of default task statuses `\Adobe Acrobat Update Task` [1] (tested on Adobe Acrobat version 23.006): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231027145509/http://windows.fyicenter.com/4324_Adobe_Acrobat_Update_Task_Scheduled_Task_on_Windows_7.html '"Adobe Acrobat Update Task" Scheduled Task on Windows 7 | windows.fyicenter.com' call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'Adobe Acrobat Update Task' taskPathPattern: \ taskNamePattern: Adobe Acrobat Update Task - name: Disable "Razer Game Scanner Service" recommend: standard call: function: DisableService parameters: serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Logitech Gaming Registry Service" recommend: standard call: function: DisableService parameters: serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - category: Disable Dropbox background automatic updates docs: |- This category focuses on disabling continuous background processes related to automatic updates of Dropbox. Although these processes are intended to keep Dropbox up to date, they can be intrusive and use system resources unnecessarily. Disabling them does not prevent updates, but stops the automatic background processes that are running constantly, contributing to both privacy and system optimization. Users have to manually update Dropbox to ensure they have the latest version and security features. children: - name: Disable "Dropbox Update Service" services recommend: standard docs: |- Dropbox operates using two Windows services, `dbupdate` and `dbupdatem`, to manage automatic updates [1]. 
Disabling these services can help enhance privacy and optimize system performance. ### Overview of default service statuses `dbupdate` (Dropbox Update Service, tested on Dropbox version 184.4): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🔴 Stopped | | Windows 11 22H2 | 🔴 Stopped | `dbupdatem` (Dropbox Update Service, tested on Dropbox version 184.4): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🔴 Stopped | | Windows 11 22H2 | 🔴 Stopped | [1]: https://web.archive.org/web/20231101153431/https://belkasoft.com/investigating_dropbox_desktop_app "Investigating the Dropbox Desktop App for Windows with Belkasoft X | belkasoft.com" call: - function: DisableService parameters: serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - function: DisableService parameters: serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable Dropbox automatic updates scheduled tasks recommend: standard docs: |- This script disables the scheduled tasks that Dropbox uses to trigger updates. These tasks, named `DropboxUpdateTaskMachineUA` and `DropboxUpdateTaskMachineCore`, are referred to as "Dropbox Update tasks" by Dropbox [1]. Disabling these scheduled tasks can further enhance privacy and optimize system performance. Dropbox disables these tasks for enterprise installations by default [1]. 
### Overview of default task statuses `\DropboxUpdateTaskMachineCore` (tested on Dropbox version 184.4): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | `\DropboxUpdateTaskMachineUA` (tested on Dropbox version 184.4): | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://archive.ph/pJon7 "DropboxBusinessScripts/QA Installer/Dropbox Enterprise Installer.ps1 at 4f4c32ddd488b29e7fd16a40966761e70a758239 · dropbox/DropboxBusinessScripts | github.com/dropbox" # web.archive.org fails with those: # - https://archive.ph/pJon7: https://github.com/dropbox/DropboxBusinessScripts/blob/4f4c32ddd488b29e7fd16a40966761e70a758239/QA%20Installer/Dropbox%20Enterprise%20Installer.ps1#L127-L136 call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'DropboxUpdateTaskMachineUA' taskPathPattern: \ taskNamePattern: DropboxUpdateTaskMachineUA - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'DropboxUpdateTaskMachineCore' taskPathPattern: \ taskNamePattern: DropboxUpdateTaskMachineCore - category: Disable Media Player data collection children: - name: Disable sending Windows Media Player statistics recommend: standard code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f - name: Disable metadata retrieval recommend: standard code: |- reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 
/f - name: Disable "Windows Media Player Network Sharing Service" (`WMPNetworkSvc`) docs: http://batcmd.com/windows/10/services/wmpnetworksvc/ recommend: standard call: function: DisableService parameters: serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable CCleaner data collection code: |- reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 1 /f reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t 
REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 1 /f reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f - category: Security improvements docs: |- This category encompasses a range of scripts designed to improve the security of your system by enforcing security best practices. These scripts help protect your system against various types of cyber threats and unauthorized access. children: - name: Disable hidden remote file access via administrative shares (breaks remote system management software) recommend: strict docs: |- This script improves your privacy and security by disabling Windows administrative shares, which are typically used for remote access to your computer's file system. Windows automatically creates hidden administrative shares, such as `C$` and `D$`, that allow system administrators remote access to every disk volume on your computer [1] [2]. These shares are often targeted as potential attack vectors [3]. Disabling administrative shares is generally a good practice for enhancing security. It is recommended by various security standards and compliance frameworks, including some government standards [3], PCI-DSS [4], and CIS [2]. It reduces the system's vulnerability to unauthorized remote access. These shares are often used for system administrators to perform tasks like software installation and vulnerability scanning remotely [1]. Disabling them may limit remote management capabilities. This might require setting up network shares manually for specific folders or drives, which is more secure but requires additional effort. 
Some software, such as Microsoft Systems Management Server (SMS) [2], Microsoft Operations Manager [2], Microsoft PsTools [5], and certain third-party network backup applications [2], rely on administrative shares. Therefore, disabling these shares could disrupt their functionality. > **Caution**: Disabling administrative shares can impact remote management software and may interrupt the ability to remotely control > machines. Consider your operational and security needs before making this change. [1]: https://web.archive.org/web/20230831114315/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares "Remove administrative shares - Windows Server | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231206152703/http://www.itref.ir/uploads/editor/1edad0.pdf "CIS Microsoft Windows 8 Benchmark | itref.ir" [3]: https://web.archive.org/web/20230831124304/https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Business-Partner-System-Security-Manual-BPSSM.pdf "CMS Manual System | Pub 100-17 Medicare Business Partners | Department of Health & Human Services (DHHS) & Centers for Medicare & Medicaid Services (CMS) | cms.gov" [4]: https://web.archive.org/web/20230831124324/https://www.unifiedcompliance.com/products/search-authority-documents/authority-document/1071/ "Payment Card Organizations > PCI Security Standards Council | Unified Compliance | www.unifiedcompliance.com" [5]: https://github.com/undergroundwires/privacy.sexy/issues/249 "Disabling administrative shares breaks PsTools | undergroundwires/privacy.sexy | github.com" code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /f # Key does not exist since Windows 11 22H2 - category: Enable protection against Meltdown and 
Spectre docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot children: - name: Mitigate Spectre Variant 2 and Meltdown in host operating system code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f wmic cpu get name | findstr "Intel" >nul && ( reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f ) wmic cpu get name | findstr "AMD" >nul && ( reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f ) revertCode: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f - name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f - name: Enable Data Execution Prevention (DEP) code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f - name: Disable AutoPlay and AutoRun docs: - https://en.wikipedia.org/wiki/AutoRun - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667 - 
https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671 - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673 recommend: standard code: |- :: 255 (0xff) means all drives reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f - name: Disable remote assistance feature recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f - name: Disable lock screen camera access recommend: standard docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f - name: Disable storage of the LAN Manager password hashes recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797 code: reg 
add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 0 /f - name: Disable "Always install with elevated privileges" in Windows Installer recommend: standard docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f - name: Disable Basic Authentication usage in WinRM recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f - name: Disable anonymous enumeration of shares recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f - name: Disable usage of insecure authentication recommend: standard docs: - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 - https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f - name: Enable Structured Exception Handling Overwrite Protection (SEHOP) recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849 code: 
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f - name: Disable unauthorized user account discovery (anonymous SAM enumeration) recommend: standard docs: |- This script increases your system's security by preventing unauthorized users from seeing account names in the Security Accounts Manager (SAM) [1] [2] [3] [4] [5] [6]. When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing sensitive information [4] [6] [7] [8]. This is a security action recommended by organizations like the Department of Defense [1], NASA [2], IRS [8], NIST [6], CIS [4], and Microsoft [3]. The change is enacted through the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RestrictAnonymousSAM` registry value [1] [2] [4] [5]. By default, this restriction is enabled [4], and Windows enforces it even when the registry value does not exist [3]. While the script secures the system from these threats, it also has implications for interoperability with older systems. It will prevent the establishment of trusts with Windows NT 4.0 domains [4] [5] [7] [9] and cause issues for older client operating systems, like Windows NT 3.51 and Windows 95, when they try to access server resources [4] [5] [7]. Typically, anonymous connections are requested by earlier versions of clients (down-level clients) during SMB session setup [7]. The script has no impact on domain controllers, since their behavior in this respect is controlled by different settings [5] [7]. The policy setting does not require a restart to become effective [5], and there is no impact on current systems where the default behavior already includes this restriction [4]. 
Despite the potential interoperability issues with older systems, the script maintains a security posture that is important in modern networks to minimize unauthorized access and protect user privacy. [1]: https://web.archive.org/web/20231105200434/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 "Anonymous enumeration of SAM accounts must not be allowed. | www.stigviewer.com" [2]: https://web.archive.org/web/20231105200713/https://asapdata.arc.nasa.gov/share/Paul/CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0.pdf "CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark | nasa.gov" [3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#security-options---network-access "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com" [4]: https://web.archive.org/web/20231105201133/https://community.mis.temple.edu/mis5170sec001sec701sp2018/files/2018/02/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | temple.edu" [5]: https://web.archive.org/web/20231105201446/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852230%28v=ws.11%29 "Network access: Do not allow anonymous enumeration of SAM accounts | Microsoft Learn | learn.microsoft.com" [6]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov" [7]: https://web.archive.org/web/20231105201346/https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a "Client, service, and program issues can occur if you change security settings and 
user rights assignments - Microsoft Support | support.microsoft.com" [8]: https://web.archive.org/web/20231105200853/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx "IRS Office of Safeguards SCSEM | irs.gov" [9]: https://web.archive.org/web/20231105201413/https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly "Trust between a Windows NT domain and an Active Directory domain can't be established or it doesn't work as expected - Windows Server | Microsoft Learn | learn.microsoft.com" code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f revertCode: |- :: Default value is `1` on modern Windows versions (Windows 10 since 22H2, Windows 11 since 22H2) reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f - name: Disable anonymous access to named pipes and shares recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 0 /f - category: Disable unsafe features children: - name: Disable unsafe SMBv1 protocol recommend: standard docs: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 code: |- dism /online /Disable-Feature /FeatureName:"SMB1Protocol" /NoRestart dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart revertCode: |- dism /online /Enable-Feature /FeatureName:"SMB1Protocol" /NoRestart dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart - name: Enable 
security against PowerShell 2.0 downgrade attacks recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637 code: |- dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart revertCode: |- dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart - name: Disable "Windows Connect Now" wizard recommend: standard docs: - https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now - https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698 code: |- reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f revertCode: |- reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v 
"DisableWPDRegistrar" /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f - category: Secure cryptography on IIS (Internet Information Services) server children: - name: Increase Diffie-Hellman key (DHK) exchange to 4096 bits code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ServerMinKeyBitLength /t REG_DWORD /d 0x00001000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00001000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v Enabled /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f - name: Increase RSA key exchange to 2048 bits docs: |- In 2012, Microsoft began transitioning the minimum RSA key length across various applications from 1024 to 2048 bits. 1024-bit key exchange algorithms are still supported in Windows despite having been considered deprecated for some time. NIST 800-131A Rev. 2 states that RSA Key Agreement and Key Transport schemes with len(n) < 2048 are disallowed. Generally, RSA key exchange algorithms of 2048 bits or more are widely supported. While the set of supported cipher suites is an indirect way to control which key exchange algorithms are allowed, key exchange algorithms can also be configured independently (subject to constraints imposed by the negotiated cipher suite), which provides a supplemental baseline for enforcing strong cryptography. 
This script works by creating the non-default `PKCS` key under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\` and setting, within it, a value named `ClientMinKeyBitLength` with the data `0x00000800` (2048). The revert deletes the `ClientMinKeyBitLength` value. See also: - [Transport Layer Security (TLS) registry settings | learn.microsoft.com](https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#keyexchangealgorithm---client-rsa-key-sizes) - [Pull request by bricedobson | undergroundwires/privacy.sexy | GitHub.com](https://github.com/undergroundwires/privacy.sexy/pull/165) code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00000800 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /v "ClientMinKeyBitLength" /f - name: Disable RC2 cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v "Enabled" /f - name: Disable RC4 cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add 
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v "Enabled" /f - name: Disable DES cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v "Enabled" /f - name: Disable 3DES (Triple DES) cipher code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" /f - name: 
Disable MD5 hash function code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v "Enabled" /f - name: Disable SHA1 code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /v "Enabled" /f - name: Disable null cipher code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /f /v Enabled /t REG_DWORD /d 0x00000000 revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v "Enabled" /f - name: Disable response to renegotiation requests code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoClients /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoServers /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v DisableRenegoOnServer /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v UseScsvForTls /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnServer" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f - name: Disable DTLS 1.0 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f 
/v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "DisabledByDefault" /f - name: Disable DTLS 1.1 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v 
"Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f - name: Enable DTLS 1.3 # Windows 10 and Windows Server 10 version 1903 and newer support DTLS 1.3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f - name: Disable TLS 1.0 docs: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls # After disabling TLS 1.0 must be (will be) activated SchUseStrongCrypto for .NET apps code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add 
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /f reg delete 
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - name: Disable TLS 1.1 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 
1.1\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f - name: Enable TLS 1.3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f - name: Enable strong authentication for .NET applications using TLS 1.2 docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications code: |- reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 
0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f reg delete 
"HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f - name: Disable SSLv2 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f - name: Disable SSLv3 code: |- reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000 reg add 
"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001 revertCode: |- reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f - category: Privacy over security children: - category: Disable Microsoft Defender docs: https://en.wikipedia.org/wiki/Windows_Firewall # See defender status: Get-MpComputerStatus children: - category: Disable Microsoft Defender firewall # Also known as Windows Firewall, Microsoft Defender Firewall children: - category: Disable Microsoft Defender Firewall services and drivers children: - name: Disable "Windows Defender Firewall Authorization Driver" service docs: - http://batcmd.com/windows/10/services/mpsdrv/ # โ—๏ธ Breaks: `netsh advfirewall set` # Disabling and stopping it breaks "netsh advfirewall set" commands such as # `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`. # More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior # ! Breaks: Windows Store # The Windows Defender Firewall service depends on this service. # Disabling this will also disable the Windows Defender Firewall service, breaking Microsoft Store. 
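# https://i.imgur.com/zTmtSwT.png
        call:
          - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
            parameters:
              serviceName: mpsdrv # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv").Start
              defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
          - function: SoftDeleteFiles
            # NOTE(review): this removes the driver binary itself, a far more invasive change than the Start value above.
            # Confirm that the revert path of SoftDeleteFiles actually restores the file before relying on "revert" here.
            parameters:
              fileGlob: '%SYSTEMROOT%\System32\drivers\mpsdrv.sys'
              grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
      - name: Disable "Windows Defender Firewall" service (breaks Microsoft Store downloads and `netsh advfirewall` CLI)
        docs: |-
          This script disables the "Windows Defender Firewall" service, also known as `MpsSvc` [1] [2] [3].
          The Windows Defender Firewall, previously known as Windows Firewall [4], is a component that helps protect against unauthorized network access [3] [4].
          It operates by filtering both incoming and outgoing network traffic based on predefined security rules [1].
          Disabling the Windows Defender Firewall has significant impacts, including:
          - **Microsoft Store app downloads**: Disabling this service prevents updates and installations from the Microsoft Store, resulting in error code `0x80073D0A` [5] [6].
          - **`netsh advfirewall` commands**: The script renders the `netsh advfirewall` command-line context, which manages Windows Firewall settings [7], inoperative.
          - **Activation of boot-time filters**: Stopping the service does not simply switch filtering off. Windows may fall back to the boot-time filters, a restrictive policy that protects the computer during startup or when the firewall service stops unexpectedly [2]. This feature was introduced to minimize vulnerabilities during startup [2].
          Beyond firewall functionality, the MpsSvc service is integral to Windows Service hardening and network isolation [6], essential for Windows Store applications [6].
          As a result, third-party firewalls typically interact with Windows Firewall via public APIs, rather than disabling the service outright [6].
          The `MpsSvc` service is set to start automatically by default [3] and runs from the `%WINDIR%\System32\MPSSVC.dll` service library [3].
          This file is also referred to as "Microsoft Protection Service" [8].
          > **Caution:** Disabling this service significantly compromises system security [9] and is not recommended by Microsoft [9].
          > It affects not only the firewall's protective capabilities but also the functionality of other Windows components like the Store [5] [6] and command-line utilities.
          > Users should be aware of these considerable trade-offs when considering this script for privacy enhancement.
          [1]: https://web.archive.org/web/20110203202612/http://technet.microsoft.com/en-us/library/dd364391(v=WS.10).aspx "Windows Firewall Service | technet.microsoft.com"
          [2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com"
          [3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com"
          [4]: https://en.wikipedia.org/w/index.php?title=Windows_Firewall&oldid=1183396285 "Windows Firewall - Wikipedia | wikipedia.org"
          [5]: https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy"
          [6]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A?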
โ€“ Walker News | www.walkernews.net" [7]: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com" [8]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io" [9]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com" call: - function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config parameters: serviceName: MpsSvc # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc").Start defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\mpssvc.dll' grantPermissions: true # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - name: Disable firewall via command-line utility # โ—๏ธ Following must be enabled and in running state: # - mpsdrv ("Windows Defender Firewall Authorization Driver") # - bfe (Base Filtering Engine) # - mpssvc ("Windows Defender Firewall") # If the dependent services are not running, the script fails with: # "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again." 
# Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc docs: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior call: function: RunPowerShell parameters: code: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state off 2>&1 if($?) { Write-Host "Successfully disabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' } else { throw "Cannot disable: $message" } } revertCode: |- if(!(Get-Command 'netsh' -ErrorAction Ignore)) { throw '"netsh" does not exist, is system installed correctly?' } $message=netsh advfirewall set allprofiles state on 2>&1 if($?) { Write-Host "Successfully enabled firewall." } else { if($message -like '*Firewall service*') { Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?' 
} else { throw "Cannot enable: $message" } } - name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning docs: - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416 - https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2 code: |- :: Policy based reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f :: Non-policy based reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f # When reverting HKLM\SOFTWARE\Policies profiles are deleted as they are not included in clean installation # On 
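# the other hand "StandardProfile", "DomainProfile" and "PublicProfile" exist under HKLM\SYSTEM\CurrentControlSet
        # so they're not deleted but set to default state
        revertCode: |-
          :: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
          :: (kept as a batch "::" comment: a "#" line inside this block scalar is script content, and cmd.exe
          ::  would try to run "#" and print a "not recognized" error in the generated revert script)
          :: Policy based
          reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /f 2>nul
          reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /f 2>nul
          reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /f 2>nul
          reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /f 2>nul
          :: Non-policy based
          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
          reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
      - name: Disable "Firewall & network protection" section in "Windows Security"
        # UI-only: this hides the status page but does not change the firewall state; the status it would show [2] is simply no longer visible.
        docs: |-
          This script hides the "Firewall & network protection" section in the "Windows Security" interface.
          Previously, this interface was called "Windows Defender Security Center" [1].
          The "Firewall & network protection" section provides details about the device's firewalls and network connections [2].
          It shows the status of both the Windows Defender Firewall and any other third-party firewalls [2].
          However, after using this script, users will no longer see this section in the "Windows Security" interface [3].
          This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown` registry value to hide the Firewall and network protection area [3].
          It only hides the page; the firewall itself keeps whatever state it already has.
          [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
          [2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn"
          [3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn"
        code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f
        revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul
  - name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903
    # Per the first linked page, Microsoft removed this key from the antimalware platform (4.18.2007.8 and later):
    # on current Defender builds the policy value is ignored, and Defender only turns itself off when another
    # registered antivirus product is present. Expect this script to be a no-op on up-to-date systems.
    docs:
      - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware
      - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender
    code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul
  - category: Disable Defender features # Status: Get-MpPreference
    children:
      - category: Disable Defender Antivirus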
cloud protection service docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus # Also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet children: - category: Disable Defender cloud protection features children: - name: Disable block at first sight docs: # What is block at first sight? How does it work? How to turn on/off? - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul - name: Maximize time for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v 
"MpBafsExtendedTimeout" /f 2>nul - name: Minimize cloud protection level # Requires "Join Microsoft MAPS" docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul - name: Disable notifications to turn off security intelligence # Requires "Join Microsoft MAPS" docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul - category: Disable Defender cloud export for analysis children: - name: Disable Microsoft Defender SpyNet reporting recommend: strict docs: - https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713 # Manage with registry policy - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting # Managing with MDM policy - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#mapsreporting call: # 0: Disabled, 1: Basic, 2: Advanced (default) - function: SetMpPreference parameters: property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting value: "'0'" # Set: 
Set-MpPreference -Force -MAPSReporting 0 default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /f 2>nul - name: Disable sending file samples for further analysis recommend: strict docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent call: # 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically' - function: SetMpPreference parameters: property: SubmitSamplesConsent # Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2 default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 1 (OS default) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /f 2>nul - name: Disable "Malicious Software Reporting" tool diagnostic data recommend: strict docs: |- This script disables the diagnostic data sent by 
Microsoft's Malicious Software Removal Tool (MSRT) [1]. Starting from its version 5.39 in August 2016, MSRT was observed to transmit a "Heartbeat Report" to Microsoft every time it operated [2]. This happens even when the Customer Experience Improvement Program (CEIP) is turned off, and even if "DiagTrack" is not installed on the computer [2]. Such a report can be confirmed by viewing the MRT log located at `%windir%\debug\mrt.log` [2]. This script enhances user privacy by setting a specific system key, `HKLM\SOFTWARE\Policies\Microsoft\MRT!DontReportInfectionInformation`, to halt this data sharing with Microsoft [1] [2]. [1]: https://web.archive.org/web/20231009135123/https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection "Disable Malicious Software Reporting tool diagnostic data | admx.help" [2]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul - name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS" recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul - name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147 - 
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/ - https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: # 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode' property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0 default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0 - function: RunInlineCode parameters: code: |- :: For legacy versions: Windows 10 v1809 and Windows Server 2019 reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f :: For newer Windows versions reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f revertCode: |- :: For legacy versions: Windows 10 v1809 and Windows Server 2019 reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /f 2>nul :: For newer Windows versions reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul - name: Disable tamper protection # Added in Windows 10, version 1903 docs: - https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10 - https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-tamperprotection call: - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is 
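# denied." (>= 20H2)
            # ❌ Fails with "ERROR: Access is denied." in Windows 11 21H2 | ✅ Works in Windows 10 >= 20H2
            # NOTE(review): these are raw values under the non-policy "Features" key; the CSP page linked above documents the MDM
            # surface, not these values, so verify on the targeted build that the written value still means "off".
            parameters:
              code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f
              revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /f 2>nul
          - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
            parameters:
              code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f
              revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /f 2>nul
      - name: Disable file hash computation feature # Added in Windows 10, version 2004
        docs:
          - https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation
          - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation
          - https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631
        code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f
        revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul
  - category: Disable "Windows Defender Exploit Guard"
    docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
    children:
      - name: Disable prevention of users and apps from accessing dangerous websites
        docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection
        # EnableNetworkProtection values (linked policy): 0 = Disabled, 1 = Block, 2 = Audit mode.
        # Do not write 1 here: 1 turns network protection ON in block mode, the opposite of what this script is for.
        # Security trade-off: with 0, Defender no longer blocks connections to domains it rates as dangerous.
        code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "0" /f
        # Deleting the policy value returns it to "Not configured" (protection stays off unless managed elsewhere).
        revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul
      - name: Disable controlled folder access
        docs:
          - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
          - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders
        # EnableControlledFolderAccess values (linked policy): 0 = Disable, 1 = Block, 2 = Audit Mode.
        # Security trade-off: controlled folder access is an anti-ransomware control; 0 removes it.
        code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f
        revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f 2>nul
  - category: Disable network inspection system features
    children:
      - name: Disable protocol recognition
        docs:
          - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209
          - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition
        code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f
        revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /f 2>nul
      - name: Disable definition retirement
        docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement
        code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f
        revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul
      - name: Minimize rate of detection events
        docs: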
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /f 2>nul - category: Disable real-time protection children: - name: Disable real-time monitoring docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring call: # Enabled by default (DisableRealtimeMonitoring is false) - function: SetMpPreference parameters: property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True # โŒ Windows 11: Does not fail but does not set $True value | โœ… Windows 10: Works as expected default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /f 2>nul - name: Disable intrusion prevention system (IPS) docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem 
# Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem call: - function: SetMpPreference parameters: property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True # ❌ Windows 11 and Windows 10: Does not fail but does not change the value default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False # ❗ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /f 2>nul - name: Disable Information Protection Control (IPC) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /f 2>nul - category: Disable Defender monitoring of behavior children: - name: Disable behavior monitoring docs: - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - 
https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring call: - function: SetMpPreference parameters: property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True # ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /f 2>nul - name: Disable sending raw write notifications to behavior monitoring docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /f 2>nul - category: Disable monitoring of downloads and attachments in Defender children: - name: Disable scanning of all downloaded files and attachments docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225 # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection call: - function: SetMpPreference parameters: property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property 
DisableIOAVProtection value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True # ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /f 2>nul - name: Disable scanning files larger than 1 KB (minimum possible) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul - category: Disable Defender monitoring of file and program activity children: - name: Disable file and program activity monitoring docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul - name: Disable bidirectional scan for incoming and outgoing file and program activities docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection # Managing with MpPreference module: - 
https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection call: # 0='Both': bi-directional (full on-access, default) # 1='Incoming': scan only incoming (disable on-open) # 2='Outgoing': scan only outgoing (disable on-close) - function: SetMpPreference parameters: property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1 default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul - name: Disable real-time protection process scanning docs: - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /f 2>nul - category: Disable Defender remediation children: - name: Disable routine remediation docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#admx-microsoftdefenderantivirus-disableroutinelytakingaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction code: reg add 
"HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul - name: Disable running scheduled auto-remediation docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday call: # 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8 default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0 - name: Disable remediation actions docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference # None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10 call: # Not using ThreatIdDefaultAction as it requires known threat IDs - function: SetMpPreference # 
https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction parameters: property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction # Setting or removing `UnknownThreatDefaultAction` has the same effect on (also sets the same value for): # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`. # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed. # Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction` value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9 # Default: 0 (none) # NOTE(review): 9 (NoAction) means a detection is only logged; the file is left on disk and still runnable, nothing is cleaned or quarantined # Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction` # works on both Windows 10 and Windows 11 - function: RunInlineCode parameters: code: |- reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f :: 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition) reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f revertCode: |- reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /f 2>nul reg 
delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul - name: Enable automatically purging items from quarantine folder docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay call: # Values: # Default: 90 on both Windows 10 21H1 and Windows 11 21H2 # Minimum: 1 # 0 means indefinitely # NOTE(review): a 1-day retention leaves no window to restore a false positive or keep a sample for incident analysis; quarantined files are gone the next day - function: SetMpPreference parameters: property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90 setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead of 90 (OS default) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /f 2>nul - name: Disable always running antimalware service docs: 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive # ServiceKeepAlive is the value behind the "Allow antimalware service to remain running always" policy: 1 = Enabled (keep the service running), 0 = Disabled. # Writing 1 would do the opposite of what this script's name promises, so the policy's Disabled value is written instead. code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul # - Too good to disable, also no reported privacy issues # category: Disable Microsoft Defender "Device Guard" and "Credential Guard" # docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419 # children: # - # name: Disable LSA protection (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection # - https://itm4n.github.io/lsass-runasppl/ # - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # code: |- # reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f # reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f # revertCode: |- # Already disabled by default, so just delete the keys # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f 2>nul # reg delete "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /f 2>nul # - # name: Disable virtualization-based security (disabled by default) # docs: # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard # - 
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity # code: |- # :: Virtualization features # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul # :: Lock # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul # :: HypervisorEnforcedCodeIntegrity # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f 2>nul # revertCode: |- # :: Virtualization features # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul # :: Lock # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul # :: HypervisorEnforcedCodeIntegrity # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul # - # name: Disable System Guard Secure Launch # docs: # - 
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection # - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch # code: |- # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 2 /f # reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 0 /f # revertCode: |- # reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /f 2>nul # reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /f 2>nul # - # name: Disable Windows Defender Application Control Code Integrity Policy # docs: # - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy # - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool # call: # - # function: RunInlineCode # parameters: # code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 0 /f # revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /f 2>nul # - # function: DeleteFiles # NOTE(review): this deletes the deployed WDAC policy file and has no revertCode, so it cannot be undone by this script # parameters: # fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b' - name: Disable auto-exclusions docs: - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - 
https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions call: - function: SetMpPreference parameters: property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False setDefaultOnWindows11: true # `Remove-MpPreference` has no effect (does not change the value) in Windows 11 - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /f 2>nul - category: Disable Defender scans children: - category: Disable scan actions children: - name: Disable signature verification before scanning # Default configuration docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan call: - function: SetMpPreference parameters: property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False - function: RunInlineCode parameters: # Default: Does not exist code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v 
"CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul - name: Disable creation of daily system restore points # Default behavior docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint call: - function: SetMpPreference parameters: property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul - name: Minimize retention time for files in scan history docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay call: # Default is 15, minimum is 0 which means never removing items - function: SetMpPreference parameters: property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 default: "'15'" # Default: 15 | Remove-MpPreference -Force 
-ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /f 2>nul - category: Disable catch-up scans children: - name: Maximize days until mandatory catch-up scan docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup # Number of consecutive missed scheduled scans (a count, not days, despite the script name) before a catch-up scan is forced; default and minimum is 2, maximum is 20 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /f 2>nul - name: Disable catch-up full scans # Disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan call: - function: SetMpPreference parameters: property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul - name: Disable catch-up quick scans docs: - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan call: - function: SetMpPreference parameters: property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul - category: Disable Defender scan options children: - name: Disable scan heuristics docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul - category: Minimize CPU usage during scans children: - name: Minimize CPU usage during scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor call: # Default: 50, minimum 1 - function: SetMpPreference parameters: property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property 
ScanAvgCPULoadFactor value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1 default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50 - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul - name: Minimize CPU usage during idle scans docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: - function: SetMpPreference parameters: property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul - name: Disable scanning when not idle # Default OS setting docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled call: - function: SetMpPreference parameters: property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True default: $True # Default: True 
| Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul - name: Disable scheduled anti-malware scanner (MRT) docs: |- This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft, by stopping Windows Update from offering and running MSRT. Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1]. By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft. 
[1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody" code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /f 2>nul - category: Minimize scanned areas children: - name: Disable e-mail scanning # Disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning call: - function: SetMpPreference parameters: property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $True default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /f 2>nul - name: Disable script scanning docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning call: function: SetMpPreference parameters: property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True # ❌ Windows 11: Does not fail but does not set $True value (and unlike the sibling scripts there is no RunInlineCode registry fallback here, so on Windows 11 this script is effectively a no-op) 
| ✅ Windows 10: Works as expected default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False - name: Disable reparse point scanning docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul - name: Disable scanning mapped network drives during full scan docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul - function: SetMpPreference parameters: property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True - name: Disable network file scanning docs: -
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul - function: SetMpPreference parameters: property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False - name: Disable scanning packed executables docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /f 2>nul - category: Disable scanning archive files children: - name: Disable scanning archive files docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v 
"DisableArchiveScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul - function: SetMpPreference parameters: property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False - name: Minimize scanning depth of archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul - name: Minimize file size for scanning archive files docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul - name: Disable scanning removable drives docs: # Disabled by default - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows 
Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul - function: SetMpPreference parameters: property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True - category: Disable auto-scans children: - name: Disable scheduled scans docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday call: # Options are: # 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday', # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8' default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0' - name: Disable randomizing scheduled task times docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes # Managing with MpPreference module: - 
https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul - function: SetMpPreference parameters: property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True - name: Disable scheduled full-scans docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters call: # Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan' - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul - function: SetMpPreference parameters: property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1' default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1' 
setDefaultOnWindows11: true # โŒ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11 - name: Minimize daily quick scan frequency docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul - name: Disable scanning after security intelligence (signature) update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul - category: Disable Defender updates children: - category: Disable Defender Security Intelligence (signature) updates children: - name: Disable forced security intelligence (signature) updates from Microsoft Update docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /f 2>nul - name: Disable security intelligence (signature) updates when running on battery power docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f revertCode: 
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul - name: Disable startup check for latest virus and spyware security intelligence (signature) docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /f 2>nul - name: Disable catch-up security intelligence (signature) updates # default is one day docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval call: # Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul - function: SetMpPreference parameters: property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0' default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1' - name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when spyware security intelligence 
(signature) is considered up-to-date docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue - https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul - name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days # Maximize period when virus security intelligence (signature) is considered up-to-date docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue - https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243 code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /f 2>nul - name: Disable security intelligence (signature) update on startup docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine call: - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul - function: SetMpPreference
parameters: property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False - name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday call: # Options: # 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday' # 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default) - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul - function: SetMpPreference parameters: property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8' default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8' - name: Minimize checks for security intelligence (signature) updates docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval - 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval call: # Valid values range from 1 (every hour) to 24 (once per day). # If not specified (0), Microsoft Defender checks at the default interval - function: RunInlineCode parameters: code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul - function: SetMpPreference parameters: property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24' default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0' - category: Disable alternate definition updates children: - name: Disable definition updates via WSUS and Microsoft Malware Protection Center docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul - name: Disable definition updates through both WSUS and Windows Update docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v
"CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul - name: Minimize Defender updates to completed gradual release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease - name: Minimize Defender engine updates to completed release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad' # Valid values: # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'" - name: Minimize Defender platform updates to completed release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: function: SetMpPreference parameters: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) property: PlatformUpdatesChannel # Status:
Get-MpPreference | Select-Object -Property PlatformUpdatesChannel value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' # Valid values: # 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'" - name: Minimize Defender definition updates to completed gradual release cycles docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference call: # ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform) function: SetMpPreference parameters: property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel # Its former name was "SignaturesUpdatesChannel" value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' # Valid values: # 0 = 'NotConfigured' (default), 'Beta', 'Preview', 'Broad', 'Staged' # ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged' default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'" - category: Disable Microsoft Defender reporting children: - name: Disable Microsoft Defender logging code: |- reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f revertCode: |- # 1 as default in registry reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f reg add
"HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f - name: Disable Microsoft Defender ETW provider (Windows Event Logs) docs: - https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-views code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f revertCode: |- # 1 as default in registry reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f - name: Disable sending Watson events # Deprecated since February 2015 update http://support.microsoft.com/kb/3036437 docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul - name: Minimize Windows software trace preprocessor (WPP Software Tracing) docs: - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f revertCode: reg delete 
"HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /f 2>nul - name: Disable auditing events in Microsoft Defender Application Guard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview code: reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul - category: Disable Defender user interface children: - name: Remove "Windows Security" system tray icon docs: |- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f 2>nul - name: Remove "Scan with Microsoft Defender" from context menu docs: - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/ - https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html code: |- reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f 2>nul reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul revertCode: |- reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f reg add 
"HKCR\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f - name: Remove "Windows Security" icon from taskbar docs: |- This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703 and was originally named "Windows Defender Security Center" [1]. The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3]. The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2 and Windows 10 22H2) with default value of `%windir%\system32\SecurityHealthSystray.exe`. [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" [2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?" 
[3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io" code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809 revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f - name: Disable Microsoft Defender Antimalware (AM) user interface docs: |- This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially preventing user interactions with the Microsoft Defender Antivirus interface. Several reasons to hide the antivirus interface: 1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more in control of their data when they aren't constantly reminded of a running security service. 2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans. Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances. 3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently triggering options that might share data. 4. 
**Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that access has been restricted by the system administrator [2]. The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the `HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1]. [1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode" [2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn" code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul - name: Minimize threat history access to administrators docs: # Managing with MpPreference module: - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference - https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode call: - function: SetMpPreference parameters: property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False - function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." 
(>= 20H2) parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul - category: Disable sections in "Windows Security" docs: |- This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1]. "Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display in a restricted mode [1]. [1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" children: - name: Disable "Virus and threat protection" section in "Windows Security" docs: |- - [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection) - [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul - name: Disable "Ransomware data recovery" section in "Windows Security" docs: |- [Hide the Ransomware 
data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul - name: Disable "Family options" section in "Windows Security" docs: |- - [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options) - [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul - name: Disable "Device performance and health" section in "Windows Security" docs: |- - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health) - [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown) code: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul - name: Disable "Account protection" section in "Windows Security" docs: |- - [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection) - [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul - name: Disable "App and browser control" section in "Windows Security" docs: |- - [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control) - [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" 
/v "UILockdown" /f 2>nul - category: Disable device security sections children: - name: Disable "Device security" section in "Windows Security" docs: |- - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security) - [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul - name: Disable "Clear TPM" button in "Windows Security" docs: |- - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button) - [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul - name: Disable "Secure boot" button in "Windows Security" docs: |- [Hide the Secure boot area | 
admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul - name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security" docs: |- [Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul - name: Disable "TPM Firmware Update" recommendation in "Windows Security" docs: |- - [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation) - [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning) code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security 
Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul - category: Disable Defender notifications children: - category: Disable Windows Security notifications docs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications children: - name: Disable all Defender notifications docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disablenotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul - name: Disable non-critical Defender notifications docs: - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disableenhancednotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f reg add 
"HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul - name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/ code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f 2>nul - name: Disable all Defender Antivirus notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress code: |- reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f revertCode: |- reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul reg delete "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul - name: Disable Defender reboot notifications docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification code: reg 
add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul - category: Disable OS components for Defender # Hackers way of disabling Defender children: - category: Disable Defender scheduled tasks children: - name: Disable "ExploitGuard MDM policy Refresh" task docs: |- This script disables the "ExploitGuard MDM policy Refresh" scheduled task. The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings". Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1]. It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1]. Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2]. MDM offers a method to remotely adjust the ExploitGuard settings on a device [2]. Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4]. Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3]. 
### Overview of default task statuses `\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog" [2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn" [3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | nist.gov" [4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh' taskPathPattern: \Microsoft\Windows\ExploitGuard\ taskNamePattern: ExploitGuard MDM policy Refresh - name: Disable "Windows Defender Cache Maintenance" task docs: |- This script disables the "Windows Defender Cache Maintenance" scheduled task. The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1]. It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1]. 
`MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2]. Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3]. Disabling this task prevents the system from automatically clearing the Defender cache [3]. This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action. Disabling this task is reported to optimize system boot speed [4], but it could potentially lead to increased storage use by temporary files. ### Overview of default task statuses `\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | [1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com' [2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" [4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance' taskPathPattern: \Microsoft\Windows\Windows Defender\ taskNamePattern: Windows Defender Cache Maintenance - name: Disable "Windows Defender Cleanup" task docs: |- This script disables the "Windows Defender Cleanup" scheduled task. This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1]. The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3]. This task executes the following command: `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3]. ### Overview of default task statuses `\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? 
- Microsoft Community | answers.microsoft.com" [2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com' [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cleanup' taskPathPattern: \Microsoft\Windows\Windows Defender\ taskNamePattern: Windows Defender Cleanup - name: Disable "Windows Defender Scheduled Scan" task docs: |- This script disables the "Windows Defender Scheduled Scan" scheduled task. This scheduled task is responsible for performing automatic regular scans [1] [2]. By disabling this task, users can control the scheduling and frequency of antivirus scans, according to their needs, thus balancing security with system resource management [1] [2]. The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4]. It executes the following command: `C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4]. 
### Overview of default task statuses `\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com" [2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com" [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" [4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com' call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Scheduled Scan' taskPathPattern: \Microsoft\Windows\Windows Defender\ taskNamePattern: Windows Defender Scheduled Scan - name: Disable "Windows Defender Verification" task docs: |- This script disables the "Windows Defender Verification" scheduled task. This task checks for issues with Defender, such as update problems or system file errors [1]. It is also linked to the creation of daily system restore points [2]. Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources. 
It improves privacy by reducing the system state data stored on the device. The task is known as "Periodic verification task" in the Task Scheduler [3] [4]. It executes the following command: `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4]. ### Overview of default task statuses `\Microsoft\Windows\Windows Defender\Windows Defender Verification`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com" [2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com" [3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com" [4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com' call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Verification' taskPathPattern: \Microsoft\Windows\Windows Defender\ taskNamePattern: Windows Defender Verification - category: Disable Defender services and drivers # Normally users can disable services on GUI or using commands like "sc config" # 
However, Defender services are protected in different ways # 1. Some cannot be disabled normally (access error) but only with DisableServiceInRegistry # 2. Some cannot be disabled even using DisableServiceInRegistry; they must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller children: - name: Disable "Microsoft Defender Antivirus Service" # ❗️ Breaks the `Set-MpPreference` PowerShell cmdlet used to manage Defender # E.g. `Set-MpPreference -Force -MAPSReporting 0` throws: # `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.` # `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference` docs: http://batcmd.com/windows/10/services/windefend/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WinDefend" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f & sc start "WinDefend" >nul 2>&1 # - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 # function: SoftDeleteFiles # parameters: # fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
# grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - category: Disable Defender kernel-level drivers children: # - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only - name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service docs: http://batcmd.com/windows/10/services/wdnisdrv/ call: # Excluding: # - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - function: RunInlineCodeAsTrustedInstaller parameters: # "net stop" is used because it also stops dependent services; "sc stop" fails code: net stop "WdNisDrv" /yes >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "3" /f & sc start "WdNisDrv" >nul - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys' grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service docs: - https://www.n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/ - http://batcmd.com/windows/10/services/wdfilter/ call: # Excluding: # - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdFilter" >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdFilter" >nul - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys' grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on 
Windows 11 since 22H2 - name: Disable "Microsoft Defender Antivirus Boot Driver" service docs: http://batcmd.com/windows/10/services/wdboot/ call: # Excluding: # - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2 - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdBoot" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdBoot" >nul 2>&1 - function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys' grantPermissions: true # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 - name: Disable "Microsoft Defender Antivirus Network Inspection" service docs: - http://batcmd.com/windows/10/services/wdnissvc/ - https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/ call: - function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "WdNisSvc" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f & sc start "WdNisSvc" >nul 2>&1 # - # โŒ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2 # function: SoftDeleteFiles # parameters: # fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ... 
# grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - name: Disable "Windows Defender Advanced Threat Protection Service" service docs: http://batcmd.com/windows/10/services/sense/ call: - function: RunInlineCodeAsTrustedInstaller # We must disable it at the registry level; "Access is denied" for sc config parameters: code: sc stop "Sense" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "3" /f & sc start "Sense" >nul 2>&1 # Allowed values: Boot | System | Automatic | Manual - function: SoftDeleteFiles parameters: fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe' grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - name: Disable "Windows Security Service" service docs: |- This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1]. This service provides unified device protection and health information [2] [3]. It was introduced as part of the "Windows Security" interface in Windows 10, version 1703, which was earlier named "Windows Defender Security Center" [2]. Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1]. By default, this service is set to manual start [2], but it is observed to run automatically in Windows 10 and 11. The "Windows Security" interface relies on the "Windows Security Service", which in turn depends on the "Windows Security Center Service" (`wscsvc`) [1]. 
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn" [2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com" [3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io" [4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states call: - # Windows 10: # ❌ Cannot disable through sc config as Administrator; throws "Access is denied" # ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works # ✅ Can disable using registry as TrustedInstaller # Windows 11: # ❌ Cannot disable through sc config as Administrator; throws "Access is denied" # ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed." 
# ✅ Can disable using registry as TrustedInstaller function: RunInlineCodeAsTrustedInstaller parameters: code: sc stop "SecurityHealthService" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 3 /f & sc start "SecurityHealthService" >nul 2>&1 - function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\System32\SecurityHealthService.exe' grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2 - category: Disable SmartScreen docs: - https://en.wikipedia.org/wiki/Microsoft_SmartScreen - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview children: - category: Disable SmartScreen for apps and files children: - name: Disable SmartScreen for apps and files docs: - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /f 2>nul - name: Disable SmartScreen in File Explorer docs: - https://winaero.com/change-windows-smartscreen-settings-windows-10/ - https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f revertCode: |- reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul reg delete 
"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul - name: Disable SmartScreen's prevention of application execution docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen - https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /f 2>nul - category: Disable SmartScreen in Microsoft browsers children: - name: Disable SmartScreen in Edge (Chromium) for potentially unwanted apps docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /f 2>nul - name: Disable Edge SmartScreen docs: - https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ # Privacy concerns - https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen - https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreen-settings - https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713 - https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f reg add 
"HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f :: For Microsoft Edge version 77 or later reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul :: For Microsoft Edge version 77 or later reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /f 2>nul - name: Disable SmartScreen in Internet Explorer docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 code: reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /f 2>nul - category: Disable SmartScreen for Windows Store apps children: - name: Disable SmartScreen's "App Install Control" feature docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl - 
https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen code: |- reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f revertCode: |- reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul - name: Disable SmartScreen's web content (URLs) checking for apps docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services code: |- reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul - category: Disable automatic updates docs: |- Disabling automatic updates is often considered counterintuitive when it comes to securing your system. However, there are substantial arguments to consider this option if you're privacy-centric: 1. **Patching and Pre-Approval**: Manual control over update deployment allows for pre-emptive approval of patches. 
This strategy is useful in environments requiring the highest level of security. For instance, military agencies frequently employ air-gapped systems that mandate careful review of each update to mitigate risks such as potential backdoors or data leaks. Similarly, financial institutions often resort to staged rollouts of updates, subjecting them to an in-depth analysis of their implications on security and privacy before broad implementation. 2. **Telemetry and Data Transmission**: Automatic updates often come embedded with telemetry data collection mechanisms. Disabling these updates facilitates granular control over the data transmitted back to Microsoft servers. Thus, the decision to disable automatic updates allows you to control the timing and nature of information relayed to these servers. 3. **Peer-to-Peer Data Exposure**: Windows employs a Peer-to-Peer (P2P) approach to facilitate update distribution, which can reveal your IP address and some system details to peer systems [1]. 4. **Configurational integrity**: Updates have the capacity to change pre-configured settings without explicit user consent. This could result in unintended alteration of your privacy settings, leaving you exposed until you realize the change. > **Caution**: While controlling updates enhances your privacy, it can leave your system vulnerable to unpatched exploits. Ensure that you manually review and apply updates on a regular basis. You're essentially trading off some security for a heightened level of privacy. [1]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn" children: - name: Disable Automatic Updates (AU) feature docs: |- This script deactivates the Automatic Updates feature in Windows. 
By disabling Automatic Updates, you gain control over when your system is updated, which may be preferable in specific privacy-sensitive environments. The script changes a specific setting in your computer's registry, with a key called `NoAutoUpdate`, which has two possible states [1] [2]: - `0`: Automatic Updates are enabled. - `1`: Automatic Updates are disabled. By default, Windows comes with Automatic Updates enabled, meaning `NoAutoUpdate` is set to `0` [3]. Running this script will set `NoAutoUpdate` to `1`, turning off Automatic Updates [1] [2] [3]. In doing so, you prevent your computer from automatically receiving updates, a feature that could be considered intrusive or unwanted in some privacy-conscious settings. It configures your computer not to download and install updates without your explicit permission. [1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a Non–Active Directory Environment | Microsoft Learn" [2]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support" [3]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" call: function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f # Default value is `0` since Windows 10 21H2 and Windows 11 21H2 revertCode: reg add 
"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f - name: Disable automatic installation of Windows updates without user consent docs: |- This script changes how your Windows computer handles automatic updates by modifying the `AUOptions` registry key. After running this script, your computer will notify you before downloading any updates [1] [2] [3]. In the default setup, your Windows system is configured to download and install updates automatically without notifying you [4]. This means that new updates could be installed on your system without your explicit approval. By forcing Windows to notify you before downloading updates, this script hands back control over your system to you. This feature enhances your privacy and minimizes risks because you get to manually review and approve each update before it's installed. To explain the technical aspect, the `AUOptions` registry key is a setting stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` in your computer's registry [1] [3]. A value of `2` for `AUOptions` means that you will be notified before any updates are downloaded and installed [1] [2]. On older versions of Windows, setting this key to `1` would prevent the system from even checking for updates [5]. However, starting from Windows 10, the key `1` has a different meaning [2][3]. Running this script doesn't disable updates; it just ensures that you are informed and have the final say on whether to download them or not. 
[1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a Non–Active Directory Environment | Microsoft Learn" [2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20230815051303/https://learn.microsoft.com/en-us/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart "Manage device restarts after updates - Windows Deployment | Microsoft Learn" [4]: https://web.archive.org/web/20230826081345/https://learn.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent "Update Windows Update Agent to latest version - Windows Client | Microsoft Learn" [5]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support" call: function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f # Default value is `4` since Windows 10 21H2 and Windows 11 21H2 revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "4" /f - name: Disable automatic daily installation of Windows updates docs: |- This script stops Windows from automatically installing updates every day. By doing so, you gain control over when updates happen on your computer [1] [2]. By default, Windows is set to automatically update every day [2]. 
Having control over the update timing allows you to review what is being changed, thereby protecting your privacy and enhancing your system's security. Technically, what the script does is remove a specific setting in the computer's system registry, the `ScheduledInstallDay` key from `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` [1] [2]. Disabling the scheduled install day ensures that updates won't be forcibly applied on a specific day of the week. [1]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" [2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday "Update Policy CSP - Windows Client Management | Microsoft Learn" call: function: RunInlineCode parameters: code: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul revertCode: >- :: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2 reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul - name: Disable scheduled automatic updates docs: |- This script turns off the automatic installation of Windows updates that are set to occur at a specific time. By doing this, you take back control over when your computer updates itself [1] [2] [3]. The default behavior is to install updates at 3 AM [3]. Windows updates can be important for system security, but automatic installation could occur at inconvenient times and may even restart your computer without prior warning. This could interrupt your tasks and may send data about your system to external servers. 
By disabling the automatic scheduled installation time, you can manually control when updates are installed [3], ensuring that you're aware of any changes to your system. The script works by removing a specific registry key called `ScheduledInstallTime` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` [2] [3]. This is the system setting that controls the scheduled update time. [1]: https://web.archive.org/web/20230813094618/https://learn.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152 "Configure Automatic Updates in a Nonโ€“Active Directory Environment | Microsoft Learn" [2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime "Update Policy CSP - Windows Client Management | Microsoft Learn" call: function: RunInlineCode parameters: code: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul revertCode: >- :: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2 reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul - category: Disable Windows update services docs: |- The scripts in this category offer users the ability to control Windows services related to system updates. These services manage how and when your system receives updates from Microsoft. By limiting or disabling these services, users can decide when to update their system, reducing unexpected changes. Moreover, a system with fewer running services uses fewer resources, which can improve overall performance. Disabling these update services is also a privacy measure. 
Some updates can change privacy settings or add features that collect user data. By controlling update services, users can review and approve any changes before they take effect. children: # Excluding: # - Background Intelligent Transfer Service (BITS): Not exclusive to disabling automatic Windows updates, may break third-party apps # - Delivery Optimization (DoSvc): Not exclusive to disabling automatic Windows updates, breaks Microsoft Store downloads. - name: Disable "Windows Update" (`wuauserv`) service docs: |- This script turns off the Windows Update service, which is technically known as Windows Update Agent [1] [2]. By disabling this service, the automatic detection, download, and installation of updates for both Windows and other installed programs are halted [3] [4]. Updates can often come bundled with changes that could affect your privacy settings or introduce features that collect more of your data. Taking control of when and how updates are applied provides you with the opportunity to review any changes before they take effect. By default, the service is enabled and set to start up manually [5]. If you disable this service, you won't be able to use the Windows Update feature for automatic updates [5]. Additionally, other software on your computer won't be able to access the functionality provided by the Windows Update Agent, commonly known as the WUA API [5]. 
[1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn" [4]: https://web.archive.org/web/20230905120345/https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing "Patching Server Core | Microsoft Learn" [5]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" call: function: DisableService parameters: serviceName: wuauserv # Check: (Get-Service -Name 'wuauserv').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Update Orchestrator Service" (`UsoSvc`) docs: |- This script disables the Update Orchestrator Service, also known as "Update Orchestrator Service for Windows Update" [1]. This service is in charge of managing the download and installation of Windows updates [1] [2]. By default, the service is enabled and set to start up manually [1]. While updates can be crucial for the security of your system, this service can sometimes install them without your approval. 
This lack of control can pose risks to your privacy, as data might be sent from your system without your knowledge. Windows Update relies on this service [1] [3]. If stopped, your device will not be able to download and install the latest updates [1]. Turning off this service can affect the update process and might cause issues like freezing during update scanning [3]. [1]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server "Security guidelines for system services in Windows Server 2016 | Microsoft Learn" [2]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn" [3]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" call: function: DisableService parameters: serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable "Windows Update Medic Service" (`WaaSMedicSvc`) docs: |- This script disables the Windows Update Medic Service. This service runs quietly in the background [1], making sure that parts related to Windows updates are working as they should [1] [2]. By default, the service is enabled and its startup setting is set to manual [3]. This service can undo any adjustments you've made to your Windows Update settings without your consent. For example, it can re-enable automatic Windows updates [4]. That can interfere if you've tailored these settings for better privacy or security. 
When you disable this service using our script, you're taking back control. You get to choose how your system handles updates and data transfers, ensuring that your privacy settings stay as you intended. This is a reliable way to strengthen both your privacy and your control over your computer. [1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322—Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support" [2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn" [3]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn" [4]: https://github.com/undergroundwires/privacy.sexy/issues/252 call: function: DisableServiceInRegistry # Since Windows 10 21H2 and Windows 11 21H2: # - ❗️ Using `sc config` results in "Access is denied", so the registry should be used to disable the service. parameters: serviceName: WaaSMedicSvc # Check: (Get-Service -Name 'WaaSMedicSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Disable Windows update scheduled tasks docs: |- This category includes scripts to disable scheduled tasks that are associated with the automatic functioning of the Windows Update service. These tasks are responsible for various background update-related activities such as checking for updates, downloading, and installing them in the background without user intervention. Disabling these tasks grants users more control over when and how updates are applied. 
This approach is often preferred by those wishing to manually manage updates or avoid unanticipated system modifications without consent, and it is considered a best practice in high-security environments where precise control over updates is crucial. However, it's important to exercise caution with these changes. Disabling automatic updates can lead to missed critical security patches and feature updates, potentially leaving the system vulnerable. To view all the scheduled tasks related to Windows Update, you can use the following PowerShell command: ```powershell @('\Microsoft\Windows\UpdateOrchestrator\*', '\Microsoft\Windows\WindowsUpdate\*', '\Microsoft\Windows\WaaSMedic\*', '\Microsoft\Windows\InstallService\*') ` | ForEach-Object { Get-ScheduledTask -TaskName '*' -TaskPath $_ -ErrorAction SilentlyContinue } ` | ForEach-Object { Write-Host "$($_.TaskPath)$($_.TaskName)" } ``` children: - name: Disable "RestoreDevice" task docs: |- This script disables the "RestoreDevice" scheduled task. This task is involved in restoring device settings or drivers as part of update processes. ### Overview of default task statuses `\Microsoft\Windows\InstallService\RestoreDevice`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'RestoreDevice' taskPathPattern: \Microsoft\Windows\InstallService\ taskNamePattern: RestoreDevice - name: Disable "ScanForUpdates" task docs: |- This script disables the "ScanForUpdates" scheduled task. This task is responsible for performing update scans. Microsoft officially documents this task as part of the Windows updates process [1]. Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2]. 
This recommendation is also supported by Citrix for optimization purposes [3]. ### Overview of default task statuses `\Microsoft\Windows\InstallService\ScanForUpdates`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 โ€“ Whatโ€™s new - Citrix Blogs | www.citrix.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'ScanForUpdates' taskPathPattern: \Microsoft\Windows\InstallService\ taskNamePattern: ScanForUpdates - name: Disable "ScanForUpdatesAsUser" task docs: |- This script disables the "ScanForUpdatesAsUser" scheduled task. This task is responsible for performing update scans under user-specific contexts. Microsoft officially documents this task as part of the Windows updates process [1]. Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2]. This recommendation is also supported by Citrix for optimization purposes [3]. 
### Overview of default task statuses `\Microsoft\Windows\InstallService\ScanForUpdatesAsUser`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 โ€“ Whatโ€™s new - Citrix Blogs | www.citrix.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'ScanForUpdatesAsUser' taskPathPattern: \Microsoft\Windows\InstallService\ taskNamePattern: ScanForUpdatesAsUser - name: Disable "SmartRetry" task docs: |- This script disables the "SmartRetry" scheduled task. This task handles the automatic retrying of failed updates, attempting to redownload or reinstall updates that didn't install successfully on the first try. Microsoft officially documents this task as part of the Windows updates process [1]. Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2]. This recommendation is also supported by Citrix for optimization purposes [3]. 
### Overview of default task statuses `\Microsoft\Windows\InstallService\SmartRetry`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" [2]: https://web.archive.org/web/20231111172942/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement "ApplicationManagement Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 โ€“ Whatโ€™s new - Citrix Blogs | www.citrix.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'SmartRetry' taskPathPattern: \Microsoft\Windows\InstallService\ taskNamePattern: SmartRetry - name: Disable "WakeUpAndContinueUpdates" task docs: |- This script disables the "WakeUpAndContinueUpdates" scheduled task. This task is responsible for waking the computer from sleep to continue or complete pending updates. 
### Overview of default task statuses `\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | 🔴 Disabled | | Windows 11 22H2 | 🔴 Disabled | | Windows 11 23H2 | 🔴 Disabled | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'WakeUpAndContinueUpdates' taskPathPattern: \Microsoft\Windows\InstallService\ taskNamePattern: WakeUpAndContinueUpdates disableOnRevert: true - name: Disable "WakeUpAndScanForUpdates" task docs: |- This script disables the "WakeUpAndScanForUpdates" scheduled task. This task is responsible for waking up the system at scheduled times to check for Windows updates. ### Overview of default task statuses `\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | 🔴 Disabled | | Windows 11 22H2 | 🔴 Disabled | | Windows 11 23H2 | 🔴 Disabled | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'WakeUpAndScanForUpdates' taskPathPattern: \Microsoft\Windows\InstallService\ taskNamePattern: WakeUpAndScanForUpdates disableOnRevert: true - name: Disable "Scheduled Start" task docs: |- This script disables the "Scheduled Start" scheduled task. This task initiates the Windows Update service at predetermined times or under specific conditions to perform tasks like checking for and installing updates. According to the Task Scheduler, this task initiates the Windows Update service for scheduled operations like scans [1]. It executes `%SYSTEMROOT%\System32\sc.exe start wuauserv` [1]. 
### Overview of default task statuses `\Microsoft\Windows\WindowsUpdate\Scheduled Start`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231111172839/http://windows.fyicenter.com/4451_Scheduled_Start_Scheduled_Task_on_Windows_8.html '"Scheduled Start" Scheduled Task on Windows 8 | windows.fyicenter.com' call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsUpdate\' -TaskName 'Scheduled Start' taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: Scheduled Start - name: Disable "Report policies" task docs: | This script disables the "Report policies" scheduled task. This task might be responsible for reporting policy-related information to Windows Update or other system management tools. According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe ReportPolicies`. ### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\Report policies`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Report policies' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Report policies grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 10 22H2] [โ‰ฅ Windows 11 22H2] - name: Disable "Schedule Maintenance Work" task docs: |- This script disables the "Schedule Maintenance Work" scheduled task. This task is responsible for performing maintenance activities related to Windows Update, such as cleanup operations or preparation steps for update installations. 
According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartMaintenanceWork`. ### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | 🔴 Disabled | | Windows 11 22H2 | 🔴 Disabled | | Windows 11 23H2 | 🔴 Disabled | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Maintenance Work' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Schedule Maintenance Work disableOnRevert: true grantPermissions: true # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2] - name: Disable "Schedule Scan" task docs: |- This script disables the "Schedule Scan" scheduled task. This task is responsible for periodically scanning for Windows updates. According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartScan`. ### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | 🟢 Ready | | Windows 11 22H2 | 🟢 Ready | | Windows 11 23H2 | 🟢 Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Scan' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Schedule Scan grantPermissions: true # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2] - name: Disable "Schedule Scan Static Task" task docs: |- This script disables the "Schedule Scan Static Task" scheduled task. This task is responsible for running update scans at static, predefined intervals. According to the Task Scheduler, this task conducts a scheduled Windows Update scan. 
It executes `%SYSTEMROOT%\System32\UsoClient.exe StartScan`. ### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Scan Static Task' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Schedule Scan Static Task grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 10 22H2] [โ‰ฅ Windows 11 22H2] - name: Disable "Schedule Wake To Work" task docs: |- This script disables the "Schedule Wake To Work" scheduled task. This task is responsible for waking the computer from sleep or low-power mode to perform Windows updates. According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`. ### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐Ÿ”ด Disabled | | Windows 11 22H2 | ๐Ÿ”ด Disabled | | Windows 11 23H2 | ๐Ÿ”ด Disabled | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Wake To Work' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Schedule Wake To Work disableOnRevert: true grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 10 22H2] [โ‰ฅ Windows 11 22H2] - name: Disable "Schedule Work" task docs: |- This script disables the "Schedule Work" scheduled task. This task is responsible for scheduling and initiating Windows updates processes at predetermined times. According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`. 
### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\Schedule Work`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | 🔴 Disabled | | Windows 11 22H2 | 🔴 Disabled | | Windows 11 23H2 | 🔴 Disabled | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Work' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Schedule Work disableOnRevert: true grantPermissions: true # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2] - name: Disable "UpdateModelTask" task docs: |- This script disables the "UpdateModelTask" scheduled task. This task is responsible for updating Machine Learning (ML) models related to Windows Updates. According to the Task Scheduler, its purpose is to update ML models and it executes `%SYSTEMROOT%\System32\UsoClient.exe StartModelUpdates`. Microsoft suggests disabling it for performance optimization and reduced data collection [1]. 
### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 23H2 | ๐ŸŸก N/A (missing) | [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'UpdateModelTask' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateModelTask grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 10 22H2] - name: Disable "Start Oobe Expedite Work" task docs: |- This script disables the "Start Oobe Expedite Work" scheduled task. This task is responsible for performing tasks related to the "out-of-box experience" (OOBE) in Windows, such as updating system settings, applications, or features soon after a system update or initial setup. According to the Task Scheduler, its purpose is to perform a scheduled Windows Update scan. It executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`. 
### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Start Oobe Expedite Work' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Start Oobe Expedite Work grantPermissions: true # ๐Ÿ”’ No permissions, Tested since [โ‰ฅ Windows 11 22H2] - name: Disable "StartOobeAppsScan_LicenseAccepted" task docs: |- This script disables the "StartOobeAppsScan_LicenseAccepted" scheduled task. This task is responsible for initiating a scan of applications as part of the OOBE process, after a license agreement is accepted, verifying that apps are up-to-date. According to the Task Scheduler, its purpose is to perform a scheduled Windows Update scan. It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScan`. ### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScan_LicenseAccepted' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: StartOobeAppsScan_LicenseAccepted grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 11 22H2] - name: Disable "StartOobeAppsScan_OobeAppReady" task docs: |- This script disables the "StartOobeAppsScan_OobeAppReady" scheduled task. 
This task is responsible for scanning applications during the OOBE phase, verifying that apps are ready for use after system updates. According to the Task Scheduler, it performs a scheduled Windows Update scan. It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScan`. ### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScan_OobeAppReady' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: StartOobeAppsScan_OobeAppReady grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 11 22H2] - name: Disable "StartOobeAppsScanAfterUpdate" task docs: |- This script disables the "StartOobeAppsScanAfterUpdate" scheduled task. This task is responsible for scanning applications following a system update, as part of the OOBE process, to verify that all applications are compatible with the new update. According to the Task Scheduler, it performs a scheduled Windows Update scan. It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScanAfterUpdate`. 
### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScanAfterUpdate' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: StartOobeAppsScanAfterUpdate grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 11 22H2] - name: Disable "USO_UxBroker" task docs: |- This script disables the "USO_UxBroker" scheduled task. This task is related to the User Experience (UX) Broker process in Windows, managing user notifications or interactions required after an update. According to the Task Scheduler, this task is responsible for triggering a system reboot following update installations. It executes `%SYSTEMROOT%\System32\MusNotification.exe`. Disabling this task is recommended to reduce data collection and enhance system performance [1]. 
### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | [1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'USO_UxBroker' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: USO_UxBroker grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 10 22H2] [โ‰ฅ Windows 11 22H2] - name: Disable "UUS Failover Task" task docs: |- This script disables the "UUS Failover Task" scheduled task. This task is responsible for the failover mechanism for updates, designed to handle scenarios where a primary update process fails or encounters issues. According to the Task Scheduler, this task is responsible for performing a scheduled Windows Update scan. It executes `%SYSTEMROOT%\System32\UsoClient.exe HandleUusFailoverSignal`. 
### Overview of default task statuses `\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'UUS Failover Task' taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UUS Failover Task grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 11 22H2] - name: Disable "PerformRemediation" task docs: |- This script disables the "PerformRemediation" scheduled task. This task is responsible for performing remediation or recovery actions for update-related services, ensuring that these services are running in a supported configuration, particularly after updates. According to the Task Scheduler, this task aids in recovering update-related services to a supported configuration. This task restarts Windows Update Medic Service (`WaaSMedicSvc`), even if it is disabled manually [1]. Microsoft suggests disabling this task to minimize data collection and optimize performance [2]. 
### Overview of default task statuses `\Microsoft\Windows\WaaSMedic\PerformRemediation`: | OS Version | Default status | | ---------------- | ------ | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | | Windows 11 23H2 | ๐ŸŸข Ready | [1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days ยท Issue #272 ยท undergroundwires/privacy.sexy | github.com/undergroundwires" [2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" call: function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\WaaSMedic\' -TaskName 'PerformRemediation' taskPathPattern: \Microsoft\Windows\WaaSMedic\ taskNamePattern: PerformRemediation grantPermissions: true # ๐Ÿ”’ No permissions, tested since [โ‰ฅ Windows 10 22H2] [โ‰ฅ Windows 11 22H2] - name: Disable outdated Windows Update tasks docs: |- This script disables older scheduled tasks associated with Windows updates, which are no longer present in Windows versions since Windows 10 22H2 and Windows 11 22H2. The script is compatible with Windows 10 and newer versions, skipping any missing tasks on recent systems. These tasks are linked to specific system files and are involved in various update processes, such as downloading and installing updates, rebooting after updates, and more. Disabling these tasks can help reduce unnecessary system activity and potentially enhance privacy by limiting background update operations. 
### Overview of older Windows Update tasks | Task path | Related system file | | --------- | ------- | | `\Microsoft\Windows\UpdateOrchestrator\AC Power Download` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\AC Power Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Backup Scan` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Battery Saver Deferred Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Driver Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Maintenance Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Policy Install` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Reboot` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Reboot_AC` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Refresh Settings` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Resume On Boot` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot` | `MusNotification.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Idle Start` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start` | `UsoClient.exe` | | `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant` | `UpdateAssistant.exe` | | 
`\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun` | `UpdateAssistant.exe` | | `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun` | `UpdateAssistant.exe` | | `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun` | `UpdateAssistant.exe` | | `\Microsoft\Windows\WindowsUpdate\AUScheduledInstall` | `wuaueng.dll` | | `\Microsoft\Windows\WindowsUpdate\AUSessionConnect` | `wuaueng.dll` | | `\Microsoft\Windows\WindowsUpdate\Automatic App Update` | `wuautoappupdate.dll` | | `\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler` | `PLUGscheduler.exe` | | `\Microsoft\Windows\WindowsUpdate\Scheduled Start With Network` | `wuauserv` (via `sc`) | | `\Microsoft\Windows\WindowsUpdate\sih` | `SIHClient.exe` | | `\Microsoft\Windows\WindowsUpdate\sihboot` | `SIHClient.exe` | | `\Microsoft\Windows\WindowsUpdate\sihpostreboot` | `SIHClient.exe` | call: - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: AC Power Download - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: AC Power Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Backup Scan - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Battery Saver Deferred Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Driver Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Maintenance Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: MusUx_LogonUpdateResults - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: MusUx_UpdateInterval - 
function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Policy Install - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Reboot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Reboot_AC - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Reboot_Battery - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Refresh Settings - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Resume On Boot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Schedule Retry Scan - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: StartOobeAppsScan - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: USO_Broker_Display - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: USO_UxBroker_Display - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: USO_UxBroker_ReadyToReboot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Universal Orchestrator Start - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: Universal Orchestrator Idle Start - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistant - function: DisableScheduledTask parameters: taskPathPattern: 
\Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistantAllUsersRun - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistantCalendarRun - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\ taskNamePattern: UpdateAssistantWakeupRun - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: AUScheduledInstall - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: AUSessionConnect - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: Automatic App Update - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\RUXIM\ taskNamePattern: PLUGScheduler - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: Scheduled Start With Network - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: sih - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: sihboot - function: DisableScheduledTask parameters: taskPathPattern: \Microsoft\Windows\WindowsUpdate\ taskNamePattern: sihpostreboot - category: Configure how downloaded files are handled docs: |- These scripts configure the Attachment Manager included in Windows, which takes further actions for files that you receive or download, such as storing classification metadata and notifying other software [1]. 
[1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" children: - name: Disable saving of zone information in downloaded files docs: |- This script disables marking file attachments by using their zone information. The default behavior is for Windows to mark file attachments with their zone information [1]. The zone information of the origin describes whether the file was downloaded from the internet, intranet, local, or restricted zone [1]. It is used by the Attachment Manager that is included in Windows to help protect the computer from unsafe attachments that can be received with an e-mail message or downloaded from the Internet [2]. If the Attachment Manager identifies an attachment that might be unsafe, it prevents you from opening the file, or it warns you before you open the file [2]. Preventing this information from being saved: - Increases privacy by no longer leaking information about the source. - Decreases security by preventing Windows from determining risks and taking risk-based actions [1]. By not preserving the zone information, Windows cannot make proper risk assessments [3]. Disabling it has **Significant** criticality as the configuration introduces additional attack surface according to US government [4]. The Attachment Manager feature warns users when opening or executing files which are marked as being from an untrusted source, unless/until the file's zone information has been removed via the "Unblock" button on the file's properties or via a separate tool such as [Microsoft Sysinternals Streams](https://docs.microsoft.com/en-us/sysinternals/downloads/streams) [4]. It is configured using `SaveZoneInformation` value in `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4]. 
The value of this setting is confusing: according to Microsoft documentation `1` turns it on [2] [3], `2` turns it off [2] [3]. However, according to STIG V-63841, `1` disables saving zone information and `2` enables it [3]. According to my tests, the STIG interprets it right and `1` turns this function off. In clean Windows 10 and 11 installations, this key by default is missing for both `HKCU` and `HKLM`. [1]: https://www.stigviewer.com/stig/windows_10/2019-09-25/finding/V-63841 "Zone information must be preserved when saving attachments. | stigviewer.com" [2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_MarkZoneOnSavedAtttachments "Do not preserve zone information in file attachments | admx.help" [4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /f 2>nul - name: Disable notifications to antivirus programs for downloaded files docs: |- Prevents Windows from calling the registered antivirus programs when file attachments are opened [1] [2]. Windows calls registered antivirus programs for files downloaded from the Internet or received through e-mail attachments [1]. If multiple programs are registered, they will all be notified [1] [3]. This is disabled by default, so even if you do not run this script, Windows does not call the registered antivirus programs when file attachments are opened [1]. If it is enabled, Windows blocks the file from being opened when the antivirus program fails [1]. 
It is the recommended setting by Microsoft [1]. Preventing calling antivirus: - Increases privacy by not sharing your file data proactively with installed antiviruses. - Decreases security by preventing installed antiviruses from detecting and mitigating potential malicious software. Disabling it has **Moderate** criticality as it is not an appropriate antivirus configuration according to US government [4]. An updated antivirus program must be installed for this policy setting to function properly [4]. It is configured using `ScanWithAntiVirus` value in `\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4]. `3` enables the scans [1] [2] [3], `1` disables it [1] [3], and `2` leaves it optional [1]. In clean Windows 10 and 11 installations, this key by default comes with `3` value in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus`, and the key is missing for `HKCU`. [1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com" [2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. 
| stigviewer.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help" [4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov" code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "1" /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "3" /f - name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface) docs: |- This script removes the "Windows Security" app [1], known as `SecHealthUI` [2] [3]. This app serves as the interface for Windows Security [2], helping users monitor and manage their computer's security [4]. It provides alerts and guidance on vulnerabilities through the Action Center [4]. However, uninstalling the "Windows Security" app has significant implications: - It may increase vulnerability to threats by no longer alerting users about security issues or communicating updates through the Action Center [4]. - Disabling its interface can hinder the effective management of security settings, including tamper protection [5]. Despite these risks, removing the app can enhance privacy in several ways: - **Less personal data collection**: Reduces the collection and display of personal and system data such as threats [6], limiting information used to analyze user behavior. - **More control over security settings**: Encourages managing security settings programmatically, reducing accidental misconfigurations and unauthorized access. - **Decreased notifications and alerts**: Reduces the number of notifications that may expose sensitive information. - **User choice in security tools**: Offers freedom to choose alternative privacy-focused security measures. 
- **Increased anonymity**: By uninstalling the app, users reduce the amount of data shared under the terms of [Microsoft's privacy policy](https://web.archive.org/web/20231006114659/https://privacy.microsoft.com/en-us/privacystatement), which allows Microsoft to collect and share data with external entities when the app is in use. This app comes pre-installed on certain versions of Windows [7] [8]. The package is named `Microsoft.Windows.SecHealthUI` on Windows 10 and `Microsoft.SecHealthUI` on Windows 11 [1] [2]. It operates independently from individual Defender features [9] and is updated separately from the operating system [10]. Uninstalling it does not disable Microsoft Defender Antivirus or Firewall [11], and Windows will continue sending security notifications unless disabled separately [12]. > **Caution**: Uninstalling "Windows Security" app can expose your system to threats and limit your ability to configure > security settings. It should only be done with a full understanding of the consequences. [1]: https://web.archive.org/web/20231006113851/https://support.microsoft.com/en-us/topic/windows-security-update-a6ac7d2e-b1bf-44c0-a028-41720a242da3 "Windows Security Update - Microsoft Support" [2]: https://github.com/undergroundwires/privacy.sexy/issues/195 "[BUG]: Uninstalling the SecHealthUI fails, despite the app being installed. 
· Issue #195 · undergroundwires/privacy.sexy" [3]: https://web.archive.org/web/20231006113903/https://download.microsoft.com/download/e/1/0/e10a6884-2e7a-4d80-ac2f-884c39a2a1b2/5001337.csv "Services CSV file | microsoft.com" [4]: https://web.archive.org/web/20231006113932/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn" [5]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support" [6]: https://web.archive.org/web/20231006115719/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows | Microsoft Learn" [7]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [9]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn" [10]: https://web.archive.org/web/20231006115836/https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936 "KB5020779 The vulnerable driver blocklist after the October 2022 preview release - 
Microsoft Support" [11]: https://web.archive.org/web/20231006115845/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide "Microsoft Defender Antivirus in the Windows Security app | Microsoft Learn" [12]: https://web.archive.org/web/20231006115826/https://support.microsoft.com/en-us/windows/windows-security-notifications-6a59ce6a-e1e0-4795-b080-ba92d49644b2 "Windows Security notifications - Microsoft Support" call: - function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing # More info : Get-AppxPackage Microsoft.Windows.SecHealthUI packageName: Microsoft.Windows.SecHealthUI publisherId: cw5n1h2txyewy - function: UninstallNonRemovableStoreApp # Notes: # - Although not a system app, this app is flagged as 'NonRemovable'. # Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallStoreApp`. # - Attempts to remove the app installation files lead to permission errors, even with file ACL permissions granted. # Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallNonRemovableStoreAppWithCleanup`. 
parameters: # Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.SecHealthUI packageName: Microsoft.SecHealthUI publisherId: 8wekyb3d8bbwe - category: UI for privacy children: - name: Disable lock screen app notifications recommend: standard code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687 - category: Disable online content in File Explorer children: - name: Disable online tips recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f - name: Disable "Internet File Association" service recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f - name: Disable "Order Prints" picture task recommend: standard docs: - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2 - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v 
"NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f - name: Disable "Publish to Web" option for files and folders recommend: standard docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f - name: Disable provider list downloads for wizards recommend: standard docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621 code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f - category: Secure recent document lists children: - name: Disable history of recently opened documents recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f - name: Clear recently opened document history upon exit recommend: strict docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 01 /f - name: Disable Live Tiles push notifications 
recommend: standard docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f - name: Disable the "Look For An App In The Store" option recommend: standard docs: - https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1 code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f - name: Disable the display of recently used files in Quick Access recommend: strict docs: - https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent - https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5 - https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node code: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t "REG_DWORD" /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? 
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f ) revertCode: |- reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d "1" /t "REG_DWORD" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit? reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f ) - name: Disable sync provider notifications code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f - name: Disable hibernation for faster startup and to avoid sensitive data storage docs: |- This script commands your system to deactivate the hibernation feature. Hibernate is a power-saving state that saves your current work and turns off the computer [1]. When your computer hibernates, it saves the contents of its RAM to your hard disk and powers off the machine [2]. Upon starting again, your computer can restore all the open programs and documents from your hard disk to its RAM [1]. If hibernation mode is enabled, sensitive data stored in RAM is written to disk [2]. The memory can contain private data, passwords, keys and so on. This could be accessed by malicious software or people with physical access to the computer. By disabling hibernation, this script reduces the risk of such potential privacy breaches. It configures hibernation using the `powercfg` command-line tool [3]. 
[1]: https://web.archive.org/web/20230806164910/https://support.microsoft.com/en-us/windows/shut-down-sleep-or-hibernate-your-pc-2941d165-7d0a-a5e8-c5ad-8c972e8e6eff [2]: https://web.archive.org/web/20230712211259/https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-sleeping-states [3]: https://web.archive.org/web/20230806165041/https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options code: powercfg -h off revertCode: powercfg -h on - name: Enable camera on/off OSD notifications docs: - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled - https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5 - https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /d 1 /t REG_DWORD /f revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f - category: Remove items from "This PC" and "Browse" in dialog boxes children: - name: Remove "3D Objects" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: 
Remove "Desktop" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Remove "Documents" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Remove "Downloads" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ 
/d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Remove "Movies" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: Remove "Music" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - name: 
Remove "Pictures" from dialog boxes code: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f revertCode: |- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f - category: Disable OS services children: - name: Disable "Microsoft Account Sign-in Assistant" service (breaks Microsoft Store and Microsoft Account sign-in) recommend: strict docs: # **Summary** # This script gives you more privacy by preventing OS access to Azure AD to store your personal # and computer information that can be used to identify you and your computer. # However it breaks many OS features so you should make a decision based on how you'd like to use # your Windows. You can also apply and revert it once you need the broken functionality. # **Service** # This service communicates with Microsoft Account cloud authentication service # Many apps and system components that depend on Microsoft Account authentication may lose functionality. - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account # It includes following description: # > Enables user sign-in through Microsoft account identity services. # > If this service is stopped, users will not be able to logon to the computer with their Microsoft account. 
# Microsoft states it's OK to disable - https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#microsoft-account-sign-in-assistant # Formerly it was known as "Microsoft Windows Live ID Service" # And used only for applications like Office and Windows Live Messenger - https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ # It's part of OS and used for Microsoft account (MSA) that's used to identify your computer - https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual#required-endpoints - https://docs.microsoft.com/en-us/troubleshoot/mem/intune/windows-feature-updates-never-offered # **Breaks** # ❗️ Breaks Azure AD sign-in # It may break enrollment scenarios that rely on users to complete the enrollment. # E.g. typically, users are shown an Azure AD sign in window. # When set to Disable, the Azure AD sign in option may not show. # Instead, users are asked to accept the EULA, and create a local account, which may not be what you want. 
- https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#cloud-and-storage - https://docs.microsoft.com/en-us/mem/autopilot/pre-provision#user-flow # ❗️ Breaks Windows Autopilot - https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot # This service is required by Windows Autopilot to obtain the Windows Autopilot profile - https://docs.microsoft.com/en-us/mem/autopilot/policy-conflicts # ❗️ Breaks Microsoft Store # On Windows 11 it fails with `PUR-AuthenticationFailure v3ZtcNH7IECS00iL.36.1` # On Windows 10 it fails with `0x800706d9` and `0x800704cf` - https://github.com/undergroundwires/privacy.sexy/issues/100 # ❗️ Breaks feature updates (but other features are still offered) # Because it breaks Subscription Activation feature (license authentication) - https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates - https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are - https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant # Feature updates are released annually. Feature updates add new features and functionality to Windows. # Because they are delivered frequently (rather than every 3-5 years), they are easier to manage. 
- https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates call: function: DisableService parameters: serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Downloaded Maps Manager" service recommend: standard docs: http://batcmd.com/windows/10/services/mapsbroker/ call: function: DisableService parameters: serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - name: Disable "Microsoft Retail Demo" service recommend: standard docs: http://batcmd.com/windows/10/services/retaildemo/ call: function: DisableService parameters: serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - category: Disable synchronization of mail, contacts, calendar, and user data children: - name: Disable "User Data Storage" (`UnistoreSvc`) service docs: http://batcmd.com/windows/10/services/unistoresvc/ recommend: strict call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start serviceName: UnistoreSvc defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: Disable "Sync Host" (`OneSyncSvc`) service docs: http://batcmd.com/windows/10/services/onesyncsvc/ recommend: strict call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start serviceName: OneSyncSvc defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - 
name: Disable "Contact Data" service (disables contact data indexing) docs: http://batcmd.com/windows/10/services/pimindexmaintenancesvc/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_*").Start serviceName: PimIndexMaintenanceSvc defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: Disable "User Data Access" service docs: http://batcmd.com/windows/10/services/userdatasvc/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start serviceName: UserDataSvc defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: Disable "MessagingService" docs: http://batcmd.com/windows/10/services/messagingservice/ call: function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start serviceName: MessagingService defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual - name: Disable "Windows Push Notification Service" (breaks network settings view on Windows 10) recommend: strict docs: # It enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. # In the URL below you can read more about how it communicates with other sources. 
- https://docs.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview # Hosts Windows notification platform, which provides support for local and push notifications. # According to the uncited Wikipedia article, it bypasses VPN and connects directly to Microsoft. # It reveals the real IP address of the host, which circumvents the anonymity provided by VPN. - https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue # System-wide service: - http://batcmd.com/windows/10/services/wpnservice/ # Per-user service: - http://batcmd.com/windows/10/services/wpnuserservice/ # Disabling the system-wide user service "WpnUserService" breaks access to network settings on Windows 10. # It works fine on Windows 11. - https://github.com/undergroundwires/privacy.sexy/issues/110 call: - function: ShowWarning parameters: message: Disabling this service on Windows 10 is known to break Network settings. 
ignoreWindows11: true - # Windows Push Notifications System Service function: DisableService parameters: serviceName: WpnService # Check: (Get-Service -Name 'WpnService').StartType defaultStartupMode: Automatic # Allowed values: Automatic | Manual - # Windows Push Notifications User Service function: DisablePerUserService parameters: # Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService").Start # Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService_*").Start serviceName: WpnUserService defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual - category: Disable Xbox services children: - name: Disable "Xbox Live Auth Manager" service recommend: standard docs: https://batcmd.com/windows/10/services/xblauthmanager/ call: function: DisableService parameters: serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Xbox Live Game Save" service recommend: standard docs: https://batcmd.com/windows/10/services/xblgamesave/ call: function: DisableService parameters: serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Xbox Live Networking Service" recommend: standard docs: https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_v1.12.0.audit:413ad68866cc396f0bd1dd4ead7deb97 call: function: DisableService parameters: serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable "Volume Shadow Copy Service" (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC recommend: strict docs: - https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service - 
https://www.schneier.com/blog/archives/2009/12/the_security_im.html call: function: DisableService parameters: serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType defaultStartupMode: Manual # Allowed values: Automatic | Manual - name: Disable NetBios for all interfaces docs: - https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ - https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5f3c095-1ad2-4963-b075-787f800b81f2/ call: function: RunPowerShell parameters: code: |- $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces' Get-ChildItem $key | ForEach { Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose } revertCode: |- $key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces' Get-ChildItem $key | ForEach { Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose } - category: Remove bloatware children: - category: Remove Windows apps docs: |- This category covers the uninstallation of Windows apps. Windows apps were introduced with Windows 8 and are typically acquired and installed through the Store app [1]. Many of these apps come pre-installed on Windows by default [1]. Uninstalling unused or unwanted apps contributes to privacy by reducing potential data collection points and minimizing your digital footprint. The applications are categorized as: - **Installed**: Included with the OS installation [1] [2]. They are stored in the `C:\Program Files\WindowsApps\{PackageFullName}` directory [1]. - **Provisioned**: Added when you log in with a new user account for the first time [1] [2] [3]. They are located in `C:\Program Files\WindowsApps\{PackageFullName}` [1]. Following PowerShell command can be used to view all provisioned apps: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName, PublisherId` [3]. - **System apps**: Integral components of Windows [1] [2]. 
This category does not target framework apps. Framework apps are packages that get installed automatically if another application requires them [2]. If there are applications depending on these framework packages, you cannot delete the framework app individually [2]. However, if you remove those dependent applications, the associated framework package will be deleted [4]. To list all framework apps, you can use the following command: `Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name`. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231003110200/https://learn.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries "Install the Microsoft Advertising SDK - Microsoft Store | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://github.com/undergroundwires/privacy.sexy/issues/200 "[BUG]: Microsoft Advertising app removal failure ยท Issue #200 ยท undergroundwires/privacy.sexy" children: # Good information for development: # - Find out package name from store ID: https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn (https://archive.ph/U46lx) # Excluded apps: # - Microsoft.Windows.ShellExperienceHost # "Start app", required for different setting windows such as WiFi and battery panes in action bar. # - Windows.immersivecontrolpanel # "Settings app", required for settings view. 
# - Exclude framework apps: # List out framework packages: # Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name # Windows 11 (22H2) : Microsoft.UI.Xaml.CBS, Microsoft.NET.Native.Framework.2.2, Microsoft.NET.Native.Runtime.2.2, Microsoft.VCLibs.140.00.UWPDesktop # Microsoft.UI.Xaml.2.7, Microsoft.VCLibs.140.00, Microsoft.WindowsAppRuntime.1.2, Microsoft.UI.Xaml.2.4 # Windows 10 (22H2) : Microsoft.VCLibs.140.00.UWPDesktop, Microsoft.NET.Native.Framework.2.2, Microsoft.NET.Native.Runtime.2.2, Microsoft.VCLibs.140.00 # Microsoft.UI.Xaml.2.0, Microsoft.Advertising.Xaml, Microsoft.NET.Native.Framework.1.7, Microsoft.NET.Native.Runtime.1.7 - name: Remove "App Connector" app recommend: strict docs: |- This script uninstalls the "App Connector" Windows app. The App Connector app accesses elements like your location, camera, contacts, and calendars [1] [2] [3]. This raises some concerns about user privacy [2]. In simpler terms, the App Connector acts as a bridge, facilitating communication between Microsoft services and other apps over the Internet [2] [4] [5]. It's primarily aimed at developers, enabling them to connect with Microsoft cloud services, such as Azure, or with other internet-based applications [4]. It's essentially a means to allow services to interact with tools like Microsoft Power Automate, Microsoft Power Apps, and Azure Logic Apps [4]. Common services that can be connected using this include Salesforce, Office 365, Twitter, Dropbox, and Google services [4]. To secure these connections, connectors typically use OAuth or usernames and passwords [5]. 
[1]: https://web.archive.org/web/20231009125830/https://indiaplus.in/app-connector/ "What Is An App Connector: Windows 10 | indiaplus.in" [2]: https://web.archive.org/web/20231009125808/https://answers.microsoft.com/en-us/windows/forum/all/windows-10-app-connector-and-windows-shell/975e590b-1258-4552-b50f-f8e20e9aa285?page=2 "Windows 10 app connector and Windows Shell Experience - Microsoft Community" [4]: https://web.archive.org/web/20231009125723/https://learn.microsoft.com/en-us/connectors/connectors "Power Platform connectors overview | Microsoft Learn" [3]: https://web.archive.org/web/20231009125714/https://www.howtogeek.com/247661/nobody-knows-what-windows-10s-app-connector-is-and-microsoft-wont-explain-it/ "Nobody Knows What Windows 10's App Connector Is, and Microsoft Won't Explain It | howtogeek.com" [5]: https://web.archive.org/web/20150502190718/https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-data-connectors/ "Microsoft Azure API Apps Data Connectors | API Apps microservice | azure.microsoft.com" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Appconnector packageName: Microsoft.Appconnector # Discontinued after Windows 10 1511 publisherId: 8wekyb3d8bbwe - category: Remove 3D modeling apps docs: |- This category provides scripts for uninstalling pre-installed 3D modeling applications from Windows. 3D modeling applications allow users to create, visualize, and manipulate three-dimensional objects in a virtual space. They are particularly useful for designers, artists, and professionals who need to create 3D designs for various purposes. These apps, while useful for certain users, might not be required by everyone, thus providing the option to uninstall them. 
children: - name: Remove "Microsoft 3D Builder" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003172322/https://apps.microsoft.com/store/detail/3d-builder/9WZDNCRFJ3T6?hl=en-us) This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.3DBuilder packageName: Microsoft.3DBuilder publisherId: 8wekyb3d8bbwe - name: Remove "3D Viewer" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003172807/https://apps.microsoft.com/store/detail/3d-viewer/9NBLGGH42THS?hl=en-us) It's also known as "Microsoft 3D Viewer" [1]. This app comes pre-installed on certain versions of Windows [2] [3]. It was added in Windows 10, version 1703 [3]. 
[1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Microsoft3DViewer packageName: Microsoft.Microsoft3DViewer publisherId: 8wekyb3d8bbwe - category: Remove MSN (Bing) apps docs: |- This category includes scripts to uninstall MSN (sometimes branded as "Bing" or just "Microsoft") applications from Windows. MSN apps come bundled with Windows and provide users with information from various domains such as weather, sports, news, and finance. While they offer easy access to curated content right from the desktop, not all users find them essential. If users prefer other sources or tools for this information, they might wish to uninstall these default apps to declutter their system. children: - name: Remove "MSN Weather" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003173207/https://apps.microsoft.com/store/detail/msn-weather/9WZDNCRFJ3Q2?hl=en-us) It's also known as just "Weather" app [1], or previously known as "Bing Weather" [2]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.BingWeather packageName: Microsoft.BingWeather publisherId: 8wekyb3d8bbwe - name: Remove "MSN Sports" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20221204144111/https://apps.microsoft.com/store/detail/msn-sports/9WZDNCRFHVH4?hl=en-us&gl=us) It's also known as just "Sports" app [1]. This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.BingSports packageName: Microsoft.BingSports publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft News" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003194608/https://apps.microsoft.com/store/detail/microsoft-news/9WZDNCRFHVFW?hl=en-us) It's also known as just "News" app [1]. This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.BingNews packageName: Microsoft.BingNews publisherId: 8wekyb3d8bbwe - name: Remove "MSN Money" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003195625/https://apps.microsoft.com/store/detail/msn-money/9WZDNCRFHV4V) It's also known as just "Money" app [1]. This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.BingFinance packageName: Microsoft.BingFinance publisherId: 8wekyb3d8bbwe - name: Remove "Cortana" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003195834/https://apps.microsoft.com/store/detail/cortana/9NFFX4SZZ23L) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.549981C3F5F10 packageName: Microsoft.549981C3F5F10 publisherId: 8wekyb3d8bbwe - name: Remove "App Installer" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003200344/https://apps.microsoft.com/store/detail/app-installer/9NBLGGH4NNS1) It's also known as "Desktop 
App Installer" app [1]. This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.DesktopAppInstaller packageName: Microsoft.DesktopAppInstaller publisherId: 8wekyb3d8bbwe - name: Remove "Get Help" app (breaks built-in troubleshooting) docs: |- This script removes the "Get Help" app. This app comes pre-installed on certain versions of Windows [1] [2]. "Get Help" is an application designed to assist users with Windows-related issues [3]. It offers solutions through troubleshooters, instant answers, and Microsoft support articles. It connects users with Microsoft support agents and the Microsoft community for personalized assistance [3]. Removing "Get Help" not only supports a minimalist system approach but also helps reduce potential data collection. Typically, support tools like "Get Help" gather diagnostic data and user interactions, which are used to improve service and provide tailored support. By uninstalling this app, users can enhance their privacy by reducing their digital footprint. However, removing "Get Help" disrupts some system support functionalities. For instance, the built-in internet troubleshooting feature will cease to function [4]. Attempts to diagnose network problems from the system tray will result in an error message, indicating the absence of an application to manage the troubleshooting process [4]. 
The script also affects system-generated URLs such as `ms-contact-support://oem/`, which direct to OEM-specific support services [5]. Post-removal, users will need to identify alternative support options for system troubleshooting. See also: [Microsoft Store Page](https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T) > **Caution:** Removing the "Get Help" app limits access to Windows' built-in support resources and troubleshooting tools. > This action may hinder your ability to receive direct assistance from Microsoft and utilize automatic problem-solving features for system issues. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T "Get Help - Microsoft Store Apps | apps.microsoft.com" [4]: https://github.com/undergroundwires/privacy.sexy/issues/280 '[BUG]: Removing "Get Help" breaks internet troubleshooting ยท Issue #280 ยท undergroundwires/privacy.sexy | github.com/undergroundwires' [5]: https://web.archive.org/web/20231106214139/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-get-help-app "Customize the Get Help app | Microsoft Learn | learn.microsoft.com" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.GetHelp packageName: Microsoft.GetHelp publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Tips" app docs: |- [Microsoft Store 
Page](https://web.archive.org/web/20231003200952/https://apps.microsoft.com/store/detail/microsoft-tips/9WZDNCRDTBJJ) This app comes pre-installed on certain versions of Windows [1] [2] [3]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Getstarted packageName: Microsoft.Getstarted publisherId: 8wekyb3d8bbwe - category: Remove extension apps docs: |- This category focuses on scripts designed to uninstall specific extensions from Windows. Extensions, in the context of Windows, are software components that add specific capabilities to a larger software application. These extensions can be related to media, images, videos, or other functionalities that enhance the main software's performance. Most of these extensions come pre-installed on certain versions of Windows [1]. While they offer additional functionalities, not all users require them, so the scripts provide an option to uninstall them if desired. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" children: - name: Remove "HEIF Image Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003201158/https://apps.microsoft.com/store/detail/heif-image-extensions/9PMMSR1CGPWG) This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.HEIFImageExtension packageName: Microsoft.HEIFImageExtension publisherId: 8wekyb3d8bbwe - name: Remove "VP9 Video Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003201732/https://apps.microsoft.com/store/detail/vp9-video-extensions/9N4D0MSMP0PT) This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.VP9VideoExtensions packageName: Microsoft.VP9VideoExtensions publisherId: 8wekyb3d8bbwe - name: Remove "Web Media Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202207/https://apps.microsoft.com/store/detail/web-media-extensions/9N5TDP8VCMHS) This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.WebMediaExtensions packageName: Microsoft.WebMediaExtensions publisherId: 8wekyb3d8bbwe - name: Remove "Webp Image Extensions" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202310/https://apps.microsoft.com/store/detail/webp-image-extensions/9PG2DK419DRG) This app comes pre-installed on certain versions of Windows [1]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.WebpImageExtension packageName: Microsoft.WebpImageExtension publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Messaging" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202812/https://apps.microsoft.com/store/detail/microsoft-messaging/9WZDNCRFJBQ6) It's also known as just "Messaging" [1] or "Skype Video" [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Messaging packageName: Microsoft.Messaging publisherId: 8wekyb3d8bbwe - name: Remove "Mixed Reality Portal" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003202910/https://apps.microsoft.com/store/detail/mixed-reality-portal/9NG1H8B3ZC7M) This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.MixedReality.Portal packageName: Microsoft.MixedReality.Portal publisherId: 8wekyb3d8bbwe - category: Remove Microsoft Office apps docs: |- This category focuses on scripts that help uninstall select Microsoft Office apps that may come pre-installed with Windows. Microsoft Office suite is a popular productivity suite, providing tools for a wide range of tasks like document creation, note-taking, and interactive presentation development. However, while many of these apps like Word, Excel, and PowerPoint are commonly used, some other apps like My Office, OneNote, and Sway might not be essential for all users. Especially, if users have other preferred tools or the web versions suit their needs better. children: - name: Remove "Microsoft 365 (Office)" app recommend: standard docs: |- [Microsoft Store Page](https://archive.ph/ZXfCl) It's formerly known as just "Office" app [1] [2]. This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.MicrosoftOfficeHub packageName: Microsoft.MicrosoftOfficeHub publisherId: 8wekyb3d8bbwe - name: Remove "OneNote" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003203445/https://apps.microsoft.com/store/detail/onenote/9WZDNCRFHVJL) This app was previously known as "OneNote for Windows 10" [1] [2]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Office.OneNote packageName: Microsoft.Office.OneNote publisherId: 8wekyb3d8bbwe - name: Remove "Sway" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003204225/https://apps.microsoft.com/store/detail/sway/9WZDNCRD2G0J?hl=en-us) This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Office.Sway packageName: Microsoft.Office.Sway publisherId: 8wekyb3d8bbwe - name: Remove "Feedback Hub" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231003210719/https://apps.microsoft.com/store/detail/feedback-hub/9NBLGGH4R32N) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.WindowsFeedbackHub packageName: Microsoft.WindowsFeedbackHub publisherId: 8wekyb3d8bbwe - name: Remove "Windows Alarms and Clock" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092407/https://apps.microsoft.com/store/detail/windows-clock/9WZDNCRFJ3PR) This app was previously named "Windows Alarms & Clock" [1] [2]. This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.WindowsAlarms packageName: Microsoft.WindowsAlarms publisherId: 8wekyb3d8bbwe - name: Remove "Windows Camera" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092455/https://apps.microsoft.com/store/detail/windows-camera/9WZDNCRFJBBG) It's also known as just "Camera" [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.WindowsCamera packageName: Microsoft.WindowsCamera publisherId: 8wekyb3d8bbwe - name: Remove "Paint 3D" app docs: |- [Microsoft Store 
Page](https://web.archive.org/web/20231004092446/https://apps.microsoft.com/store/detail/paint-3d/9NBLGGH5FV99) This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.MSPaint packageName: Microsoft.MSPaint publisherId: 8wekyb3d8bbwe - name: Remove "Windows Maps" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092559/https://apps.microsoft.com/store/detail/windows-maps/9WZDNCRDTBVB) It is also known as just "Maps" [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.WindowsMaps packageName: Microsoft.WindowsMaps publisherId: 8wekyb3d8bbwe - name: Remove "Minecraft for Windows" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004092835/https://apps.microsoft.com/store/detail/minecraft-for-windows/9nblggh2jhxj) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.MinecraftUWP packageName: Microsoft.MinecraftUWP publisherId: 8wekyb3d8bbwe - category: Remove Microsoft Store apps docs: |- This category houses scripts dedicated to uninstalling specific applications related to the Microsoft Store. As the digital storefront for Microsoft, the Microsoft Store is a hub for apps, games, movies, and other content. While it provides a convenient method of obtaining software, some users might wish to uninstall or disable it for reasons like performance optimization or data privacy concerns. As always, when disabling or uninstalling core system apps, it is crucial to be informed of the potential repercussions and act carefully. 
children: - name: Remove "Microsoft Store" app docs: |- This script aims to uninstall the Microsoft Store app (also known as Store [1]), which comes pre-installed on modern versions of Windows [1] [2] [3]. Microsoft has stated that it does not officially support the uninstallation of this app [3] [4]. Removing it might lead to unwanted side effects [4]. The Microsoft Store is subject to the data collection policies laid out in the Windows privacy statement [5]. It can collect diagnostic data about your device, its settings, and capabilities [6]. This data is sent to Microsoft and can include unique identifiers, potentially allowing Microsoft to recognize a user and their device [6]. Additionally, the data can offer insights into your device's settings, capabilities, health, visited websites, device activity (or usage), and the memory state of your device [6]. Sometimes, this might inadvertently include parts of a file you are using [6]. From a security perspective, the Microsoft Store adds attack surface, as it has had publicly reported vulnerabilities [7]. To address privacy and security concerns, it might be beneficial to disable the Microsoft Store and explore alternative methods for software package management. However, considering the official stance from Microsoft on uninstallation, it's important to understand that this action might affect some core functionalities of the operating system. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20231004094641/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/pre-installed-microsoft-store-app-removed-logon "Pre-installed Microsoft Store app is removed at first Windows logon - Windows Client | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231004093559/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/cannot-remove-uninstall-or-reinstall-microsoft-store-app "Can't remove, uninstall, or reinstall Microsoft Store app - Windows Client | Microsoft Learn" [5]: https://web.archive.org/web/20231004094058/https://github.com/microsoft/winget-cli/issues/179#issuecomment-631183527 "Please include ability to opt out of telemetry and clear documentation on how to opt out ยท Issue #179 ยท microsoft/winget-cli ยท GitHub" [6]: https://web.archive.org/web/20231004094657/https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319#ID0EDF "Diagnostics, feedback, and privacy in Windows - Microsoft Support" [7]: https://web.archive.org/web/20231004100105/https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=microsoft+store&queryType=phrase&search_type=all&isCpeNameSearch=false "Search: Microsoft Store | NVD - Results | nist.gov" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.WindowsStore packageName: Microsoft.WindowsStore 
publisherId: 8wekyb3d8bbwe - name: Remove "Store Purchase" app docs: |- This script uninstalls the "Store Purchase" app. The Store Purchase app is linked with the purchase feature in the Store app, allowing users to view their purchase history without needing to open a separate website [1]. This app is not well-documented officially by Microsoft. The app comes pre-installed on certain Windows versions [2] [3]. [1]: https://web.archive.org/web/20231004133326/https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps "Store Purchase App | social.technet.microsoft.com" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.StorePurchaseApp packageName: Microsoft.StorePurchaseApp publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft People" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004105428/https://apps.microsoft.com/store/detail/microsoft-people/9NBLGGH10PG8) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.People packageName: Microsoft.People publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Pay" app docs: |- This script uninstalls the Microsoft Pay app. Microsoft Pay, previously known as "Microsoft Wallet" [1] [2] [3], is a cloud-based payment and wallet technology provided by Microsoft [2]. This system enables users to make payments through Microsoft Pay on websites, within Universal Windows Platform (UWP) apps, and through Microsoft Bot Framework bots [4]. The primary function of Microsoft Pay is to facilitate payments using banks and credit cards [3]. The app integrates with the Microsoft Edge browser [5] and stores card data [4]. Microsoft Pay comes pre-installed on specific versions of Windows [1] [6] [7] [8]. 
[1]: https://web.archive.org/web/20231004112751/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn" [2]: https://web.archive.org/web/20231004112830/https://blogs.windows.com/windows-insider/2016/06/21/microsoft-wallet-with-tap-to-pay-is-now-available-for-windows-insiders/ "Microsoft Wallet with tap to pay is now available for Windows Insiders | Windows Insider Blog" [3]: https://web.archive.org/web/20180216173337/http://www.microsoft.com/wallet/ "Microsoft Wallet: Digital Wallet for Secure Mobile Payments" [4]: https://web.archive.org/web/20230609124956/https://stripe.com/docs/microsoft-pay "Microsoft Pay | Stripe Documentation" [5]: https://web.archive.org/web/20231004112732/https://support.microsoft.com/en-us/microsoft-edge/features-currently-not-available-in-the-new-microsoft-edge-4307f116-8184-0c59-dcb4-3c55e00f70bf "Features currently not available in the new Microsoft Edge - Microsoft Support" [6]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [7]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [8]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Wallet packageName: Microsoft.Wallet publisherId: 8wekyb3d8bbwe - name: Remove "Snipping Tool" app docs: |- [Microsoft Store 
Page](https://web.archive.org/web/20231004133447/https://apps.microsoft.com/store/detail/snipping-tool/9MZ95KL8MR0L) This app was formerly named as "Snip & Sketch" [1] [2]. This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.ScreenSketch packageName: Microsoft.ScreenSketch publisherId: 8wekyb3d8bbwe - name: Remove "Print 3D" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20220430015415/https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s?activetab=pivot:overviewtab) This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Print3D packageName: Microsoft.Print3D publisherId: 8wekyb3d8bbwe - name: Remove "Mobile Plans" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004142628/https://apps.microsoft.com/store/detail/mobile-plans/9NBLGGH5PNB1) This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.OneConnect packageName: Microsoft.OneConnect publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Solitaire Collection" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20230609084501/https://apps.microsoft.com/store/detail/microsoft-solitaire-collection/9wzdncrfhwd2) This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.MicrosoftSolitaireCollection packageName: Microsoft.MicrosoftSolitaireCollection publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Sticky Notes" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20230806145300/https://apps.microsoft.com/store/detail/microsoft-sticky-notes/9NBLGGH4QGHW) This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.MicrosoftStickyNotes packageName: Microsoft.MicrosoftStickyNotes publisherId: 8wekyb3d8bbwe - category: Remove Xbox apps docs: |- This category contains scripts designed to uninstall specific Windows apps related to Xbox. 
Uninstalling these apps may enhance system performance and privacy, as fewer apps are running in the background, accessing personal data or utilizing system resources. If you're not using these services or apps, it might be beneficial to disable them for a cleaner and more privacy-focused user experience. children: - name: Remove "Xbox Console Companion" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004143830/https://apps.microsoft.com/store/detail/xbox-console-companion/9WZDNCRFJBD8) This app comes pre-installed on certain versions of Windows [1] [2] [3]. It's part of Microsoft Game Development Kit (GDK) [4]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.XboxApp packageName: Microsoft.XboxApp publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Live in-game experience" app recommend: standard docs: |- This script uninstalls the "Xbox Live in-game experience" app [1]. This application provides TCUI functionality [1]. 
Title-callable UI (TCUI) is a feature that allows game code to invoke pre-defined user interface displays [2]. This app comes pre-installed on certain versions of Windows [1] [3]. It's part of the Microsoft Game Development Kit (GDK) [4]. Running this script can contribute to user privacy by removing an unnecessary app that may have predefined interfaces linked with Xbox Live, minimizing potential data interactions with the system. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231004144304/https://github.com/MicrosoftDocs/xbox-live-docs/blob/docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md "xbox-live-docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md at docs · MicrosoftDocs/xbox-live-docs · GitHub" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.Xbox.TCUI packageName: Microsoft.Xbox.TCUI publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Game Bar" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004144844/https://apps.microsoft.com/store/detail/xbox-game-bar/9NZKPSTSNW4P) This app comes pre-installed on certain versions of Windows [1] [2]. It's part of the Microsoft Game Development Kit (GDK) [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.XboxGamingOverlay packageName: Microsoft.XboxGamingOverlay publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Game Bar Plugin" app recommend: standard docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. It's part of Microsoft Game Development Kit (GDK) [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.XboxGameOverlay packageName: Microsoft.XboxGameOverlay publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Identity Provider" app recommend: standard docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004150131/https://apps.microsoft.com/store/detail/xbox-identity-provider/9WZDNCRD1HKW) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.XboxIdentityProvider packageName: Microsoft.XboxIdentityProvider publisherId: 8wekyb3d8bbwe - name: Remove "Xbox Speech To Text Overlay" app recommend: standard docs: |- This script uninstalls the "Xbox Speech To Text Overlay" app. The app offers a speech-to-text feature for certain Xbox games. Specifically, it turns spoken words during a party chat into text which then appears on the game screen [1]. This function is also termed as "game and chat transcription", and is compatible with games that support this feature [2]. The removal of this app can help in reclaiming system resources and enhancing user privacy, as it would reduce the number of tools with potential voice data access. After uninstalling, the speech-to-text functionality in supported Xbox games may no longer be available. This app comes pre-installed on certain versions of Windows [3] [4]. 
[1]: https://web.archive.org/web/20231004150708/https://news.xbox.com/en-us/2021/06/15/june-2021-xbox-update/ "June Xbox Update: Party Chat Accessibility, Xbox App Official Posts, and More - Xbox Wire" [2]: https://web.archive.org/web/20231004151225/https://support.xbox.com/en-US/help/account-profile/accessibility/use-game-chat-transcription "Use game and chat transcription on Xbox and Windows devices | Xbox Support" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.XboxSpeechToTextOverlay packageName: Microsoft.XboxSpeechToTextOverlay publisherId: 8wekyb3d8bbwe - name: Remove "Mail and Calendar" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231004175316/https://apps.microsoft.com/store/detail/mail-and-calendar/9WZDNCRFHVQM) It's previously known as "Outlook Calendar and Mail" app [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage microsoft.windowscommunicationsapps packageName: microsoft.windowscommunicationsapps publisherId: 8wekyb3d8bbwe - name: Remove "Windows Media Player" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231005124745/https://apps.microsoft.com/store/detail/windows-media-player/9WZDNCRFJ3PT) This app was previously known as "Groove Music" [1] [2] [3]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.ZuneMusic packageName: Microsoft.ZuneMusic publisherId: 8wekyb3d8bbwe - name: Remove "Movies & TV" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231005124924/https://apps.microsoft.com/store/detail/movies-tv/9WZDNCRFJ3P2) It's also known as "Movies and TV" app [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.ZuneVideo packageName: Microsoft.ZuneVideo publisherId: 8wekyb3d8bbwe - name: Remove "Windows Calculator" app docs: |- [Microsoft Store Page](https://archive.ph/64EWx) It's also known as just "Calculator" [1]. This app comes pre-installed on certain versions of Windows [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.WindowsCalculator packageName: Microsoft.WindowsCalculator publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Photos" app docs: |- [Microsoft Store Page](https://archive.ph/rBoCX) It's also known as just "Photos" app [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Windows.Photos packageName: Microsoft.Windows.Photos publisherId: 8wekyb3d8bbwe - name: Remove "Skype" app docs: |- [Microsoft Store Page](https://archive.ph/vL2FJ) This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.SkypeApp packageName: Microsoft.SkypeApp publisherId: kzf8qxf38zg5c - name: Remove "GroupMe" app docs: |- [Microsoft Store Page](https://archive.ph/ggBiX) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.GroupMe10 packageName: Microsoft.GroupMe10 publisherId: kzf8qxf38zg5c - name: Remove "Windows Sound Recorder" app docs: |- [Microsoft Store Page](https://archive.ph/8Fe9K) This app is also known as "Voice recorder" [1] or "Windows Voice Recorder" [2] [3]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.WindowsSoundRecorder packageName: Microsoft.WindowsSoundRecorder publisherId: 8wekyb3d8bbwe - category: Remove Phone apps docs: |- The "Phone" category contains scripts focused on managing phone-related Windows apps. These scripts cover apps designed to connect smartphones with Windows, telecommunication tools such as dialer apps, and older or superseded phone-related apps. The objective of these scripts is to give users the flexibility to decide whether these apps remain installed and which of their functionalities are kept, enhancing their control over personal preferences. children: - name: Remove "Your Phone Companion" app docs: |- It was initially released in October 2018 [1]. It allows synchronization between your phone and PC [2]. It has been replaced by the "Phone Link" app since March 2022 [1]. It does not exist in newer versions of Windows. 
[1]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support" [2]: https://archive.ph/TfLf1#june-10-2020 "windows-insider/wip/apps/your-phone.md at public ยท MicrosoftDocs/windows-insider | github.com" call: - function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.WindowsPhone packageName: Microsoft.WindowsPhone publisherId: 8wekyb3d8bbwe - function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Windows.Phone packageName: Microsoft.Windows.Phone publisherId: 8wekyb3d8bbwe - name: Remove "Communications - Phone" app # Deprecated in newer Windows 10 docs: |- This app is also known as "Phone (dialer)" app [1]. This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.CommsPhone packageName: Microsoft.CommsPhone publisherId: 8wekyb3d8bbwe - name: Remove "Phone Link" app docs: |- [Microsoft Store Page](https://archive.ph/Z4q70) It was initially released as "Your Phone" app in October 2018 [1]. This app comes pre-installed on certain versions of Windows [2] [3]. 
[1]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.YourPhone packageName: Microsoft.YourPhone publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Remote Desktop" app docs: |- [Microsoft Store Page](https://archive.ph/jGZBm) It's also known as just "Remote Desktop" [1]. This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.RemoteDesktop packageName: Microsoft.RemoteDesktop publisherId: 8wekyb3d8bbwe - name: Remove "Network Speed Test" app recommend: standard docs: |- [Microsoft Store Page](https://archive.ph/EpJ1B) This app comes pre-installed on certain versions of Windows [1]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.NetworkSpeedTest packageName: Microsoft.NetworkSpeedTest publisherId: 8wekyb3d8bbwe - name: 'Remove "Microsoft To Do: Lists, Tasks & Reminders" app' docs: |- [Microsoft Store Page](https://archive.ph/tOSDW) This app comes pre-installed on certain versions of Windows [1]. [1]: https://archive.ph/wt3sJ "Surface Duo 2 - Dual-Screen Mobile Productivity - Microsoft Surface | microsoft.com" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Todos packageName: Microsoft.Todos publisherId: 8wekyb3d8bbwe - category: Remove third-party apps docs: |- This category provides options to uninstall third-party applications (not developed by Microsoft) that may come preinstalled or be available for installation on specific Windows versions. children: - name: Remove "Shazam" app docs: |- [Microsoft Store Page](https://archive.ph/zjVBQ) Shazam Windows app was officially declared end-of-life on February 7, 2017 and is discontinued as Windows app [1]. 
[1]: https://web.archive.org/web/20231007013946/https://www.windowscentral.com/shazam-pulls-plug-windows-apps "Shazam pulls the plug on its Windows apps for PC and Mobile | Windows Central" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage ShazamEntertainmentLtd.Shazam packageName: ShazamEntertainmentLtd.Shazam publisherId: pqbynwjfrbcg4 - category: Remove Candy Crush apps docs: |- This category consists of scripts to uninstall the various Candy Crush applications that may come preinstalled or be available for installation on certain versions of Windows. children: - name: Remove "Candy Crush Saga" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231007015121/https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage king.com.CandyCrushSaga packageName: king.com.CandyCrushSaga publisherId: kgqvnymyfvs32 - name: Remove "Candy Crush Soda Saga" app docs: |- [Microsoft Store Page](https://web.archive.org/web/20231007015313/https://www.microsoft.com/en-us/p/candy-crush-soda-saga/9nblggh1zrpv) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage king.com.CandyCrushSodaSaga packageName: king.com.CandyCrushSodaSaga publisherId: kgqvnymyfvs32 - name: Remove "Flipboard" app docs: |- [Microsoft Store Page](https://archive.ph/yEn8l) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Flipboard.Flipboard packageName: Flipboard.Flipboard publisherId: 3f5azkryzdbc4 - name: Remove "Twitter" app docs: |- [Microsoft Store Page](https://archive.ph/4xGBR) call: function: 
UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing # More info : Get-AppxPackage 9E2F88E3.Twitter packageName: 9E2F88E3.Twitter publisherId: wgeqdkkx372wm - name: 'Remove "iHeart: Radio, Music, Podcasts" app' docs: |- [Microsoft Store Page](https://archive.ph/qKiUM) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing # More info : Get-AppxPackage ClearChannelRadioDigital.iHeartRadio packageName: ClearChannelRadioDigital.iHeartRadio publisherId: a76a11dkgb644 - name: 'Remove "Duolingo - Language Lessons" app' docs: |- [Microsoft Store Page](https://archive.ph/AgJOE) This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing # More info : Get-AppxPackage D5EA27B7.Duolingo-LearnLanguagesforFree packageName: D5EA27B7.Duolingo-LearnLanguagesforFree publisherId: yx6k7tf7xvsea - name: Remove "Adobe Photoshop Express" app docs: |- [Microsoft Store Page](https://archive.ph/213f5) This app is also known as just "Photoshop Express" [1]. This app comes pre-installed on certain versions of Windows [1]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage AdobeSystemsIncorporated.AdobePhotoshop packageName: AdobeSystemsIncorporated.AdobePhotoshopExpress # Official docs is wrong (given as `AdobeSystemIncorporated.AdobePhotoshop`) publisherId: ynb6jyjzte8ga - name: Remove "Pandora" app docs: |- [Microsoft Store Page](https://archive.ph/uKHGP) This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage PandoraMediaInc.29680B314EFC2 packageName: PandoraMediaInc.29680B314EFC2 publisherId: n619g4d5j0fnw - name: Remove "Eclipse Manager" app docs: |- [Microsoft Store Page](https://archive.ph/bnllD) This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage 46928bounde.EclipseManager packageName: 46928bounde.EclipseManager publisherId: a5h4egax66k6y - name: Remove "Code Writer" app docs: |- [Microsoft Store Page](https://archive.ph/RZY0r) This app comes pre-installed on certain versions of Windows [1]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage ActiproSoftwareLLC.562882FEEB491 packageName: ActiproSoftwareLLC.562882FEEB491 publisherId: 24pqs290vpjk0 - name: 'Remove "Spotify - Music and Podcasts" app' docs: |- [Microsoft Store Page](https://archive.ph/r3VwJ) call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage SpotifyAB.SpotifyMusic packageName: SpotifyAB.SpotifyMusic publisherId: zpdnekdrzrea0 - category: Remove system apps docs: |- This category includes scripts for uninstalling default system apps in Windows. System apps are pre-installed [1] [2] applications located in the `C:\Windows*` directory [1] [2]. These apps are typically found on `C:\Windows\SystemApps\{PackageFamilyName}` or `C:\Windows\{ShortAppName}` folders. To view all system apps: 1. Open a PowerShell command prompt. 2. Execute the following command: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, PublisherId, InstallLocation` They are integral components of the Windows operating system [1]. However, by removing unnecessary system apps, users can enhance their privacy by reducing potential data collection points and streamlining their system. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" children: - name: Remove "File Picker" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage 1527c705-839a-4832-9118-54d4Bd6a0c89 packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89 publisherId: cw5n1h2txyewy - name: Remove "File Explorer" app docs: | This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage c5e2524a-ea46-4f67-841f-6a9465d9d515 packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515 publisherId: cw5n1h2txyewy - name: Remove "App Resolver UX" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage E2A4F912-2574-4A75-9BB0-0D023378592B packageName: E2A4F912-2574-4A75-9BB0-0D023378592B publisherId: cw5n1h2txyewy - name: Remove "Add Suggested Folders To Library" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE publisherId: cw5n1h2txyewy - name: Remove "InputApp" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage InputApp packageName: InputApp publisherId: cw5n1h2txyewy - name: Remove "Microsoft AAD Broker Plugin" app (breaks Night Light settings, taskbar keyboard selection and Office app authentication) # recommend: strict (Unrecommended due to too many side-effects) docs: |- This script uninstalls the "Microsoft AAD Broker Plugin" app. This app is also referred to as the "Work or school account" or "Broker plug-in" [1]. 
The primary purpose of this app is to offer login functionality for what used to be Azure Active Directory and is now called Microsoft Entra ID [2]. Users should be aware of the following side-effects before uninstalling: - For certain Windows versions, uninstalling this app disrupts the keyboard selection in the taskbar [3]. Clicking on the taskbar language selection icon will not show the selection dialog [3]. - The Night Light feature, which adjusts the colors on your screen to reduce eye strain during the evening and night, will stop functioning after uninstalling [4]. You can read more about the Night Light feature [here](https://web.archive.org/web/20231003182409/https://support.microsoft.com/en-us/windows/set-your-display-for-night-time-in-windows-18fe903a-e0a1-8326-4c68-fd23d7aaf136). - The authentication process for Office apps is affected, preventing users from signing in [5]. Removing this app enhances user privacy by reducing potential data collection by the app. Yet, it's important to weigh the privacy benefits against the loss of the above functionalities. Note: This app is pre-installed on specific Windows versions [1] [6] [7]. [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20231003182133/https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id "Microsoft Entra ID (formerly Azure Active Directory) | Microsoft Security" [3]: https://github.com/undergroundwires/privacy.sexy/issues/24 "The selection of keyboards in the taskbar disappears. ยท Issue #24 ยท undergroundwires/privacy.sexy" [4]: https://github.com/undergroundwires/privacy.sexy/issues/54 "What script disables the night light settings? 
· Issue #54 · undergroundwires/privacy.sexy" [5]: https://web.archive.org/web/20231003182528/https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/automatic-authentication-fails "Authentication automatically fails in Microsoft 365 services - Microsoft 365 | Microsoft Learn" [6]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [7]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.AAD.BrokerPlugin packageName: Microsoft.AAD.BrokerPlugin # Official docs give the wrong name "Microsoft.AAD.Broker.Plugin" publisherId: cw5n1h2txyewy - name: Remove "Microsoft Accounts Control" app docs: |- It is also known as "Email and accounts" [1]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.AccountsControl packageName: Microsoft.AccountsControl publisherId: cw5n1h2txyewy - name: Remove "Microsoft Async Text Service" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.AsyncTextService packageName: Microsoft.AsyncTextService publisherId: 8wekyb3d8bbwe - name: Remove "Hello setup UI" app (breaks biometric authentication) recommend: strict docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
See also: [Discussion about this service on Microsoft forums](https://web.archive.org/web/20231003183050/https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a) [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.BioEnrollment packageName: Microsoft.BioEnrollment publisherId: cw5n1h2txyewy - name: Remove "Credentials Dialog Host" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2] [3]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.CredDialogHost packageName: Microsoft.CredDialogHost publisherId: cw5n1h2txyewy - name: Remove "EC" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.ECApp packageName: Microsoft.ECApp publisherId: 8wekyb3d8bbwe - name: Remove "Lock" app (shows lock screen) docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
See also: [More information about the `LockApp.exe` process](https://web.archive.org/web/20231003183213/https://www.getwox.com/what-is-lockapp-exe/) [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.LockApp packageName: Microsoft.LockApp publisherId: cw5n1h2txyewy - category: Remove Edge (Legacy) docs: |- This category includes scripts to remove Microsoft Edge Legacy. Microsoft introduced the Legacy version based on the EdgeHTML engine [1] in 2015 [2]. However, as of March 9, 2021, they stopped supporting this version, meaning it no longer receives security updates or patches [1] [2]. Keeping unsupported software on your system can expose it to security vulnerabilities. Initially, this version was the default browser on Windows 10 PCs [1]. Due to its tight integration with Windows, a simple uninstall might not eliminate all related files. One privacy concern with Microsoft Edge Legacy is how it handles your browsing history. When used, the browser integrates your browsing history into your device's activity log, which is sent to Microsoft [3]. Even if this is disabled, the data remains on your device [3]. This locally stored data can be analyzed to profile your behavior, potentially compromising your privacy. By using this script, you ensure a comprehensive removal of the browser and its related components, thus enhancing your system's privacy and security. 
[1]: https://web.archive.org/web/20231004084011/https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0 "What is Microsoft Edge Legacy? - Microsoft Support" [2]: https://web.archive.org/web/20231120102054/https://learn.microsoft.com/en-us/lifecycle/products/microsoft-edge-legacy "Microsoft Edge Legacy - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support" children: - name: Remove "Microsoft Edge" app recommend: strict docs: |- This script uninstalls the "Microsoft Edge" Windows app. This app comes pre-installed on certain versions of Windows [1] [2] [3]. As of March 9, 2021, this app stopped receiving any updates or security patches [4]. Such unsupported software can become a security risk. Furthermore, using this version means your browsing data gets integrated into your device's activity history [5]. Microsoft can access this data [5] and it remains stored locally, leaving traces of your behavior [5]. Removing this software not only minimizes potential security threats but also improves your privacy by preventing data accumulation. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn" [5]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.MicrosoftEdge packageName: Microsoft.MicrosoftEdge publisherId: 8wekyb3d8bbwe - name: Remove "Microsoft Edge Dev Tools Client" app recommend: strict docs: |- This script removes the Developer Tools (DevTools) app that was paired with Microsoft Edge Legacy. These tools, now outdated, haven't received updates for a while [1] [2]. If the main Edge application is uninstalled, these tools lose their relevance and should be removed as well. This app comes pre-installed on certain versions of Windows [3] [4]. Getting rid of such outdated software components helps to protect your security. They could have vulnerabilities waiting to be exploited. By uninstalling them, you're taking a step towards a more secure system. 
[More about Edge DevTools](https://web.archive.org/web/20200508053014/https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide) [1]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn" [2]: https://web.archive.org/web/20231004084959/https://learn.microsoft.com/en-us/archive/microsoft-edge/legacy/developer/ "Legacy Microsoft Edge developer documentation - Legacy Microsoft Edge developer docs | Microsoft Learn" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.MicrosoftEdgeDevToolsClient packageName: Microsoft.MicrosoftEdgeDevToolsClient publisherId: 8wekyb3d8bbwe - name: Remove Edge (legacy) file and URL associations recommend: strict docs: |- This script unlinks file and URL associations from the legacy Microsoft Edge, ensuring that it is not mistakenly recognized as the default browser on your system. When you remove Microsoft Edge and don't disconnect its associations as the default browser, certain Windows functionalities may malfunction, as reported by users [1]. The standard uninstallation method for Microsoft Edge does not unlink these associations, leading to possible issues. 
For newer versions of Windows (specifically, Windows 10 21H2 and Windows 11 21H2 and beyond), the Chromium-based Edge is associated with the majority of default options (with ProgIDs `MSEdgePDF` and `MSEdgeHTM` [2]); however, there are still associations for legacy Edge. The legacy Microsoft Edge is associated with several ProgIDs, such as `AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9` and `AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723`, all prefixed with `AppX` [3]. To check the specific file and URL associations handled by Edge, you can look under the following registry keys, although not all these keys are registered by the operating system: - `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\URLAssociations` - `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\FileAssociations` Within these keys: - URL associations include `http`, `https`, `microsoft-edge`, and others. - File associations include `.htm`, `.html`, `.pdf`, and `.svg`. By running this script, you ensure that no stale associations remain pointing at the uninstalled browser, which avoids the malfunctions users have reported after removing Edge without unlinking them [1]. Note that the script selects ProgIDs by their `AppX` prefix rather than by the exact identifiers listed above, so review which other packaged apps are registered as default handlers under these keys before running it. 
[1]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again ยท Issue #64 ยท undergroundwires/privacy.sexy" [2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn" [3]: https://web.archive.org/web/20231001223221/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#defaultassociationsconfiguration call: function: RemoveBrowserAssociations parameters: progIdPattern: AppX* # List: # $keywords = @('AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9', 'AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723', 'AppXq0fevzme2pys62n3e0fbqa7peapykr8v', 'AppX90nv6nhay5n6a98fnetv7tpk64pp35es') # Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts' | ForEach-Object { $_.Property } | Where-Object { $key = $_; $keywords | Where-Object { $key -match $_ } } toastAssociations: >- AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.htm AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.html AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723_.pdf AppXq0fevzme2pys62n3e0fbqa7peapykr8v_http AppX90nv6nhay5n6a98fnetv7tpk64pp35es_https - name: Remove "Win32 Web View Host" / "Desktop App Web Viewer" app recommend: strict docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Win32WebViewHost packageName: Microsoft.Win32WebViewHost publisherId: cw5n1h2txyewy - name: Remove "Microsoft PPI Projection" app docs: |- [More about Perceptive Pixel](https://en.wikipedia.org/wiki/Perceptive_Pixel) This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" recommend: strict call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.PPIProjection packageName: Microsoft.PPIProjection publisherId: cw5n1h2txyewy - name: Remove "ChxApp" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Windows.Apprep.ChxApp packageName: Microsoft.Windows.Apprep.ChxApp publisherId: cw5n1h2txyewy - name: Remove "Assigned Access Lock App" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Windows.AssignedAccessLockApp packageName: Microsoft.Windows.AssignedAccessLockApp publisherId: cw5n1h2txyewy - name: Remove "Capture Picker" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.Windows.CapturePicker packageName: Microsoft.Windows.CapturePicker publisherId: cw5n1h2txyewy - name: Remove "Cloud Experience Host" app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in) # recommend: strict (Unrecommended due to too many side-effects) docs: |- This script uninstalls the Microsoft Cloud Experience Host app. This app is required for connecting to corporate domains or Microsoft cloud-based services. It is also referred to as the "Microsoft account" app [1]. Because of the side effects described below, do not run this script on a device that signs in with a Microsoft account or that is (or will be) joined to a workplace or Azure AD environment. This app comes pre-installed on certain versions of Windows [1] [2] [3]. The Microsoft Cloud Experience Host has several functionalities: - It is responsible for connecting Microsoft accounts [4] [5]. - It enables corporate login. Cloud Experience Host application comes into action during the joining process of workplace environments or Azure Active Directory (Azure AD) [6]. It renders the experience when collecting company-provided credentials [6]. After enrolling your device with your workplace environment or Azure AD, your organization can manage your PC and collect specific data about you, including your location [6]. The organization may add or remove apps, modify settings, disable certain features, prevent account removal, or even reset your PC [6]. - It manages PIN, Biometric, and Device authentication [7]. 
This is needed for Windows Hello, which supports authentication through a device, biometric data, or a PIN code [7]. This functionality also assists in joining a machine to Azure AD or an on-premises AD domain [7]. - Lastly, it aids in Out-of-box experience (OOBE) troubleshooting [8]. The OOBE comprises a series of screens such as the license agreement, internet connection, and login [9]. The service helps detect errors occurring during the OOBE flow [8]. While the service does offer these essential functionalities, it also introduces notable privacy considerations. However, if one decides to uninstall it, they will encounter the following challenges: - The ability to sign in to Windows using a Microsoft account will be hampered, affecting cloud-based sign-in [10] [11]. - The password and PIN sign-in options located in "Settings > Sign-in Options" will be inaccessible [12]. [1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231007145740/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [5]: https://web.archive.org/web/20231007145741/https://answers.microsoft.com/en-us/windows/forum/all/cant-login-to-microsoft-account-because-of-cloud/0861c72d-3621-45bc-bae0-67d13121f526 "cant login to microsoft account because of cloud experience host - Microsoft Community | 
answers.microsoft.com" [6]: https://web.archive.org/web/20231007145756/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology#cloud-experience-hos "How Windows Hello for Business works - technology and terms - Windows Security | Microsoft Learn" [7]: https://web.archive.org/web/20231007150204/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning "How Windows Hello for Business works - Provisioning - Windows Security | Microsoft Learn" [8]: https://web.archive.org/web/20231007150256/https://learn.microsoft.com/en-us/windows/privacy/required-windows-11-diagnostic-events-and-fields#cloud-experience-host-events "Required diagnostic events and fields for Windows 11, version 21H2 - Windows Privacy | Microsoft Learn" [9]: https://web.archive.org/web/20231007150258/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe "Customize OOBE | Microsoft Learn" [10]: https://github.com/undergroundwires/privacy.sexy/issues/99 "Microsoft login procedure is not functional · Issue #99 · undergroundwires/privacy.sexy | github.com" [11]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy | github.com" [12]: https://github.com/undergroundwires/privacy.sexy/issues/67 "[BUG]: Unable to change PIN and Password · Issue #67 · undergroundwires/privacy.sexy | github.com" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.Windows.CloudExperienceHost packageName: Microsoft.Windows.CloudExperienceHost publisherId: cw5n1h2txyewy - name: Remove "Content Delivery Manager" app recommend: strict docs: |- This script uninstalls the "Content Delivery Manager" app. 
This app provides Windows Spotlight functionality [1], which automatically sets random wallpapers on the lock screen in Windows [2] [3]. The main purpose of this app is to update the Windows experience [1]. To achieve this, the app collects data about interactions with the Windows Spotlight content, such as which content is viewed, clicked on, or given feedback [1]. It records the content's ID, user actions, and other associated attributes [1]. Additionally, the app aggregates data about the state of content offers on a device, including the health of user accounts, the health status of the content delivery, and more specific metrics [1]. The app also keeps track of where the content is displayed, like on the LockScreen or Start menu, and when [1] [3]. This detailed tracking ensures that Windows stays up-to-date [1]. However, for users who prioritize privacy, understanding the data this app collects can be vital. The app comes pre-installed on certain versions of Windows [4] [5]. [1]: https://web.archive.org/web/20231007152921/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703#content-delivery-manager-events "Windows 10, version 1703 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn" [2]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support" [3]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn" [4]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [5]: 
https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.Windows.ContentDeliveryManager packageName: Microsoft.Windows.ContentDeliveryManager publisherId: cw5n1h2txyewy - name: Remove "Search" app (breaks Windows search) docs: |- This script removes two specific apps from Windows: - `Microsoft.Windows.Cortana`: Commonly known as Cortana [1] [2] [3]. This app comes pre-installed on certain versions of Windows [1] [2] [3]. - `Microsoft.Windows.Search`: Introduced in Windows 10 2004, this app took over the role of `Microsoft.Windows.Cortana` to provide search functionality [4]. The executable for this app is `SearchApp.exe`, located at `C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe` [5] [6]. This app powers the Windows search bar [5]. Some community reports have indicated that this app may collect data to display advertisements [7] [8]. Removing these apps contributes to user privacy by eliminating potential data collection points. However, please note that running this script will break the built-in Windows search functionality. Weigh the trade-off between improved privacy and the loss of search functionality before proceeding. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn" [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [4]: https://web.archive.org/web/20231007222810/https://answers.microsoft.com/en-us/windows/forum/all/applocker-blocking-windows-search-functionality/5509bfcc-061c-49e0-803d-6dbb1bc6a839 "Applocker Blocking windows search functionality Win 10 - 2004 - Microsoft Community" [5]: https://web.archive.org/web/20231007222923/https://learn.microsoft.com/en-us/answers/questions/461791/kb5003637-problem-with-windows-search-bar "KB5003637 Problem With Windows Search Bar - Microsoft Q&A" [6]: https://web.archive.org/web/20231007222844/https://learn.microsoft.com/en-us/answers/questions/842652/unable-to-start-a-dcom-server-microsoftwindows-cli?cid=kerryherger&page=2 "Unable to start a DCOM Server - MicrosoftWindows.Client.CBS_120.2212.4170.0_x64__cw5n1h2txyewy!InputApp as Unavailable/Unavailable. Error 2147942402 (TextInputHost.exe) - Microsoft Q&A" [7]: https://web.archive.org/web/20231007222907/https://learn.microsoft.com/en-us/answers/questions/175856/windows-10-20h2-searchapp-exe-network-connection "Windows 10 20H2 searchapp.exe - network connection - Microsoft Q&A" [8]: https://web.archive.org/web/20231007222922/https://learn.microsoft.com/en-us/answers/questions/893937/searchapp-exe-connecting-to-ms-for-no-reason "Searchapp.exe connecting to MS for no reason. 
- Microsoft Q&A" call: - function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing # More info : Get-AppxPackage Microsoft.Windows.Cortana packageName: Microsoft.Windows.Cortana # Removed since version 2004 publisherId: cw5n1h2txyewy - function: UninstallStoreApp parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing # More info : Get-AppxPackage Microsoft.Windows.Search packageName: Microsoft.Windows.Search # Added in Windows 10 version 2004; it was called "Cortana" before, now it is plain "Search" publisherId: cw5n1h2txyewy - name: Remove "Holographic First Run" app recommend: standard docs: |- The "Windows Holographic First Run" app is a diagnostic tool on Windows, designed for potential users of Microsoft's Hololens, an augmented reality headset [1]. When run, the app scans your computer's hardware to determine its compatibility with the Hololens [1]. It assesses which components meet or exceed the required specifications, which might offer a subpar experience, and which fail to meet the necessary standards [1]. The app accesses hardware data to ensure that the users have a system capable of supporting the Hololens [1]. This app is pre-installed in specific Windows versions [2]. 
[1]: https://web.archive.org/web/20231003184605/https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/ "Check If Your PC Meets The Windows Holographic App Requirements | addictivetips.com" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing # More info : Get-AppxPackage Microsoft.Windows.Holographic.FirstRun packageName: Microsoft.Windows.Holographic.FirstRun publisherId: cw5n1h2txyewy - category: Remove Out-of-Box Experience (OOBE) apps docs: |- This category focuses on uninstalling specific Out-of-Box Experience (OOBE) apps from Windows devices. OOBE apps are components of the Windows setup process designed to guide users through initial device setup, establishing settings and preferences, and connecting to networks [1]. [1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn" children: - name: Remove "OOBE Network Captive Portal" app docs: |- This script uninstalls the OOBE Network Captive Portal app. The app is part of the Out-of-Box Experience (OOBE) process in Windows [1]. When users set up their Windows system for the first time, they encounter the "Let's connect you to a network" screen [1]. This screen precedes the End User License Agreement (EULA) screen and presents available connection options, including Wi-Fi and Cellular data networks in the vicinity [1]. Some pages during the OOBE are delivered through a cloud service [1]. The app runs the `OOBENetworkCaptivePortal.exe` file, which is responsible for the Captive Portal Flow during OOBE [2]. 
This app is pre-installed in specific Windows versions [3] [4]. [1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network "Windows 10 OOBE screen details | Microsoft Learn" [2]: https://web.archive.org/web/20231007230004/https://strontic.github.io/xcyclopedia/library/OOBENetworkCaptivePortal.exe-0DF57DA84716210304E79A34BF5F4B39.html "OOBENetworkCaptivePortal.exe | OOBE Captive Portal Flow | STRONTIC" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.Windows.OOBENetworkCaptivePortal packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Official docs list the wrong package name "Microsoft.Windows.OOBENetworkCaptivePort" publisherId: cw5n1h2txyewy - name: Remove "OOBE Network Connection Flow" app docs: |- This script uninstalls the "OOBE Network Connection Flow" app from Windows devices. The OOBE (Out-of-Box Experience) Network Connection Flow app assists users during their initial setup of a Windows device [1]. When setting up, users encounter the "Let's connect you to a network" screen, which lists available Wi-Fi and Cellular network options [1]. Devices with LTE capabilities and an active SIM card will automatically connect to the Cellular network, but if a Wi-Fi network is accessible, it will be preferred [1]. 
To ensure users don't consume excessive data during setup, Windows limits the download to essential updates when on metered networks [1]. After establishing a network connection, the device starts downloading necessary driver and Windows Zero-Day Patch (ZDP) updates, which are necessary for device performance and security [1]. Users cannot opt-out of these updates [1]. If a newer Windows version is available and the device qualifies, users will get an option to download this update at the OOBE's conclusion [1]. The primary process for this app is `OOBENetworkConnectionFlow.exe` [2]. This app comes pre-installed on certain versions of Windows [3] [4]. [1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn" [2]: https://web.archive.org/web/20231007233651/https://strontic.github.io/xcyclopedia/library/OOBENetworkConnectionFlow.exe-823E4DEF469E572C9C3DC2DC332441E1.html "OOBENetworkConnectionFlow.exe | OOBE Network Connection Flow | STRONTIC" [3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Windows.OOBENetworkConnectionFlow packageName: Microsoft.Windows.OOBENetworkConnectionFlow publisherId: cw5n1h2txyewy - name: Remove "Microsoft Family Safety" / "Parental control" app recommend: standard docs: |- This script uninstalls the parental control app for 
Microsoft Family Safety. A **parental control** app helps parents regulate the content their children access online, including how long they spend on devices [1]. It provides features such as content filtering, screen time limit enforcement, activity monitoring, contact blocking, and activity reports [1] [2]. **Family Safety**, a specific parental control tool from Microsoft, lets parents monitor and control their children's online activities [3]. It offers the ability to filter unsuitable web content and gives parents insight into the search terms their children use on search engines [3]. One notable function is the "safe search" feature that communicates with search engines to ensure adult material is excluded from search results [3]. However, using Family Safety means Microsoft collects personal details such as names, email addresses, birth dates, and other diagnostic data [4]. There's a privacy concern, especially regarding minors, because the tool actively logs the search terms children enter into search engines [3]. While "safe search" promotes user safety, it communicates settings to various search engine platforms, potentially sharing user preferences and identifiable information with these third parties [3]. It's also worth noting that certain browsers, like Firefox, require extra measures to ensure secure connections [3]. Without these measures, there's a risk of user data interception or manipulation. This app comes pre-installed on certain versions of Windows [5] [6]. 
[1]: https://web.archive.org/web/20231008130535/https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/choosing-a-parental-control-app "Choosing a parental control app that works for you - Microsoft 365" [2]: https://web.archive.org/web/20231008130516/https://www.microsoft.com/en-us/microsoft-365/family-safety "Microsoft Family Safetyโ€”Location Sharing and Screen Time App | Microsoft 365" [3]: https://web.archive.org/web/20231008130419/https://support.microsoft.com/en-us/topic/family-safety-update-improves-web-filtering-and-activity-reporting-in-windows-8-1-and-windows-rt-8-1-116efe24-0153-9680-0d0c-5f433c677336 "Family Safety update improves web filtering and activity reporting in Windows 8.1 and Windows RT 8.1 - Microsoft Support" [4]: https://web.archive.org/web/20231008130529/https://support.microsoft.com/en-us/account-billing/family-safety-data-collection-and-privacy-options-3d01b791-e48a-498f-bfa6-97f0d373cd9c "Family Safety data collection and privacy options - Microsoft Support" [5]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [6]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Windows.ParentalControls packageName: Microsoft.Windows.ParentalControls publisherId: cw5n1h2txyewy - name: Remove "My People" app recommend: strict docs: |- This script uninstalls the "My People" app. This app is also known as "People Hub" [1] [2] or "Windows My People" [3] [4]. 
It allows users to pin contacts to the Windows task bar [3]. Additionally, users can drag and drop documents, photos, or videos onto a contact to share them [3]. This app comes pre-installed on certain versions of Windows [1] [2]. Its main operational file is `PeopleExperienceHost.exe`, which can typically be located at `C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe` [4]. This process is commonly known as "Windows My People" [4]. By uninstalling pre-installed apps like "My People", users can reclaim system resources and potentially enhance privacy by reducing the number of apps that could access and share their data. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231009112816/https://blogs.windows.com/windowsexperience/2016/10/26/empowering-a-new-wave-of-creativity-with-the-windows-10-creators-update-and-surface-studio/ "Empowering a new wave of creativity with the Windows 10 Creators Update and Surface Studio | Windows Experience Blog" [4]: https://web.archive.org/web/20231009111644/https://strontic.github.io/xcyclopedia/library/PeopleExperienceHost.exe-4DB57408AA06543E575368FEDC280B4A.html 
"PeopleExperienceHost.exe | Windows My People | STRONTIC" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.Windows.PeopleExperienceHost packageName: Microsoft.Windows.PeopleExperienceHost publisherId: cw5n1h2txyewy - name: Remove "Pinning Confirmation Dialog" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Microsoft.Windows.PinningConfirmationDialog packageName: Microsoft.Windows.PinningConfirmationDialog publisherId: cw5n1h2txyewy - name: Remove "Secondary Tile Experience" app recommend: strict docs: |- This script removes the Secondary Tile Experience app from your computer. The Secondary Tile Experience helps in providing a feature in Windows that lets users create quick access shortcuts, called secondary tiles, to specific content from an app on their Start menu [1]. For example, it might be a shortcut to the weather of a city or a favorite news article. Secondary tiles act as direct entry points to parts of an app, like displaying real-time updates or leading to a particular feature [1]. While these tiles share some similarities with primary tiles in terms of showing detailed content and notifications, they differ in a few ways. 
First, secondary tiles are created based on the user's choice, and they get a prompt from the system asking for confirmation before pinning [1]. Second, these tiles can be deleted at any time, and this doesn't affect the main app [1]. This app comes pre-installed on certain versions of Windows [2]. From a privacy perspective, it's worth noting that individual secondary tiles might track user behaviors or preferences, which could be a concern for some users. The purpose of this script is to offer users the option to uninstall this feature if they wish to prioritize their privacy. [1]: https://web.archive.org/web/20231008120335/https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/secondary-tiles "Secondary tiles - Windows apps | Microsoft Learn" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.Windows.SecondaryTileExperience packageName: Microsoft.Windows.SecondaryTileExperience publisherId: cw5n1h2txyewy - name: Remove "Take a Test" app recommend: strict docs: |- This script uninstalls the "Take a Test" application, also known as "secure assessment browser" [1] [2] [3]. It is a feature in Windows primarily used for online testing in schools [4]. The purpose of this app is to create a secure environment where students can't access external computer or internet resources while taking a test [4]. It restricts specific activities, like printing, taking screenshots, or opening other apps [4]. The software offers two usage modes: a basic secure mode and a more stringent "kiosk mode" for vital assessments [4]. 
Educators and administrators have the flexibility to set various rules using this application [5]. For example, they can determine if the test allows screen monitoring, if students can get keyboard text suggestions, or if a specific test should auto-launch when the app is started [5]. They can also control printing permissions and determine which user accounts are permitted to take the test [5]. The app collects data such as the username of the person taking the test and information about the particular tests being taken [5]. This app comes pre-installed on certain versions of Windows [1] [2]. Its technical implementation can be found under the name `SecureAssessmentBrowser.exe` at `C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe`[3]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" [3]: https://web.archive.org/web/20231008122256/https://strontic.github.io/xcyclopedia/library/SecureAssessmentBrowser.exe-9997A632135DFB0C53479401E17A7367.html.html "SecureAssessmentBrowser.exe | Take a Test | STRONTIC" [4]: https://web.archive.org/web/20231008122321/https://learn.microsoft.com/en-us/education/windows/take-tests-in-windows "Take tests and assessments in Windows - Windows Education | Microsoft Learn" [5]: https://web.archive.org/web/20231008122328/https://learn.microsoft.com/en-us/windows/client-management/mdm/secureassessment-csp "SecureAssessment CSP - Windows Client Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | 
Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.Windows.SecureAssessmentBrowser packageName: Microsoft.Windows.SecureAssessmentBrowser publisherId: cw5n1h2txyewy - name: Remove "Windows Feedback" app recommend: standard docs: |- This app comes pre-installed on certain versions of Windows [1]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Microsoft.WindowsFeedback packageName: Microsoft.WindowsFeedback publisherId: cw5n1h2txyewy - name: Remove "Xbox Game Callable UI" app (breaks Xbox Live games) docs: |- This script uninstalls the "Xbox Game Callable UI" (TCUI) app. This app acts as an intermediary tool that games can use to bring up common UI elements on the Xbox platform [1]. These displays, consistent with the RS5 Gamebar style, offer functionalities such as profile viewing, game invite sending, people selection, friend management, achievement viewing, user privilege checking, and navigation to game details, profile customization, user settings, and storage management [1]. This app comes pre-installed on certain versions of Windows [2] [3]. 
[1]: https://web.archive.org/web/20200827080253/https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview "Title-callable UI (TCUI) overview - Xbox Live | Microsoft Docs" [2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" recommend: strict call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Microsoft.XboxGameCallableUI packageName: Microsoft.XboxGameCallableUI publisherId: cw5n1h2txyewy - name: Remove "CBS Preview" app recommend: standard docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โœ… Exists | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage Windows.CBSPreview packageName: Windows.CBSPreview publisherId: cw5n1h2txyewy - name: Remove "Contact Support" app docs: |- This app comes pre-installed on certain versions of Windows [1]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Windows.ContactSupport packageName: Windows.ContactSupport publisherId: cw5n1h2txyewy - name: Remove "Windows Print 3D" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. [1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โŒ Missing # More info : Get-AppxPackage Windows.Print3D packageName: Windows.Print3D publisherId: cw5n1h2txyewy - name: Remove "Print UI" app docs: |- This app comes pre-installed on certain versions of Windows [1] [2]. 
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs" [2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn" call: function: UninstallNonRemovableStoreAppWithCleanup parameters: # Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists # More info : Get-AppxPackage Windows.PrintDialog packageName: Windows.PrintDialog publisherId: cw5n1h2txyewy - category: Remove OneDrive docs: |- Microsoft OneDrive (formerly SkyDrive) is a file hosting service operated by Microsoft [1]. First launched in August 2007, it enables registered users to share and synchronize their files [1]. Data stored on OneDrive is subject to monitoring by Microsoft [2]. There have been reports of Microsoft accessing and altering your personal files when syncing on OneDrive [3] [4]. Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5]. 
[1]: https://en.wikipedia.org/wiki/OneDrive "OneDrive | Wikipedia" [2]: https://en.wikipedia.org/w/index.php?title=OneDrive&oldid=1111615560#Privacy_concerns "OneDrive | Privacy concerns | Wikipedia" [3]: https://web.archive.org/web/20191002180755/https://www.intralinks.com/blog/2014/04/microsoft-onedrive-business-can-alter-files-syncs "Microsoft OneDrive for Business can Alter Your Files as It Syncs | Intralinks" [4]: https://thehackernews.com/2014/04/microsoft-onedrive-secretly-modifies.html "Microsoft OneDrive Secretly Modifies your BackUp Files | thehackernews.com" [5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" children: - name: Kill OneDrive process recommend: strict docs: |- This script stops the execution of OneDrive. The main OneDrive process is `OneDrive.exe`, installed at `%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe` [1] [2] [3] [4]. 
[1]: https://answers.microsoft.com/en-us/windows/forum/all/onedrive-wont-sync-and-wont-uninstall-so-i-can-re/6182d0a5-e7ea-46bb-a058-c0a4fd5e299a "Onedrive wont sync and wont uninstall so I can re-install the latest - Microsoft Community | answers.microsoft.com" [2]: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/9bd33f03-62dd-4c4f-9d29-970c1016f2f9/better-onedrive-detection-method?forum=configmanagerapps "Better OneDrive detection method | social.technet.microsoft.com" [3]: https://social.msdn.microsoft.com/Forums/en-US/072e3577-d0ff-4950-9e0b-40b037853881/starting-and-stopping-sharepoint-library-sync-with-onedrive?forum=sharepointdevelopmentprevious "Starting and stopping SharePoint library sync with OneDrive | social.msdn.microsoft.com" [4]: https://learn.microsoft.com/en-us/answers/questions/473995/onedrive-was-previously-disabled-and-now-i-can39t.html "OneDrive was previously disabled and now I can't enable it with GPO - Microsoft Q&A | learn.microsoft.com" call: function: TerminateRunningProcess parameters: executableNameWithExtension: OneDrive.exe revertExecutablePath: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe' revertExecutableArgs: /background - name: Remove OneDrive from startup recommend: strict docs: |- OneDrive starts on every boot in both Windows 10 and 11. It's started through `OneDrive` `REG_SZ` entry in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` [1]. The startup command is `"\Microsoft\OneDrive\OneDrive.exe" /background` [1]. 
[1]: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/start-onedrive-when-using-a-remoteapp-in-wvd/m-p/899331 "Re: Start OneDrive when using a RemoteApp in WVD - Page 2 - Microsoft Tech Community | techcommunity.microsoft.com" code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /f 2>nul revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe\" /background" /f - name: Remove OneDrive through official installer docs: |- This script will call official Microsoft uninstaller that will uninstall the application but residual files will be left. You won't lose data by uninstalling OneDrive from computer because they will be stored in cloud [1]. Running OneDrive client setup package (`OneDriveSetup.exe`) with the `/uninstall` command line switch uninstalls OneDrive [2] [3]. On Windows 10, the setup package is found on different folders (`System32` or `SysWOW64`) based on the CPU architecture [4]. On Windows 11, the setup package is always inside `System32` regarding of the CPU architecture. Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5]. 
[1]: https://support.microsoft.com/en-us/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0 "Turn off, disable, or uninstall OneDrive | support.microsoft.com" [2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016#method-2-uninstall-onedriveexe "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn" [3]: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/lists-and-libraries/cannot-open-onedrive-on-images-using-sysprep#how-to-correctly-deploy-onedrive-via-sysprep "Can't open OneDrive on images using Sysprep - SharePoint | Microsoft Learn" [4]: https://answers.microsoft.com/en-us/windows/forum/all/onedrive-on-windows-11-does-not-appear-in-file/250c679b-9d02-410f-8c8f-41cca112ccfa "OneDrive on Windows 11 - Does Not Appear in File Explorer - Microsoft Community | answers.microsoft.com" [5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" recommend: strict code: |- if exist "%SYSTEMROOT%\System32\OneDriveSetup.exe" ( "%SYSTEMROOT%\System32\OneDriveSetup.exe" /uninstall ) else ( if exist "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" ( "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" /uninstall ) else ( echo Failed to uninstall, uninstaller could not be found. 1>&2 ) ) revertCode: |- if exist "%SYSTEMROOT%\System32\OneDriveSetup.exe" ( "%SYSTEMROOT%\System32\OneDriveSetup.exe" /silent ) else ( if exist "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" ( "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" /silent ) else ( echo Failed to install, installer could not be found. 
1>&2 ) ) - name: Remove OneDrive residual files recommend: strict docs: |- This script cleans OneDrive files such as installation directories, application data, and temporary files and cache. - `C:\OneDriveCache`: Temporary cache location [1]. - `C:\ProgramData\Microsoft OneDrive`: Program data, used during setup [2] [3]. - `C:\Users\<username>\OneDrive`: OneDrive root directory [4]. - `C:\Users\<username>\AppData\Local\Microsoft\OneDrive`: OneDrive installation directory [5]. The folders are reported by the community [1]. According to the tests: | Directory | Windows 11 (since 22H2) | Windows 10 (since 22H2) | | --------- |:-----------------------:|:-----------------------:| | `%SYSTEMDRIVE%\OneDriveCache` | ❌ Missing | ❌ Missing | | `%PROGRAMDATA%\Microsoft OneDrive` | ✅ Exists | ✅ Exists | | `%LOCALAPPDATA%\Microsoft\OneDrive` | ✅ Exists | ✅ Exists | | `%USERPROFILE%\OneDrive` | ✅ Exists | ✅ Exists | [1]: https://social.microsoft.com/Forums/en-US/53263a51-856f-4e64-bc0e-a689d4cc5a8b/release-notes-for-1907-build-29711727413?forum=FSLogix "Release Notes for 1907 - build 2.9.7117.27413 | social.microsoft.com" [2]: https://techcommunity.microsoft.com/t5/sharepoint/onedrive-setup-fails-to-complete/m-p/2072446 "OneDrive setup fails to complete - Microsoft Tech Community" [3]: https://answers.microsoft.com/en-us/msoffice/forum/all/why-does-onedrive-act-as-ransomware/288e5940-b92b-493c-91ff-dafd26279bee "Why does OneDrive act as Ransomware? 
- Microsoft Community" [4]: https://techcommunity.microsoft.com/t5/onedrive-for-business/change-onedrive-installation-location/m-p/225064 "Change OneDrive installation location - Microsoft Tech Community | techcommunity.microsoft.com" [5]: https://learn.microsoft.com/en-us/sharepoint/install/configure-syncing-with-the-onedrive-sync-app "Configure syncing with the new OneDrive sync app - SharePoint Server | Microsoft Learn | learn.microsoft.com" call: - function: DeleteDirectory parameters: directoryGlob: '%USERPROFILE%\OneDrive' - function: DeleteDirectory parameters: directoryGlob: '%LOCALAPPDATA%\Microsoft\OneDrive' grantPermissions: true - function: DeleteDirectory parameters: directoryGlob: '%PROGRAMDATA%\Microsoft OneDrive' - function: DeleteDirectory parameters: directoryGlob: '%SYSTEMDRIVE%\OneDriveTemp' - name: Remove OneDrive shortcuts recommend: strict docs: |- This script ensures the removal of all OneDrive shortcuts from your system, even after uninstallation or cleanup. Erasing these shortcuts improves the security and privacy of your computer system, lessening the potential access points for unwanted entities. Moreover, the removal of unused shortcuts results in a more organized and efficient system, enhancing your user experience by preventing any confusion from dead shortcuts. 
Shortcuts that link to OneDrive are stored in various locations, such as: - `Start Menu\Programs\Microsoft OneDrive.lnk`, `Start Menu\Programs\OneDrive.lnk`, `Links\OneDrive.lnk` [1], - `ServiceProfiles\LocalService` and `ServiceProfiles\NetworkService` [1] Below are the tested shortcut file locations on default installation (since Windows 10 22H2 and Windows 11 22H2): | Path | Windows 11 | Windows 10 | | ---- |:----------:|:----------:| | `%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | โœ… Exists | โœ… Exists | | `%USERPROFILE%\Links\OneDrive.lnk` | โŒ Missing | โŒ Missing | | `%WINDIR%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | โŒ Missing | โœ… Exists | | `%WINDIR%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | โŒ Missing | โœ… Exists | In Windows 10 and higher, additional steps are necessary to delete the OneDrive icon from the navigation pane in Windows Explorer [2], which is executed by this script. 
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" [2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016 "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn" call: - function: RemoveShortcutFiles parameters: targetFile: C:\Users\undergroundwires\AppData\Local\Microsoft\OneDrive\OneDrive.exe shortcutItems: |- @{ Revert = $True; Path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; } @{ Revert = $False; Path = "$env:USERPROFILE\Links\OneDrive.lnk"; } @{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; } @{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; } - function: RunPowerShell parameters: code: |- Set-Location "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace" Get-ChildItem | ForEach-Object {Get-ItemProperty $_.pspath} | ForEach-Object { $leftnavNodeName = $_."(default)"; if (($leftnavNodeName -eq "OneDrive") -Or ($leftnavNodeName -eq "OneDrive - Personal")) { if (Test-Path $_.pspath) { Write-Host "Deleting $($_.pspath)." Remove-Item $_.pspath; } } } - name: Disable OneDrive usage recommend: strict docs: |- This script prevents [1]: - Keeping OneDrive files in sync with the cloud. - Users from automatically uploading photos and videos from the camera roll folder. - Users from accessing OneDrive from the OneDrive app and file picker. - Windows Store apps from accessing OneDrive using the WinRT API. 
- OneDrive from appearing in the navigation pane in File Explorer. Setting `DisableFileSyncNGSC` group policy prevents OneDrive from working on both Windows 10 and 11 [1] [2]. Windows 8 uses older `DisableFileSync` key [3]. These policies do not exist by default in clean installations. [1]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSync "Prevent the usage of OneDrive for file storage | admx.help" [2]: https://support.microsoft.com/en-us/office/onedrive-won-t-start-0c158fa6-0cd8-4373-98c8-9179e24f10f2 "OneDrive won't start | support.microsoft.com" [3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSyncForBlue "Prevent the usage of OneDrive for file storage on Windows 8.1 | admx.help" code: |- reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 1 /f revertCode: |- reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /f 2>nul reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSync" /f 2>nul - name: Disable automatic OneDrive installation docs: |- Windows 10 comes with `OneDriveSetup` entry in startup for automatic reinstallations even though OneDrive is uninstalled. This entry is missing in Windows 11 by default. `OneDriveSetup` is registered to reinstall OneDrive and can be removed using registry [1], as recommended by Microsoft for optimizing Windows VDIs [1]. 
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn" recommend: strict call: function: RunPowerShell parameters: code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f 2>$null revertCode: |- function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } if (Test-IsWindows11) { Write-Host 'Skipping, no action needed on Windows 11.' } else { if([Environment]::Is64BitOperatingSystem) { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe /silent" /f } else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SYSTEMROOT%\System32\OneDriveSetup.exe /silent" /f } } - name: Remove OneDrive folder from File Explorer recommend: strict docs: |- File Explorer shows OneDrive to allow you to access files stored in OneDrive (stored online and locally cached) [1]. The [CLSID](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm) for OneDrive is `018D5C66-4533-4307-9B53-224DE2ED1FE6` [2] on both Windows 10 and 11. Changing the pinning option for this key removes OneDrive from the navigation pane in File Explorer [2]. This CLSID has the `System.IsPinnedToNameSpaceTree` value set to `1` after a clean installation on both Windows 10 and Windows 11. 
[1]: https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com" [2]: https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com" code: |- reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f revertCode: |- reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f - name: Disable OneDrive scheduled tasks recommend: strict docs: |- This script disables the scheduled tasks associated with Microsoft OneDrive that typically run maintenance activities such as auto-updates [1] [2] [3] and data collection [2]. Disabling these tasks impacts OneDrive's automatic background update process [1] [2] [3]. By default, Windows 10 (since 22H2) and Windows 11 (since 22H2) include the following tasks: - `OneDrive Standalone Update Task` [1] [2] [3] - `OneDrive Reporting Task` [1] These tasks are enabled by default and lack official documentation from Microsoft. They can be identified by executing `Get-ScheduledTask 'OneDrive *' | Select -ExpandProperty TaskName` in PowerShell. These tasks are observed to persist even after OneDrive is uninstalled. 
The tasks appear with a Security Identifier (SID) unique to each installation [1], following this pattern: - `OneDrive Reporting Task-S-1-5-21-xxxxxx` - `OneDrive Standalone Update Task-S-1-5-21-xxxxxx` The SID, denoted by 'xxxxxx', varies per installation and represents the user account associated with the task. SIDs of user accounts always start with `S-1-5-21` [4]; the rest of the number changes per user. To see all user SIDs, you can run `wmic useraccount get Name,sid`. The SID for your account can be confirmed using `whoami /user`. A SID which doesn't correspond to any user account may appear. This is due to system preparation processes (`sysprep`) that use different SIDs for tasks to prevent duplication [5]. Disabling tasks with standard user SIDs is straightforward, but attempting to disable tasks with unpredictable SIDs can result in an error message: `Catastrophic failure (Exception from HRESULT: 0x80000FFF (E_UNEXPECTED))`. Nonetheless, disabling tasks with the correct SID is achievable using the provided script, which locates the full task names including the SIDs. If OneDrive is installed for all users on a machine (which is not the default behavior [6]), an additional task is present: - `OneDrive Per-Machine Standalone Update` [1] [7]. Disabling the `OneDrive Standalone Update Task` is recommended by Microsoft to improve system performance and reduce unnecessary data collection [2]. 
### Overview of default task statuses `\OneDrive Reporting Task-$SID`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | `\OneDrive Standalone Update Task-$SID`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸข Ready | | Windows 11 22H2 | ๐ŸŸข Ready | `\OneDrive Per-Machine Standalone Update`: | OS Version | Default status | | ---------------- | -------------- | | Windows 10 22H2 | ๐ŸŸก N/A (missing) | | Windows 11 22H2 | ๐ŸŸก N/A (missing) | [1]: https://web.archive.org/web/20231104142218/https://docs.fra.me/blog/2023/08/04/application-optimizations-microsoft-onedrive/#scheduled-tasks "Application Optimization Essentials: Microsoft OneDrive | Frame Platform Documentation | docs.fra.me" [2]: https://web.archive.org/web/20231104142209/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803 "Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com" [3]: https://web.archive.org/web/20231104142301/http://windows.fyicenter.com/5623_OneDrive_Standalone_Update_Task-S-1-_Scheduled_Task_on_Windows_7.html '"OneDrive Standalone Update Task-S-1-..." 
Scheduled Task on Windows 7 | windows.fyicenter.com' [4]: https://web.archive.org/web/20231104133125/https://renenyffenegger.ch/notes/Windows/security/SID/index "Windows security identifiers (SID) | renenyffenegger.ch" [5]: https://en.wikipedia.org/w/index.php?title=Windows_Task_Scheduler&oldid=1086196699#Bugs "Windows Task Scheduler - Wikipedia | wikipedia.rg" [6]: https://web.archive.org/web/20231104142412/https://learn.microsoft.com/en-us/sharepoint/per-machine-installation "Install the sync app per-machine (Windows) - SharePoint in Microsoft 365 | Microsoft Learn | learn.microsoft.com" [7]: https://web.archive.org/web/20231104142343/https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/microsoft-365-citrix.html "Deployment Guide: Microsoft 365 with Citrix Virtual Apps and Desktops | docs.citrix.com" call: - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Reporting Task-*' taskPathPattern: \ taskNamePattern: OneDrive Reporting Task-* - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Standalone Update Task-*' taskPathPattern: \ taskNamePattern: OneDrive Standalone Update Task-* - function: DisableScheduledTask parameters: # Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Per-Machine Standalone Update' taskPathPattern: \ taskNamePattern: OneDrive Per-Machine Standalone Update - name: Clear OneDrive environment variable recommend: strict docs: |- Since Windows 10 1809, Microsoft introduced `%OneDrive%` environment variable to reach OneDrive through an alias [1]. This variable is redundant when OneDrive is undesired. This script deletes `OneDrive` environment variable [2]. `OneDrive` key at `HKCU\Environment` is found on both Windows 10 and Windows 11. 
[1]: https://superuser.com/a/1397495 "Determine OneDrive synchronisation folders - Super User | superuser.com" [2]: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch "Export registry value to file and then set a variable in Batch - Stack Overflow | stackoverflow.com" code: reg delete "HKCU\Environment" /v "OneDrive" /f 2>nul - category: Remove Edge (Chromium) docs: |- This category automates the uninstallation of Microsoft Edge (also known as "Chromium Edge" or "New Edge" [1]), the web browser that comes pre-installed with many versions of Windows. Microsoft Edge collects various types of data, some of which pertain to your browsing habits, such as the websites you visit, your search queries, and the data you enter into forms [2]. Additionally, it tracks usage metrics and diagnostic data about your device and how the browser is functioning [2]. These pieces of information could be used for targeted advertising or profiling. Removing Microsoft Edge ensures that it is not silently accumulating this data in the background, thereby improving your overall privacy. By default, Microsoft Edge doesn't allow uninstallation, and Microsoft has officially declared that Edge cannot be uninstalled on Windows [3]. [1]: https://en.wikipedia.org/w/index.php?title=Microsoft_Edge&oldid=1174053020#New_Edge_(2019%E2%80%93present) "Microsoft Edge - Wikipedia" [2]: https://web.archive.org/web/20230907002709/https://support.microsoft.com/en-us/microsoft-edge/learn-more-about-diagnostic-data-collection-in-microsoft-edge-7fcee15b-39f7-ba02-bc59-9eef622c1a9f "Learn more about diagnostic data collection in Microsoft Edge - Microsoft Support" [3]: https://web.archive.org/web/20230907002011/https://support.microsoft.com/en-us/microsoft-edge/why-can-t-i-uninstall-microsoft-edge-ee150b3b-7d7a-9984-6d83-eb36683d526d "Why can't I uninstall Microsoft Edge? 
- Microsoft Support" children: - name: Remove Edge through official installer docs: |- This script uninstalls the Microsoft Edge using the official installer. 1. **Enable Uninstallation**: The script modifies a specific registry key to allow the uninstallation of Microsoft Edge. This step is crucial because, starting from version 116 of Edge, you cannot uninstall it unless this registry key is set. 2. **Run Uninstaller**: The script then finds the Microsoft Edge installer (`setup.exe`) for every Microsoft Edge installation (it is possible to have multiple versions) and executes it to perform a system-level uninstall. There's no official documentation for the Edge installer or registry keys codes, which this script relies on. However, these have been verified through testing and community support to work as expected. call: - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev" /v "AllowUninstall" /t REG_DWORD /d "1" /f revertCode: reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev" /v "AllowUninstall" /f 2>nul # It does not exists since Windows 10 21H2 and Windows 11 21H2 - function: RunPowerShell parameters: code: |- $installer = (Get-ChildItem "$($env:ProgramFiles)*\Microsoft\Edge\Application\*\Installer\setup.exe") if (!$installer) { Write-Host 'Installer not found. Microsoft Edge may already be uninstalled.' } else { $installer | ForEach-Object { $uninstallerPath = $_.FullName $installerArguments = @("--uninstall", "--system-level", "--verbose-logging", "--force-uninstall") Write-Output "Uninstalling through uninstaller: $uninstallerPath" $process = Start-Process -FilePath "$uninstallerPath" -ArgumentList $installerArguments -Wait -PassThru if ($process.ExitCode -eq 0 -or $process.ExitCode -eq 19) { Write-Host "Successfully uninstalled Edge." } else { Write-Error "Failed to uninstall, uninstaller failed with exit code $($process.ExitCode)." 
} } } revertCode: |- $edgeExePath = Get-ChildItem -Path "$($env:ProgramFiles)*\Microsoft\Edge\Application" -Filter 'msedge.exe' -Recurse if ($edgeExePath) { Write-Host 'Microsoft Edge is already installed. Skipping reinstallation.' Exit 0 } Write-Host 'Downloading Microsoft Edge...' $edgeInstallerUrl = 'https://c2rsetup.officeapps.live.com/c2r/downloadEdge.aspx?platform=Default&Channel=Stable&language=en' $downloadPath = "$($env:TEMP)\MicrosoftEdgeSetup.exe" Invoke-WebRequest -Uri "$edgeInstallerUrl" -OutFile "$downloadPath" $installerArguments = @('/install', '/silent') Write-Host 'Installing Microsoft Edge...' $process = Start-Process -FilePath "$downloadPath" -ArgumentList "$installerArguments" -Wait -PassThru Remove-Item -Path $downloadPath -Force if ($process.ExitCode -eq 0) { Write-Host 'Successfully reinstalled Microsoft Edge.' } else { Write-Error "Failed to reinstall Microsoft Edge. Installer failed with exit code $($process.ExitCode)." } - name: Remove Edge (Chromium) file and URL associations docs: |- This script disconnects file and URL associations related to the Microsoft Edge browser on your computer. When you uninstall Edge, these associations remain intact, leading to potential unexpected behaviors [1] and vulnerabilities when opening specific file types or URLs. The script is recommended for enhancing the stability and privacy of your system by avoiding unintentional interactions with these leftover settings. It particularly addresses associations found under specific registry keys: - `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations` - `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\URLAssociations` Note that not all these associations are registered for Edge by the OS by default. Specifically, the removed associations have an `MSEdge` prefix, covering program IDs such as `MSEdgePDF` and `MSEdgeHTM` [2]. 
Clearing these associations, which are not removed by the official Edge uninstaller, mitigates the risk of exposure to system vulnerabilities due to these lingering settings. Your system remains cleaner, more stable, and more private, ensuring a more secure user experience. [1]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again ยท Issue #64 ยท undergroundwires/privacy.sexy" [2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn" recommend: strict call: # Exclude: # - Cleanup of keys under `HKLM\SOFTWARE\Clients\StartMenuInternet` as default uninstaller already cleans it. - function: RemoveBrowserAssociations # Deleting Edge through uninstaller does not remove these (tested on Windows 11 22H2 and Windows 10 21H1 using Edge v115). parameters: progIdPattern: MSEdge* # MSEdgeHTM, MSEdgeMHT, MSEdgePDF # List: # Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts' | ForEach-Object { $_.Property } | Where-Object { $_ -Match 'MSEdge' } toastAssociations: >- MSEdgeHTM_.webp MSEdgeHTM_http MSEdgeHTM_https MSEdgeHTM_.htm MSEdgeHTM_ftp MSEdgeHTM_.xml MSEdgeHTM_.html MSEdgePDF_.pdf MSEdgeHTM_.svg MSEdgeHTM_mailto MSEdgeHTM_read MSEdgeHTM_.mht MSEdgeMHT_.mht MSEdgeHTM_.mhtml MSEdgeMHT_.mhtml MSEdgeHTM_.xhtml MSEdgeHTM_.xht - function: RunInlineCode # Remove association from "Open With" context menu. # Deleting Edge through uninstaller does not remove these (tested on Windows 11 22H2 and Windows 10 21H1 using Edge v115). # This associations can be found at HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations. 
parameters: code: |- # reg delete HKCR\{extension}\OpenWithProgIds\MSEdge{..} for %%A in ( htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, xhtml:MSEdgeHTM, webp:MSEdgeHTM, xml:MSEdgeHTM, mht:MSEdgeMHT, mhtml:MSEdgeMHT ) do ( for /f "tokens=1,2 delims=:" %%B in ("%%A") do ( echo Removing OpenWith association for "%%C" from "%%B"... reg delete "HKCR\.%%B\OpenWithProgIds" /v "%%C" /f 2>nul ) ) revertCode: |- # Common defaults since Windows 10 21H2 and Windows 11 21H2 for %%A in ( htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM, pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM, xhtml:MSEdgeHTM, webp:MSEdgeHTM, mht:MSEdgeMHT, mhtml:MSEdgeMHT ) do ( for /f "tokens=1,2 delims=:" %%B in ("%%A") do ( echo Restoring OpenWith for ".%%B" to "%%C"... reg add "HKCR\.%%B\OpenWithProgids" /v "%%C" /t REG_SZ /f ) ) - name: Remove Edge shortcuts docs: |- This script removes Microsoft Edge shortcuts from specific locations on your computer, enhancing the privacy and integrity of your system. When installed, Microsoft Edge, places shortcuts in various locations on your computer. Even after uninstalling the Edge browser, some of these shortcuts may not be removed (tested since โ‰ฅ Edge v117). This script ensures the removal of these residual shortcuts. These shortcuts can serve as access points for malicious entities, potentially compromising your computer's security and privacy. By deleting these shortcuts, the script helps in reducing these vulnerabilities, thus contributing to a more secure and private computing environment. Besides contributing to privacy and security, removing these unused shortcuts also contributes to a cleaner and more organized computer system, providing an enhanced user experience. 
The script specifically targets and removes shortcuts from the following paths, which have been tested and verified to exist on default installations of Windows since Windows 10 22H2 and Windows 11 22H2: | Path | Windows 11 | Windows 10 | | ---- |:----------:|:----------:| | `%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk` | โœ… Exists | โœ… Exists | | `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | โœ… Exists | โœ… Exists | | `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk` | โœ… Exists | โœ… Exists | | `%PUBLIC%\Desktop\Microsoft Edge.lnk` | โœ… Exists | โœ… Exists | | `%SYSTEMROOT%\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | โœ… Exists | โœ… Exists | | `%USERPROFILE%\Desktop\Microsoft Edge.lnk` | โŒ Missing | โŒ Missing | call: # Exclude: # - `DisableEdgeDesktopShortcutCreation` because it's highly documented and it does not really bring value since this script already deletes `Microsoft Edge.lnk` from public folder. 
function: RemoveShortcutFiles parameters: targetFile: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe shortcutItems: |- @{ Revert = $True; Path = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"; } @{ Revert = $True; Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; } @{ Revert = $True; Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"; } @{ Revert = $True; Path = "$env:Public\Desktop\Microsoft Edge.lnk"; } @{ Revert = $True; Path = "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; } @{ Revert = $False; Path = "$env:UserProfile\Desktop\Microsoft Edge.lnk"; } - category: Disable built-in Windows features children: - name: Disable "Direct Play" feature call: function: DisableFeature parameters: featureName: DirectPlay - name: Disable "Internet Explorer" feature call: - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-x64 - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-x84 - function: DisableFeature parameters: featureName: Internet-Explorer-Optional-amd64 - name: Disable "Legacy Components" feature call: function: DisableFeature parameters: featureName: LegacyComponents - category: Disable server features children: - category: Disable Hyper-V virtualization features children: - name: Disable "Hyper-V" feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-All - name: Disable "Hyper-V GUI Management Tools" feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Management-Clients - name: Disable "Hyper-V Management Tools" feature call: function: DisableFeature parameters: featureName: Microsoft-Hyper-V-Tools-All - name: Disable "Hyper-V Module for Windows PowerShell" feature call: function: DisableFeature parameters: featureName: 
Microsoft-Hyper-V-Management-PowerShell - name: Disable "Telnet Client" feature docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx call: function: DisableFeature parameters: featureName: TelnetClient - name: Disable "Net.TCP Port Sharing" feature docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing call: function: DisableFeature parameters: featureName: WCF-TCP-PortSharing45 - name: Disable "SMB Direct" feature docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct call: function: DisableFeature parameters: featureName: SmbDirect - name: Disable "TFTP Client" feature call: function: DisableFeature parameters: featureName: TFTP - category: Disable printing features children: - category: Disable printer networking children: - name: Disable "Internet Printing Client" feature call: function: DisableFeature parameters: featureName: Printing-Foundation-InternetPrinting-Client - name: Disable "LPD Print Service" feature call: function: DisableFeature parameters: featureName: LPDPrintService - name: Disable "LPR Port Monitor" feature call: function: DisableFeature parameters: featureName: Printing-Foundation-LPRPortMonitor - name: Disable "Microsoft Print to PDF" feature call: function: DisableFeature parameters: featureName: Printing-PrintToPDFServices-Features - name: Disable "Print and Document Services" feature call: function: DisableFeature parameters: featureName: Printing-Foundation-Features - name: Disable "Work Folders Client" feature docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview call: function: DisableFeature parameters: featureName: WorkFolders-Client - category: Disable XPS support features children: - name: Disable "XPS Services" feature call: function: DisableFeature parameters: featureName: Printing-XPSServices-Features - name: Disable "XPS Viewer" feature call: function: 
DisableFeature parameters: featureName: Xps-Foundation-Xps-Viewer - name: Disable "Media Features" feature call: function: DisableFeature parameters: featureName: MediaPlayback - name: Disable "Scan Management" feature call: function: DisableFeature parameters: featureName: ScanManagementConsole - name: Disable "Windows Fax and Scan" feature call: function: DisableFeature parameters: featureName: FaxServicesClientPackage - name: Disable "Windows Media Player" feature call: function: DisableFeature parameters: featureName: WindowsMediaPlayer - name: Disable "Windows Search" feature call: function: DisableFeature parameters: featureName: SearchEngine-Client-Package - category: Remove on-demand capabilities and features docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled children: - category: Remove preinstalled features on demand children: - name: Remove "DirectX Configuration Database" capability call: function: UninstallCapability parameters: capabilityName: DirectX.Configuration.Database - name: Remove "Internet Explorer 11" capability call: function: UninstallCapability parameters: capabilityName: Browser.InternetExplorer - name: Remove "Math Recognizer" capability call: function: UninstallCapability parameters: capabilityName: MathRecognizer - name: Remove "OneSync" capability (breaks Mail, People, and Calendar) recommend: strict docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync call: function: UninstallCapability parameters: capabilityName: OneCoreUAP.OneSync - name: Remove "OpenSSH client" capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Client - name: Remove "PowerShell ISE" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.PowerShell.ISE - name: Remove "Print Management Console" capability 
call: function: UninstallCapability parameters: capabilityName: Print.Management.Console - name: Remove "Quick Assist" capability call: function: UninstallCapability parameters: capabilityName: App.Support.QuickAssist - name: Remove "Steps Recorder" capability call: function: UninstallCapability parameters: capabilityName: App.StepsRecorder - name: Remove "Windows Fax and Scan" capability call: function: UninstallCapability parameters: capabilityName: Print.Fax.Scan # Following are excluded because: # 1. They are not widely considered as "bloatware" as the community # 2. Do not have known privacy issues # 3. Make Windows more functional when running all scripts # - # name: Remove "WordPad" capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.WordPad # - # name: Remove "Paint" capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.MSPaint # - # name: Remove "Notepad" capability # call: # function: UninstallCapability # parameters: # capabilityName: Microsoft.Windows.Notepad - category: Remove not preinstalled features on demand children: - name: Remove ".NET Framework" capability call: function: UninstallCapability parameters: capabilityName: NetFX3 - name: Remove "Mixed Reality" capability call: function: UninstallCapability parameters: capabilityName: Analog.Holographic.Desktop - name: Remove "Wireless Display" capability call: function: UninstallCapability parameters: capabilityName: App.WirelessDisplay.Connect - name: Remove "Accessibility - Braille Support" capability call: function: UninstallCapability parameters: capabilityName: Accessibility.Braille - name: Remove "Developer Mode" capability call: function: UninstallCapability parameters: capabilityName: Tools.DeveloperMode.Core - name: Remove "Graphics Tools" capability call: function: UninstallCapability parameters: capabilityName: Tools.Graphics.DirectX - name: Remove "IrDA" capability call: function: 
UninstallCapability parameters: capabilityName: Network.Irda - name: Remove "Microsoft WebDriver" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.WebDriver - name: Remove "MSIX Packaging Tool Driver" capability call: function: UninstallCapability parameters: capabilityName: Msix.PackagingTool.Driver - category: Remove networking capabilities children: - name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability call: function: UninstallCapability parameters: capabilityName: RasCMAK.Client - name: Remove "RIP Listener" capability call: function: UninstallCapability parameters: capabilityName: RIP.Listener - name: Remove "Simple Network Management Protocol (SNMP)" capability call: function: UninstallCapability parameters: capabilityName: SNMP.Client - name: Remove "SNMP WMI Provider" capability call: function: UninstallCapability parameters: capabilityName: WMI-SNMP-Provider.Client - name: Remove "OpenSSH Server" capability call: function: UninstallCapability parameters: capabilityName: OpenSSH.Server - category: Remove printing capabilities children: - name: Remove "Enterprise Cloud Print" capability call: function: UninstallCapability parameters: capabilityName: Print.EnterpriseCloudPrint - name: Remove "Mopria Cloud Service" capability call: function: UninstallCapability parameters: capabilityName: Print.MopriaCloudService - category: Remove Remote Server Administration Tools (RSAT) children: - name: Remove "Active Directory Domain Services and Lightweight Directory Services Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools - name: Remove "BitLocker Drive Encryption Administration Utilities" capability call: function: UninstallCapability parameters: capabilityName: Rsat.BitLocker.Recovery.Tools - name: Remove "Active Directory Certificate Services Tools" capability call: function: UninstallCapability parameters: capabilityName: 
Rsat.CertificateServices.Tools - name: Remove "DHCP Server Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.DHCP.Tools - name: Remove "DNS Server Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.Dns.Tools - name: Remove "Failover Clustering Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.FailoverCluster.Management.Tools - name: Remove "File Services Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.FileServices.Tools - name: Remove "Group Policy Management Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.GroupPolicy.Management.Tools - name: Remove "IP Address Management (IPAM) Client" capability call: function: UninstallCapability parameters: capabilityName: Rsat.IPAM.Client.Tools - name: Remove "Data Center Bridging LLDP Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.LLDP.Tools - name: Remove "Network Controller Management Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkController.Tools - name: Remove "Network Load Balancing Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.NetworkLoadBalancing.Tools - name: Remove "Remote Access Management Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.RemoteAccess.Management.Tools - name: Remove "Server Manager Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.ServerManager.Tools - name: Remove "Shielded VM Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.Shielded.VM.Tools - name: Remove "Storage Replica Module for Windows PowerShell" capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageReplica.Tools - name: Remove "Volume Activation Tools" capability call: function: 
UninstallCapability parameters: capabilityName: Rsat.VolumeActivation.Tools - name: Remove "Windows Server Update Services Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.WSUS.Tools - name: Remove "Storage Migration Service Management Tools" capability call: function: UninstallCapability parameters: capabilityName: Rsat.StorageMigrationService.Management.Tools - name: Remove "Systems Insights Module for Windows PowerShell" capability call: function: UninstallCapability parameters: capabilityName: Rsat.SystemInsights.Management.Tools - category: Remove storage capabilities children: - name: Remove "Windows Storage Management" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.Windows.StorageManagement - name: Remove "OneCore Storage Management" capability call: function: UninstallCapability parameters: capabilityName: Microsoft.OneCore.StorageManagement - name: Remove "Windows Emergency Management Services and Serial Console" capability call: function: UninstallCapability parameters: capabilityName: Windows.Desktop.EMS-SAC.Tools - name: Remove "XPS Viewer" capability call: function: UninstallCapability parameters: capabilityName: XPS.Viewer - category: Remove Widgets docs: |- Windows 11 adds a new taskbar flyout named "Widgets", which displays a panel with Microsoft Start, a news aggregator with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1]. It's rebranding/future version of older "Windows 10 News and Interests" feature [2]. The user can customize the panel by adding or removing widgets, rearranging, resizing, and personalizing the content [1]. It has privacy implications as it collects data about your usage of the computer such as diagnostics data [3]. 
[1]: https://en.wikipedia.org/wiki/Features_new_to_Windows_11#Windows_shell "Features new to Windows 11 | Wikipedia" [2]: https://www.bleepingcomputer.com/news/microsoft/windows-10-news-and-interests-enabled-for-everyone-in-latest-update/ "Windows 10 News and Interests enabled for everyone in latest update | Bleeping Computer" [3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "What data does Microsoft collect? | Widgets | Microsoft" children: - name: Remove Widgets from taskbar docs: |- To control whether the Widgets button is visible on the taskbar, Microsoft introduced `TaskbarDa` registry value [1]. Possible `DWORD` 32-bit settings for the `TaskbarDa` value are [1] [2]: 1. 0 = Hidden 2. 1 = Visible This registry key does not exist in Windows 11 installations by default. [1]: https://www.elevenforum.com/t/add-or-remove-widgets-button-on-taskbar-in-windows-11.32/ " Add or Remove Widgets Button on Taskbar in Windows 11 | Windows Eleven Forum" [2]: https://www.bleepingcomputer.com/news/microsoft/new-windows-11-registry-hacks-to-customize-your-device/ "New Windows 11 registry hacks to customize your device | Bleeping Computer" recommend: strict code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /f 2>nul - name: Remove "Windows Web Experience Pack" (breaks Widgets) recommend: strict docs: |- Windows Web Experience Pack is a store app that enables Widgets feature [1]. The app is not needed and not known to break other OS functionality if you do not wish to use Widgets feature. This app is known to collect diagnostics data, individual widgets might also collect data [2]. See its [Windows Store Page](https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP). 
It requires you to agree with Microsoft's general privacy terms, see [privacy agreement](http://go.microsoft.com/fwlink/?LinkID=521839) [3]. The agreement allows Microsoft to collect your personal data [3]. [1]: https://support.microsoft.com/en-us/windows/how-to-update-the-windows-web-experience-pack-in-the-microsoft-store-a16c9bf1-f042-4dc9-a523-740cca1e1e60 "How to update the Windows Web Experience Pack in the Microsoft Store | support.microsoft.com" [2]: https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP "Windows Web Experience Pack - Microsoft Store Apps | apps.microsoft.com/store" [3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "Stay up to date with widgets | support.microsoft.com" call: function: UninstallStoreApp parameters: # Existence : Windows 10 (โ‰ฅ 22H2): โŒ Missing | Windows 11 (โ‰ฅ 22H2): โœ… Exists # More info : Get-AppxPackage MicrosoftWindows.Client.WebExperience packageName: MicrosoftWindows.Client.WebExperience publisherId: cw5n1h2txyewy - name: Remove Meet Now icon from taskbar recommend: strict docs: # Skype feature, introduced in 20H2, KB4580364 update - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow - https://www.windowscentral.com/how-disable-meet-now-feature-windows-10 code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d 1 /f revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f - category: Advanced settings children: - name: Set NTP (time) server to `pool.ntp.org` # Marked: stop-service-do-stuff-restart-service docs: https://www.pool.ntp.org/en/use.html recommend: strict # `sc queryex` output is same in every OS language code: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" :: Stop 
time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time service and sync now net start w32time w32tm /config /update w32tm /resync revertCode: |- :: Configure time source w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com" :: Stop time service if running SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||( net stop w32time ) :: Start time servie and sync now net start w32time w32tm /config /update w32tm /resync - name: Disable reserved storage for updates # since 19H1 (1903) docs: - https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState - https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves - https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy code: |- dism /online /Set-ReservedStorageState /State:Disabled /NoRestart reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f revertCode: |- DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f - name: Run script on startup [EXPERIMENTAL] 
code: |- del /f /q %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat copy "%~dpnx0" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat" revertCode: del /f /q %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat functions: - name: TerminateRunningProcess parameters: - name: executableNameWithExtension # Name of the executable file, including its extension, to be terminated. - name: revertExecutablePath # Path of the executable to be run during the revert process. optional: true - name: revertExecutableArgs # Arguments to pass to the executable during the revert process. optional: true docs: |- This function is designed to terminate a specified running process. It checks if the process is currently running and, if so, uses the `taskkill` command to forcibly terminate it. This function is particularly useful for stopping processes that may interfere with system configurations or other operations. call: - function: Comment parameters: codeComment: Check and terminate the running process "{{ $executableNameWithExtension }}" revertCodeComment: >- {{ with $revertExecutablePath }} Optionally start the process "{{ $executableNameWithExtension }}" if not running {{ end }} - function: RunInlineCode parameters: code: |- tasklist /fi "ImageName eq {{ $executableNameWithExtension }}" /fo csv 2>NUL | find /i "{{ $executableNameWithExtension }}">NUL && ( echo {{ $executableNameWithExtension }} is running and will be killed. taskkill /f /im {{ $executableNameWithExtension }} ) || ( echo Skipping, {{ $executableNameWithExtension }} is not running. ) # `start` command is used to start processes without blocking execution of rest of the script, see https://ss64.com/nt/start.html. 
revertCode: |- {{ with $revertExecutablePath }} tasklist /fi "ImageName eq {{ $executableNameWithExtension }}" /fo csv 2>NUL | find /i "{{ $executableNameWithExtension }}">NUL && ( echo Skipping, {{ $executableNameWithExtension }} is already running. ) || ( if exist "{{ . }}" ( start "" "{{ . }}" {{ with $revertExecutableArgs }}{{ . }}{{ end }} echo Executed {{ . }} {{ with $revertExecutableArgs }}{{ . }}{{ end }} ) else ( echo Failed to run the file, it does not exist. 1>&2 ) ) {{ end }} - name: TerminateExecutableOnLaunch parameters: - name: executableNameWithExtension # Filename of the executable (including its extension) to be terminated upon launch. docs: |- It immediately terminates a specified process whenever it starts. The function adds `Debugger` registry value to point to the `taskkill.exe` utility, a command-line tool used for terminating processes. This effectively means that every time the process attempts to start, `taskkill.exe` is invoked instead, leading to the immediate termination of the process. 
call: - function: TerminateRunningProcess parameters: executableNameWithExtension: '{{ $executableNameWithExtension }}' - function: Comment parameters: codeComment: Configure termination of "{{ $executableNameWithExtension }}" immediately upon its startup revertCodeComment: Remove configuration preventing "{{ $executableNameWithExtension }}" from starting - function: RunInlineCode parameters: code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }}" /v "Debugger" /t REG_SZ /d "%WINDIR%\System32\taskkill.exe" /f revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }}" /v "Debugger" /f 2>nul - name: DisableFeature parameters: - name: featureName code: dism /Online /Disable-Feature /FeatureName:"{{ $featureName }}" /NoRestart revertCode: dism /Online /Enable-Feature /FeatureName:"{{ $featureName }}" /NoRestart - name: UninstallStoreApp parameters: - name: packageName - name: publisherId call: - function: RunPowerShell parameters: codeComment: Uninstall '{{ $packageName }}' Microsoft Store app. code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage # This script attempts to reinstall the app that was just uninstalled, if necessary. # Re-installation strategy: # 1. Attempt to locate the package from another user's installation: # - Utilizes the `Get-AppxPackage` command with the `-AllUsers` flag to search across all user installations. # - Iterates through the results to locate the manifest file required for re-installation. # 2. Attempt to locate the package from the system installation: # - Utilizes the `Get-AppxPackage` command with `-RegisterByFamilyName` to search for the manifest file in the system installation. # - The app's package family name is constructed using its name and publisher ID. 
# Package Family Name is: `{PackageName}_{PublisherId}` # Learn more about package identity: https://learn.microsoft.com/en-us/windows/apps/desktop/modernize/package-identity-overview#publisher-id (https://archive.ph/Sx4JC) # - Based on tests, Windows attempts to locate the file in the installation location of the package. # This location can be identified using commands such as `(Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation`. # Possible installation locations include: # - `%WINDIR%\SystemApps\{PackageFamilyName}` (for system apps) # - `%WINDIR%\{ShortAppName}` (for system apps) # - `%SYSTEMDRIVE%\Program Files\WindowsApps\{PackageName}` (for non-system apps) # View all package locations: `Get-AppxPackage | Sort Name | Format-Table Name, InstallLocation` revertCodeComment: Reinstall '{{ $packageName }}' if it was previously uninstalled. revertCode: |- $packageName='{{ $packageName }}' $publisherId='{{ $publisherId }}' if (Get-AppxPackage -Name $packageName) { Write-Host "Skipping, `"$packageName`" is already installed for the current user." exit 0 } Write-Host "Starting the installation process for `"$packageName`"..." # Attempt installation using the manifest file Write-Host "Checking if `"$packageName`" is installed on another user profile..." $packages = @(Get-AppxPackage -AllUsers $packageName) if (!$packages) { Write-Host "`"$packageName`" is not installed on any other user profiles." } else { foreach ($package in $packages) { Write-Host "Found package `"$($package.PackageFullName)`"." $installationDir = $package.InstallLocation if ([string]::IsNullOrWhiteSpace($installationDir)) { Write-Warning "Installation directory for `"$packageName`" is not found or invalid." continue } $manifestPath = Join-Path -Path $installationDir -ChildPath 'AppxManifest.xml' try { if (-Not (Test-Path "$manifestPath")) { Write-Host "Manifest file not found for `"$packageName`" on another user profile: `"$manifestPath`"." 
continue } } catch { Write-Warning "An error occurred while checking for the manifest file: $($_.Exception.Message)" continue } Write-Host "Manifest file located. Trying to install using the manifest: `"$manifestPath`"..." try { Add-AppxPackage -DisableDevelopmentMode -Register "$manifestPath" -ErrorAction Stop Write-Host "Successfully installed `"$packageName`" using its manifest file." exit 0 } catch { Write-Warning "Error installing from manifest: $($_.Exception.Message)" } } } # Attempt installation using the package family name $packageFamilyName = "$($packageName)_$($publisherId)" Write-Host "Trying to install `"$packageName`" using its package family name: `"$packageFamilyName`" from system installation..." try { Add-AppxPackage -RegisterByFamilyName -MainPackage $packageFamilyName -ErrorAction Stop Write-Host "Successfully installed `"$packageName`" using its package family name." exit 0 } catch { Write-Warning "Error installing using package family name: $($_.Exception.Message)" } throw "Unable to reinstall the requested package ($packageName). " + ` "It appears to no longer be included in this version of Windows. " + ` "You may search for it or an alternative in the Microsoft Store or " + ` "consider using an earlier version of Windows where this package was originally provided." - function: RunInlineCode # This script prevents specified applications from being automatically reinstalled during Windows updates. # Windows has a feature where certain pre-installed applications (also known as provisioned apps) are reinstalled # when you perform a major update, even if they were previously uninstalled. 
# For detailed information, refer to the following Microsoft documentation: # - Deprovisioning Apps: https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps # - Archived versions: https://archive.ph/04108, https://web.archive.org/web/20231023131048/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps # - In-place Upgrade Recommendations: https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps # - Archived versions: https://archive.ph/I7Dwc, https://web.archive.org/web/20231023132613/https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps parameters: code: |- :: Mark '{{ $packageName }}' as deprovisioned to block reinstall during Windows updates. reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f revertCode: |- :: Remove '{{ $packageName }}' from deprovisioned list to allow reinstall during updates. reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f 2>nul - name: UninstallNonRemovableStoreApp parameters: - name: packageName - name: publisherId call: - # ❗️ ORDERING: Run before `UninstallStoreApp` to enable removal of system apps. function: CreateRegistryKey parameters: codeComment: Enable removal of system app '{{ $packageName }}' by marking it as "EndOfLife" # This script modifies the system registry to enable the uninstallation of a specified app. # Some apps (including system apps) are marked as non-removable, which prevents uninstallation and results in error 0x80070032 if an uninstall is attempted. 
# To bypass this, the script marks the app as 'EndOfLife' in the registry, tricking the system into allowing the uninstallation. keyName: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} replaceSid: 'true' - function: UninstallStoreApp parameters: packageName: '{{ $packageName }}' publisherId: '{{ $publisherId }}' - # ❗️ ORDERING: Run after `UninstallStoreApp` to restore the app to its default state. function: DeleteRegistryKey parameters: codeComment: Revert '{{ $packageName }}' to its default, non-removable state. # This script reverses the previous modification made to the Windows registry to enable its uninstallation. # By removing the 'EndOfLife' status from the registry entry, the app is restored to its default, non-removable state. # Restoring (removing) this key is important for maintaining the stability of Windows Updates (for details: https://github.com/undergroundwires/privacy.sexy/issues/287). keyName: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }} replaceSid: 'true' - name: UninstallNonRemovableStoreAppWithCleanup # ❗️ Prefer `UninstallNonRemovableStoreApp` for new scripts # 💡 Purpose: # This function is designed for comprehensive cleanup, removing the store app along with associated data such as installation directories, user data, and metadata. # # It is maintained primarily for backward compatibility, supporting users who need to reverse changes made by earlier versions of privacy.sexy scripts that included app data removal. # Historically, due to limitations in uninstalling non-removable apps through Windows package management tools (like `Remove-AppxPackage`), earlier versions of privacy.sexy scripts # relied on a soft-deletion approach for app data. Newer scripts can now effectively use Windows package management to remove such apps. 
# # For general usage in new scripts, prefer `UninstallNonRemovableStoreApp`. It offers a simpler, safer, and less invasive approach. The extensive cleanup performed by # this function is typically unnecessary for most users. parameters: - name: packageName - name: publisherId call: - function: ClearStoreAppDataBeforeUninstallation parameters: packageName: '{{ $packageName }}' publisherId: '{{ $publisherId }}' - function: UninstallNonRemovableStoreApp parameters: packageName: '{{ $packageName }}' publisherId: '{{ $publisherId }}' - function: ClearStoreAppDataAfterUninstallation parameters: packageName: '{{ $packageName }}' publisherId: '{{ $publisherId }}' - name: ClearStoreAppDataBeforeUninstallation parameters: - name: packageName - name: publisherId call: - # โ—๏ธ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting. # Clear: Installation (SystemApps, Directory I) # - Folder : %WINDIR%\SystemApps\{PackageFamilyName} # - Example : C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy # - Check : (Get-AppxPackage -AllUsers 'Windows.CBSPreview').InstallLocation # - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation function: SoftDeleteFiles parameters: fileGlob: '%WINDIR%\SystemApps\{{ $packageName }}_{{ $publisherId }}\*' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 recurse: 'true' - # โ—๏ธ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting. # Clear: Installation (SystemApps, Directory II) # - Folder : %WINDIR%\{ShortAppName} # - Example : C:\Windows\PrintDialog # - Check : (Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation # - Check all : Get-AppxPackage -PackageTypeFilter Main | ? 
{ $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation function: SoftDeleteFiles parameters: fileGlob: >- %WINDIR%\$(("{{ $packageName }}" -Split '\.')[-1])\* grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 recurse: 'true' - # โ—๏ธ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting. # Clear: Installation (non-system i.e. provisioned and installed apps) # - Folder : %SYSTEMDRIVE%\Program Files\WindowsApps\{PackageFullName} # - Example : C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe # - Check : (Get-AppxPackage -AllUsers 'Microsoft.BingWeather').InstallLocation # - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "Store" } | Sort Name | Format-Table Name, InstallLocation function: SoftDeleteFiles parameters: fileGlob: '%SYSTEMDRIVE%\Program Files\WindowsApps\{{ $packageName }}_*_{{ $publisherId }}\*' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 (when deleting `Microsoft.SecHealthUI`) recurse: 'true' - name: ClearStoreAppDataAfterUninstallation parameters: - name: packageName - name: publisherId call: - # โ—๏ธ ORDERING: Run after `UninstallStoreApp` to ensure only leftover files are removed without keeping unnecessary files on the system. # Clear: User-specific data # - Folder : %LOCALAPPDATA%\Packages\{PackageFamilyName} # - Example : C:\Users\undergroundwires\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy # - Check : "$env:LOCALAPPDATA\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFamilyName)" function: SoftDeleteFiles parameters: fileGlob: '%LOCALAPPDATA%\Packages\{{ $packageName }}_{{ $publisherId }}\*' recurse: 'true' - # โ—๏ธ ORDERING: Run after `UninstallStoreApp` to ensure only leftover files are removed without keeping unnecessary files on the system. 
# Clear: Metadata # - Folder : %PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{PackageFullName} # - Example : C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Windows.CBSPreview_10.0.19580.1000_neutral_neutral_cw5n1h2txyewy # - Check : "$env:PROGRAMDATA\Microsoft\Windows\AppRepository\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFullName)" function: SoftDeleteFiles parameters: fileGlob: '%PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{{ $packageName }}_*_{{ $publisherId }}\*' grantPermissions: 'true' # ๐Ÿ”’๏ธ Protected on Windows 10 since 22H2 | ๐Ÿ”’๏ธ Protected on Windows 11 since 22H2 recurse: 'true' - name: UninstallCapability parameters: - name: capabilityName call: function: RunPowerShell parameters: code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online revertCode: |- $capability = Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' Add-WindowsCapability -Name "$capability.Name" -Online - name: SoftDeleteFiles # ๐Ÿ’ก Purpose: # Renames files matching a given glob pattern by appending a `.OLD` extension, effectively "soft deleting" them. # It does not touch any of the folders. # This allows for easier restoration and less immediate disruption compared to permanent deletion. # ๐Ÿค“ Implementation: # 1. (with `grantPermissions`:) Elevate script privileges. # 2. Iterate every file in the given directory, and for each file: # - (with `grantPermissions`:) Grant permissions to file to be able to modify it. # - Rename the file. # - (with `grantPermissions`:) Restore permissions of the file to its original state # 3. (with `grantPermissions`:) Remove elevated script privileges. 
parameters: - name: fileGlob - name: grantPermissions optional: true - name: recurse optional: true call: - function: Comment parameters: codeComment: >- Soft delete files matching pattern {{ with $grantPermissions }}(with additional permissions){{ end }} : "{{ $fileGlob }}" revertCodeComment: >- Restore files matching pattern {{ with $grantPermissions }}(with additional permissions){{ end }} : "{{ $fileGlob }}" - function: IterateGlob parameters: pathGlob: '{{ $fileGlob }}' revertPathGlob: '{{ $fileGlob }}.OLD' recurse: '{{ with $recurse }}{{ . }}{{ end }}' # Elevating privileges: # Another (simpler) implementation would be: # ``` # $setPrivilegeFunction = [System.Diagnostics.Process].GetMethods(42) | Where-Object { $_.Name -eq 'SetPrivilege' } # $privileges = @('SeRestorePrivilege', 'SeTakeOwnershipPrivilege') # foreach ($privilege in $privileges) { # $setPrivilegeFunction.Invoke($null, @($privilege, 2)) # } # ``` beforeIteration: |- $renamedCount = 0 $skippedCount = 0 $failedCount = 0 {{ with $grantPermissions }} Add-Type -TypeDefinition @" using System; using System.Runtime.InteropServices; public class Privileges { [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen); [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok); [DllImport("advapi32.dll", SetLastError = true)] internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid); [StructLayout(LayoutKind.Sequential, Pack = 1)] internal struct TokPriv1Luid { public int Count; public long Luid; public int Attr; } internal const int SE_PRIVILEGE_ENABLED = 0x00000002; internal const int TOKEN_QUERY = 0x00000008; internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; public static bool AddPrivilege(string privilege) { try { bool 
retVal; TokPriv1Luid tp; IntPtr hproc = GetCurrentProcess(); IntPtr htok = IntPtr.Zero; retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); tp.Count = 1; tp.Luid = 0; tp.Attr = SE_PRIVILEGE_ENABLED; retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); return retVal; } catch (Exception ex) { throw new Exception("Failed to adjust token privileges", ex); } } public static bool RemovePrivilege(string privilege) { try { bool retVal; TokPriv1Luid tp; IntPtr hproc = GetCurrentProcess(); IntPtr htok = IntPtr.Zero; retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); tp.Count = 1; tp.Luid = 0; tp.Attr = 0; // This line is changed to revoke the privilege retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); return retVal; } catch (Exception ex) { throw new Exception("Failed to adjust token privileges", ex); } } [DllImport("kernel32.dll", CharSet = CharSet.Auto)] public static extern IntPtr GetCurrentProcess(); } "@ [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]) $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $adminAccount, ` [System.Security.AccessControl.FileSystemRights]::FullControl, ` [System.Security.AccessControl.AccessControlType]::Allow ` ) {{ end }} # Marked: refactor-with-variables # Granting permission is identical to `DisableScheduledTask`. duringIteration: |- if (Test-Path -Path $path -PathType Container) { Write-Host "Skipping folder (not its contents): `"$path`"." 
$skippedCount++ continue } if($revert -eq $true) { if (-not $path.EndsWith('.OLD')) { Write-Host "Skipping non-backup file: `"$path`"." $skippedCount++ continue } } else { if ($path.EndsWith('.OLD')) { Write-Host "Skipping backup file: `"$path`"." $skippedCount++ continue } } $originalFilePath = $path Write-Host "Processing file: `"$originalFilePath`"." if (-Not (Test-Path $originalFilePath)) { Write-Host "Skipping, file `"$originalFilePath`" not found." $skippedCount++ exit 0 } {{ with $grantPermissions }} $originalAcl = Get-Acl -Path "$originalFilePath" $accessGranted = $false try { $acl = Get-Acl -Path "$originalFilePath" $acl.SetOwner($adminAccount) # Take Ownership (because file is owned by TrustedInstaller) $acl.AddAccessRule($adminFullControlAccessRule) # Grant rights to be able to move the file Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop $accessGranted = $true } catch { Write-Warning "Failed to grant access to `"$originalFilePath`": $($_.Exception.Message)" } {{ end }} if ($revert -eq $true) { $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4) } else { $newFilePath = "$($originalFilePath).OLD" } try { Move-Item -LiteralPath "$($originalFilePath)" -Destination "$newFilePath" -Force -ErrorAction Stop Write-Host "Successfully processed `"$originalFilePath`"." 
$renamedCount++ {{ with $grantPermissions }} if ($accessGranted) { try { Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop } catch { Write-Warning "Failed to restore access on `"$newFilePath`": $($_.Exception.Message)" } } {{ end }} } catch { Write-Error "Failed to rename `"$originalFilePath`" to `"$newFilePath`": $($_.Exception.Message)" $failedCount++ {{ with $grantPermissions }} if ($accessGranted) { try { Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop } catch { Write-Warning "Failed to restore access on `"$originalFilePath`": $($_.Exception.Message)" } } {{ end }} } afterIteration: |- if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) { Write-Host "Successfully processed $renamedCount items and skipped $skippedCount items." } if ($failedCount -gt 0) { Write-Warning "Failed to processed $($failedCount) items." } {{ with $grantPermissions }} [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null {{ end }} - name: SetVsCodeSetting parameters: - name: setting - name: powerShellValue call: function: RunPowerShell parameters: code: |- $settingKey='{{ $setting }}' $settingValue={{ $powerShellValue }} $jsonFilePath = "$($env:APPDATA)\Code\User\settings.json" if (!(Test-Path $jsonFilePath -PathType Leaf)) { Write-Host "Skipping, no updates. Settings file was not at `"$jsonFilePath`"." exit 0 } try { $fileContent = Get-Content $jsonFilePath -ErrorAction Stop } catch { throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_" } if ([string]::IsNullOrWhiteSpace($fileContent)) { Write-Host "Settings file is empty. Treating it as default empty JSON object." $fileContent = "{}" } try { $json = $fileContent | ConvertFrom-Json } catch { throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". 
Error: $_" } $existingValue = $json.$settingKey if ($existingValue -eq $settingValue) { Write-Host "Skipping, `"$settingKey`" is already configured as `"$settingValue`"." exit 0 } $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force $json | ConvertTo-Json | Set-Content $jsonFilePath Write-Host "Successfully applied the setting to the file: `"$jsonFilePath`"." revertCode: |- $settingKey='{{ $setting }}' $settingValue={{ $powerShellValue }} $jsonFilePath = "$($env:APPDATA)\Code\User\settings.json" if (!(Test-Path $jsonFilePath -PathType Leaf)) { Write-Host "Skipping, no need to revert because settings file is not found: `"$jsonFilePath`"." exit 0 } try { $fileContent = Get-Content $jsonFilePath -ErrorAction Stop } catch { throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_" } if ([string]::IsNullOrWhiteSpace($fileContent)) { Write-Host "Skipping, no need to revert because settings file is empty: `"$jsonFilePath`"." exit 0 } try { $json = $fileContent | ConvertFrom-Json } catch { throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". Error: $_" } if (!$json.PSObject.Properties[$settingKey]) { Write-Host "Skipping, no need to revert because setting `"$settingKey`" does not exist." exit 0 } if ($json.$settingKey -ne $settingValue) { Write-Host "Skipping, setting (`"$settingKey`") has different configuration than `"$settingValue`": `"$($json.$settingKey)`"." exit 0 } $json.PSObject.Properties.Remove($settingKey) $json | ConvertTo-Json | Set-Content $jsonFilePath Write-Host "Successfully reverted the setting from file: `"$jsonFilePath`"." - name: RunPowerShell parameters: - name: code - name: revertCode optional: true - name: codeComment optional: true - name: revertCodeComment optional: true call: - function: Comment parameters: codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $revertCodeComment }}{{ . 
}}{{ end }}' - function: RunInlineCode parameters: code: PowerShell -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}" revertCode: |- {{ with $revertCode }} PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}" {{ end }} - name: DisablePerUserService parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual # More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows call: - # System-wide variant: every per-user service also has a system-wide counterpart with the same default startup mode function: DisableServiceInRegistry parameters: serviceName: '{{ $serviceName }}' defaultStartupMode: '{{ $defaultStartupMode }}' - # Per-user variant function: DisableServiceInRegistry parameters: serviceName: '{{ $serviceName }}_*' defaultStartupMode: '{{ $defaultStartupMode }}' - name: RunInlineCode parameters: - name: code optional: true - name: revertCode optional: true code: '{{ with $code }}{{ . }}{{ end }}' revertCode: '{{ with $revertCode }}{{ . }}{{ end }}' - name: RunPowerShellWithSameCodeAndRevertCode parameters: - name: code - name: codeComment optional: true call: function: RunPowerShell parameters: code: '{{ $code }}' revertCode: '{{ $code }}' codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $codeComment }}{{ . }}{{ end }}' - name: RunInlineCodeAsTrustedInstaller parameters: - name: code - name: revertCode optional: true call: function: RunPowerShell parameters: # PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks. # Seen e.g. on Windows 11 when reverting scripts after executing them and rebooting. 
# They have been seen to throw different exceptions: # - `Unregister-ScheduledTask : The system cannot find the file specified` # `ObjectNotFound: (MSFT_ScheduledTask:Root/Microsoft/...T_ScheduledTask)` with `HRESULT 0x80070002` # - `No MSFT_ScheduledTask objects found with property 'TaskName'` # - Because the task is already running but `Get-ScheduledTask` cannot find it, it throws: # `Failed to execute with exit code: 267009` # Solution: # Checking if the task is running: # - ❌ Not using `$(schtasks.exe /query /tn "$taskName" 2>$null)".Contains('Running')` because it outputs # different text (not always "Running") in German/English versions. # - ❌ Not using `(Get-ScheduledTask $taskName -ErrorAction Ignore).State -eq 'Running'` # because `Get-ScheduledTask` sometimes fails. # - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running. # Deleting the existing task: # - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002` # - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null` # to suppress errors. 
code: |- $command = '{{ $code }}' $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) $streamOutFile = New-TemporaryFile $batchFile = New-TemporaryFile try { $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII $taskName = 'privacy.sexy invoke' schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output $taskAction = New-ScheduledTaskAction ` -Execute 'cmd.exe' ` -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1" $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` -Action $taskAction ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null $timeOutLimit = (Get-Date).AddMinutes(5) Write-Host "Running as $trustedInstallerName" while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 if((Get-Date) -gt $timeOutLimit) { Write-Warning "Skipping results, it took so long to execute script." break; } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "Failed to execute with exit code: $result." } } finally { schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors } Get-Content $streamOutFile } finally { Remove-Item $streamOutFile, $batchFile } revertCode: |- # Duplicated until custom pipes are implemented {{ with $revertCode }} $command = '{{ . 
}}' $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464') $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]) $streamOutFile = New-TemporaryFile $batchFile = New-TemporaryFile try { $batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII $taskName = 'privacy.sexy invoke' schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output $taskAction = New-ScheduledTaskAction ` -Execute 'cmd.exe' ` -Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1" $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask ` -TaskName $taskName ` -Action $taskAction ` -Settings $settings ` -Force ` -ErrorAction Stop ` | Out-Null try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect() $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null $timeOutLimit = (Get-Date).AddMinutes(5) Write-Host "Running as $trustedInstallerName" while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 if((Get-Date) -gt $timeOutLimit) { Write-Warning "Skipping results, it took so long to execute script." break; } } if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "Failed to execute with exit code: $result." 
} } finally { schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors } Get-Content $streamOutFile } finally { Remove-Item $streamOutFile, $batchFile } {{ end }} - name: DisableServiceInRegistry parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual call: function: RunPowerShell parameters: code: |- # We use the registry because the GUI, "sc config" and "Set-Service" won't work $serviceQuery = '{{ $serviceName }}' # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue if(!$service) { Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it." Exit 0 } $serviceName = $service.Name Write-Host "Disabling service: `"$serviceName`"." # -- 2. Stop if running if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is running, trying to stop it." try { Stop-Service -Name "$serviceName" -Force -ErrorAction Stop Write-Host "Stopped `"$serviceName`" successfully." } catch { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_" } } else { Write-Host "`"$serviceName`" is not running, no need to stop." } # -- 3. Skip if service info is not found in registry $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" if(!(Test-Path $registryKey)) { Write-Host "`"$registryKey`" is not found in registry, cannot enable it." Exit 0 } # -- 4. Skip if already disabled if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) { Write-Host "`"$serviceName`" is already disabled from start, no further action is needed." Exit 0 } # -- 5. Disable service try { Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop Write-Host "Disabled `"$serviceName`" successfully." 
} catch { Write-Error "Could not disable `"$serviceName`": $_" } revertCode: |- $serviceQuery = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue if(!$service) { Write-Warning "Service query `"$serviceQuery`" did not yield and results, cannot enable it." Exit 1 } $serviceName = $service.Name Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." # -- 2. Skip if service info is not found in registry $registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName" if(!(Test-Path $registryKey)) { Write-Warning "`"$registryKey`" is not found in registry, cannot enable it." Exit 1 } # -- 3. Enable if not already enabled $defaultStartupRegValue = ` if ($defaultStartupMode -eq 'Boot') { '0' } ` elseif($defaultStartupMode -eq 'System') { '1' } ` elseif($defaultStartupMode -eq 'Automatic') { '2' } ` elseif($defaultStartupMode -eq 'Manual') { '3' } ` else { throw "Unknown start mode: $defaultStartupMode"} if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start." } else { try { Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer." } catch { Write-Error "Could not enable `"$serviceName`": $_" Exit 1 } } # -- 4. Start if not running (must be enabled first) if($defaultStartupMode -eq 'Automatic') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, trying to start it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." 
} catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } } - name: SetMpPreference # Configures preferences for Microsoft Defender scans and updates. # ❗️ Requires the "WinDefend" service to be running, otherwise it fails. parameters: - name: property - name: value - # When provided, it sets defaults using `Set-MpPreference`. # Used by default in Windows 10 as the `Remove-MpPreference` cmdlet is very limited/poor in Windows 10. # Ignored by default in Windows 11 unless a value is provided for `setDefaultOnWindows11`. name: default optional: true - # When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference`. # Should be used in cases where the `Remove-MpPreference` cmdlet does not set the expected values in Windows 11. name: setDefaultOnWindows11 optional: true call: function: RunPowerShell parameters: # Unsupported arguments -> # Skips when the error contains "Cannot convert"; this happens e.g. when trying to set `PlatformUpdatesChannel`, # `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms # and throws e.g. with: # `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value # "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType". # Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the # following enumerator names and try again: NotConfigured, Beta, Preview"` code: |- $propertyName = '{{ $property }}' $value = {{ $value }} if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) { Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired." exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' 
exit 0 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$value -ErrorAction Stop" Set-MpPreference -Force -{{ $property }} $value -ErrorAction Stop Write-Host "Successfully set `"$propertyName`" to `"$value`"." exit 0 } catch { if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" exit 0 } elseif (($_ | Out-String) -like '*Cannot convert*') { Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } else { Write-Error "Failed to set using $($command.Name): $_" exit 1 } } # `Remove-MpPreference` is different in Windows 11 / 10 # Windows 11 and 10 have different revert behavior, caused by the different `Remove-MpPreference` cmdlet versions they ship. # Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps # Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps # On Windows 11: # - By default, `Remove-MpPreference` sets default values for settings in all cases. # - The `setDefaultOnWindows11` parameter changes this behavior to set the default value using `Set-MpPreference`. # On Windows 10: # - If the `default` argument is provided, it's set using `Set-MpPreference`. # - The `default` argument should not be provided if `Remove-MpPreference` is supported in Windows 10. revertCode: |- $propertyName = '{{ $property }}' {{ with $default }} $defaultValue = {{ . 
}} {{ end }} $setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false $setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false $osVersion = [System.Environment]::OSVersion.Version function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) } function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } # ------ Set-MpPreference ------ if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) { if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) { Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"." exit 0 } $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Set-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to set using $($command.Name): $_" } exit 1 } } # ------ Remove-MpPreference ------ $command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore if (!$command) { Write-Warning 'Skipping. Command not found: "Remove-MpPreference".' exit 1 } if(!$command.Parameters.Keys.Contains($propertyName)) { Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"." 
exit 0 } try { Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop" Write-Host "Successfully restored `"$propertyName`" to its default." exit 0 } catch { if ($_.FullyQualifiedErrorId -like '*0x800106ba*') { Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?" } else { Write-Error "Failed to set using $($command.Name): $_" } exit 1 } - name: DisableService parameters: - name: serviceName - name: defaultStartupMode # Allowed values: Automatic | Manual call: function: RunPowerShell # Careful with Set-Service cmdlet: # 1. It exits with positive code even if service is disabled # 2. It had breaking API change for `-StartupMode` parameter: # Powershell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual # PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled # So "Disabled", "Automatic" and "Manual" are only consistent ones. # Read more: # https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978 # https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.1 parameters: code: |- $serviceName = '{{ $serviceName }}' Write-Host "Disabling service: `"$serviceName`"." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if(!$service) { Write-Host "Service `"$serviceName`" could not be not found, no need to disable it." Exit 0 } # -- 2. Stop if running if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is running, stopping it." try { Stop-Service -Name "$serviceName" -Force -ErrorAction Stop Write-Host "Stopped `"$serviceName`" successfully." 
} catch { Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_" } } else { Write-Host "`"$serviceName`" is not running, no need to stop." } # -- 3. Skip if already disabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } if($startupType -eq 'Disabled') { Write-Host "$serviceName is already disabled, no further action is needed" } # -- 4. Disable service try { Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop Write-Host "Disabled `"$serviceName`" successfully." } catch { Write-Error "Could not disable `"$serviceName`": $_" } revertCode: |- $serviceName = '{{ $serviceName }}' $defaultStartupMode = '{{ $defaultStartupMode }}' Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start." # -- 1. Skip if service does not exist $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue if(!$service) { Write-Warning "Service `"$serviceName`" could not be not found, cannot enable it." Exit 1 } # -- 2. Enable or skip if already enabled $startupType = $service.StartType # Does not work before .NET 4.6.1 if(!$startupType) { $startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode if(!$startupType) { $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode } } if($startupType -eq "$defaultStartupMode") { Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed." 
} else { try { Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer." } catch { Write-Error "Could not enable `"$serviceName`": $_" Exit 1 } } # -- 4. Start if not running (must be enabled first) if($defaultStartupMode -eq 'Automatic') { if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) { Write-Host "`"$serviceName`" is not running, starting it." try { Start-Service $serviceName -ErrorAction Stop Write-Host "Started `"$serviceName`" successfully." } catch { Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_" } } else { Write-Host "`"$serviceName`" is already running, no need to start." } } - name: ShowWarning parameters: - name: message - name: ignoreWindows11 # Ignores warning message on Windows 11, allowed values: true | false, default: false - name: ignoreWindows10 # Ignores warning message on Windows 10, allowed values: true | false, default: false call: function: RunPowerShell parameters: code: |- $warningMessage = '{{ $message }}' $ignoreWindows10 = {{ with $ignoreWindows10 }} $true # {{ end }} $false $ignoreWindows11 = {{ with $ignoreWindows11 }} $true # {{ end }} $false $osVersion = [System.Environment]::OSVersion.Version function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) } function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) } if (($ignoreWindows10 -and (Test-IsWindows10)) -or ($ignoreWindows11 -and (Test-IsWindows11))) { exit 0 # Skip } Write-Warning "$warningMessage" # revertCode: No warnings needed when reverting - name: RemoveBrowserAssociations parameters: - name: progIdPattern - name: toastAssociations call: - function: RunPowerShell # See all default OS assocations: # 1. 
Open an elevated prompt # 2. Run `dism /online /export-defaultappassociations:C:\appassoc.xml` # 3. Inspect `C:\appassoc.xml` # Registry locations: # - File associations: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\{extension}\UserChoice` # - URL associations: `HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\{url}\UserChoice` parameters: # - # This script uses WMI StdRegProv methods to modify the registry. # Because deleting key with `Remove-Item -Path $path -Recurse -Force -ErrorAction Stop` fails with: # Cannot delete a subkey tree because the subkey does not exist. # CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException # FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException code: |- $programIdPattern = '{{ $progIdPattern }}' $defaultAssociations = @( @{ Type = 'File'; Ext = '.htm'; } @{ Type = 'File'; Ext = '.html'; } @{ Type = 'File'; Ext = '.pdf'; } @{ Type = 'File'; Ext = '.mht'; } @{ Type = 'File'; Ext = '.mhtml'; } @{ Type = 'File'; Ext = '.svg'; } @{ Type = 'File'; Ext = '.url'; } @{ Type = 'File'; Ext = '.website'; } @{ Type = 'File'; Ext = '.xht'; } @{ Type = 'File'; Ext = '.xhtml'; } @{ Type = 'URL'; Ext = 'ftp'; } @{ Type = 'URL'; Ext = 'http'; } @{ Type = 'URL'; Ext = 'https'; } @{ Type = 'URL'; Ext = 'microsoft-edge'; } @{ Type = 'URL'; Ext = 'microsoft-edge-holographic'; } @{ Type = 'URL'; Ext = 'ms-xbl-3d8b930f'; } @{ Type = 'URL'; Ext = 'read'; } ) foreach ($assoc in $defaultAssociations) { $path = $null if ($assoc.Type -eq 'File') { $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$($assoc.Ext)\UserChoice" } elseif ($assoc.Type -eq 'URL') { $path = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$($assoc.Ext)\UserChoice" } else { throw "Error, unknown type: $($assoc.Type)" } $currentProgramId = Get-ItemProperty -Path $path -Name 'Progid' -ErrorAction Ignore | Select-Object -ExpandProperty Progid if (!$currentProgramId) { 
Write-Host "Skipping, no association found for `"$($assoc.Ext)`" in `"$path`" matching `"$programIdPattern`"." continue } if ($currentProgramId -notlike $programIdPattern) { Write-Host "Skipping, association found `"$currentProgramId`" in `"$path`" does not match pattern `"$programIdPattern`"." continue } $hkcuHiveId = 2147483649 $pathWithoutHive = ($path -split ':\\')[1] $wmi = Get-WmiObject -List -Namespace root\default | Where-Object {$_.Name -eq 'StdRegProv'} $result = $wmi.DeleteKey($hkcuHiveId, $pathWithoutHive) if ($result.ReturnValue -ne 0) { Write-Error "Failed to delete `"$path`": Return code $($result.ReturnValue)" continue } Write-Host "Successfully removed `"$($assoc.Ext)`" association in `"$path`"." } # Differences in OS defaults: # - `.url` : `InternetShortcut` in Windows 11, and `IE.AssocFile.URL` in Windows 10 # - `.website`: N/A (missing) in Windows 11, `IE.AssocFile.WEBSITE` in Windows 10 # Setting keys work fine on Windows 11 but fails with access error on Windows 10, so this script modifies ACLs. 
revertCode: |- $defaultAssociations = @( @{ Type = 'File'; Ext = '.htm'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.html'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.pdf'; ProgId = 'MSEdgePDF'; } @{ Type = 'File'; Ext = '.mht'; ProgId = 'MSEdgeMHT'; } @{ Type = 'File'; Ext = '.mhtml'; ProgId = 'MSEdgeMHT'; } @{ Type = 'File'; Ext = '.svg'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.url'; ProgId = 'InternetShortcut'; } @{ Type = 'File'; Ext = '.website'; ProgId = 'IE.AssocFile.WEBSITE'; } @{ Type = 'File'; Ext = '.xht'; ProgId = 'MSEdgeHTM'; } @{ Type = 'File'; Ext = '.xhtml'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'ftp'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'http'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'https'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'microsoft-edge'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'microsoft-edge-holographic'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'ms-xbl-3d8b930f'; ProgId = 'MSEdgeHTM'; } @{ Type = 'URL'; Ext = 'read'; ProgId = 'MSEdgeHTM'; } ) foreach ($assoc in $defaultAssociations) { $path = $null if ($assoc.Type -eq 'File') { $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$($assoc.Ext)\UserChoice" } elseif ($assoc.Type -eq 'URL') { $path = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$($assoc.Ext)\UserChoice" } else { throw "Unknown type: $($assoc.Type)" } $currentValue = Get-ItemProperty -Path $path -Name 'Progid' -ErrorAction SilentlyContinue if ($currentValue -and ($currentValue.Progid -eq $assoc.ProgId)) { Write-Host "Skipping, `"$($assoc.Ext)`" association already has the desired value. No changes needed." continue } if ($currentValue -and $currentValue.Progid) { Write-Host "Updating existing `"$($currentValue.Progid)`" to `"$($assoc.ProgId)`"." } else { Write-Host "Adding new association `"$($assoc.ProgId)`"." 
} if (-Not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null Write-Host "Successfully created missing `"$path`"." } # Remove deny access rules $pathWithoutHive = ($path -split ':\\')[1] $registrySubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($pathWithoutHive, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions) $accessControlList = $registrySubKey.GetAccessControl() $denyAccessRules = @($accessControlList.Access.Where({ $_.AccessControlType -eq "Deny" })) foreach ($denyAccessRule in $denyAccessRules) { $accessControlList.RemoveAccessRule($denyAccessRule) } if ($denyAccessRules.Count -gt 0) { $registrySubKey.SetAccessControl($accessControlList) $registrySubKey.Close() Write-Host "Successfully removed deny access rules from `"$pathWithoutHive`"." } # Update registry key Set-ItemProperty -Path $path -Name 'Progid' -Value $assoc.ProgId -Force -ErrorAction Continue Write-Host "Successfully updated association for `"$($assoc.Ext)`"" # Restore permissions if ($denyAccessRules.Count -gt 0) { foreach ($denyAccessRule in $denyAccessRules) { $accessControlList.AddAccessRule($denyAccessRule) } $registrySubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($pathWithoutHive, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions) $registrySubKey.SetAccessControl($accessControlList) $registrySubKey.Close() Write-Host "Successfully added back deny access rules to `"$pathWithoutHive`"." 
} } - # Remove associations from the "Open With" context menu # Edge uninstallers do not remove these associations function: RunPowerShell # When reverting, using batch (`reg add /t REG_NONE`) does not add exactly the same default value # These associations can be found at: # - New, chromium : HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations # - Legacy, store : HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\FileAssociations # - See Microsoft docs for default associations: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/272f15b1d7ea4768e79eb74cfe24d584823970ef/windows/client-management/mdm/policy-csp-applicationdefaults.md?plain=1#L80-L87 parameters: code: |- $extensions = @('.htm', '.html', '.pdf', '.svg') foreach ($extension in $extensions) { $path = "HKCU:\Software\Classes\$extension\OpenWithProgids" Write-Host "Removing association for `"$extension`": `"$path`"..." Remove-Item -Path $path -Force -ErrorAction SilentlyContinue } revertCode: |- # Common defaults since Windows 10 21H2 and Windows 11 21H2 $defaultContextMenuAssociations = @( @{ Extension='.htm'; Name='AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9'; } @{ Extension='.html'; Name='AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9'; } @{ Extension='.pdf'; Name='AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723'; } @{ Extension='.svg'; Name='AppXde74bfzw9j31bzhcvsrxsyjnhhbq66cs'; } ) foreach ($assoc in $defaultContextMenuAssociations) { $path = "HKCU:\Software\Classes\$($assoc.Extension)\OpenWithProgids" $value = Get-ItemProperty -Path $path -Name $assoc.Name -ErrorAction SilentlyContinue if ($value -and [System.BitConverter]::ToString($value.$($assoc.Name)) -eq '') { Write-Host "Skipping, no changes needed for `"$($assoc.Name)`" association." 
continue } if (-Not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null } Set-ItemProperty -Path $path -Name $assoc.Name -Value ([byte[]]@()) -Type None -Force Write-Host "Successfully reverted association for `"$($assoc.Name)`"." } - function: RunInlineCode # Clean application toasts associations # Description: # The HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts registry key in Windows stores user preferences for file type and application associations. # When a user opens a file with a non-default application, Windows may display a "toast" notification suggesting the use of the default application for that file type. The user's # response to this suggestion is recorded in the ApplicationAssociationToasts registry key. This allows Windows to remember the user's application preferences for specific file types # and determine whether to show the notification again in the future. parameters: code: |- for %%a in ( {{ $toastAssociations }} ) do ( echo Removing association toast for "%%a"... reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" /v "%%a" /f 2>nul ) revertCode: |- for %%a in ( {{ $toastAssociations }} ) do ( echo Restoring association toast for "%%a"... reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" /v "%%a" /t "REG_DWORD" /d "0" /f ) - name: RemoveShortcutFiles parameters: - name: shortcutItems - name: targetFile call: function: RunPowerShell parameters: code: |- $shortcuts = @( {{ $shortcutItems }} ) foreach ($shortcut in $shortcuts) { if (-Not (Test-Path $shortcut.Path)) { Write-Host "Skipping, shortcut does not exist: `"$($shortcut.Path)`"." continue } try { Remove-Item -Path $shortcut.Path -Force -ErrorAction Stop Write-Output "Successfully removed shortcut: `"$($shortcut.Path)`"." } catch { Write-Error "Encountered an issue while attempting to remove shortcut at: `"$($shortcut.Path)`"." 
} } revertCode: |- $targetFile = "{{ $targetFile }}" $shortcuts = @( {{ $shortcutItems }} ) if (-Not (Test-Path $targetFile)) { Write-Warning "Target file `"$targetFile`" does not exist." } $wscriptShell = $null try { $wscriptShell = New-Object -ComObject WScript.Shell } catch { throw "Failed to create WScript.Shell object: $($_.Exception.Message)" } foreach ($shortcut in $shortcuts) { if (-Not $shortcut.Revert) { Write-Host "Skipping, revert operation is not needed for: `"$($shortcut.Path)`"." continue } if (Test-Path $shortcut.Path) { Write-Host "Shortcut already exists, skipping: `"$($shortcut.Path)`"." continue } try { $shellShortcut = $wscriptShell.CreateShortcut($shortcut.Path) $shellShortcut.TargetPath = $targetFile $shellShortcut.Save() Write-Output "Successfully created shortcut at `"$($shortcut.Path)`"." } catch { Write-Error "An error occurred while creating the shortcut at `"$($shortcut.Path)`"." } } - name: Comment # 💡 Purpose: # Adds a comment to the executed code for better readability and debugging. # This function does not affect the execution flow but helps in understanding the purpose of subsequent code. parameters: - name: codeComment optional: true - name: revertCodeComment optional: true call: function: RunInlineCode parameters: code: '{{ with $codeComment }}:: {{ . }}{{ end }}' revertCode: '{{ with $revertCodeComment }}:: {{ . }}{{ end }}' - # ℹ️ Behavior: # Searches for files and directories based on a Unix-style glob pattern and iterates over them. # Similar to the `ls` command. # Primarily supports the `*` wildcard; compatibility with other patterns is not tested. # 💡 Usage: # This is a low-level function. Favor using other functions in script calls. # It provides the following variables to the code passed in argument values: # - `$expandedPath` : Expanded path glob pattern. # - `$path` : Current iterated path (only available for `duringIteration`) name: IterateGlob parameters: - name: pathGlob # Glob pattern for search. 
- name: revertPathGlob # Glob pattern for reverting changes. optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. optional: true - name: duringIteration # (Iteration callback) Code to run for each found item. - name: afterIteration # (Iteration callback) Code to run after iteration. optional: true - name: recurse # If set, includes all files and directories recursively. optional: true call: function: RunPowerShell parameters: code: |- $pathGlobPattern = "{{ $pathGlob }}" $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern) Write-Host "Searching for items matching pattern: `"$($expandedPath)`"." {{ with $beforeIteration }} {{ . }} {{ end }} $foundAbsolutePaths = @() {{ with $recurse }} Write-Host 'Iterating files and directories recursively.' try { $foundAbsolutePaths += @( Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } {{ end }} try { $foundAbsolutePaths += @( Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } $foundAbsolutePaths = $foundAbsolutePaths ` | Select-Object -Unique ` | Sort-Object -Property { $_.Length } -Descending if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.' exit 0 } Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"." foreach ($path in $foundAbsolutePaths) { {{ $duringIteration }} } {{ with $afterIteration }} {{ . }} {{ end }} # Marked: refactor-with-variables # Unfortunately a lot of duplication here as privacy.sexy compiler does not support better way for now. 
# The difference between this script and `code` is that: # - It sets the `$revert` variable to `$true`. # - It uses the value of `$revertPathGlob` instead of `$pathGlob`. revertCode: |- {{ with $revertPathGlob }} $revert = $true $pathGlobPattern = "{{ . }}" $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern) Write-Host "Searching for items matching pattern: `"$($expandedPath)`"." {{ with $beforeIteration }} {{ . }} {{ end }} $foundAbsolutePaths = @() {{ with $recurse }} Write-Host 'Iterating files and directories recursively.' try { $foundAbsolutePaths += @( Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } {{ end }} try { $foundAbsolutePaths += @( Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName ) } catch [System.Management.Automation.ItemNotFoundException] { # Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions } $foundAbsolutePaths = $foundAbsolutePaths ` | Select-Object -Unique ` | Sort-Object -Property { $_.Length } -Descending if (!$foundAbsolutePaths) { Write-Host 'Skipping, no items available.' exit 0 } Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"." foreach ($path in $foundAbsolutePaths) { {{ $duringIteration }} } {{ with $afterIteration }} {{ . }} {{ end }} {{ end }} - name: DeleteGlob # ℹ️ Behavior: # Deletes files and directories based on a Unix-style glob pattern. # Optionally, it can grant full permissions to the items before deletion. # 💡 Usage: # This is a low-level function. Favor higher-level functions like `ClearDirectoryContents`, `DeleteDirectory`, and `DeleteFiles` # for clearer intent and enhanced security when applicable. 
# 🚫 Limitations: # The function might not perform as expected if the current user lacks read permissions on the parent directory. # This specific use case is not addressed in the implementation because it has not been deemed necessary for the function's intended # applications. parameters: - name: pathGlob # Glob pattern for search. - name: grantPermissions # Grants permission on items of the parent directory recursively (including all files and directories) to be able to delete them. optional: true - name: beforeIteration # (Iteration callback) Code to run before iteration. optional: true - name: duringIteration # (Iteration callback) Code to run for each found item. optional: true - name: afterIteration # (Iteration callback) Code to run after iteration. optional: true - name: recurse # If set, deletes all files and directories recursively. optional: true call: function: IterateGlob parameters: pathGlob: '{{ $pathGlob }}' recurse: '{{ with $recurse }}{{ . }}{{ end }}' # Granting permissions has limitations for wildcards due to `takeown` and `icacls`. These commands are used for their simplicity to avoid adjusting token privileges. # However, adjusting token privileges is already implemented by `SoftFileDelete`; once that kind of implementation is reusable, this script can be improved to # use `Get-Acl`, `Set-Acl` instead for better wildcard support. # Marked: refactor-with-variables beforeIteration: |- {{ with $grantPermissions }} # Not using `Get-Acl`/`Set-Acl` to avoid adjusting token privileges $parentDirectory = [System.IO.Path]::GetDirectoryName($expandedPath) $fileName = [System.IO.Path]::GetFileName($expandedPath) if ($parentDirectory -like '*[*?]*') { throw "Unable to grant permissions to glob path parent directory: `"$parentDirectory`", wildcards in parent directory are not supported by ``takeown`` and ``icacls``." 
} if (($fileName -ne '*') -and ($fileName -like '*[*?]*')) { throw "Unable to grant permissions to glob path file name: `"$fileName`", wildcards in file name is not supported by ``takeown`` and ``icacls``." } Write-Host "Taking ownership of `"$expandedPath`"." $cmdPath = $expandedPath if ($cmdPath.EndsWith('\')) { $cmdPath += '\' # Escape trailing backslash for correct handling in batch commands } $takeOwnershipCommand = "takeown /f `"$cmdPath`" /a" # `icacls /setowner` does not succeed, so use `takeown` instead. if (-not (Test-Path -Path "$expandedPath" -PathType Leaf)) { $takeOwnershipCommand += ' /r /d y' } $takeOwnershipOutput = cmd /c "$takeOwnershipCommand 2>&1" # `stderr` message is misleading, e.g. "ERROR: The system cannot find the file specified." is not an error. if ($LASTEXITCODE -eq 0) { Write-Host "Successfully took ownership of `"$expandedPath`" (using ``$takeOwnershipCommand``)." } else { Write-Host "Did not take ownership of `"$expandedPath`" using ``$takeOwnershipCommand``, status code: $LASTEXITCODE, message: $takeOwnershipOutput." # Do not write as error or warning, because this can be due to missing path, it's handled in next command. # `takeown` exits with status code `1`, making it hard to handle missing path here. } Write-Host "Granting permissions for `"$expandedPath`"." $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]) $adminAccountName = $adminAccount.Value $grantPermissionsCommand = "icacls `"$cmdPath`" /grant `"$($adminAccountName):F`" /t" $icaclsOutput = cmd /c "$grantPermissionsCommand" if ($LASTEXITCODE -eq 3) { Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``." 
exit 0 } elseif ($LASTEXITCODE -ne 0) { Write-Host "Take ownership message:`n$takeOwnershipOutput" Write-Host "Grant permissions:`n$icaclsOutput" Write-Warning "Failed to assign permissions for `"$expandedPath`" using ``$grantPermissionsCommand``, status code: $LASTEXITCODE." } else { $fileStats = $icaclsOutput | ForEach-Object { $_ -match '\d+' | Out-Null; $matches[0] } | Where-Object { $_ -ne $null } | ForEach-Object { [int]$_ } if ($fileStats.Count -gt 0 -and ($fileStats | ForEach-Object { $_ -eq 0 } | Where-Object { $_ -eq $false }).Count -eq 0) { Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``." exit 0 } else { Write-Host "Successfully granted permissions for `"$expandedPath`" (using ``$grantPermissionsCommand``)." } } {{ end }} $deletedCount = 0 $failedCount = 0 {{ with $beforeIteration }} {{ . }} {{ end }} duringIteration: |- {{ with $duringIteration }} {{ . }} {{ end }} if (-not (Test-Path $path)) { # Re-check existence as prior deletions might have removed subsequent items (e.g., subdirectories). Write-Host "Successfully deleted: $($path) (already deleted)." $deletedCount++ continue } try { Remove-Item -Path $path -Force -Recurse -ErrorAction Stop $deletedCount++ Write-Host "Successfully deleted: $($path)" } catch { $failedCount++ Write-Warning "Unable to delete $($path): $_" } afterIteration: |- {{ with $afterIteration }} {{ . }} {{ end }} Write-Host "Successfully deleted $($deletedCount) items." if ($failedCount -gt 0) { Write-Warning "Failed to delete $($failedCount) items." } - name: ClearDirectoryContents # 💡 Purpose: # Empties the contents of a directory recursively (including all of its files and subfolders) while preserving # the directory itself. # This is beneficial when other applications depend on the existence of the directory. # For deleting the directory itself too, use `DeleteDirectory`. 
# 🤓 Implementation: # - Formats the provided glob pattern to ensure only contents are targeted, then delegates to `DeleteGlob`. # - Provides a user-friendly comment in code. parameters: - name: directoryGlob - name: grantPermissions optional: true call: - function: Comment parameters: codeComment: >- Clear directory contents {{ with $grantPermissions }}(with additional permissions){{ end }} : "{{ $directoryGlob }}" - function: DeleteGlob parameters: # Ensure path ends with '\*': # - 'C:\' becomes 'C:\*' # - 'C:' becomes 'C:\*' # - 'C:\*' remains 'C:\*' pathGlob: >- $($directoryGlob = '{{ $directoryGlob }}'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { "$($directoryGlob)*" } else { "$($directoryGlob)\*" } ) grantPermissions: '{{ with $grantPermissions }}true{{ end }}' recurse: 'true' # Logs every deleted file name - name: DeleteDirectory # 💡 Purpose: # Deletes an entire directory, including its contents. # ❗️ Use with caution; if you intend to preserve the directory and delete only its contents, use `ClearDirectoryContents`. # 🤓 Implementation: # - Formats the provided glob pattern to target the directory, then delegates to `DeleteGlob`. # - Provides a user-friendly comment in code. parameters: - name: directoryGlob # The directory to delete along with its files and subdirectories - name: grantPermissions # Grants permission on the parent directory and its sub-items recursively (including all files and directories) to be able to delete them.
optional: true call: - function: Comment parameters: codeComment: >- Delete directory {{ with $grantPermissions }}(with additional permissions){{ end }} : "{{ $directoryGlob }}" - function: DeleteGlob parameters: # Ensure path ends with '\': # - 'C:\' remains 'C:\' # - 'C:' becomes 'C:\' pathGlob: >- $($directoryGlob = '{{ $directoryGlob }}'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob ) grantPermissions: '{{ with $grantPermissions }}true{{ end }}' recurse: 'true' # Logs every deleted file name - name: DeleteFiles # 💡 Purpose: # Deletes files but does not touch any directories. # Use `DeleteDirectory` or `ClearDirectoryContents` to delete directories. parameters: - name: fileGlob # File glob pattern to delete. - name: grantPermissions # Grants permission on the files found to be able to delete them. optional: true call: - function: Comment parameters: codeComment: >- Delete files matching pattern: "{{ $fileGlob }}" - function: DeleteGlob parameters: pathGlob: '{{ $fileGlob }}' grantPermissions: '{{ with $grantPermissions }}true{{ end }}' beforeIteration: |- $skippedCount = 0 duringIteration: |- if (Test-Path -Path $path -PathType Container) { Write-Host "Skipping, the path is not a file but a folder: $($path)." $skippedCount++ continue } afterIteration: |- if ($skippedCount -gt 0) { Write-Host "Skipped $($skippedCount) items."
} - name: DeleteFilesFromFirefoxProfiles parameters: - name: pathGlob # File name (glob) within each Firefox profile directory call: - # Windows XP function: DeleteFiles parameters: fileGlob: '%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}' - # Windows Vista and newer function: DeleteFiles parameters: fileGlob: '%APPDATA%\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}' - name: DisableScheduledTask parameters: - name: taskPathPattern - name: taskNamePattern - name: disableOnRevert optional: true - name: grantPermissions optional: true call: - function: Comment parameters: codeComment: "Disable scheduled task(s): `{{ $taskPathPattern }}{{ $taskNamePattern }}`" revertCodeComment: "Restore scheduled task(s) to default state: `{{ $taskPathPattern }}{{ $taskNamePattern }}`" - function: RunPowerShell parameters: # Marked: refactor-with-variables # Granting permission is identical to `SoftDeleteFiles`. # It is also duplicated in `code` and `revertCode`. code: |- $taskPathPattern='{{ $taskPathPattern }}' $taskNamePattern='{{ $taskNamePattern }}' Write-Output "Disabling tasks matching pattern `"$taskNamePattern`"." $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore) if (-Not $tasks) { Write-Output "Skipping, no tasks matching pattern `"$taskNamePattern`" found, no action needed." exit 0 } $operationFailed = $false foreach ($task in $tasks) { $taskName = $task.TaskName if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) { Write-Output "Skipping, task `"$taskName`" is already disabled, no action needed."
continue } {{ with $grantPermissions }} $taskFullPath = "$($task.TaskPath)$($task.TaskName)" $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]) $taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)" $accessGranted = $false try { $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl.SetOwner($adminAccount) $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $adminAccount, ` [System.Security.AccessControl.FileSystemRights]::FullControl, ` [System.Security.AccessControl.AccessControlType]::Allow ` ) $modifiedAcl.SetAccessRule($taskFileAccessRule) Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop Write-Host "Successfully granted permissions for `"$taskFullPath`" ." $accessGranted = $true } catch { Write-Warning "Failed to grant access to `"$taskFullPath`": $($_.Exception.Message)" } {{ end }} try { $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null Write-Output "Successfully disabled task `"$taskName`"." } catch { Write-Error "Failed to disable task `"$taskName`": $($_.Exception.Message)" $operationFailed = $true } {{ with $grantPermissions }} if ($accessGranted) { try { Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop Write-Host "Successfully restored permissions for `"$taskFullPath`" ." } catch { Write-Warning "Failed to restore access on `"$taskFilePath`": $($_.Exception.Message)" } } {{ end }} } if ($operationFailed) { Write-Output 'Failed to disable some tasks. Check error messages above.' exit 1 } # Not failing if tasks cannot be found because all tasks disabled by privacy.sexy do not exist in all Windows versions by default. 
revertCode: |- $taskPathPattern='{{ $taskPathPattern }}' $taskNamePattern='{{ $taskNamePattern }}' $shouldDisable = {{ with $disableOnRevert }} $true # {{ end }} $false Write-Output "Enabling tasks matching pattern `"$taskNamePattern`"." $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore) if (-Not $tasks) { Write-Warning ( ` "Missing task: Cannot enable, no tasks matching pattern `"$taskNamePattern`" found." ` + " This task appears to be not included in this version of Windows." ` ) exit 0 } $operationFailed = $false foreach ($task in $tasks) { $taskName = $task.TaskName if ($shouldDisable) { if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) { Write-Output "Skipping, task `"$taskName`" is already disabled, no action needed." continue } } else { if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) ` -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) { Write-Output "Skipping, task `"$taskName`" is already enabled, no action needed." 
continue } } {{ with $grantPermissions }} $taskFullPath = "$($task.TaskPath)$($task.TaskName)" $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]) $taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)" $accessGranted = $false try { $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop $modifiedAcl.SetOwner($adminAccount) $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( ` $adminAccount, ` [System.Security.AccessControl.FileSystemRights]::FullControl, ` [System.Security.AccessControl.AccessControlType]::Allow ` ) $modifiedAcl.SetAccessRule($taskFileAccessRule) Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop Write-Host "Successfully granted permissions for `"$taskFullPath`" ." $accessGranted = $true } catch { Write-Warning "Failed to grant access to `"$taskFullPath`": $($_.Exception.Message)" } {{ end }} try { if ($shouldDisable) { $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null Write-Output "Successfully disabled task `"$taskName`"." } else { $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null Write-Output "Successfully enabled task `"$taskName`"." } } catch { Write-Error "Failed to restore task `"$taskName`": $($_.Exception.Message)" $operationFailed = $true } {{ with $grantPermissions }} if ($accessGranted) { try { Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop Write-Host "Successfully restored permissions for `"$taskFullPath`" ." } catch { Write-Warning "Failed to restore access on `"$taskFilePath`": $($_.Exception.Message)" } } {{ end }} } if ($operationFailed) { Write-Output 'Failed to restore some tasks. Check error messages above.' exit 1 } - name: CreateRegistryKey parameters: - name: keyName # Full path of the subkey or entry to be added. 
- name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID. optional: true - name: codeComment optional: true - name: revertCodeComment optional: true call: # Marked: refactor-with-variables # Replacing the SID is the same as in `DeleteRegistryKey`. function: RunPowerShell parameters: code: |- $keyName='{{ $keyName }}' $replaceSid={{ with $replaceSid }} $true # {{ end }} $false $registryHive = $keyName.Split('\')[0] $registryPath = "$($registryHive):$($keyName.Substring($registryHive.Length))" {{ with $replaceSid }} $userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value $registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid) {{ end }} if (Test-Path $registryPath) { Write-Host "Skipping, no action needed, registry path `"$registryPath`" already exists." exit 0 } try { New-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null Write-Host "Successfully created the registry key at path `"$registryPath`"." } catch { Write-Error "Failed to create the registry key at path `"$registryPath`": $($_.Exception.Message)" } codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}' - name: DeleteRegistryKey parameters: - name: keyName # Full path of the subkey or entry to be deleted. - name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID.
optional: true - name: codeComment optional: true - name: revertCodeComment optional: true call: # Marked: refactor-with-variables # Replacing SID is same as `CreateRegistryKey` function: RunPowerShell parameters: code: |- $keyName='{{ $keyName }}' $replaceSid={{ with $replaceSid }} $true # {{ end }} $false $registryHive = $keyName.Split('\')[0] $registryPath = "$($registryHive):$($keyName.Substring($registryHive.Length))" {{ with $replaceSid }} $userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value $registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid) {{ end }} if (-not (Test-Path $registryPath)) { Write-Host "Skipping, no action needed, registry path `"$registryPath`" does not exist." exit 0 } try { Remove-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null Write-Host "Successfully removed the registry key at path `"$registryPath`"." } catch { Write-Error "Failed to remove the registry key at path `"$registryPath`": $($_.Exception.Message)" } codeComment: '{{ with $codeComment }}{{ . }}{{ end }}' revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}'