privacy.sexy/src/application/collections/windows.yaml
undergroundwires 0466b86f10 win, linux: unify & improve Firefox clean-up #273
This commit unifies some of the logic, documentation and naming for
Firefox clean-up with improvements on both Linux and Windows platforms.

Windows:

- 'Clear browsing history and cache':
  - Not recommended.
  - Align script name and logic with Linux implementation.
  - New documentation and not including the script in recommendation
    provides safety against unintended data loss as discussed in #273.
- 'Clear Firefox user profiles, settings, and data':
  - Rename to 'Clear all Firefox user information and preferences' for
    improved clarity.
  - Add more documentation.

Linux:

- Replace `DeleteFromFirefoxProfiles` with
  `DeleteFilesFromFirefoxProfiles`.
- Migrate implementation to Python:
  - Add more user-friendly outputs.
  - Exclude removing directory itself for additional safety.

Both Linux and Windows:

- Improve documentation for:
  - 'Clear Firefox user profiles, settings, and data'
  - 'Clear Firefox history'
2023-11-02 13:18:54 +01:00

11825 lines
1.0 MiB

# Structure is documented in "docs/collection-files.md"
os: windows
scripting:
language: batchfile
startCode: |-
@echo off
:: {{ $homepage }} — v{{ $version }} — {{ $date }}
:: Ensure admin privileges
fltmc >nul 2>&1 || (
echo Administrator privileges are required.
PowerShell Start -Verb RunAs '%0' 2> nul || (
echo Right-click on the script and select "Run as administrator".
pause & exit 1
)
exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion
endCode: |-
:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
actions:
-
category: Privacy cleanup
children:
-
category: Clear third-party application data
children:
-
name: Clear Listary search index
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Listary\UserData'
-
name: Clear Java cache
recommend: strict
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Sun\Java\Deployment\cache'
-
name: Clear Flash Player traces
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Macromedia\Flash Player'
-
category: Clear Steam data
children:
-
name: Clear Steam dumps
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMFILES(X86)%\Steam\Dumps'
-
name: Clear Steam traces
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMFILES(X86)%\Steam\Traces'
-
name: Clear Steam cache
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%ProgramFiles(x86)%\Steam\appcache'
-
category: Clear Visual Studio usage data
docs: |-
Visual Studio is an integrated development environment (IDE) from Microsoft that is used to develop software [1].
Visual Studio stores data such as how you use the software and information about your hardware [2].
The data is stored both in the Microsoft cloud [3] and locally on the computer.
These scripts delete the local data that might reveal personally identifiable information about you
or the way you use the product.
[1]: https://en.wikipedia.org/wiki/Visual_Studio "Visual Studio | Wikipedia"
[2]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Visual Studio Customer Experience Improvement Program | Microsoft Learn"
[3]: https://www.infoworld.com/article/2609774/microsoft-reinvents-visual-studio-as-an-azure-cloud-service.html "Microsoft reinvents Visual Studio as an Azure cloud service | InfoWorld"
children:
-
category: Clear Visual Studio telemetry and feedback data
docs: |-
These scripts delete data about you and your behavior that Visual Studio stores locally on your computer.
They do not clear data already collected on Microsoft's servers, but they can prevent more from being sent by
deleting data that is queued for upload.
children:
-
name: Clear offline Visual Studio usage telemetry data
recommend: standard
docs: |-
SQM files are text files that are created and used by Microsoft [1].
SQM stands for "Service Quality Monitoring" [1].
When it cannot connect to the internet, Visual Studio stores SQM files in `%LOCALAPPDATA%\Microsoft\VSCommon\<vs_version>\SQM` [2].
The number of files grows continuously and can reach thousands. According to community reports, removing them speeds up Visual
Studio significantly [2].
[1]: https://techshift.net/how-to-open-sqm-file/ "What is a .SQM File And How To Open It - Microsoft (Visual Guide) | TechShift.net"
[2]: https://stackoverflow.com/a/38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\14.0\SQM'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\15.0\SQM'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\16.0\SQM'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\17.0\SQM'
-
name: Clear Visual Studio Application Insights logs
recommend: standard
docs: |-
Application Insights for Visual Studio stores diagnostic data such as exceptions and performance metrics [1].
It stores `.TRN` files whose number can grow into the thousands [2] [3].
[1]: https://azuredevopslabs.com/labs/vsts/monitor/ "Monitoring Applications using Application Insights | Azure DevOps Hands-on-Labs"
[2]: https://developercommunity.visualstudio.com/t/visual-studio-freezes-randomly/224181#T-N257722-N277241-N407607 "Visual Studio freezes randomly | Visual Studio Feedback"
[3]: https://stackoverflow.com/a/53754481 "Visual Studio 2017 (15.3.1) keeps hanging/freezing | Stack Overflow"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSApplicationInsights'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMDATA%\Microsoft\VSApplicationInsights'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\Microsoft\VSApplicationInsights'
-
name: Clear Visual Studio telemetry data
recommend: standard
docs: |-
`vstelemetry` is a folder created by Visual Studio [1] and by SQL Server Management Studio [2] to store telemetry data.
Security vulnerabilities involving these folders were patched by Microsoft in 2020 [2].
[1]: http://processchecker.com/file/VsHub.exe.html "What is VsHub.exe ? VsHub.exe info | Processchecker.com"
[2]: https://herolab.usd.de/en/security-advisories/usd-2020-0030/ "usd-2020-0030 - usd HeroLab"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\vstelemetry'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMDATA%\vstelemetry'
-
name: Clear Visual Studio temporary telemetry and log data
recommend: standard
docs: |-
These logs are created by different tools that Visual Studio uses, such as its launcher, installer, and
data collection agents.
Folders include `VSFaultInfo` [1], `VSFeedbackPerfWatsonData` [2], `VSFeedbackCollector` [2],
`VSFeedbackVSRTCLogs` [3], `VSRemoteControl` [4] [5], `VSFeedbackIntelliCodeLogs` [4] [5],
`VSTelem` [6] [7], `VSTelem.Out` [6].
Visual Studio stores more log and cache data, but not all of it carries privacy implications. Those files
can speed up loading, so this script removes only the sensitive data instead of clearing the cache
completely.
[1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Developer Community"
[2]: https://developercommunity.visualstudio.com/t/microsoft-visual-studio-1/588200#T-N588861-N594783 "MSTF help | Visual Studio Developer Community"
[3]: https://github.com/MicrosoftDocs/live-share/issues/3584 "Agent logs in %TEMP%\VSFeedbackVSRTCLogs taking up over 87GB · Issue #3584 · MicrosoftDocs/live-share | GitHub"
[4]: https://developercommunity.visualstudio.com/t/please-keep-my-temp-folder-clean/731637 "Please keep my TEMP folder clean! - Visual Studio Feedback | Visual Studio Developer Community"
[5]: https://stackoverflow.com/q/60974427 "Reduce log and other temporary file creation in Visual Studio 2019 | Stack Overflow"
[6]: https://stackoverflow.com/q/72341126 "Visual Studio 2022 - Telemetry | Stack Overflow"
[7]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/5b2a0baa-748f-40e0-b504-f6dfad9b7b4d/vstelem-folder-24000-files-2064kb?forum=msbuild "VSTELEM folder 24000 files 2064Kb | MSDN Forums"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFaultInfo'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFeedbackPerfWatsonData'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFeedbackVSRTCLogs'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFeedbackIntelliCodeLogs'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSRemoteControl'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\Microsoft\VSFeedbackCollector'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSTelem'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSTelem.Out'
-
category: Clear Visual Studio licenses
docs: |-
Visual Studio stores a local copy of your product key. This information is kept even after Visual Studio
is uninstalled [1], which may reveal more than desired.
The key is stored not only for purchased Visual Studio products but also for free trials.
[1]: https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow"
children:
-
name: Clear Visual Studio 2010 licenses
docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow](https://stackoverflow.com/a/14810695)"
code: reg delete "HKCR\Licenses\77550D6B-6352-4E77-9DA3-537419DF564B" /va /f
-
name: Clear Visual Studio 2015 licenses
docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow](https://stackoverflow.com/a/32482322)"
code: reg delete "HKCR\Licenses\4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F" /va /f
-
name: Clear Visual Studio 2017 licenses
docs: "[Is Visual Studio Community a 30 day trial? | Stack Overflow](https://stackoverflow.com/a/51570570)"
code: reg delete "HKCR\Licenses\5C505A59-E312-4B89-9508-E162F8150517" /va /f
-
name: Clear Visual Studio 2019 licenses
docs: "[How to change Visual Studio 2017 License Key? | Stack Overflow](https://stackoverflow.com/a/46974337)"
code: reg delete "HKCR\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA" /va /f
-
name: Clear Visual Studio 2022 licenses
docs: |-
Different keys have been reported by the community for the VS 2022 license [1]. This may depend on different preview versions.
The latest reported key is `1299B4B9-DFCC-476D-98F0-F65A2B46C96D` [2] [3]. I have tested and verified this along with some
other keys of preview versions. This script deletes all mentioned keys.
[1]: https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 Key Discussion | beatcracker/VSCELicense | GitHub"
[2]: https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022.html "MSFT Answer | Microsoft Learn"
[3]: https://stackoverflow.com/a/71624750 "How to change Visual Studio 2017 License Key? | Stack Overflow"
code: |-
reg delete "HKCR\Licenses\B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC" /va /f
reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f
reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f
-
category: Clear most recently used (MRU) lists
children:
-
category: Clear Quick Access (jump) lists
docs: https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf
children:
-
name: Clear recently accessed files list
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations'
-
name: Clear pinned items for the user
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\CustomDestinations'
-
category: Clear Windows Registry usage data
docs: |-
The Windows Registry is a hierarchical database that stores settings, configurations, and options for the operating system, installed
applications, and user preferences. Over time, as users interact with their system and software, usage data and traces accumulate in
the registry.
This category clears specific types of this usage data, protecting privacy and potentially improving system responsiveness.
The scripts below use `reg delete <key> /va /f`: `/va` deletes every value under the key (the key itself and any subkeys remain), and
`/f` suppresses the confirmation prompt.
children:
-
name: Clear last `regedit` key
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
-
name: Clear favorite keys in `regedit`
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
-
name: Clear recently opened applications list
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
-
name: Clear "Adobe Media Browser" most recently used (MRU) list
recommend: standard
code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f
-
name: Clear "MSPaint" most recently used (MRU) list
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
-
name: Clear "Wordpad" most recently used (MRU) list
recommend: standard
code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
-
name: Clear "Map Network Drive" most recently used (MRU) list
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
-
name: Clear "Windows Search Assistant" history
recommend: standard
code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f
-
name: Clear recently opened files list for each file type
recommend: standard
code: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
-
name: Clear Windows Media Player recent files and URLs
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
-
name: Clear most recent DirectX application usage
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
-
name: Clear "Windows Run" most recently used (MRU) list and typed paths
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
-
name: Clear Dotnet CLI telemetry
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\.dotnet\TelemetryStorageService'
-
category: Clear browser history
children:
-
category: Clear Internet Explorer history
children:
-
name: Clear Internet Explorer cache
recommend: standard
docs:
# INetCache
- https://support.microsoft.com/en-us/help/260897/how-to-delete-the-contents-of-the-temporary-internet-files-folder
- https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache
# WebCache
- https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache'
-
name: Clear Internet Explorer recent URLs
recommend: strict
docs:
- https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
- https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/
- https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html
- http://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html
code: |-
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f
-
name: Clear "Temporary Internet Files" (browser cache)
recommend: standard
docs:
- https://en.wikipedia.org/wiki/Temporary_Internet_Files
- https://www.windows-commandline.com/delete-temporary-internet-files/ # %LOCALAPPDATA%\Temporary Internet Files
- https://www.thewindowsclub.com/temporary-internet-files-folder-location # %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files and INetCache
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Temporary Internet Files'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 📂 Unprotected on Windows 11 since 22H2
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files'
# This directory consists of 4 additional folders:
# - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
# - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\IE
# - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
# - C:\Users\undergroundwires\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
# Since Windows 10 22H2 and Windows 11 22H2, data files are observed in these subdirectories but not in the parent.
# The `IE` folder in particular contains many files. These folders are protected and hidden by default.
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Temporary Internet Files'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Clear Internet Explorer feeds cache
recommend: standard
docs: https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Feeds Cache'
-
name: Clear Internet Explorer cookies
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows/win32/wininet/managing-cookies
- https://docs.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs
- https://www.thewindowsclub.com/cookies-folder-location-windows
call:
-
function: ClearDirectoryContents
parameters: # Windows 7 browsers
directoryGlob: '%APPDATA%\Microsoft\Windows\Cookies'
-
function: ClearDirectoryContents
parameters: # Windows 8 and higher
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCookies'
-
name: Clear Internet Explorer DOMStore
recommend: standard
docs: https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\InternetExplorer\DOMStore'
-
name: Clear Internet Explorer usage data
docs:
- https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data
- https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
- https://www.forensafe.com/blogs/internetexplorer.html
# Includes Internet Explorer cache, tab recovery data, persistence storage (DOMStore, indexed DB etc.)
# Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\
# DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\,
# VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\
# EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\
# Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log,
# MSIMGSIZ.DAT
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Internet Explorer'
-
category: Clear Chrome history
children:
-
name: Clear Chrome crash reports
recommend: standard
docs: https://www.chromium.org/developers/crash-reports
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Google\CrashReports'
-
name: Clear Google's "Software Reporter Tool" logs
recommend: standard
docs: https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/
call:
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Google\Software Reporter Tool\*.log'
-
name: Clear Chrome user data
docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md
call:
- # Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data'
-
category: Clear Firefox history
docs: |-
This category encompasses a series of scripts aimed at helping users manage and delete their browsing history and related data in Mozilla Firefox.
The scripts are designed to target different aspects of user data stored by Firefox, providing users options for maintaining privacy and freeing up disk space.
children:
-
name: Clear Firefox browsing history (URLs, downloads, bookmarks, visits, etc.)
# This script (name, documentation and code) is same in Linux and Windows collections.
# Changes should be done at both places.
# Marked: refactor-with-partials
docs: |-
This script targets the Firefox browsing history, including URLs, downloads, bookmarks, and site visits, by deleting specific database entries.
Firefox stores various user data in a file named `places.sqlite`. This file includes:
- Annotations, bookmarks, and favorite icons (`moz_anno_attributes`, `moz_annos`, `moz_favicons`) [1]
- Browsing history, a record of pages visited (`moz_places`, `moz_historyvisits`) [1]
- Keywords and typed URLs (`moz_keywords`, `moz_inputhistory`) [1]
- Item annotations (`moz_items_annos`) [1]
- Bookmark roots such as places, menu, toolbar, tags, unfiled (`moz_bookmarks_roots`) [1]
The `moz_places` table holds URL data and is referenced by several other tables, such as `moz_annos`, `moz_bookmarks`, `moz_inputhistory`, and `moz_historyvisits` [2].
Because of these links, the script deletes the whole database files rather than individual rows, so no dangling references are left behind.
**Bookmarks**: Stored across several tables (`moz_bookmarks`, `moz_bookmarks_folders`, `moz_bookmarks_roots`) [3], with additional undocumented tables like `moz_bookmarks_deleted` [4].
**Downloads**: Stored in the `places.sqlite` database, within the `moz_annos` table [5]. Entries in `moz_annos` are linked to the `moz_places` row that holds the actual history entry
(`moz_places.id = moz_annos.place_id`) [6]; the associated URL is stored in `moz_places` [5]. Downloads were historically stored in `downloads.rdf` for Firefox 2.x
and below [7], and in `downloads.sqlite` later on [7].
**Favicons**: Older Firefox versions stored favicons in `places.sqlite` within the `moz_favicons` table [5], while newer versions use `favicons.sqlite` and the `moz_icons` table [5].
By executing this script, users can ensure their Firefox browsing history, bookmarks, and downloads are thoroughly removed, contributing to a cleaner and more private browsing experience.
[1]: https://web.archive.org/web/20221029141626/https://kb.mozillazine.org/Places.sqlite "Places.sqlite - MozillaZine Knowledge Base | kb.mozillazine.org"
[2]: https://web.archive.org/web/20221030160803/https://wiki.mozilla.org/images/0/08/Places.sqlite.schema.pdf "Places.sqlite.schema.pdf | Mozilla Wiki"
[3]: https://web.archive.org/web/20221029145432/https://wiki.mozilla.org/Places:BookmarksComments "Places:BookmarksComments | MozillaWiki | wiki.mozilla.org"
[4]: https://web.archive.org/web/20221029145447/https://github.com/mozilla/application-services/issues/514 "Add a `moz_bookmarks_deleted` table for tombstones · Issue #514 · mozilla/application-services | GitHub | github.com"
[5]: https://web.archive.org/web/20221029145535/https://www.foxtonforensics.com/browser-history-examiner/firefox-history-location "Mozilla Firefox History Location | Firefox History Viewer | foxtonforensics.com"
[6]: https://web.archive.org/web/20221029145550/https://support.mozilla.org/en-US/questions/1319253 "Where does Firefox store SQLITE download history | Firefox Support Forum | Mozilla Support | support.mozilla.org"
[7]: https://web.archive.org/web/20221029145712/https://kb.mozillazine.org/Downloads.rdf "Downloads.rdf | MozillaZine Knowledge Base | kb.mozillazine.org"
call:
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: downloads.rdf
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: downloads.sqlite
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: places.sqlite
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: favicons.sqlite
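The table relationships described in the documentation of this script, as an added example in Python (not code from privacy.sexy): it builds a trimmed-down, constructed subset of the `places.sqlite` schema in memory, lists history and downloads through the documented `moz_places.id = moz_annos.place_id` join, and contrasts a naive `DELETE FROM moz_places` with a clear that covers every linked table. The column lists, the sample rows and the `downloads/destinationFileURI` annotation name are assumptions, not taken from the page.

```python
"""Toy model of the places.sqlite relationships (added example; constructed schema subset)."""
import sqlite3

# Trimmed subset of the documented tables; real Firefox schemas carry many more columns.
SCHEMA = """
CREATE TABLE moz_places          (id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT);
CREATE TABLE moz_historyvisits   (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL, visit_date INTEGER);
CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE moz_annos           (id INTEGER PRIMARY KEY, place_id INTEGER NOT NULL,
                                  anno_attribute_id INTEGER NOT NULL, content TEXT);
CREATE TABLE moz_bookmarks       (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT);
CREATE TABLE moz_inputhistory    (place_id INTEGER NOT NULL, input TEXT NOT NULL);
"""

# Tables that reference moz_places.id, with the referencing column (per the page's description).
LINKED = {"moz_historyvisits": "place_id", "moz_annos": "place_id",
          "moz_bookmarks": "fk", "moz_inputhistory": "place_id"}

# Annotation name under which a download's target path hangs off its history entry.
# Assumption: this name is not stated on the page.
DOWNLOAD_ANNO = "downloads/destinationFileURI"


def build_sample_db() -> sqlite3.Connection:
    """Return an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "https://example.org/", "Example"),
        (2, "https://example.org/report.pdf", "report.pdf"),
        (3, "https://example.net/login", "Sign in"),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?)", [
        (1, 1, 1700000000000000), (2, 1, 1700000060000000), (3, 3, 1700000120000000),
    ])
    conn.execute("INSERT INTO moz_anno_attributes VALUES (1, ?)", (DOWNLOAD_ANNO,))
    # The download row points at place 2; the URL itself lives only in moz_places.
    conn.execute("INSERT INTO moz_annos VALUES (1, 2, 1, 'file:///C:/Users/user/Downloads/report.pdf')")
    conn.execute("INSERT INTO moz_bookmarks VALUES (1, 1, 'Example bookmark')")
    conn.execute("INSERT INTO moz_inputhistory VALUES (3, 'example.net')")
    conn.commit()
    return conn


def list_history(conn):
    """Every URL with its visit count (moz_historyvisits joined to moz_places)."""
    return conn.execute("""
        SELECT p.url, COUNT(v.id) FROM moz_places p
        LEFT JOIN moz_historyvisits v ON v.place_id = p.id
        GROUP BY p.id ORDER BY p.id""").fetchall()


def list_downloads(conn):
    """Downloads: moz_annos rows carrying the download annotation, joined to their URL."""
    return conn.execute("""
        SELECT p.url, a.content FROM moz_annos a
        JOIN moz_anno_attributes t ON t.id = a.anno_attribute_id
        JOIN moz_places p ON p.id = a.place_id
        WHERE t.name = ?""", (DOWNLOAD_ANNO,)).fetchall()


def orphan_counts(conn):
    """Rows in the linked tables whose place no longer exists in moz_places."""
    counts = {}
    for table, col in LINKED.items():
        (n,) = conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE {col} NOT IN (SELECT id FROM moz_places)").fetchone()
        counts[table] = n
    return counts


def clear_places_only(conn):
    """The naive clear: drops the URLs but leaves dangling references in every linked table."""
    with conn:
        conn.execute("DELETE FROM moz_places")


def clear_browsing_data(conn):
    """Clear history, downloads, bookmarks and typed input together; returns the orphan counts (all 0)."""
    with conn:
        for table in LINKED:
            conn.execute(f"DELETE FROM {table}")
        conn.execute("DELETE FROM moz_places")
    return orphan_counts(conn)


if __name__ == "__main__":
    db = build_sample_db()
    print("history:", list_history(db))
    print("downloads:", list_downloads(db))
    clear_places_only(db)
    print("orphans after deleting moz_places only:", orphan_counts(db))
    print("orphans after full clear:", clear_browsing_data(build_sample_db()))
```

SQLite does not enforce the `place_id` links unless foreign keys are declared and enabled, so the partial clear succeeds silently while the visit, download and bookmark rows remain recoverable; that is why the collection removes the database files as a whole rather than editing rows.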
-
name: Clear all Firefox user information and preferences
docs: |-
This script performs a reset of Mozilla Firefox, erasing all user profiles, settings, and personalized data to restore the
browser to its default state.
A Firefox user profile holds bookmarks, browsing history, passwords, extensions, themes, and preferences [1].
Profile folders are located in:
- `C:\Documents and Settings\<Windows login/user name>\Application Data\Mozilla\Firefox\Profiles\<profile folder>` on Windows XP and earlier [1],
- `%APPDATA%\Mozilla\Firefox\Profiles\<profile folder>` on Windows 10 and later [1].
**Considerations**:
- Using this script results in a total loss of all personalized Firefox data.
- If your goal is solely to clear browsing data while retaining settings and extensions, this script is not recommended.
- Close Firefox before running this script to prevent potential issues.
[1]: https://web.archive.org/web/20231101125909/https://kb.mozillazine.org/Profile_folder_-_Firefox#Windows "Profile folder - Firefox - MozillaZine Knowledge Base | kb.mozillazine.org"
call:
- # Local profile data (e.g. cache) on Windows Vista and newer; %LOCALAPPDATA% is not defined on Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Mozilla\Firefox\Profiles'
- # Roaming profile data on Windows Vista and newer; on Windows XP %APPDATA% resolves to the path documented above
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Mozilla\Firefox\Profiles'
-
name: Clear Opera history (user profiles, settings, and data)
call:
- # Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Opera\Opera'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Opera\Opera'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Opera\Opera'
-
category: Clear Safari history
children:
-
name: Clear Webpage Icons
recommend: standard
docs: https://www.sans.org/blog/safari-browser-forensics/
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\WebpageIcons.db'
-
name: Clear Safari cache
recommend: standard
docs: https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cache.db'
-
name: Clear Safari cookies
recommend: strict
docs: https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cookies.db'
-
name: Clear all Safari data (user profiles, settings, and data)
docs:
- https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
- https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
- https://zerosecurity.org/2013/04/safari-forensic-tutorial
call:
- # Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Apple Computer\Safari'
-
category: Clear temporary Windows files
docs: |-
This category covers removal of temporary Windows files.
Cleaning these files is recommended because they can be used for unauthorized analysis of user behavior and system usage [1],
and because they may host malicious software [2] [3]; Microsoft advises this cleanup for security reasons [2].
Removing them also frees up disk space, at the cost of a slight delay the next time an application or the system rebuilds them.
Regularly clearing these folders reduces the chance of malware residing in them [2] [3] and limits what a forensic examination
of the disk can recover about the user [1], a simple and effective measure for keeping the system secure and private.
[1]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
[2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
[3]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
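The scripts in this category call the collection's `ClearDirectoryContents` function, which empties a folder but leaves the folder itself in place. The following is an added example in Python of that contract, not the project's own implementation: it deletes every entry below a directory, unlinks symlinks instead of following them (a link planted in a writable temp folder must not redirect the deletion elsewhere), and leaves the directory and its permission bits untouched. The layout it cleans is constructed in a temporary directory, the file names are arbitrary, and POSIX mode bits stand in for the folder's ACL on Windows.

```python
"""Empty a directory without deleting the directory itself (added example)."""
import os
import stat
import tempfile
from pathlib import Path


def clear_directory_contents(directory: str) -> list:
    """Delete every entry below `directory`; keep the directory and its permission bits.

    Symlinks (to files or directories) are unlinked, never followed: a link planted in a
    writable temp folder must not redirect the deletion to a location outside it.
    Returns the paths removed, deepest first.
    """
    root = Path(directory)
    if root.is_symlink() or not root.is_dir():
        raise ValueError(f"{directory} is not a real directory")
    removed = []
    # Bottom-up walk with followlinks=False: subdirectories are emptied before their parent
    # is visited, and symlinked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=False):
        for name in filenames + dirnames:
            entry = Path(dirpath) / name
            if entry.is_symlink() or entry.is_file():  # test for a link first; is_file() follows links
                entry.unlink()                          # unlink removes the link, not its target
            else:
                entry.rmdir()  # a real subdirectory, already empty thanks to the bottom-up order
            removed.append(str(entry))
    return removed


def demo() -> dict:
    """Constructed layout: two files, a subfolder and a symlink escaping to another directory."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as target:
        kept = Path(outside) / "keep-me.txt"
        kept.write_text("outside data")
        root = Path(target)
        (root / "a.log").write_text("x")
        (root / "sub").mkdir()
        (root / "sub" / "b.tmp").write_text("y")
        (root / "escape").symlink_to(outside, target_is_directory=True)  # the planted link
        os.chmod(root, 0o700)  # stand-in for the folder's ACL on Windows
        mode_before = stat.S_IMODE(root.stat().st_mode)
        removed = clear_directory_contents(target)
        return {
            "removed": len(removed),                 # a.log, sub/b.tmp, sub, escape
            "dir_kept": root.is_dir(),
            "mode_kept": stat.S_IMODE(root.stat().st_mode) == mode_before,
            "outside_intact": kept.read_text() == "outside data",
            "empty": not any(root.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```

The link check before `is_file()` matters because `is_file()` resolves symlinks; if a directory is swapped for a link between the check and the call, `rmdir` fails on the link rather than deleting through it, which is the safe failure mode.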
children:
-
name: Clear temporary system folder
recommend: standard
docs: |-
This script eliminates the contents of the `%WINDIR%\Temp\` directory, also known as the Windows Temp directory [1].
This directory is located within the Windows system folder `%SystemDrive%\Windows\Temp\` [1] [2].
It is used by the system and system-level processes to store temporary files, including those generated by the operating
system and other system-level software.
This folder, protected by specific access control lists (ACL) [3] [4], is accessible only to system-level accounts [2].
Known for being utilized by malware, cleaning this directory is recommended for maintaining system security [2] [5]. Moreover,
it's used for forensics to analyze user behavior [6], thus raising privacy concerns.
Microsoft underscores the importance of cleaning this folder to free up disk space [7], resolve system application issues [1] [8] [9],
and counteract malware [2]. Some system applications may populate this folder, taking up considerable disk space [7] [9] [10].
This script only deletes the contents of the `%WINDIR%\Temp\` directory, not the directory itself, to maintain system integrity,
security, and privacy, avoiding potential issues caused by unintentional directory deletion without proper ACL. Deleting the directory
itself might disrupt certain applications, such as `dism` [11], and application installers [12], while also removing the special ACL
that secures the folder.
[1]: https://web.archive.org/web/20231001145018/https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/error-0x800f0922-uninstall-role-feature "Error 0x800f0922 when you uninstall roles - Windows Server | Microsoft Learn"
[2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
[3]: https://web.archive.org/web/20231001145051/https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging#window-sysinternals-procdump "Enabling Postmortem Debugging - Windows drivers | Microsoft Learn"
[4]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
[5]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
[6]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
[7]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
[8]: https://web.archive.org/web/20231001150108/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/adr-updates-download-failure "Automatic deployment rule (ADR) fails to download updates - Configuration Manager | Microsoft Learn"
[9]: https://web.archive.org/web/20231001150158/https://support.microsoft.com/en-us/topic/error-message-112-setup-is-unable-to-decompress-and-copy-all-the-program-files-c8dadf2a-4e7e-11bf-6543-ab5560b7fc19 'Error Message 112 "Setup Is Unable to Decompress and Copy All the Program Files" - Microsoft Support'
[10]: https://web.archive.org/web/20231001150233/https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/unifiedcontent-folder-fills-up-drive "Exchange UnifiedContent folder fills up the drive - Exchange | Microsoft Learn"
[11]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
[12]: https://github.com/undergroundwires/privacy.sexy/issues/89 "Some installer failed to installer · Issue #89 · undergroundwires/privacy.sexy"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%WINDIR%\Temp'
-
name: Clear temporary user folder
recommend: standard
docs: |-
This script deletes the contents of the `%TEMP%\` (or `%LOCALAPPDATA%\Temp\` [1], `%TMP%\` [2]) directory, used by applications
and processes to store temporary files. This directory is situated within the user profile
`%SystemDrive%\Users\<username>\AppData\Local\Temp` [1] [2] [3]. Only the respective profile user can read and write to this folder [4].
This folder's usage for understanding user behavior in forensics [5] raises privacy concerns. Its content deletion, a regular operation performed
by Windows system tools like SilentCleanup (`cleanmgr.exe`) or Storage Sense (`storsvc.exe`) [8], does not harm the system. On cloud machines,
Microsoft does not retain contents of this directory and conducts automatic clean-ups to prevent data accumulation [6].
This script, while removing the contents, retains the directory to preserve the access control list (ACL) assigned by Microsoft [7], preventing potential
misconfigurations due to unintentional folder creation without proper ACL.
Microsoft recommends cleaning this folder to free disk space [8] and eliminate potential malware [9].
After running this script, a reboot is recommended so that applications that access `%TEMP%` keep working smoothly [8].
[1]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
[2]: https://web.archive.org/web/20231001150554/https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables "Recognized environment variables - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20231001150603/https://learn.microsoft.com/en-us/dotnet/api/system.io.path.gettemppath?view=net-7.0#examples "Path.GetTempPath Method (System.IO) | Microsoft Learn"
[4]: https://web.archive.org/web/20231001150917/https://learn.microsoft.com/en-us/windows/win32/shell/about-user-profiles "About User Profiles - Win32 apps | Microsoft Learn"
[5]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
[6]: https://web.archive.org/web/20231001150713/https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-troubleshoot-default-temp-folder-size-too-small-web-worker-role "Default TEMP folder size is too small for a role | Microsoft Learn"
[7]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
[8]: https://web.archive.org/save/https://learn.microsoft.com/en-us/troubleshoot/windows-server/shell-experience/temp-folder-with-logon-session-id-deleted "The %TEMP% folder with logon session ID is deleted - Windows Server | Microsoft Learn"
[9]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
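The reason the scripts above empty `%WINDIR%\Temp` and `%TEMP%` rather than deleting the directories themselves, shown as an added batch example that is not part of privacy.sexy's own scripts: it builds a throw-away folder under `%TEMP%` with an explicit ACL, then compares that ACL after clearing the contents against the ACL after deleting and recreating the folder. The `acl-demo` folder name and the use of `icacls` and `fc` for the comparison are this example's own choices, not something the project does.

```batch
@echo off
:: Added example, not part of privacy.sexy: demonstrates why a temp directory
:: should be emptied rather than deleted and recreated. A throw-away folder
:: under %TEMP% stands in for %WINDIR%\Temp so no real system folder is touched.
setlocal EnableDelayedExpansion
set "demo=%TEMP%\acl-demo"
set "before=%TEMP%\acl-demo-before.txt"
set "after=%TEMP%\acl-demo-after.txt"

:: Build the sandbox: a folder with a non-inherited, explicit ACL entry,
:: plus a file and a subfolder (with a nested file) to clear.
if exist "%demo%" rd /s /q "%demo%"
md "%demo%\sub"
echo sample > "%demo%\file.tmp"
echo sample > "%demo%\sub\nested.tmp"
icacls "%demo%" /inheritance:r /grant:r "%USERNAME%:(OI)(CI)F" >nul
icacls "%demo%" > "%before%"

:: Approach 1 (what the clean-up scripts do): remove only the contents.
:: Files (including nested ones) go first, then the now-empty subfolders.
del /q /f /s "%demo%\*" >nul 2>&1
for /d %%d in ("%demo%\*") do rd /s /q "%%d"
icacls "%demo%" > "%after%"
fc "%before%" "%after%" >nul && (
  echo [contents cleared] ACL preserved
) || (
  echo [contents cleared] ACL CHANGED
)

:: Approach 2 (what the docs warn against): delete and recreate the directory.
:: The new folder only inherits whatever %TEMP% grants; the explicit entry is gone.
rd /s /q "%demo%"
md "%demo%"
icacls "%demo%" > "%after%"
fc "%before%" "%after%" >nul && (
  echo [directory recreated] ACL preserved
) || (
  echo [directory recreated] ACL CHANGED - inherited defaults replaced the explicit entry
)

:: Clean up the sandbox and the two ACL snapshots.
rd /s /q "%demo%"
del /q "%before%" "%after%"
endlocal
```

Run it from a normal (non-elevated) prompt; the first comparison reports the ACL as preserved and the second as changed, which is the behaviour the scripts rely on when they keep the system-assigned ACL in place.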
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%'
-
name: Clear prefetch folder
recommend: standard
docs: |-
This script deletes the contents of `%WINDIR%\Prefetch\*`, typically pointing to `C:\Windows\Prefetch\` [1] [2].
**What is Prefetch?**
Introduced in Windows XP [2], Prefetch was developed by Windows to expedite application startup [1] and the boot process [1] [2].
It works by preemptively loading data and code pages into memory from the disk before requests [2], monitoring application's startup
page faults [2], and storing the gathered data in the Prefetch directory [2].
**Why Clear the Prefetch Directory?**
Over time, many files accumulate in the Prefetch directory. Clearing this directory enhances privacy and potentially frees disk space
by removing traces of recently used applications and files in the system, making unauthorized tracking of application usage more difficult.
Despite its design for improving application startup times [1], Prefetch can inadvertently expose information about the applications and files
accessed on the system [1]. Clearing the Prefetch directory addresses this issue by eliminating these traces.
Microsoft suggests deleting the Prefetch directory and its contents if significant system configuration changes occur, like adjustments to drivers,
services, or applications that start automatically [3]. This action eradicates any outdated prefetched data [3], ensuring that the system operates
with the most up-to-date and relevant data for application startups [3].
The files in the Prefetch directory are used for forensic purposes [4] [5], adding to the privacy concerns. They reveal information about application usage,
including data layout [4], access history on disk [4], last execution time [5], and the total number of times an application has been run [5]. Additionally,
they contain historical process information such as loaded libraries and process dependencies [6]. Erasing these files mitigates the risk of
this information being used for unauthorized tracking or analysis, improving your privacy.
**Trade-Off**
Clearing the Prefetch might cause a minor delay in application startup times until the necessary data is regenerated as applications are used again [2].
This is a compromise for heightened privacy and potentially freed disk space.
[1]: https://web.archive.org/web/20231001151015/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices "Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn"
[2]: https://web.archive.org/web/20231001151029/https://learn.microsoft.com/en-us/sysinternals/resources/archive/v03n02#windows-xp-prefetching "Sysinternals Newsletter Vol. 3, No. 2 - Sysinternals | Microsoft Learn"
[3]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft"
[4]: https://web.archive.org/web/20231001151107/https://ccsweb.lanl.gov/~kei/mypubbib/papers/TOS_13_diskseen.pdf "A Prefetching Scheme Exploiting both Data Layout and Access History on Disk | ccsweb.lanl.gov"
[5]: https://web.archive.org/web/20231001151150/https://www.justice.gov/sites/default/files/usao/legacy/2008/02/04/usab5601.pdf "Computer Forensics | justice.gov"
[6]: https://web.archive.org/web/20231001151207/https://par.nsf.gov/servlets/purl/10333089 "Malware Family Classification via Residual Prefetch Artifacts | par.nsf.gov"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%WINDIR%\Prefetch'
-
category: Clear Windows log and caches
children:
-
name: Clear thumbnail cache
call:
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Microsoft\Windows\Explorer\*.db'
-
category: Clear Windows system log files
children:
-
category: Clear Windows Update system logs
children:
-
name: Clear Windows update and SFC scan logs
recommend: standard
docs: https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Temp\CBS'
-
name: Clear Windows Update Medic Service logs
recommend: standard
docs: https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Logs\waasmedic'
-
name: Clear "Cryptographic Services" diagnostic traces
recommend: standard
docs: |-
This script removes specific files associated with the "Cryptographic Services".
The files include:
- `%SYSTEMROOT%\System32\catroot2\dberr.txt`
- `%SYSTEMROOT%\System32\catroot2.log`
- `%SYSTEMROOT%\System32\catroot2.jrs`
- `%SYSTEMROOT%\System32\catroot2.edb`
- `%SYSTEMROOT%\System32\catroot2.chk`
The "Cryptographic Services" (`CryptSvc`) service manages services such as key management for the computer [1] [2].
This service is used by different features, including Windows Updates [3] [4] [5].
There is no official documentation available for these files from Microsoft. However, after analyzing the internal workings of Windows, below
is a detailed explanation of the purpose, collected data, and privacy implications for each file:
| File name | Purpose | Data Collected | Privacy Implications |
| --------- | ------- | -------------- | -------------------- |
| `dberr.txt` | Logging database errors | Error messages and codes related to database operations | Potential system issues or vulnerabilities |
| `catroot2.log` | Logging activities, errors, or transactions related to cryptographic operations | Log data including status messages, error codes | System configurations and vulnerabilities |
| `catroot2.jrs` | Journal file for data integrity in cryptographic operations | Transaction logs or temporary cryptographic data | System's state and cryptographic operations |
| `catroot2.edb` | Storing certificate and signature data for Windows Update | Certificate and signature validation data, update details | Update history and security state |
| `catroot2.chk` | Ensuring data consistency in the ESE database | Information for database recovery | System state information |
This script deletes these files, improving user privacy by ensuring that sensitive information related to system configurations, vulnerabilities, and
cryptographic operations is not readily available.
[1]: https://web.archive.org/web/20231025233132/https://www.windows-security.org/windows-service/cryptographic-services "Cryptographic Services | Windows security encyclopedia | windows-security.org"
[2]: https://web.archive.org/web/20231025233145/https://revertservice.com/10/cryptsvc/ "Cryptographic Services (CryptSvc) Defaults in Windows 10 | revertservice.com"
[3]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231025233228/https://support.microsoft.com/en-us/topic/claims-to-windows-token-service-c2wts-not-starting-after-rebooting-server-52a2d131-cb9d-bf28-77d4-1663a99d03b3 "Claims to Windows Token Service (c2WTS) not starting after rebooting server - Microsoft Support | support.microsoft.com"
[5]: https://web.archive.org/web/20231025233251/https://learn.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/vss-error-8193-restart-cryptographic-services "VSS event 8193 when you restart the Cryptographic Services service after you install the DHCP role - Windows Server | Microsoft Learn | learn.microsoft.com"
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2\dberr.txt'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.jrs'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.edb'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.chk'
-
name: Clear Server-initiated Healing Events system logs
docs: |-
These are logs related to Windows Update [1] [2].
The log directory stores event trace log (ETL) files [3].
While the logs are largely technical, like many diagnostic logs, there's a potential for some data that could be considered personally identifiable information
(PII), such as usernames or machine names, to be included.
From a forensic standpoint, they offer valuable data for reconstructing system events related to software updates [3]:
- **Update History**: The logs can provide a history of updates, including those that failed and required remediation. This could be used to establish a timeline of events on a system.
- **System Integrity**: In forensic scenarios where the integrity of the system is in question, the SIH logs could be used to determine if there were any issues with updates, including
any that were automatically remediated.
- **Behavior Analysis**: While the primary purpose of the logs is not to capture user behavior, they can be part of a broader set of logs and data used in behavioral analysis, especially
when reconstructing events leading up to a particular system state or incident.
[1]: https://web.archive.org/web/20231020011710/https://raw.githubusercontent.com/Azure/azure-diskinspect-service/master/docs/manifest_by_file.md "Official Microsoft Documentation | azure-diskinspect-service/docs/manifest_by_file.md at master · Azure/azure-diskinspect-service | github.com"
[2]: https://web.archive.org/web/20231020012236/https://answers.microsoft.com/es-es/windows/forum/all/windows-10-carpeta-y-archivos-sih/4d318121-fed6-4202-8b92-d4dc236b468e "Windows 10 | Carpeta y archivos SIH - Microsoft Community"
[3]: https://tzworks.com/prototypes/tela/tela.users.guide.pdf "TZWorks Shim Database Parser (shims) Users Guide"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Logs\SIH'
-
name: Clear Windows Update logs
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Traces\WindowsUpdate'
-
name: Clear Optional Component Manager and COM+ components logs
recommend: standard
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\comsetup.log'
-
name: Clear "Distributed Transaction Coordinator (DTC)" logs
recommend: standard
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\DtcInstall.log'
-
name: Clear logs for pending/unsuccessful file rename operations
docs: |-
This script is used to clear the log files created by Windows whenever there are pending file rename operations
that are not successfully completed. The logged operations might include renaming, moving or deleting a file that is
currently in use [1].
[1]: https://web.archive.org/web/20230806191624/https://support.microsoft.com/en-us/topic/how-to-install-multiple-windows-updates-or-hotfixes-with-only-one-reboot-6247def4-7f39-c1a0-efe5-61f82849fb7c "How to install multiple Windows updates or hotfixes with only one reboot - Microsoft Support"
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\PFRO.log'
-
name: Clear Windows update installation logs
recommend: standard
docs: |-
This script is used to clear the log files created during the Windows update installation process. This includes both
the actions log (`setupact.log`) and the error log (`setuperr.log`).
These files contain information about setup initialization and are typically used if setup fails to launch [1].
[1]: https://web.archive.org/web/20230806191844/https://learn.microsoft.com/en-us/windows/deployment/upgrade/log-files "Log files and resolving upgrade errors - Windows Deployment | Microsoft Learn"
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\setupact.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\setuperr.log'
-
name: Clear Windows setup logs
recommend: standard
docs: https://support.microsoft.com/en-gb/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\setupapi.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\inf\setupapi.app.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\inf\setupapi.dev.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\inf\setupapi.offline.log'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Panther'
-
name: Clear "Windows System Assessment Tool (`WinSAT`)" logs
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\Performance\WinSAT\winsat.log'
-
name: Clear password change events
recommend: standard
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\debug\PASSWD.LOG'
-
name: Clear user web cache database
recommend: standard
docs: https://support.microsoft.com/en-gb/help/4056823/performance-issue-with-custom-default-user-profile
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache'
-
name: Clear system temp folder when not logged in
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Local\Temp'
-
name: Clear DISM (Deployment Image Servicing and Management) system logs
recommend: standard
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\Logs\CBS\CBS.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\Logs\DISM\DISM.log'
-
name: Clear Windows update files # Marked: stop-service-do-stuff-restart-service
docs: |-
This script clears the contents of the `%SYSTEMROOT%\SoftwareDistribution\` directory.
This action is sometimes called *resetting the Windows Update Agent* or *resetting Windows Update components* by Microsoft [1].
This directory contains Windows Update files [2] [3].
It includes logs of Windows updates [2] [4], downloaded updates [5], and database files related to the updates [2].
Over time, the size of this folder can increase [5], leading to potential disk space issues. Clearing this directory can help free up disk space [5].
This folder is used by Windows Updates [1] [6].
The `wuauserv` service, also known as "Windows Update Service" [7], uses this folder for its operations [1] [8] [9].
This service manages the Windows Update Agent (WUA) functionality [7].
Clearing this directory is generally safe, and sometimes, Microsoft even recommends this action to troubleshoot and resolve update-related
errors [1] [5] [6] [9] [10].
This script contributes to users' privacy and system efficiency by cleaning up old and potentially unnecessary update files.
[1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update#how-do-i-reset-windows-update-components "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231027190239/https://support.microsoft.com/en-us/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc "Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158) - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide#windows-update-files-or-automatic-update-files "Microsoft Defender Antivirus exclusions on Windows Server | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231027190425/https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs "Windows Update log files - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20231027190439/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/address-disk-space-issues-caused-by-winsxs "Large WinSxS directory causes disk space issues - Windows Client | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20231027190148/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/common-windows-update-errors "Common Windows Update errors - Windows Client | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20231027190357/https://revertservice.com/10/wuauserv/ "Windows Update (wuauserv) Service Defaults in Windows 10 | revertservice.com"
[8]: https://web.archive.org/web/20231027190213/https://support.microsoft.com/en-us/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c#WindowsVersion=Windows_11 "Troubleshoot problems updating Windows - Microsoft Support | support.microsoft.com"
[9]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20231029172022/https://support.microsoft.com/en-us/topic/you-receive-an-administrators-only-error-message-in-windows-xp-when-you-try-to-visit-the-windows-update-web-site-or-the-microsoft-update-web-site-d2c732b6-21e0-a2ce-8d18-303ed71736c9 'You receive an "Administrators only" error message in Windows XP when you try to visit the Windows Update Web site or the Microsoft Update Web site - Microsoft Support | support.microsoft.com'
code: |- # `sc queryex` output is the same in every OS language
setlocal EnableDelayedExpansion
SET /A wuau_service_running=0
REM `find /v` exits with 1 when the STATE line contains RUNNING, so the `||` branch runs only when the service is running
SC queryex "wuauserv"|Find "STATE"|Find /v "RUNNING">Nul||(
SET /A wuau_service_running=1
net stop wuauserv
)
del /q /s /f "%SYSTEMROOT%\SoftwareDistribution\*"
REM Restart the service only if this script was the one that stopped it
IF !wuau_service_running! == 1 (
net start wuauserv
)
endlocal
-
name: Clear Common Language Runtime system logs
recommend: standard
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageTraces'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageTraces'
-
name: Clear Network Setup Service Events system logs
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Logs\NetSetup'
-
name: Clear logs generated by Disk Cleanup Tool (`cleanmgr.exe`)
docs: |-
This script is used to clear the log files generated by the Disk Cleanup Tool (cleanmgr.exe). These logs are
generated when the Disk Cleanup Tool is used to free up disk space. Log files for this tool are stored in
`C:\Windows\System32\LogFiles\setupcln\` [1].
Erasing these logs can enhance user privacy by removing traces of the cleanup process. These logs are known to
be used in forensic analysis [2].
[1]: https://web.archive.org/web/20230806192546/https://ss64.com/nt/cleanmgr.html "Cleanmgr - Delete Junk and Temp files - Windows CMD - SS64.com"
[2]: https://web.archive.org/web/20230806192800/https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ "Beyond good ol Run key, Part 86 | Hexacorn"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\System32\LogFiles\setupcln'
-
name: Clear diagnostics tracking logs # Marked: stop-service-do-stuff-restart-service ("DiagTrack")
recommend: standard
docs: |-
This script deletes primary telemetry files in Windows.
These files store event trace logs that are collected by the `DiagTrack` service [1] [2].
This service is also known as "Diagnostics Tracking Service" [3] or "Connected User Experiences and Telemetry" service [4].
These files are stored as Event Trace Log (`.etl`) files, also known as trace logs [5].
Contents of these files are transmitted to Microsoft servers [1] [2].
This service uses *AutoLogger* logs.
*AutoLogger* allows saving trace logs early in the operating system boot process before the user logs in [6].
This data is collected during system boot and shut-down, and typically read and deleted at each system boot [3].
The information collected is divided into two files:
- `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2]
- `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2]
To modify or delete these files, `SYSTEM` rights are required [1], which this script provides.
The collected data varies based on the telemetry level set [2] and may include information about websites visited, application
and system performance, device activity, and memory dumps [7].
By deleting these telemetry files, this script prevents the `DiagTrack` service from sending a specific set of diagnostic and
usage data to Microsoft, enhancing user privacy by reducing data sharing.
[1]: https://web.archive.org/web/20231027164549/https://it-forensik.fiw.hs-wismar.de/images/a/a3/MT_MReuter.pdf "Options for using Event Tracing for Windows (ETW) to support forensic analyzes of process behavior in Windows 10 | University of Wismar"
[2]: https://web.archive.org/web/20230215084038/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Analyse_Telemetriekomponente_1_2.pdf?__blob=publicationFile&v=3 "Analyse der Telemetriekomponente in Windows 10 | The national cyber security authority in Germany | bsi.bund.de"
[3]: https://web.archive.org/web/20231027164826/https://troopers.de/downloads/troopers19/TROOPERS19_DM_Telemetry.pdf "The Anatomy of Windows Telemetry | The national cyber security authority in Germany | troopers.de"
[4]: https://web.archive.org/web/20231027165627/https://revertservice.com/10/diagtrack/ "Connected User Experiences and Telemetry (DiagTrack) Service Defaults in Windows 10 | revertservice.com"
[5]: https://web.archive.org/web/20231027164529/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-log "Trace Log - Windows drivers | Microsoft Learn"
[6]: https://web.archive.org/web/20231027164510/https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session "Configuring and Starting an AutoLogger Session - Win32 apps | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20231027164821/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
-
function: DeleteFiles
parameters:
fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl'
grantPermissions: true
-
function: DeleteFiles
parameters:
fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl'
grantPermissions: true
-
name: Clear event logs in Event Viewer application
docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information
code: |-
REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral
REM Grant Administrators (BA) read+clear (0x5) on the LiveId log, which otherwise fails to clear with "Access is denied"
wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)
REM Enumerate every registered event log and clear it (the stray `%1` script argument is not passed to `cl`)
for /f "tokens=*" %%i in ('wevtutil.exe el') DO (
echo Deleting event log: "%%i"
wevtutil.exe cl "%%i"
)
-
name: Clear Defender scan (protection) history
docs: |-
This script deletes the scan history kept by Microsoft Defender on your computer. Microsoft Defender logs detected threats but also gathers
and stores data about various other files it scans [1] [2]. While removing this history enhances your privacy, it might decrease security,
as these logs assist in monitoring threats. By eliminating traces of your system's files, activities and any threats detected, you ensure
no residual data can be utilized to study or analyze your computer's activities, thus protecting your privacy.
Defender keeps a log of various details whenever it scans your computer for threats. This includes [3] [4]:
- **Time**: The moment the threat was discovered.
- **Threat Status**: The action carried out against the threat.
- **Virus Type**: The type or category of the virus.
- **Threat ID**: A unique identifier for the threat.
- **Virus Name**: The name of the virus.
- **File Path**: The location of the threat on your computer.
- **File Hash**: A unique code representing the file.
- **Quarantine File Name (GUID)**: The name given to the quarantined threat.
- **File Size**: The size of the file.
When you first set up Windows, it conducts an initial scan [1]. This scan identifies system files that won't require future
scans [1]. These 'safe' files are saved in a unique folder, which becomes a part of the scan history [1].
If a threat is recognized, Microsoft Defender will notify you [4]. Regardless of whether you choose to run the file or not, a
`DetectionHistory` file is created [2]. This file is stored in a specific folder
(`%ProgramData%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\[numbered folder]\`), and it contains a
system-generated ID for the event [2].
> **Caution**: Deleting these logs may decrease your security. These logs help in keeping track of potential threats and their sources,
allowing for a more proactive response in future encounters. Without this history, Microsoft Defender might not recognize recurring threats
as quickly, possibly leaving your system more vulnerable. It's essential to understand that you're making a trade-off between enhanced
privacy and potentially reduced security.
[1]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft"
[2]: https://web.archive.org/web/20230829143754/https://www.sans.org/blog/uncovering-windows-defender-real-time-protection-history-with-dhparser/ "Uncovering Windows Defender Real-time Protection History with DHParser | SANS Alumni Blog"
[3]: https://web.archive.org/web/20230829144957/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/defender/msft-mpthreatdetection "MSFT\_MpThreatDetection class | Microsoft Learn"
[4]: https://web.archive.org/web/20230829144434/https://forensafe.com/blogs/windows_defender.html "Windows Defender | Forensafe"
call:
function: ClearDirectoryContents # Otherwise it cannot access/delete files under `Scans\History`, see https://github.com/undergroundwires/privacy.sexy/issues/246
parameters:
directoryGlob: '%ProgramData%\Microsoft\Windows Defender\Scans\History'
grantPermissions: true # Running as TrustedInstaller is not needed, and causes Defender to alarm https://github.com/undergroundwires/privacy.sexy/issues/264
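Added example, not code from privacy.sexy or from Microsoft: it keeps a copy of Defender's detection history before the script above wipes it, so the investigative value described in the docs is not lost. It assumes Windows 10/11 with the Defender PowerShell module (`Get-MpThreat`, `Get-MpThreatDetection`), an elevated session, and `$backupDir` as an assumed writable location.

```powershell
# Added example (not privacy.sexy code). Export Defender's detection history
# before clearing it. Assumes the Defender module is present and the session
# is elevated; $backupDir is an assumed location.
if (-not (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue)) {
    throw 'Defender PowerShell module not available; nothing to export.'
}
$backupDir = Join-Path $env:USERPROFILE ('DefenderHistory-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# ThreatID -> ThreatName, so the export stays readable once the history is gone.
$threatNames = @{}
foreach ($t in @(Get-MpThreat -ErrorAction SilentlyContinue)) {
    $threatNames[[string]$t.ThreatID] = $t.ThreatName
}

# One record per detection: the fields the docs above describe (time, threat, path, action).
$records = @(Get-MpThreatDetection -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        DetectedAt = $_.InitialDetectionTime
        ThreatID   = $_.ThreatID
        ThreatName = $threatNames[[string]$_.ThreatID]
        Resources  = @($_.Resources)      # e.g. 'file:_C:\Users\me\Downloads\sample.exe'
        Process    = $_.ProcessName
        User       = $_.DomainUser
        ActionOk   = $_.ActionSuccess
    }
})
ConvertTo-Json -InputObject $records -Depth 4 |
    Set-Content -LiteralPath (Join-Path $backupDir 'detections.json') -Encoding UTF8
Write-Host "Exported $($records.Count) detection record(s) to $backupDir"

# The raw DetectionHistory files sit in an ACL-restricted folder (which is why the
# script above uses grantPermissions: true). Inventory them if readable, otherwise say so.
$historyDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Scans\History\Service\DetectionHistory'
try {
    $files = @(Get-ChildItem -LiteralPath $historyDir -Recurse -File -ErrorAction Stop)
    $files | Select-Object FullName, Length, LastWriteTime |
        Export-Csv -LiteralPath (Join-Path $backupDir 'detectionhistory-files.csv') -NoTypeInformation
    Write-Host "Listed $($files.Count) DetectionHistory file(s)."
} catch {
    Write-Warning "Could not read $historyDir ($($_.Exception.Message)); run as SYSTEM (e.g. psexec -s) to inventory the raw files."
}
```

The JSON export is what you would hand to an incident responder; the CSV listing only records that the raw `DetectionHistory` files existed, since reading their contents needs SYSTEM rights on a default install.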
-
name: Clear credentials in Windows Credential Manager
call:
function: RunPowerShell
parameters:
code: |-
$cmdkeyPath = Get-Command cmdkey -ErrorAction SilentlyContinue
if (-not $cmdkeyPath) {
throw 'Failed to find the `cmdkey` utility on this system.'
}
$cmdkeyListOutput = & $cmdkeyPath /list
if ($LASTEXITCODE -ne 0) {
throw "Failed to execute `cmdkey /list`. Exit code: $LASTEXITCODE."
}
if (-not $cmdkeyListOutput) {
throw 'Failed to retrieve credentials list. The output from `cmdkey /list` is empty.'
}
$credentialEntries = @($cmdkeyListOutput | Select-String 'Target')
if (-not $credentialEntries) {
Write-Host 'Skipping: No credentials found for deletion.'
exit 0
}
$allCredentialsDeletedSuccessfully = $true
Write-Host "Total of $($credentialEntries.Length) credential(s) found. Initiating deletion..."
foreach ($credentialEntry in $credentialEntries) {
if ($credentialEntry -notmatch 'Target:(.+)') {
Write-Error "Failed to parse credential from output: $credentialEntry"
$allCredentialsDeletedSuccessfully = $false
continue
}
$credentialTargetName = $matches[1].Trim()
Write-Host "Deleting credential: `"$credentialTargetName`"..."
& $cmdkeyPath /delete:$credentialTargetName
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to delete credential '$credentialTargetName'. `cmdkey` returned exit code: $LASTEXITCODE."
$allCredentialsDeletedSuccessfully = $false
} else {
Write-Host "Successfully deleted credential: `"$credentialTargetName`"."
}
}
if (-not $allCredentialsDeletedSuccessfully) {
Write-Warning 'Failed to delete some credentials. Please check the error messages above.'
} else {
Write-Host "Successfully deleted all $($credentialEntries.Length) credential(s)."
}
-
name: Remove the controversial `defaultuser0` user
docs: https://github.com/undergroundwires/privacy.sexy/issues/30
recommend: standard
code: net user defaultuser0 /delete 2>nul
-
name: Empty trash (Recycle Bin)
call:
function: RunPowerShell
parameters:
code: |-
$bin = (New-Object -ComObject Shell.Application).NameSpace(10)
$bin.items() | ForEach {
Write-Host "Deleting $($_.Name) from Recycle Bin"
Remove-Item $_.Path -Recurse -Force
}
-
name: Minimize DISM "Reset Base" update data
recommend: standard
docs: |-
This script enables the DISM "Reset Base" behaviour so that superseded update components can be removed from the WinSxS folder.
The **DISM tool** is used to manage Windows images and is often used to fix issues with the Windows operating system [1].
The **"Reset Base"** option reduces the size of the WinSxS folder by removing superseded versions of every component [2]. Once
"Reset Base" has been applied, you cannot uninstall any previously installed updates [2].
The **WinSxS folder**, also known as the "Windows Side by Side" folder, is a component of the Windows operating system [3].
It is located in the Windows directory (for example, `C:\Windows\WinSxS`) [3]. The WinSxS folder is used to store system
components that are required for the installation of Windows [3]. It also stores components that are added to the system
through Windows updates [3].
The **Windows Component Store** contains all the files that are required for Windows features on demand [3].
Removing superseded components is primarily a disk-space and performance measure; the privacy benefit is that old copies of updated
files no longer linger in the component store.
Note that this script only sets the registry value that permits "Reset Base" (`DisableResetbase` = `0`). It does not itself run
`Dism.exe /Online /Cleanup-Image /StartComponentCleanup /ResetBase`, which performs the actual cleanup [2].
WARNING: Once a "Reset Base" cleanup has been performed, you will not be able to uninstall previously installed updates [2].
[1]: https://web.archive.org/web/20230806160623/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/what-is-dism?view=windows-11 "DISM Overview | Microsoft Learn"
[2]: https://web.archive.org/web/20230806160827/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11 "Clean Up the WinSxS Folder | Microsoft Learn"
[3]: https://web.archive.org/web/20230710000943/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/manage-the-component-store?view=windows-11 "Manage the Component Store | Microsoft Learn"
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f
-
name: Remove Windows product key from registry
# Helps to protect it from being stolen and used for identity theft or identifying you.
docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/
# We use cscript.exe to execute `slmgr.vbs` instead of calling `slmgr` directly to keep the output but suppress the dialogs. Clearing the key from the registry does not deactivate Windows; it only stops the key from being read back by tools or malware.
code: cscript.exe //nologo "%SystemRoot%\system32\slmgr.vbs" /cpky
-
name: Clear volume backups (shadow copies)
docs:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
code: vssadmin delete shadows /all /quiet
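Added example, not code from privacy.sexy: it shows what `vssadmin delete shadows /all` would remove before you run it. Shadow copies back System Restore points and File Explorer's "Previous Versions", and deleting all of them is also what ransomware does (the Fortinet article above), so endpoint protection may flag the command. It assumes an elevated session and uses only the built-in `Win32_ShadowCopy`, `Win32_Volume` and `Win32_ShadowStorage` CIM classes.

```powershell
# Added example (not privacy.sexy code). List shadow copies, their volumes and
# the space they use, so the delete above is a deliberate choice. Assumes an
# elevated session; CIM classes used are built into Windows.
function Get-ShadowCopySummary {
    # Map volume GUID paths (\\?\Volume{...}\) to drive letters for readability.
    $letters = @{}
    foreach ($v in Get-CimInstance -ClassName Win32_Volume) {
        if ($v.DeviceID) { $letters[$v.DeviceID] = $v.DriveLetter }
    }
    foreach ($s in Get-CimInstance -ClassName Win32_ShadowCopy) {
        [pscustomobject]@{
            Id         = $s.ID
            Volume     = if ($letters.ContainsKey($s.VolumeName)) { $letters[$s.VolumeName] } else { $s.VolumeName }
            CreatedAt  = $s.InstallDate
            Persistent = $s.Persistent   # non-persistent copies disappear on their own
        }
    }
}

$copies = @(Get-ShadowCopySummary)
if ($copies.Count -eq 0) {
    Write-Host 'No shadow copies present; the delete command would be a no-op.'
} else {
    $copies | Sort-Object CreatedAt | Format-Table -AutoSize
    $usedBytes = (Get-CimInstance -ClassName Win32_ShadowStorage | Measure-Object -Property UsedSpace -Sum).Sum
    Write-Host ('{0} shadow copy(ies) using {1:N1} GB. Run "vssadmin delete shadows /all /quiet" only if you can live without these restore points.' -f $copies.Count, ($usedBytes / 1GB))
}
```

If the listing shows a recent persistent copy of the system drive, that is your most recent restore point; create a fresh one afterwards if you still want rollback capability.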
-
name: Remove associations of default apps
recommend: standard
code: dism /online /Remove-DefaultAppAssociations
-
name: Clear System Resource Usage Monitor (SRUM) data # Marked: stop-service-do-stuff-restart-service
recommend: standard
docs: |-
This script deletes the Windows System Resource Usage Monitor (SRUM) database file.
SRUM tracks the usage of desktop applications, services, Windows applications, and network connections [1] [2] [3]. SRUM stores its file at
`C:\Windows\System32\sru\SRUDB.dat` [1] [3] [4].
Before deleting the file, the script temporarily stops the Diagnostic Policy Service (DPS). The DPS helps Windows detect and solve problems with its
components [4]. Stopping this service is required as modifications to the SRUM file require it to be turned off [5].
Deleting this file can enhance user privacy as it contains usage data and is often used for forensic analysis of user behavior [1] [6].
[1]: https://web.archive.org/web/20231013164746/https://raw.githubusercontent.com/libyal/esedb-kb/main/documentation/System%20Resource%20Usage%20Monitor%20%28SRUM%29.asciidoc "esedb-kb/documentation/System Resource Usage Monitor (SRUM).asciidoc at main · libyal/esedb-kb | github.com"
[2]: https://web.archive.org/web/20231004161112/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809 "Windows 10, version 1809 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn"
[3]: https://web.archive.org/web/20231004161132/https://security.opentext.com/appDetails/SRUM-Database-Parser "SRUM Database Parser | security.opentext.com"
[4]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#diagnostic-policy-service "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
[5]: https://web.archive.org/web/20231008135321/https://devblogs.microsoft.com/sustainable-software/measuring-your-application-power-and-carbon-impact-part-1/ "Measuring Your Application Power and Carbon Impact (Part 1) - Sustainable Software | devblogs.microsoft.com"
[6]: https://web.archive.org/web/20231008135333/https://www.sciencedirect.com/science/article/abs/pii/S1742287615000031 "Forensic implications of System Resource Usage Monitor (SRUM) data in Windows 8 | Yogesh Khatri | sciencedirect.com"
call:
function: RunPowerShell
parameters:
# If the service is not stopped, following error is thrown:
# Failed to delete SRUM database file at: "C:\Windows\System32\sru\SRUDB.dat". Error Details: The process cannot access
# the file 'C:\Windows\System32\sru\SRUDB.dat' because it is being used by another process.
code: |-
$srumDatabaseFilePath = "$env:WINDIR\System32\sru\SRUDB.dat"
if (!(Test-Path -Path $srumDatabaseFilePath)) {
Write-Output "Skipping, SRUM database file not found at `"$srumDatabaseFilePath`". No actions are required."
exit 0
}
$dps = Get-Service -Name 'DPS' -ErrorAction Ignore
$isDpsInitiallyRunning = $false
if ($dps) {
$isDpsInitiallyRunning = $dps.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running
if ($isDpsInitiallyRunning) {
Write-Output "Stopping the Diagnostic Policy Service (DPS) to delete the SRUM database file."
$dps | Stop-Service -Force
$dps.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped)
Write-Output "Successfully stopped Diagnostic Policy Service (DPS)."
}
} else {
Write-Output "Diagnostic Policy Service (DPS) not found. Proceeding without stopping the service."
}
try {
Remove-Item -Path $srumDatabaseFilePath -Force -ErrorAction Stop
Write-Output "Successfully deleted the SRUM database file at `"$srumDatabaseFilePath`"."
} catch {
throw "Failed to delete SRUM database file at: `"$srumDatabaseFilePath`". Error Details: $($_.Exception.Message)"
} finally {
if ($isDpsInitiallyRunning) {
try {
if ((Get-Service -Name 'DPS').Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Output "Restarting the Diagnostic Policy Service (DPS)."
$dps | Start-Service
}
} catch {
throw "Failed to restart the Diagnostic Policy Service (DPS). Error Details: $($_.Exception.Message)"
}
}
}
-
name: Clear previous Windows installations
call:
function: DeleteDirectory
parameters:
directoryGlob: '%SYSTEMDRIVE%\Windows.old'
grantPermissions: true
-
category: Disable OS data collection
children:
-
category: Disable Application Compatibility Framework
docs: |-
This category disables the Application Compatibility (AppCompat) framework on Windows.
The Application Compatibility (AppCompat) framework is a feature in Windows that collects data about application compatibility.
This includes gathering information about application crashes, issues, and other operational details to help improve the
compatibility of applications on Windows [1].
It is controlled by a set of policies within the Microsoft Windows operating system aimed at enabling applications designed
for older versions of Windows to function properly on newer versions [1].
However, the Application Compatibility framework involves various forms of data collection that may be considered invasive from
a privacy standpoint [1]. Its shim mechanism can also be abused: attackers can install malicious compatibility shims to inject code into
applications or to persist on the system [2] [3] [4].
By disabling the AppCompat framework, the scripts in this category limit this data collection and remove the shim-based attack surface.
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson"
[3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com"
[4]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com"
children:
# Excluding "Application Experience" service (`AeLookupSvc`) as it does not exist since Windows 10 21H1 and Windows 11 22H2
-
name: Disable Application Impact Telemetry (AIT)
recommend: standard
docs: |-
This script disables Application Impact Telemetry (AIT).
Application Impact Telemetry (AIT) is a function that tracks the usage of certain Windows system components by
various applications [1]. Turning this feature off stops the collection of usage data [1], enhancing your privacy
by ensuring that your usage patterns and behaviors are not sent to external servers.
Disabling telemetry will take effect on any newly launched applications [1]. To ensure that telemetry collection has
stopped for all applications, please reboot your machine [1].
Note that if the Customer Experience Improvement Program (CEIP) is turned off, Application Telemetry will be disabled
regardless of this setting [1].
This script performs its function by modifying a specific registry key:
`HKLM\Software\Policies\Microsoft\Windows\AppCompat!AITEnable`. This is the switch that controls the AIT setting
within the operating system [1].
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffapplicationimpacttelemetry "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2
-
name: Disable Application Compatibility Engine
recommend: standard
docs: |-
This script disables the Application Compatibility Engine on Windows systems.
The Application Compatibility Engine examines a compatibility database every time an application starts [1]. If it finds a match
for the application, it either applies compatibility fixes or displays a help message for known problems with the application [1].
This process may inadvertently reveal data about the applications you run on your system, especially if the query functions are
intercepted [2]. Moreover, this database can be utilized by malware creators to modify an application and make it perform unintended
actions [3].
Disabling the Application Compatibility Engine leads to enhanced system performance [1]. However, this might compromise the compatibility
of many older, popular applications and permit the installation of known incompatible applications [1]. Additionally, certain Windows
features like Windows Resource Protection and User Account Control use this engine to resolve application issues [1]. Without the engine,
these solutions won't be applied, and applications may not install or run correctly [1].
This option is suitable for users seeking faster performance who are knowledgeable about the compatibility of the applications they use [1].
Keep in mind that any changes to this setting require a system reboot to take effect as many system processes cache this setting's value for
performance reasons [1].
The script achieves its goal by altering a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine` [1].
By disabling this engine, whose shim mechanism is known to be abused by malware [4], the script reduces the potential attack surface on the system,
enhancing overall security.
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffengine "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com"
[3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com"
[4]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson"
code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableEngine" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableEngine" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2
-
name: Remove "Program Compatibility" tab from file properties (context menu)
recommend: strict
docs: |-
This script removes the "Program Compatibility" tab from the file properties context menu. This tab is visible on the property context menu
of any program shortcut or executable file, and displays options that can be applied to the application to solve common issues affecting
older applications [1].
When applied, this setting hides the compatibility property page from the context menus; it does not undo any compatibility settings
previously applied to applications through that page [1].
This script achieves its functionality by modifying a specific registry key:
`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage` [1].
This setting is often used in organizational environments to prevent end-users from modifying the compatibility settings of applications.
It ensures that applications operate with the settings considered most suitable by the system administrator or IT department. This restriction
aids in upholding system stability and security by ensuring users cannot run applications in modes recognized to be insecure or unstable.
This script assists in upholding a more secure and stable environment by barring unauthorized changes to application compatibility settings.
The security benefits include:
- **Restricting User Actions**: By limiting the actions that a user can perform, administrators can prevent unintended security vulnerabilities.
Users may inadvertently (or intentionally) choose settings that could expose the system to risks, and this script helps in preventing
such scenarios.
- **Maintaining Known Configurations**: By ensuring that applications can only run in certain compatibility modes, administrators can more
effectively manage and secure their environments. They can thoroughly test and verify the security of the allowed configurations, leading to
a more robust security posture.
- **Preventing Exploitation of Vulnerabilities**: Some compatibility settings might make applications run in a less secure mode to maintain
compatibility with older software or systems. Preventing users from enabling such settings can help in avoiding potential vulnerabilities
associated with these modes.
By preventing users from changing compatibility settings, you could prevent them from selecting settings that send additional data to
software vendors (for example, certain compatibility modes might enable additional telemetry or error reporting). Though primarily aimed at
control and stability, this restriction indirectly contributes to privacy protection by reducing potential unwanted data transmission.
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatremoveprogramcompatproppage "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePropPage" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePropPage" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2
-
name: Disable Steps Recorder (collects screenshots, mouse/keyboard input and UI data)
recommend: standard
docs: |-
This script disables Steps Recorder on your device.
Steps Recorder, formerly known as Problem Steps Recorder [1] [2], is a tool that records the actions taken on a computer, including keyboard and mouse inputs,
user interface interactions, and screenshots with every click [2] [3]. This tool is used to diagnose and troubleshoot problems by capturing the exact steps
taken when an issue occurs [1]. The data collected by Steps Recorder can be sent to Microsoft or third-party developers [3] [4], potentially revealing sensitive
user information.
By running this script, the Steps Recorder functionality will be turned off by altering a specific registry key:
`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableUAR` [3]. This prevents the automatic recording and sharing of user action data, enhancing the
privacy and security of the user's device.
Not running this script leaves the Steps Recorder enabled by default on Windows [3], allowing it to record and potentially share user actions and information.
Using this script enhances user privacy by ensuring that personal actions taken on a computer are not automatically recorded and shared without the
user's knowledge or consent. It's a straightforward measure to increase your control over your own device and data. Additionally, disabling Steps Recorder
is recommended by The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [5].
While enhancing privacy, this script may complicate the troubleshooting process as Steps Recorder will not be available to easily record and share encountered
issues.
[1]: https://web.archive.org/web/20230927120359/https://support.microsoft.com/en-us/windows/record-steps-to-reproduce-a-problem-46582a9b-620f-2e36-00c9-04e25d784e47 "Record steps to reproduce a problem - Microsoft Support"
[2]: https://web.archive.org/web/20230927120405/https://cloudblogs.microsoft.com/dynamics365/no-audience/2016/03/08/capturing-repro-scenarios-using-windows-steps-recorder/ "Capturing Repro Scenarios Using Windows Steps Recorder - Microsoft Dynamics 365 Blog"
[3]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffuseractionrecord "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[4]: https://web.archive.org/web/20230927120745/https://learn.microsoft.com/en-us/windows/win32/win7appqual/windows-error-reporting-problem-steps-recorder "Windows Error Reporting Problem Steps Recorder - Win32 apps | Microsoft Learn"
[5]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2
-
name: Disable "Inventory Collector" task
recommend: standard
docs: |-
This script disables the "Inventory Collector" task on your computer.
The Inventory Collector is a feature in Windows that gathers data about the applications, files, devices, and drivers on your system and sends
this information to Microsoft [1]. This process is used to help solve compatibility problems, ensuring that your software and hardware work
together without issues [1].
Running this script will turn off the Inventory Collector, ensuring no data is sent to Microsoft [1]. It also stops the collection of installation
data through the Program Compatibility Assistant [1]. By disabling these features, you prevent potentially sensitive information from being shared
and avoid uncontrolled updates to your system [2] [3]. If not disabled, the Inventory Collector remains active, continuing to send data [1].
If the Customer Experience Improvement Program is turned off, the Inventory Collector will already be inactive, and running this script will have no
effect [1].
Disabling Inventory Collector is advised by several organizations and authorities for enhanced security:
- The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [4]
- The Department of Defense (DoD) information systems in the USA [2]
- Microsoft, as part of Windows security baseline for Azure [3]
- National Institute of Standards and Technology (NIST) in the USA [5]
This advice is based on the principle of limiting the amount of data shared, contributing to better privacy and security.
When you run this script, it modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory`) to turn off the
Inventory Collector [1]. Note that disabling the Inventory Collector could impact the functionality of certain features that rely on system information
and updates [2] [3].
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprograminventory "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230927174739/https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63663 "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft | stigviewer.com"
[3]: https://web.archive.org/web/20230927174824/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#windows-components "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn"
[4]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au"
[5]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2
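Added example, not code from privacy.sexy: an audit that reads back the five `AppCompat` policy values the scripts in this category write (`AITEnable`, `DisableEngine`, `DisablePropPage`, `DisableUAR`, `DisableInventory`) and reports which are in place. The expected values mirror the `reg add` lines above; the function and variable names are this example's own.

```powershell
# Added example (not privacy.sexy code). Verify the AppCompat policy values set by
# the scripts in this category. The expected-value table mirrors their reg add lines.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'

$expected = [ordered]@{
    AITEnable        = 0   # Application Impact Telemetry off (0 = disabled)
    DisableEngine    = 1   # Application Compatibility Engine off
    DisablePropPage  = 1   # "Program Compatibility" tab removed
    DisableUAR       = 1   # Steps Recorder off
    DisableInventory = 1   # Inventory Collector off
}

function Get-AppCompatPolicyState {
    param(
        [string]$Key = $policyKey,
        [System.Collections.IDictionary]$Expected = $expected
    )
    $props = $null
    if (Test-Path -LiteralPath $Key) {
        $props = Get-ItemProperty -LiteralPath $Key
    }
    foreach ($name in $Expected.Keys) {
        $actual = $null   # $null means the value is absent and the Windows default applies
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $actual = [int]$props.$name
        }
        [pscustomobject]@{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Applied  = ($actual -eq $Expected[$name])
        }
    }
}

$state = @(Get-AppCompatPolicyState)
$state | Format-Table -AutoSize
$missing = @($state | Where-Object { -not $_.Applied })
if ($missing.Count -eq 0) {
    Write-Host 'All AppCompat hardening values are in place.'
} else {
    Write-Warning ('Not applied: ' + ($missing.Value -join ', ') + '. Remember that DisableEngine changes need a reboot to take effect.')
}
```

Run it once after applying the scripts and once after a reboot; a value that reads back correctly but whose behaviour has not changed usually means a cached setting, which is why the engine script above calls for a restart.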
-
category: Disable Program Compatibility Assistant (PCA)
docs: |-
This category covers disabling the Program Compatibility Assistant (PCA) in Windows.
The PCA is designed to help users run desktop applications created for earlier versions of Windows by tracking and identifying known compatibility
issues [1]. When an issue is detected, PCA offers the user a recommended fix to help the app run better on Windows [1].
**Privacy Implications:**
1. **Tracking and Monitoring of Application Activities:** PCA tracks the activities and behaviors of applications to identify symptoms of compatibility
issues [1]. Continuous monitoring could inadvertently collect user data, depending on the nature of the applications being monitored and the specifics
of the compatibility issues. This persistent oversight could be seen as an invasion of privacy as users' application usage is consistently observed.
2. **Application and System Data Access:** PCA accesses data about the application and system to determine appropriate compatibility modes and fixes [1].
Access to application and system data might inadvertently lead to access to sensitive or personal information. The extent of PCA's access to such information
is not clear from the official documentation, presenting a potential privacy concern.
3. **Automatic Modifications and Permissions:** PCA automatically applies certain compatibility modes to resolve issues, such as giving applications
administrative privileges or preventing an app from freeing a DLL from memory [1]. Automatic changes in application permissions or behavior could potentially
introduce security risks, as apps might gain access to resources or data they would not normally have access to. Users may not be fully aware of the extent of
the changes applied, leading to unintentional security or privacy vulnerabilities.
4. **User Notification and Consent:** While PCA does notify users and often requires their input to apply recommended settings, some fixes are applied silently [1].
Users might not be aware of all the changes PCA makes to application settings and system configurations, limiting their control over their own system and potential
impacts on their privacy.
5. **User Feedback and Data Sharing with Microsoft**: At the end of each scenario, after the app is run with recommended compatibility settings, the Program Compatibility
Assistant (PCA) will ask the user a simple question to gather feedback on whether the app worked or failed with the compatibility setting [1]. This data is sent to
Microsoft [1]. Users may have concerns about sending any kind of data to Microsoft. Some users might be wary of potential data mishandling or misuse. It's crucial
to ensure that the data collected is securely stored and processed, and that users are adequately informed about what data is being collected and how it will be used.
6. **Detection and Mitigation Measures by PCA**: The PCA automatically detects issues with applications and applies various mitigation measures [1]. The automatic
detection and mitigation by PCA imply that the system is continuously monitoring application behavior, which might be seen as invasive by some users. There could be
concerns regarding what kind of data is accessed by PCA during this monitoring and whether any sensitive data could potentially be exposed.
7. **Downloading Missing Components for Apps:** PCA provides a recommendation to download missing components and install them after the app terminates [1].
This could involve downloading software from the internet, which may introduce security and privacy risks [1]. Users might inadvertently download malicious software or
software with privacy-invasive features if not adequately guided [1].
8. **Handling of Administrative Privileges:** PCA handles various scenarios involving administrative privileges and User Account Control (UAC) dialogs, including applying
the `RUNASADMIN` compatibility mode to certain installers and applets [1]. This handling of administrative privileges could potentially be exploited by malicious software
to gain elevated privileges without adequate user knowledge or consent. It is important to ensure that the mechanisms for handling administrative privileges are secure and
not prone to exploitation.
9. **Using the Compatibility Troubleshooter:** The Compatibility Troubleshooter allows users to apply recommended fixes to get apps working properly [1]. Use of the
Compatibility Troubleshooter involves sharing more data regarding app behavior and issues with Microsoft, raising similar concerns as mentioned above regarding data sharing.
By disabling PCA, these potential privacy and security concerns can be mitigated, giving users more control over their data and application behavior, and reducing the risk
of unintentional data collection and sharing.
[1]: https://web.archive.org/web/20230928141226/https://learn.microsoft.com/en-us/windows/compatibility/pca-scenarios-for-windows-8 "Program Compatibility Assistant scenarios - Compatibility Cookbook | Microsoft Learn"
children:
-
name: Disable "Program Compatibility Assistant (PCA)" feature
recommend: standard
docs: |-
This script disables the Program Compatibility Assistant (PCA) feature in Windows [1].
The purposes include:
- Enhances privacy by stopping the continuous monitoring and data collection by PCA. The PCA monitors applications run by the user [1].
- Gives users more control over their system by letting them manage application compatibility issues manually. When a potential compatibility issue with an
application is detected, the PCA will prompt the user with recommended solutions [1].
- Potentially avoids the automatic changes made by PCA that might introduce security risks.
- Improves system performance. Microsoft notes that turning off the PCA can be useful for those who require better performance and are
already aware of application compatibility issues [1].
This script modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA`) to turn off the PCA [1].
As a result, users will not receive automatic solutions to known compatibility issues when running applications [1], ensuring that they have
control over the solutions they apply.
By default, if you do not run this script or disable PCA manually, the PCA will be turned on [1].
Once this script is executed and PCA is turned off, the user won't be presented with solutions to known compatibility issues when running applications [1].
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprogramcompatibilityassistant_2 "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /f 2>nul # Missing key since Windows 10 21H1 and Windows 11 22H2
-
name: Disable "Program Compatibility Assistant Service" (`PcaSvc`)
recommend: standard
docs: |-
This script disables the "Program Compatibility Assistant Service" (`PcaSvc`) in Windows [1].
The `PcaSvc` assists the Program Compatibility Assistant (PCA) in monitoring programs installed and run by the user [1], detecting known compatibility problems [1],
and aiding in Windows appraiser data collection [2]. By disabling this service, the script prevents PCA from functioning [1], thereby halting application monitoring
and data collection, leading to enhanced user privacy.
This script turns off the `PcaSvc` which is, by default, automatically started in Windows [1].
Microsoft has clarified that disabling this service does not have a negative impact on the system's functionality, affirming that it's safe to execute this action [1].
By running this script, you prevent the continuous surveillance and data gathering activities conducted by PCA.
[1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#program-compatibility-assistant-service "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[2]: https://web.archive.org/web/20230928142052/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#appraiser-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
call:
function: DisableService
parameters:
serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType
# Windows 10 21H1: Manual | Windows 11 22H2: Automatic
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
category: Disable Windows telemetry and data collection
children:
-
name: Disable Customer Experience Improvement Program (CEIP)
docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f
-
category: Disable diagnostics telemetry services
children:
-
name: Disable "Connected User Experiences and Telemetry" (`DiagTrack`) service # Connected User Experiences and Telemetry
recommend: standard
docs: http://batcmd.com/windows/10/services/diagtrack/
call:
function: DisableService
parameters:
serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable WAP push notification routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service
recommend: standard
docs: http://batcmd.com/windows/10/services/dmwappushservice/
call:
function: DisableService
parameters:
serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Diagnostics Hub Standard Collector" service
docs: http://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/
call:
function: DisableService
parameters:
serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Diagnostic Execution Service" (`diagsvc`)
docs: http://batcmd.com/windows/10/services/diagsvc/
call:
function: DisableService
parameters:
serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Customer Experience Improvement Program
recommend: standard
code: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
revertCode: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /ENABLE
-
category: Disable Webcam Telemetry (`devicecensus.exe`)
docs:
- https://www.ghacks.net/2019/09/23/what-is-devicecensus-exe-on-windows-10-and-why-does-it-need-internet-connectivity/
- https://answers.microsoft.com/en-us/windows/forum/windows_10-security/devicecensusexe-and-host-process-for-windows-task/520d42a2-45c1-402a-81de-e1116ecf2538
children:
-
name: Disable `devicecensus.exe` (telemetry) task
recommend: standard
code: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /enable
-
name: Disable `devicecensus.exe` (telemetry) process
recommend: standard
call:
function: KillProcessWhenItStarts
parameters:
processName: DeviceCensus.exe
-
category: Disable Compatibility Telemetry (Application Experience)
children:
-
category: Disable Microsoft Compatibility Appraiser
docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
children:
-
name: Disable Microsoft Compatibility Appraiser task
recommend: standard
code: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable
-
name: Disable CompatTelRunner.exe (Microsoft Compatibility Appraiser) process
recommend: standard
call:
function: KillProcessWhenItStarts
parameters:
processName: CompatTelRunner.exe
-
name: Disable sending information to Customer Experience Improvement Program
recommend: standard
docs:
- https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
- https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/permanently-disabling-windows-compatibility/6bf71583-81b0-4a74-ae2e-8fd73305aad1
code: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable
-
name: Disable Application Impact Telemetry Agent task
recommend: standard
docs: https://www.shouldiblockit.com/aitagent.exe-6181.aspx
code: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /enable
-
name: Disable the reminder to "Disable apps to improve performance"
recommend: strict
docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
code: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /enable
-
category: Disable enterprise/business focused data collection
docs: |-
This category contains scripts to disable data collection capabilities focused on enterprise/business uses.
The scripts target various Windows features like Desktop Analytics, Windows Update for Business, and Azure services.
These capabilities are meant to provide insights for IT administrators but collect and transmit data from end user devices.
By disabling these enterprise/business focused data collection features, you can increase privacy and reduce data sharing
from your personal device. However, note that some functionality expected by business IT administrators may be reduced.
These scripts can help limit enterprise/Microsoft visibility into your device, but may limit management capabilities on
managed business devices.
children:
-
category: Disable Desktop Analytics telemetry
docs: |-
Desktop Analytics is a cloud-based service that provides insights about Windows devices in an organization.
The service provides insight and intelligence from user data [1].
Desktop Analytics collects diagnostic data from enrolled Windows devices and sends it to Microsoft cloud services [1].
It creates an inventory of apps running in an organization. This data provides insights about application compatibility
and pilot identification to help IT administrators in organizations evaluate the readiness and compatibility of devices
for Windows feature updates [1].
To enable data collection, Desktop Analytics configures settings on the device registry and group policies related
to commercial ID, telemetry levels, and data sharing [2].
While this data sharing raises potential privacy concerns, Microsoft states that privacy controls allow organizations
to limit data collection [1].
Desktop Analytics has been retired since November 30, 2022, in favor of Microsoft Intune and Configuration Manager [3].
[1]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
[2]: https://web.archive.org/web/20230531234446/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn"
[3]: https://web.archive.org/web/20230601065209/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/whats-new "What's new in Desktop Analytics - Configuration Manager | Microsoft Learn"
children:
-
name: Disable processing of Desktop Analytics
recommend: strict
docs: |-
This script ensures that Microsoft does not process Windows diagnostic data from your device [1].
When activated, it modifies a setting known as the Group Policy object on your device. This object is a set of policies that determine how your system operates.
The script disables a policy related to Microsoft's Desktop Analytics service. This service is designed to provide insights into the health and usage of your
devices but may involve processing diagnostic data [2].
By disabling this policy, the script helps to enhance the privacy of your device by preventing the processing of its diagnostic data by Microsoft. This means
that information about the usage and performance of your device will not be sent to Microsoft's Desktop Analytics service [1][2].
[1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowdesktopanalyticsprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs"
[2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing | admx.help"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /f
-
name: Disable sending device name in Windows diagnostic data
recommend: strict
docs: |-
This script enhances privacy by ensuring that the name of your device is anonymized in any diagnostic data collected by Microsoft Desktop Analytics [1].
In other words, instead of your actual device name, "Unknown" will appear in the data [1].
Since the release of Windows 10, version 1803, the device name is not included in the diagnostic data by default [1].
This script guarantees that this privacy-enhancing measure remains in place [1].
When implemented, it changes a specific registry setting, `AllowDeviceNameInTelemetry`, which controls whether the device name is included
in Windows diagnostic data [2]. The script sets this value to `0`, thus disabling the inclusion of the device name in the data [2].
[1]: https://web.archive.org/web/20220903043346/https://docs.microsoft.com/en-US/mem/configmgr/desktop-analytics/enroll-devices#device-name "Enroll devices in Desktop Analytics - Configuration Manager | Microsoft Docs"
[2]: https://web.archive.org/web/20210228151919/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDeviceNameInDiagnosticData "Allow device name to be sent in Windows diagnostic data"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /f
-
name: Disable collection of Edge browsing data for Desktop Analytics
recommend: strict
docs: |-
This script configures Microsoft Edge to prevent it from sending your browsing history data to Desktop Analytics [1].
This browsing data can include information from either your intranet or internet history, or both [1].
When you use Microsoft Edge for browsing, it can collect and send your browsing history to Desktop Analytics, a Microsoft
service that helps enterprises to analyze and improve their IT environment. If this setting is disabled, Microsoft Edge
does not send any browsing history data, thereby enhancing your privacy.
The script achieves this by modifying a specific value in the Windows Registry. The specific value that the script modifies
is `MicrosoftEdgeDataOptIn` located at `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`. The script sets this value
to `0`, which indicates to Microsoft Edge that it should not send browsing history data to Desktop Analytics [1].
While enhancing privacy, this could limit the functionality of Desktop Analytics for enterprises that rely on this service
for IT insights. However, for individual users, this script can help prevent unwanted data collection and transmission,
contributing to an overall safer browsing experience [1].
[1]: https://web.archive.org/web/20220524020212/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.MicrosoftEdge::ConfigureTelemetryForMicrosoft365Analytics "Configure collection of browsing data for Desktop Analytics"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /f
-
name: Disable diagnostics data processing for Business cloud
recommend: strict
docs: |-
This script controls whether diagnostic data from your device is processed by the Windows Update for Business cloud [1] [2].
When run, the script enhances privacy by ensuring that diagnostic data from your device is not processed by the
Windows Update for Business (WUfB) cloud [1], an update management service provided by Microsoft [3]. This service
typically helps businesses manage updates on their devices efficiently. If privacy is a concern, you can opt
to disable it [3].
The policy is applicable to devices joined to Azure Active Directory [1]. Azure Active Directory is a Microsoft cloud
service that provides identity and access capabilities.
Disabling this policy means that some features of the Windows Update for Business deployment service might not be
available. However, your device will gain an added layer of privacy as diagnostic data will not be processed by the
business cloud [1].
[1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowwufbcloudprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs"
[2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing"
[3]: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-management-for-windows-on-a-windows-365-cloud-pc/ba-p/3452703
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowWUfBCloudProcessing" /f
-
name: Disable Update Compliance processing of diagnostics data
recommend: standard
docs: |-
Update Compliance is a service provided by Microsoft hosted in Azure, which uses Windows diagnostic data [1].
This service doesn't meet the US Government community compliance (GCC) requirements [1], and is utilized by
both Desktop Analytics and Azure Update Management [1].
This script is designed to disable the Update Compliance processing of diagnostic data on your device. When
this script is run, it modifies the system registry to prevent diagnostic data from your device being processed
by Update Compliance. This change in settings increases the privacy of your device by limiting the diagnostic data
that can be accessed and analyzed by Microsoft's services.
Diagnostic data, in this context, includes information about device health, system events, and usage metrics. By
disabling the processing of this data, the script helps protect the privacy of your activities on your device [1].
This script can be reversed at any time by using the provided `revertCode` if you decide to re-enable the processing
of diagnostic data by Update Compliance.
In technical terms, the script sets the `AllowUpdateComplianceProcessing` value in the
`HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection` registry path to 0, which disables the processing of
diagnostic data by Update Compliance [2].
[1]: https://web.archive.org/web/20220703201221/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started "Get started with Update Compliance - Windows Deployment | Microsoft Docs"
[2]: https://web.archive.org/web/20220610123725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowUpdateComplianceProcessing "Allow Update Compliance Processing"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowUpdateComplianceProcessing" /f
-
name: Disable commercial usage of collected data
recommend: standard
docs: |-
This script protects your privacy by limiting the commercial usage of your data. It manages
how Windows diagnostic data is handled by controlling whether Microsoft is a processor or controller
for Windows diagnostic data collected from your device [1] [2].
In the default setting, Microsoft operates as the controller of this diagnostic data, thus enabling it to use the data
for commercial purposes. This script alters that setting to limit the commercial usage of your data [1] [2].
This script does not affect the operation of optional analytics processor services like Desktop Analytics and
Windows Update for Business reports. Moreover, it doesn't change whether diagnostic data is collected or the ability
of the user to change the level.
[1]: https://web.archive.org/web/20230803142206/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline "System Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230330140620/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowCommercialDataPipeline "Allow commercial data pipeline"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /f
-
name: Disable diagnostic and usage telemetry
recommend: standard
docs: |-
This script improves your privacy by blocking the transmission of diagnostic and usage telemetry data
from your Windows device [1]. This includes data about your device's usage, app compatibility, and
system performance, which can be sensitive in nature. By stopping this data from being sent, you reduce
the amount of personal information that could potentially be accessed by third parties.
The script works by configuring the Group Policy Object (GPO) and Local Policy preferences, which
essentially govern your device's data sharing policies [2]. These modifications restrict the data that Windows
and its built-in apps can collect and send.
Upon executing this script, Desktop Analytics will be disabled, as it relies on basic diagnostic data to
function [2]. Desktop Analytics is a cloud-based service provided by Microsoft [4]. It provides insights
and intelligence for IT administrators [4]. Desktop Analytics is deprecated and was retired on November 30, 2022.
Once this script is executed, even if the policy permits a telemetry setting of Security or Basic, users
will not have the capability to opt for a higher data sharing level [3]. This restriction is limited to the
operating system and apps included with Windows, and does not pertain to third-party apps installed on your
device [3].
[1]: https://web.archive.org/web/20230731225232/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry "System Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230731225319/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn"
[3]: https://web.archive.org/web/20211129155126/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection%3A%3AAllowTelemetry "Allow Telemetry"
[4]: https://web.archive.org/web/20230731225544/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
code: |-
:: Using Local policy preference
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
:: Using Group policy object (GPO)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
revertCode: |-
:: Using Local policy preference
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 1 /f
:: Using Group policy object (GPO)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /f
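Most scripts in this category are a `reg add` in `code` paired with a `reg add` or `reg delete` in `revertCode`, and a revert that targets a slightly different key or value name leaves the hardening silently in place (or, for a policy value, leaves a stale policy behind). The following is an added example, written for this page and not part of the privacy.sexy collection or its build tooling: it parses the `reg add`/`reg delete` command lines, checks that every value the script sets is addressed by the revert and that the revert touches nothing the script did not set, and flags `#` pseudo-comments, which are not comments in a batch file (cmd would try to run a program named `#`; the collection's own convention is `::`). The sample script pairs are constructed to mirror the `AllowTelemetry` script above; the function and class names are the example's own.

```python
"""Consistency check for `reg add` / `reg delete` pairs (code vs revertCode).

Added example, not part of the privacy.sexy collection. It parses the command
lines, then verifies that every registry value a script sets is addressed by
the revert and that the revert does not touch values the script never set.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RegOp:
    action: str            # "add" or "delete"
    key: str               # e.g. HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
    value: Optional[str]   # value name from /v; None when the whole key is targeted
    type_: Optional[str]   # /t, e.g. REG_DWORD (add only)
    data: Optional[str]    # /d payload as written (add only)

    def target(self):
        # Registry keys and value names are case-insensitive, so compare them folded.
        return (self.key.lower(), (self.value or "").lower())


def _unquote(token: str) -> str:
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return token


def parse_reg_command(line: str) -> Optional[RegOp]:
    """Parse one batch line; returns None for comments and non-`reg` commands."""
    stripped = line.strip()
    if not stripped or stripped.startswith("::") or stripped.lower().startswith("rem "):
        return None
    # posix=False keeps backslashes literal and quoted "Windows NT" paths intact.
    tokens = [_unquote(t) for t in shlex.split(stripped, posix=False)]
    if len(tokens) < 3 or tokens[0].lower() != "reg" or tokens[1].lower() not in ("add", "delete"):
        return None
    opts = {}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(tokens):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            i += 1  # /f, /ve, redirections such as 2>nul
    return RegOp(tokens[1].lower(), tokens[2], opts.get("/v"), opts.get("/t"), opts.get("/d"))


def check_script(code: str, revert_code: str) -> List[str]:
    """Return human-readable problems; an empty list means the pair is consistent."""
    problems = []
    for label, text in (("code", code), ("revertCode", revert_code)):
        for line in text.splitlines():
            # '#' starts no comment in batch: cmd would try to run a program named '#'.
            if line.strip().startswith("#"):
                problems.append(f"{label}: '#' is not a batch comment, use '::' -> {line.strip()}")
    applied = [op for op in map(parse_reg_command, code.splitlines()) if op]
    reverted = [op for op in map(parse_reg_command, revert_code.splitlines()) if op]
    applied_targets = {op.target() for op in applied}
    reverted_targets = {op.target() for op in reverted}
    for op in applied:
        if op.action == "add" and op.type_ is None:
            problems.append(f"code: {op.key}!{op.value} has no /t, reg defaults to REG_SZ")
        if op.target() not in reverted_targets:
            problems.append(f"revertCode: nothing restores {op.key}!{op.value}")
    for op in reverted:
        if op.target() not in applied_targets:
            problems.append(f"revertCode: touches {op.key}!{op.value}, which code never set")
    return problems


# Constructed sample pair in the shape of the collection's AllowTelemetry script.
SAMPLE_CODE = r"""
:: Using Local policy preference
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
:: Using Group policy object (GPO)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
"""
SAMPLE_REVERT = r"""
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 1 /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /f
"""
# Constructed faulty revert: a '#' pseudo-comment and a misspelled key, so the GPO
# value would linger after "revert" and the hardening would silently stay in place.
BROKEN_REVERT = r"""
# Using Group policy object (GPO)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 1 /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataColection" /v "AllowTelemetry" /f
"""

if __name__ == "__main__":
    print(check_script(SAMPLE_CODE, SAMPLE_REVERT))  # consistent pair: []
    for problem in check_script(SAMPLE_CODE, BROKEN_REVERT):
        print(problem)
```

The check compares key and value names case-folded because the registry itself is case-insensitive, and it deliberately does not compare `/d` payloads: a `reg add` with `/d 0` is correctly reverted either by `reg delete` (policy value did not exist before) or by `reg add` with the original data (value existed before), and which of the two is right depends on the Windows default documented for each script, not on the command text.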
-
name: Disable automatic cloud configuration downloads
recommend: strict
docs: |-
This script turns off the OneSettings service, a feature from Microsoft that downloads configuration settings [1].
This action can enhance the privacy and security of your Windows desktop environment by managing a feature called
the Services Configuration [1].
Services Configuration is a mechanism that various Windows components and apps use to update their settings dynamically [2] [3].
By default, Windows periodically tries to connect with the OneSettings service to download configuration settings [1].
This script turns off that function, reducing the chance of data being shared with third-party vendors [1].
This script is recommended by CIS Microsoft Windows Desktop Benchmarks [1]. Please be aware that turning off this service might
affect how certain apps that rely on this service work [3].
The script changes a registry setting to disable OneSettings downloads [3] [1]. It also provides a revert code to undo this change,
if needed, which returns the system to its previous state.
If you want to limit how much data is sent to Microsoft, turning off the OneSettings service can help enhance your privacy [1].
For more information about the impact of OneSettings on privacy, visit
[docs.microsoft.com](https://web.archive.org/web/20230803030919/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809).
This script lets you manage your privacy by restricting the automatic configuration updates of Windows components and apps,
including telemetry services, from the cloud [3] [1].
By using this script, Windows will not connect to OneSettings to fetch any configuration settings [1].
This reduces the amount of data sent to third-party vendors, which can help alleviate potential security concerns [1].
However, please be aware that while this setting can enhance privacy, turning off this service could lead to some applications
not working properly. These applications may depend on dynamic configuration updates that will be stopped when the service is
disabled [3] [1].
[1]: https://web.archive.org/web/20230803030428/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_v1.12.0.audit:b3aec171f406cbe87f37e57bc9dd1411 "18.9.17.3 Ensure 'Disable OneSettings Downloads' is set to 'En... | Tenable"
[2]: https://web.archive.org/web/20230803024926/https://learn.microsoft.com/en-us/windows/win32/services/service-configuration "Service Configuration - Win32 apps | Microsoft Learn"
[3]: https://web.archive.org/web/20230731230134/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
code: reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /t "REG_DWORD" /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableOneSettingsDownloads" /f
-
name: Disable license telemetry
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f
-
name: Disable error reporting
recommend: standard
docs:
# Settings
- https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings
- https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493
# Windows Error Reporting Service
- http://batcmd.com/windows/10/services/wersvc/
# Problem Reports Control Panel Support
- http://batcmd.com/windows/10/services/wercplsupport/
call:
-
function: RunInlineCode
parameters:
code: |-
:: Disable Windows Error Reporting (WER)
reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f
:: Disable WER sending second-level data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
:: Disable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
revertCode: |-
:: Enable Windows Error Reporting (WER)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f
:: Enable WER sending second-level data
reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f
:: Enable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable
- # Windows Error Reporting Service
function: DisableService
parameters:
serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- # Problem Reports Control Panel Support
function: DisableService
parameters:
serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Disable Windows Update data collection
children:
-
category: Disable automatic driver updates by Windows Update
children:
-
name: Disable device metadata retrieval (breaks auto updates)
recommend: strict
docs:
- https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
-
name: Disable inclusion of drivers with Windows updates
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate
recommend: strict
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f
-
name: Disable Windows Update device driver search
docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965
recommend: strict
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 1 /f
-
category: Disable obtaining updates from other PCs on the Internet (delivery optimization)
docs: |-
Windows Delivery Optimization is a feature introduced by Microsoft to facilitate a more efficient downloading process for Windows
updates, upgrades, and applications [1] [2]. Instead of exclusively relying on Microsoft's servers, this feature identifies other
PCs on a user's local network or even across the internet that already possess the desired updates or applications [2]. By breaking
the download into smaller segments and fetching each from the fastest and most reliable source, which can include other PCs, the
system ensures more efficient downloads [2]. To support this process, Delivery Optimization uses a local cache to temporarily store
downloaded files [2].
While Delivery Optimization is designed for speed and reliability, its operation raises privacy concerns. Specifically, when enabled,
it can distribute updates and applications from one user's PC to others [2], sharing users' data such as their IP addresses [3].
Benefits of disabling Delivery Optimization for privacy:
- **Minimizing Data Sharing**: By turning off Delivery Optimization, users ensure that updates and apps are neither downloaded from nor sent
to other devices [2]. This guarantees that all data remains strictly on the user's device [2] and the user IP is not shared [3].
- **Storage Conservation**: Users can save storage space by eliminating the local cache utilized by Delivery Optimization.
- **Guaranteed Source Authenticity**: Although Microsoft ensures the authenticity of updates and apps shared via Delivery Optimization [2],
disabling the feature guarantees that all updates and apps come directly from Microsoft's servers, eliminating potential intermediaries.
- **Bandwidth Conservation**: With the feature off, updates are restricted to direct downloads from Microsoft [1]. This is beneficial
for users on metered or capped internet connections, as it allows for more effective bandwidth monitoring [2].
- **Enhanced Security**: Devices using Delivery Optimization open port 7680 to accept peer requests [4]. Disabling the feature avoids this,
ensuring users are not exposed to unwanted inbound traffic and enhancing security [5].
- **VPN Protection**: Although Delivery Optimization attempts to detect VPNs and halts uploads when a VPN connection is detected [4], disabling
it removes any risk of unintended data sharing over a VPN.
Notably, the USA government [5] and the Department of Defense (DoD) in the USA [6] recommend disabling this feature.
[1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization? - Windows Deployment | Microsoft Learn"
[2]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support"
[3]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn"
[4]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn"
[5]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
[6]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com"
children:
-
name: Disable peering download method for Windows Updates
recommend: standard
docs: |-
This script modifies Delivery Optimization's download method for Windows Updates [1] to disable peering. When this script is run, it sets the
download method to `0`, which means "HTTP only, no peering" [1] [2]. As a result, Windows Updates are downloaded solely from the internet and
not from other computers on the network (referred to as "peer-to-peer") [3].
Peer-to-peer is a method where multiple computers share data amongst themselves. For Windows Updates, the default setting is for computers
within a network to share updates (called LAN mode, represented by the value `1`) [1] [2].
Changing the setting to "HTTP only" reduces potential vulnerabilities [3]. When updates are fetched only from official servers, there's
less chance of unwanted or malicious data entering the system. This is why the Department of Defense (DoD) in the USA [4] and the USA government [3]
recommend this setting. They assert that leaving it in its default configuration could expose the system to additional risks [3].
[1]: https://web.archive.org/web/20230914171524/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization "DeliveryOptimization Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230914171842/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference "Delivery Optimization reference - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
[4]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t "REG_DWORD" /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2
-
name: Disable "Delivery Optimization" service (breaks Microsoft Store downloads)
recommend: strict
docs: |-
Delivery Optimization is a Windows feature that provides the Windows Updates through peer-to-peer sharing [1]. In simple terms, instead of solely
relying on Microsoft's servers for updates, your computer can also fetch them from other devices that already possess the necessary files.
The "Delivery Optimization" service manages these content delivery tasks [2] [3]. It orchestrates the retrieval of updates from Microsoft's servers as well as from other Windows users [3].
In doing so, it connects to various Microsoft service points to collect data, such as policies, content details, device specifications, and information about
other Windows users [3]. This data sharing raises privacy concerns.
This service also logs IP addresses [4] of peers, which can be considered personal data. It listens on port 7680 for TCP/UDP traffic [5], which may expose the user
to unwanted inbound traffic; disabling it therefore also improves security [6].
By default, the "Delivery Optimization" service is set to start automatically when Windows boots up [2]. This script alters that behavior, ensuring
it doesn't run unless explicitly started by the user.
Taking control of this service prevents Microsoft from activating peer-to-peer sharing, enhancing user privacy. It ensures your device doesn't share update data
or fetch it from arbitrary peers.
> **Caution**: Disabling this service affects the functionality of Windows Store. It plays a role not just in Windows Updates but also in Microsoft Store app
downloads, especially since Windows 11 [7]. There have been reported issues with some app downloads on Windows 10 [8].
[1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization? - Windows Deployment | Microsoft Learn"
[2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#delivery-optimization "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[3]: https://web.archive.org/web/20230914172129/https://learn.microsoft.com/en-us/windows/deployment/do/delivery-optimization-workflow "Delivery Optimization client-service communication explained - Windows Deployment | Microsoft Learn"
[4]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn"
[5]: https://web.archive.org/web/20230914172319/https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-deployment "Deploying a privileged access solution | Microsoft Learn"
[6]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
[7]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support"
[8]: https://github.com/undergroundwires/privacy.sexy/issues/173 "[BUG] Error 0x80004002 on Microsoft Store when attempting to download an app · Issue #173 · undergroundwires/privacy.sexy"
call:
function: DisableServiceInRegistry
# Using registry way because other options such as "sc config" or
# "Set-Service" returns "Access is denied" since Windows 10 1809.
parameters:
serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
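An added, read-only audit script (not part of privacy.sexy) that reports the Delivery Optimization state the scripts in this category change: the `DODownloadMode` policy value, the `DoSvc` startup type, and whether anything is bound to port 7680. It assumes Windows 10/11 with the built-in NetTCPIP cmdlets; the function names and the mode table beyond values `0` and `1` are taken from Microsoft's DeliveryOptimization policy reference, not from this file.

```powershell
# Added example, not privacy.sexy code: audit Delivery Optimization settings.
# Read-only; it changes nothing. Assumes Windows 10/11 with NetTCPIP cmdlets.

# DODownloadMode meanings per Microsoft's DeliveryOptimization policy reference.
# The scripts above set 0 ("HTTP only, no peering") and describe 1 (LAN mode).
$downloadModes = @{
    0   = 'HTTP only, no peering'
    1   = 'LAN: peering with devices behind the same NAT'
    2   = 'Group: peering within a private group (domain/site)'
    3   = 'Internet: peering with devices on the Internet'
    99  = 'Simple: HTTP only, no Delivery Optimization cloud service'
    100 = 'Bypass: BITS only (deprecated on Windows 11)'
}

function Get-DeliveryOptimizationState {
    # Policy value written by "Disable peering download method for Windows Updates".
    # The key is absent on a default install, so treat "missing" as a distinct state.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $mode = $null
    $item = Get-ItemProperty -Path $policyPath -Name 'DODownloadMode' -ErrorAction SilentlyContinue
    if ($null -ne $item) { $mode = [int]$item.DODownloadMode }

    if ($null -eq $mode) {
        $meaning = 'not set (Windows default applies)'
    } elseif ($downloadModes.ContainsKey($mode)) {
        $meaning = $downloadModes[$mode]
    } else {
        $meaning = 'unknown value'
    }

    # Startup type changed by "Disable 'Delivery Optimization' service" (DoSvc).
    $svc = Get-Service -Name 'DoSvc' -ErrorAction SilentlyContinue
    $startType = if ($svc) { [string]$svc.StartType } else { 'service not found' }
    $status    = if ($svc) { [string]$svc.Status }    else { 'service not found' }

    # Port 7680 is the peer-request listener the documentation above refers to.
    $tcp = Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint   -LocalPort 7680 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DownloadModePolicy   = $mode
        DownloadModeMeaning  = $meaning
        ServiceStartType     = $startType
        ServiceStatus        = $status
        Port7680TcpListening = [bool]$tcp
        Port7680UdpBound     = [bool]$udp
    }
}

function Test-PeeringDisabled {
    param([Parameter(Mandatory)] $State)
    # Peering is off when the policy forces HTTP-only (0) or when the service
    # itself can no longer start (startup type Disabled).
    $policyOff  = ($State.DownloadModePolicy -eq 0)
    $serviceOff = ($State.ServiceStartType -eq 'Disabled')
    return ($policyOff -or $serviceOff)
}

$state = Get-DeliveryOptimizationState
$state | Format-List

if (Test-PeeringDisabled -State $state) {
    Write-Host 'Delivery Optimization peering is disabled on this device.'
} else {
    Write-Host 'Delivery Optimization peering is NOT disabled; the device may still exchange update data with peers.'
}
if ($state.Port7680TcpListening -or $state.Port7680UdpBound) {
    Write-Warning 'Something is still bound to port 7680; check whether DoSvc is running.'
}
```

Run it before and after applying the scripts to confirm the policy value, the service startup type, and the port state actually changed; no elevation is needed because it only reads.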
-
name: Disable cloud-based speech recognition
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f
-
name: Disable active probing to Microsoft NCSI server
recommend: strict
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
-
name: Opt out of Windows privacy consent
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f
-
name: Disable Windows feedback collection
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
-
name: Disable text and handwriting data collection
recommend: standard
code: |-
reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
-
category: Disable app access to personal information
children:
-
name: Disable app access to location
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation # LetAppsAccessLocation
- https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ # ConsentStore\location
- https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/ # lfsvc\Service\Configuration
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /f
:: For older Windows (before 1903)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Allow" /f
:: For older Windows (before 1903)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /f
-
name: Disable app access to account information, name, and picture
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Allow" /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /f
-
name: Disable app access to motion data
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /f
-
name: Disable app access to phone
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone
code: |-
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /f
-
name: Disable app access to trusted devices
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices
recommend: standard
code: |-
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /f
-
name: Disable app sync with devices (unpaired, beacons, TVs, etc.)
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices
code: |-
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /f
-
name: Disable app access to camera
docs:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kscategory-video-camera
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscamera
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /f
-
name: Disable app access to microphone
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f
-
name: Disable app share and sync for non-explicitly paired wireless devices
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f
-
name: Disable app access to diagnostic information about other apps
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Allow" /t REG_SZ /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /f
-
category: Disable app access to your file system
children:
-
name: Disable app access to "Documents" folder
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Disable app access to "Pictures" folder
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Disable app access to "Videos" folder
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Disable app access to other filesystems
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Disable app access to your contacts
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /f
-
name: Disable app access to Notifications
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /f
-
name: Disable app access to Calendar
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /f
-
name: Disable app access to call history
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /f
-
name: Disable app access to email
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /f
-
name: Disable app access to tasks
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Allow" /t REG_SZ /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /f
-
name: Disable app access to messaging (SMS / MMS)
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Deny" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Allow" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /f
-
name: Disable app access to radios
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /f
-
name: Disable app access to Bluetooth devices
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f
-
category: Disable app access to voice activation
children:
-
name: Disable voice activation for apps including Cortana
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 0 /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /t REG_DWORD /d 2 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 1 /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /f
-
name: Disable voice activation for apps including Cortana on locked system
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 0 /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /t REG_DWORD /d 2 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 1 /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /f
-
category: Disable location access
children:
-
name: Disable Windows Location Provider
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f
-
name: Disable location scripting
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f
-
name: Disable location
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f
:: For older Windows (before 1903)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Deny" /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "0" /t REG_DWORD /f
:: For older Windows (before 1903)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f
-
name: Disable device sensors
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f
-
category: Disable Windows search data collection
children:
-
category: Disable Cortana
children:
-
name: Disable Cortana when searching
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f
-
name: Disable Cortana experience
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f
-
name: Disable Cortana's access to cloud services such as OneDrive and SharePoint
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 1 /f
-
name: Disable Cortana speech interaction while the system is locked
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f
-
name: Disable participation in Cortana data collection
recommend: standard
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 1 /f
-
name: Disable enabling of Cortana
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 1 /f
-
name: Disable Cortana (Internet search results in start menu)
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f
-
category: Disable Cortana history
children:
-
name: Disable Cortana's history display
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f
-
name: Disable Cortana's device history usage
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f
-
name: Remove Cortana taskbar icon
recommend: standard
code: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /t REG_DWORD /d 0 /f
revertCode: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /f
-
name: Disable Cortana in ambient mode
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 1 /f
-
category: Disable Cortana voice listening
children:
-
name: Disable "Hey Cortana" voice activation
recommend: standard
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 1 /f
-
name: Disable Cortana listening to commands on Windows key + C
recommend: standard
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 1 /f
-
name: Disable Cortana on locked device
recommend: standard
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 1 /f
-
name: Disable automatic update of Speech Data
recommend: standard
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /f
-
name: Disable Cortana voice support during Windows setup
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /f
-
category: Configure Windows search indexing
children:
-
name: Disable indexing of encrypted items and stores
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowindexingencryptedstoresoritems
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f
-
name: Disable automatic language detection when indexing
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-alwaysuseautolangdetection
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 1 /f
-
name: Disable search's access to location
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 1 /f
-
name: Disable web search in search bar
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 0 /f
-
name: Disable web search and results in search
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 1 /f
-
name: Disable Bing search
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 1 /f
-
category: Disable targeted advertisements and marketing
children:
-
name: Disable ad customization with Advertising ID
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f
-
category: Disable cloud-based advertising and tips
children:
-
name: Disable Windows Tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f
-
name: Disable Windows Spotlight (shows random wallpapers on lock screen)
recommend: strict
docs: |-
The script disables the Windows Spotlight feature. Windows Spotlight is a feature in Windows 10 and Windows 11 [1] that automatically downloads
and displays random wallpapers on the lock screen [1] [2]. These images are sourced from the internet [1] [2] [3]. At times, it also promotes
various Microsoft products and services [1] [2], or even third-party apps and content [4].
When the lock screen fetches images from the internet, a network exchange takes place without any explicit user action. This can inadvertently
reveal details about the user's device or preferences.
To mitigate this privacy risk, the script sets the `DisableWindowsSpotlightFeatures` policy value in the Windows registry [3].
By default, Windows Spotlight is enabled unless the user turns it off [2].
After applying this script, the lock screen no longer retrieves wallpapers from the internet, closing this channel for unintended data exposure.
[1]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support"
[2]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[4]: https://web.archive.org/web/20230911110921/https://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/Windows10andWindowsServer2016PolicySettings.xlsx "Group Policy Settings Reference - Microsoft"
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /f 2>nul # Key does not exist since Windows 10 21H2, Windows 11 22H2
-
name: Disable Microsoft Consumer Experiences
recommend: standard
docs:
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f
-
name: Disable suggested content in Settings app
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004
- https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm
code: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f
-
category: Disable biometrics (breaks fingerprinting/facial login)
children:
-
name: Disable use of biometrics
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f
-
name: Disable biometric logon
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f
-
name: Disable Windows Biometric Service
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service
- http://batcmd.com/windows/10/services/wbiosrvc/
call:
function: DisableService
parameters:
serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Wi-Fi Sense
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f
-
name: Disable app launch tracking (hides most-used apps)
docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10
recommend: strict
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f
-
name: Disable Website Access of Language List
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f
-
name: Disable automatic map downloads
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f
-
name: Disable game screen recording
recommend: standard
code: |-
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f
-
name: Disable internet access for Windows DRM
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable typing feedback (sends typing data)
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable Activity Feed feature
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f
-
category: Disable Windows Insider Program
children:
-
name: Disable Windows Insider Service
docs:
- https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service
- http://batcmd.com/windows/10/services/wisvc/
recommend: standard
call:
function: DisableService
parameters:
serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Microsoft feature trials
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f
reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f
-
name: Disable receipt of Windows preview builds
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f
-
name: Remove "Windows Insider Program" from Settings
docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/
code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f
-
category: Disable cloud sync
docs: https://support.microsoft.com/en-us/help/4026102/windows-10-about-sync-settings
children:
-
name: Disable all settings synchronization
recommend: standard
# This script is a master switch that disables all other types of setting synchronizations in this category.
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f
-
name: Disable "Application" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable "App Sync" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable "Credentials" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable "Desktop Theme" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable "Personalization" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable "Start Layout" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable "Web Browser" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable "Windows" setting synchronization
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable "Language" setting synchronization
recommend: standard
docs:
- https://winaero.com/turn-on-off-sync-settings-windows-10/
- https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor
- https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 1 /f
-
category: Configure programs
children:
-
category: Disable Visual Studio data collection
docs: |-
These scripts disable future local and cloud data collection by Visual Studio about you and your behavior.
These do not clean existing data collected about you locally or on cloud servers.
children:
-
name: Disable participation in Visual Studio Customer Experience Improvement Program (VSCEIP)
recommend: standard
docs: |-
`VSCEIP` collects information about errors, computer hardware, and how people use Visual Studio [1].
The information is sent to Microsoft servers for further analysis.
This was previously known as Customer Experience Improvement Program (`PerfWatson`) for Visual Studio
that primarily collected your personal usage and related performance data [2].
For more information about the information collected, processed, or transmitted by the `VSCEIP`, see the
[Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
Visual Studio uses different keys based on the CPU architecture of the host operating system (32-bit or 64-bit) [1]:
- 32-bit: `HKLM\SOFTWARE\Microsoft\VSCommon`
- 64-bit: `HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon`
Key `OptIn` can have two different values [1]:
- `0` is opted out (turn off)
- `1` is opted in (turn on)
The default installation sets the key as `1` (opt-in by default) since Visual Studio 2022.
[1]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn"
[2]: https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog"
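The following read-only PowerShell audit is an added example and not part of privacy.sexy: it reads the keys described above for each Visual Studio version and reports the current opt-in state without changing anything (the version list 14.0 to 17.0 mirrors the script in this entry and is an assumption).

```powershell
# Added example (not privacy.sexy code): read-only audit of the VSCEIP opt-in state.
# Assumption: the same Visual Studio versions (14.0-17.0) as the script in this entry.
$versions = @('14.0', '15.0', '16.0', '17.0')

# Same architecture switch as the script: 32-bit hosts use the native key,
# 64-bit hosts the Wow6432Node key.
$base = if ($env:PROCESSOR_ARCHITECTURE -eq 'x86') {
    'HKLM:\SOFTWARE\Microsoft\VSCommon'
} else {
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\VSCommon'
}

function Get-VsceipOptInState {
    param([Parameter(Mandatory)][string]$KeyPath)
    # OptIn: 0 = opted out, 1 = opted in; a missing value means the default applies.
    $value = Get-ItemPropertyValue -Path $KeyPath -Name 'OptIn' -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'not set (default applies)' }
    switch ($value) {
        0       { 'opted out (0)' }
        1       { 'opted in (1)' }
        default { "unexpected value ($value)" }
    }
}

foreach ($version in $versions) {
    $key = Join-Path $base "$version\SQM"
    '{0}: {1}' -f $key, (Get-VsceipOptInState -KeyPath $key)
}

# The Group Policy key applies regardless of the Visual Studio version.
$gpoKey = 'HKLM:\Software\Policies\Microsoft\VisualStudio\SQM'
'{0}: {1}' -f $gpoKey, (Get-VsceipOptInState -KeyPath $gpoKey)
```

Run it before and after applying the script to confirm that every listed key reports `opted out (0)`.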
code: |-
:: Using OS keys
if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
) else (
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
)
:: Using GPO key
reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
revertCode: |-
:: Using OS keys
if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
) else (
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
)
:: Using GPO key
reg delete "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /f 2>nul
-
name: Disable Visual Studio telemetry
docs: |-
This key was first seen to be used in Visual Studio 15 (2017) [1] [2].
By default (after clean installation) the registry key set by this script does not exist
since Visual Studio 2022.
[1]: https://developercommunity.visualstudio.com/t/bad-crashes-when-visualstudiotelemetryturnoffswitc/208693 "Bad crashes when VisualStudio\Telemetry\TurnOffSwitch is set to 0 | Visual Studio Feedback"
[2]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/7796f0c5-ec9a-4fc8-9f62-584a663f9016/vs2015-pro-upd-3-quotthe-application-cannot-startquot-exception-in-obtainoptinstatus "VS2015 (pro + upd 3): Forum post showing logs for TurnOffSwitch key | MSDN Forums"
recommend: standard
code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /f 2>nul
-
name: Disable Visual Studio feedback
docs: |-
The Feedback tool in Visual Studio allows users to report a problem from either Visual Studio or its installer.
It collects rich diagnostic information along with personally identifiable information [1]. This information includes large log files,
crash information, screenshots, repro recordings, and other artifacts [1].
This script disables the feedback dialog, and the screenshot capture and email input that the user is prompted to send as part of the feedback.
By default (after a clean installation) these registry keys are not configured/set since Visual Studio 2022. Having these settings not
set implies that feedback is enabled.
[1]: https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio "Report a problem with Visual Studio - Visual Studio (Windows) | Microsoft Learn"
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /f 2>nul
-
name: Stop and disable Visual Studio Standard Collector Service
docs: |-
Visual Studio Standard Collector Service is a service that is part of
[Microsoft Visual Studio and .NET Log Collection Tool](https://www.microsoft.com/en-us/download/details.aspx?id=12493) [1].
This service collects logs for Diagnostics Hub just like Diagnostic Hub Standard Collector [2].
It has been known to be vulnerable to privilege elevation [3].
Disabling this service is recommended because otherwise it would:
- Increase the attack surface of your computer, leaving it exposed to potential future vulnerabilities.
- Consume computer resources in order to collect more data about you and your behavior.
[1]: https://learn.microsoft.com/en-us/answers/questions/891356/i-can39t-start-vsstandardcollectorservice150.html#answer-929168 "I can't start VSStandardCollectorService150 | Microsoft Q&A"
[2]: https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service "CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service | Atredis Partners"
[3]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability"
recommend: standard
call:
function: DisableService
parameters:
serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType
defaultStartupMode: Manual # Manual since Visual Studio 2022, allowed values: Automatic | Manual
-
name: Disable Diagnostics Hub log collection
docs: |-
Diagnostics Hub is an online data collection point for the diagnostic tools used by Visual Studio.
It can be disabled by deleting the `LogLevel` and `LogDirectory` registry values [1] and enabled by adding them [2] [3] [4] [5].
The registry keys are not set after installation since Visual Studio 2022.
[1]: https://developercommunity.visualstudio.com/t/cant-disable-diagnostics-hub-in-visual-stuido/1449322#T-N1449680 "Can't disable Diagnostics hub in visual stuido | Visual Studio Feedback"
[2]: https://developercommunity.visualstudio.com/t/diagnostic-tool-no-registered-class/1099781#T-N1106849 "diagnostic tool No registered class | Visual Studio Feedback"
[3]: https://stackoverflow.com/a/39380284 "c# - Visual Studio 2015 diagnostic tools no longer working | Stack Overflow"
[4]: https://developercommunity.visualstudio.com/t/collectionstartfailedhubexception-on-profiler-laun/414212#T-N447791 "CollectionStartFailedHubException on profiler launch | Visual Studio Feedback"
[5]: https://developercommunity.visualstudio.com/t/diagnostics-tools-failed-unexpectedly-unable-to-st/437117#T-N447777 "Diagnostics tools failed unexpectedly--unable to start standard collector | Visual Studio Feedback"
code: |-
reg delete "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /f 2>nul
revertCode: |-
:: Re-enable only when a Visual Studio 15.x (2017) installation is found. Stdout must reach findstr through the pipe, so only stderr (e.g. missing vswhere.exe) is discarded.
"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -property catalog_productDisplayVersion 2>nul | findstr /B /C:"15." >nul && (
reg add "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /t REG_SZ /d "All" /f
)
-
name: Disable participation in IntelliCode data collection
recommend: standard
docs: |-
[IntelliCode for Visual Studio](https://learn.microsoft.com/en-us/visualstudio/intellicode/intellicode-visual-studio) provides AI-based
code suggestions.
IntelliCode does not send any code to Microsoft servers as long as team completion model training is not used [1] [2]. This script opts out
of it without breaking the functionality of IntelliCode for local models.
The registry keys set by this script do not exist by default after installation since Visual Studio 2022.
[1]: https://docs.microsoft.com/en-us/visualstudio/intellicode/intellicode-privacy "IntelliCode privacy - Visual Studio IntelliCode | Microsoft Learn"
[2]: https://github.com/MicrosoftDocs/intellicode/blob/50ea60c91a7175e749ed5e094403568a583a292e/docs/intellicode-privacy.md
code: |-
:: Global policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
:: Local policy
reg add "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
revertCode: |-
:: Global policy
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul
:: Local policy
reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul
reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul
-
name: Disable .NET Core CLI telemetry
recommend: standard
code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1
revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0
-
name: Disable PowerShell telemetry
recommend: standard
docs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry
code: setx POWERSHELL_TELEMETRY_OPTOUT 1
revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0
-
category: Disable Nvidia telemetry
docs:
- https://github.com/privacysexy-forks/nVidia-modded-Inf
- https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry
- https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20
children:
-
name: Remove Nvidia telemetry tasks
recommend: standard
code: |-
if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" (
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry
)
-
name: Remove Nvidia telemetry components
recommend: standard
call:
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES(X86)%\NVIDIA Corporation\NvTelemetry\*'
recurse: true
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES%\NVIDIA Corporation\NvTelemetry\*'
recurse: true
-
name: Disable Nvidia telemetry drivers
recommend: standard
call:
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\DriverStore\FileRepository\NvTelemetry*.dll'
recurse: true
-
name: Disable participation in Nvidia telemetry
recommend: standard
call:
function: RunInlineCode
parameters:
code: |-
reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f
-
name: Disable Nvidia Telemetry Container service
docs: https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/
call:
function: DisableService
parameters:
serviceName: NvTelemetryContainer
# Display name: "NVIDIA Telemetry Container"
# Description: "Container service for NVIDIA Telemetry"
defaultStartupMode: Automatic
-
name: Disable Nvidia telemetry services
recommend: standard
code: |-
schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
revertCode: |-
schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
-
category: Disable Visual Studio Code data collection
docs:
- https://code.visualstudio.com/updates/v1_26#_offline-mode
- https://code.visualstudio.com/docs/getstarted/settings
children:
-
name: Disable Visual Studio Code telemetry
docs: https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableTelemetry
powerShellValue: $false
-
name: Disable Visual Studio Code crash reporting
docs: https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableCrashReporter
powerShellValue: $false
-
name: Disable online experiments by Microsoft in Visual Studio Code
docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: workbench.enableExperiments
powerShellValue: $false
-
name: Disable Visual Studio Code automatic updates in favor of manual updates
call:
function: SetVsCodeSetting
parameters:
setting: update.mode
powerShellValue: manual
-
name: Disable fetching release notes from Microsoft servers after an update
call:
function: SetVsCodeSetting
parameters:
setting: update.showReleaseNotes
powerShellValue: $false
-
name: Disable automatic checking of extension updates from Microsoft online service
call:
function: SetVsCodeSetting
parameters:
setting: extensions.autoCheckUpdates
powerShellValue: $false
-
name: Fetch recommendations from Microsoft only on demand
call:
function: SetVsCodeSetting
parameters:
setting: extensions.showRecommendationsOnlyOnDemand
powerShellValue: $true
-
name: Disable automatic fetching of remote repositories in Visual Studio Code
call:
function: SetVsCodeSetting
parameters:
setting: git.autofetch
powerShellValue: $false
-
name: Disable fetching package information from NPM and Bower in Visual Studio Code
call:
function: SetVsCodeSetting
parameters:
setting: npm.fetchOnlinePackageInfo
powerShellValue: $false
-
category: Disable Microsoft Office telemetry
docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office
children:
-
name: Disable Microsoft Office logging
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
-
name: Disable Microsoft Office client telemetry
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
-
name: Disable Microsoft Office Customer Experience Improvement Program
docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
-
name: Disable Microsoft Office feedback
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
-
name: Disable Microsoft Office telemetry agent
recommend: standard
code: |-
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /DISABLE
revertCode: |-
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE
# - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b)
# name: Disable ClickToRun Service Monitor
# docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx
# call:
# -
# function: RunInlineCode
# parameters:
# code: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE
# revertCode: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE
# -
# function: DisableService
# parameters:
# serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType
# defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Microsoft Office Subscription Heartbeat
code: |-
schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /DISABLE
schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /DISABLE
revertCode: |-
schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /ENABLE
schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /ENABLE
-
category: Configure browsers
children:
-
category: Configure Edge
children:
-
category: Configure Edge (Chromium) settings
children:
-
name: Disable Edge diagnostic data sending (shows "Your browser is managed")
recommend: standard
docs:
- http://archive.today/2023.08.26-152941/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DiagnosticData
- https://learn.microsoft.com/DeployEdge/microsoft-edge-policies#diagnosticdata
- http://archive.today/2023.08.26-152952/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled
- https://learn.microsoft.com/en-gb/DeployEdge/microsoft-edge-policies#metricsreportingenabled
- http://archive.today/2023.08.26-153019/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices
- https://learn.microsoft.com/DeployEdge/microsoft-edge-policies#sendsiteinfotoimproveservices
code: |-
:: Disable metrics and site info sending (Edge v88 and earlier)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f
:: Disable diagnostic data (single policy that replaces the two above since Edge v89)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "DiagnosticData" /t REG_DWORD /d 0 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "DiagnosticData" /f 2>nul
-
name: Disable automatic installation of Edge (Chromium)
docs:
- https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate
- https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit
code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f
-
name: Disable Live Tile data collection
recommend: standard
docs:
- https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection
code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f
-
name: Disable MFU tracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 0 /f
-
name: Disable recent apps
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0 /f
-
name: Disable backtracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f
-
name: Disable Search Suggestions in Edge
docs:
- https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f
-
category: Configure Internet Explorer
children:
-
name: Disable Internet Explorer geolocation
recommend: standard
code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f
-
name: Disable Internet Explorer InPrivate logging
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f
-
name: Disable Internet Explorer CEIP (Customer Experience Improvement Program)
recommend: standard
docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f
-
name: Disable legacy WCM policy calls
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f
-
name: Disable SSLv3 fallback
recommend: standard
docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /f
-
name: Disable certificate error ignoring
recommend: standard
docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f
-
category: Configure Chrome
children:
-
name: Disable Chrome Software Reporter Tool
recommend: standard
code: |-
icacls "%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
cacls "%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter" /e /c /d %username%
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f
revertCode: |-
:: Restore default inherited ACLs on the SwReporter folder that the script denied access to
icacls "%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter" /reset 2>nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /f
-
category: Configure Chrome cleanup
children:
-
name: Disable sharing scanned software data with Google (shows "Your browser is managed")
recommend: standard
docs:
- https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled
- https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /f
-
name: Disable Chrome system cleanup scans (shows "Your browser is managed")
recommend: standard
docs:
- https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled
- https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /f
-
name: Disable Chrome metrics reporting (shows "Your browser is managed")
recommend: standard
docs: https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f
-
category: Configure Firefox
children:
-
category: Disable default browser agent reporting
children:
-
name: Disable default browser agent reporting
recommend: standard
docs: https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/
code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 1 /f
revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 0 /f
-
name: Disable services that report the default browser agent
recommend: standard
code: |-
schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
revertCode: |-
schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
-
name: Disable Firefox metrics reporting
recommend: standard
docs: https://github.com/privacysexy-forks/policy-templates#disabletelemetry
code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 1 /f
revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 0 /f
-
name: Disable Google update services
recommend: standard
docs:
- https://websetnet.net/how-to-disable-google-chrome-automatic-updates-in-windows-10/
- https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-25791.html #gupdate
- https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-26582.html #gupdatem
call:
-
function: RunInlineCode
parameters:
code: |-
schtasks /change /disable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /disable /tn "GoogleUpdateTaskMachineUA"
revertCode: |-
schtasks /change /enable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /enable /tn "GoogleUpdateTaskMachineUA"
-
function: DisableService
parameters:
serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Adobe Acrobat update services
recommend: standard
call:
-
function: DisableService
parameters:
serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: adobeflashplayerupdatesvc # Check: (Get-Service -Name adobeflashplayerupdatesvc).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: RunInlineCode
parameters:
code: |-
schtasks /change /tn "Adobe Acrobat Update Task" /disable
schtasks /change /tn "Adobe Flash Player Updater" /disable
revertCode: |-
schtasks /change /tn "Adobe Acrobat Update Task" /enable
schtasks /change /tn "Adobe Flash Player Updater" /enable
-
name: Disable "Razer Game Scanner Service"
recommend: standard
call:
function: DisableService
parameters:
serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Logitech Gaming Registry Service"
recommend: standard
call:
function: DisableService
parameters:
serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Dropbox automatic update services
recommend: standard
call:
-
function: DisableService
parameters:
serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: RunInlineCode
parameters:
code: |-
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA"
revertCode: |-
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA"
-
category: Disable Media Player data collection
children:
-
name: Disable sending Windows Media Player statistics
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f
-
name: Disable metadata retrieval
recommend: standard
code: |-
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable "Windows Media Player Network Sharing Service" (`WMPNetworkSvc`)
docs: http://batcmd.com/windows/10/services/wmpnetworksvc/
recommend: standard
call:
function: DisableService
parameters:
serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable CCleaner data collection
code: |-
reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f
-
category: Security improvements
children:
-
category: Enable protection against Meltdown and Spectre
docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
children:
-
name: Mitigate Spectre Variant 2 and Meltdown in host operating system
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
wmic cpu get name | findstr "Intel" >nul && (
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f
)
wmic cpu get name | findstr "AMD" >nul && (
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f
)
revertCode: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f
-
name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V
code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f
-
name: Disable administrative shares
recommend: standard
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f
-
name: Enable Data Execution Prevention (DEP)
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f
-
name: Disable AutoPlay and AutoRun
docs:
- https://en.wikipedia.org/wiki/AutoRun
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673
recommend: standard
code: |-
:: 255 (0xff) means all drives
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f
-
name: Disable remote assistance feature
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f
-
name: Disable lock screen camera access
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f
-
name: Disable storage of the LAN Manager password hashes
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 0 /f
-
name: Disable "Always install with elevated privileges" in Windows Installer
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f
-
name: Disable Basic Authentication usage in WinRM
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f
-
name: Disable anonymous enumeration of shares
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f
-
name: Disable usage of insecure authentication
recommend: standard
docs:
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801
- https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f
-
name: Enable Structured Exception Handling Overwrite Protection (SEHOP)
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f
-
name: Disable anonymous enumeration of SAM accounts
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 0 /f
-
name: Disable anonymous access to named pipes and shares
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 0 /f
-
category: Disable unsafe features
children:
-
name: Disable unsafe SMBv1 protocol
recommend: standard
docs: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
code: |-
dism /online /Disable-Feature /FeatureName:"SMB1Protocol" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart
revertCode: |-
dism /online /Enable-Feature /FeatureName:"SMB1Protocol" /NoRestart
dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart
dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart
-
name: Enable security against PowerShell 2.0 downgrade attacks
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637
code: |-
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart
revertCode: |-
dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart
dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart
-
name: Disable "Windows Connect Now" wizard
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now
- https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f
-
category: Secure cryptography on IIS (Internet Information Services) server
children:
-
name: Increase Diffie-Hellman key (DHK) exchange to 4096 bits
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ServerMinKeyBitLength /t REG_DWORD /d 0x00001000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00001000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v Enabled /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f
-
name: Increase RSA key exchange to 2048 bits
docs: |-
In 2012, Microsoft began transitioning the minimum RSA key length across various applications from 1024 to 2048 bits.
1024-bit key exchange algorithms are still supported in Windows despite having been considered deprecated for some time.
NIST 800-131A Rev. 2 states that RSA key agreement and key transport schemes with len(n) < 2048 are disallowed. Generally,
RSA key exchange algorithms with 2048-bit or longer keys are widely supported. While the set of enabled cipher suites remains a roundabout way to
control which key exchange algorithms are accepted, these can also be specified independently (although there are still constraints
based on the negotiated cipher suite) and provide a supplemental baseline for enforcing strong cryptography.
This script works by creating the non-default key `PKCS` under
`HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\` with a value named `ClientMinKeyBitLength`
set to `0x00000800` (2048). The revert deletes the `ClientMinKeyBitLength` value.
See also:
- [Transport Layer Security (TLS) registry settings | learn.microsoft.com](https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#keyexchangealgorithm---client-rsa-key-sizes)
- [Pull request by bricedobson | undergroundwires/privacy.sexy | GitHub.com](https://github.com/undergroundwires/privacy.sexy/pull/165)
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00000800
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /v "ClientMinKeyBitLength" /f
-
name: Disable RC2 cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v "Enabled" /f
-
name: Disable RC4 cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v "Enabled" /f
-
name: Disable DES cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v "Enabled" /f
-
name: Disable 3DES (Triple DES) cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" /f
-
name: Disable MD5 hash function
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v "Enabled" /f
-
name: Disable SHA1 # The "SHA" key controls SHA-1 in Schannel; the SHA-2 variants use the separate SHA256, SHA384 and SHA512 keys
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /v "Enabled" /f
-
name: Disable null cipher
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v "Enabled" /f
-
name: Disable response to renegotiation requests
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoClients /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoServers /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v DisableRenegoOnServer /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v UseScsvForTls /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnServer" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f
-
name: Disable DTLS 1.0
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "DisabledByDefault" /f
-
name: Disable DTLS 1.1 # No DTLS 1.1 was ever specified (DTLS went from 1.0 to 1.2 to align with TLS 1.2), so Schannel has no such protocol and these values are inert
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f
-
name: Enable DTLS 1.3 # Microsoft's TLS registry settings documentation lists DTLS 1.0 and DTLS 1.2 only; on Schannel versions without a DTLS 1.3 implementation these values are ignored
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Disable TLS 1.0
docs: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls # Once TLS 1.0 is disabled, .NET Framework apps need SchUseStrongCrypto and SystemDefaultTlsVersions set (done below) so they follow the OS defaults (TLS 1.2+) instead of their own hard-coded protocol list
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
-
name: Disable TLS 1.1
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f
-
name: Enable TLS 1.3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Enable strong authentication for .NET applications using TLS 1.2
docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications
code: |-
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
-
name: Disable SSLv2
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f
-
name: Disable SSLv3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f
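# Added check (example code, not part of privacy.sexy): the PowerShell below reads back the Schannel and .NET registry
# values written by the protocol, cipher, hash and key-exchange scripts above and prints the effective state of each item,
# applying the documented Enabled / DisabledByDefault semantics. The list of protocols and algorithms it inspects is an
# assumption chosen to match the scripts above; run it before and after applying them, or after a revert, to confirm the result.

```powershell
# Example audit script, not privacy.sexy code. Run from 64-bit PowerShell so the
# WOW6432Node view is the 32-bit one and the plain SOFTWARE view is the 64-bit one.
# Assumed semantics (Microsoft TLS registry settings page): for a protocol, Enabled=0
# disables it and DisabledByDefault=1 keeps it off unless an app requests it; an absent
# value means the OS default for this Windows build.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-HklmValue {
    param([string]$SubKey, [string]$Name)
    # .NET registry API instead of HKLM:\ paths, because the PowerShell registry provider
    # treats the '/' in cipher key names such as 'RC4 128/128' as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Get-ProtocolState {
    param([string]$Protocol, [string]$Side)  # Side is 'Client' or 'Server'
    $sub       = "$schannel\Protocols\$Protocol\$Side"
    $enabled   = Get-HklmValue $sub 'Enabled'
    $byDefault = Get-HklmValue $sub 'DisabledByDefault'
    if ($null -eq $enabled -and $null -eq $byDefault) { $state = 'OS default' }
    elseif ($enabled -eq 0)                          { $state = 'Disabled' }
    elseif ($byDefault -eq 1)                        { $state = 'Enabled, not offered by default' }
    else                                             { $state = 'Enabled' }
    [pscustomobject]@{ Item = "$Protocol ($Side)"; Enabled = $enabled; DisabledByDefault = $byDefault; State = $state }
}

function Get-AlgorithmState {
    param([string]$Category, [string]$Name)  # Category is Ciphers or Hashes
    $enabled = Get-HklmValue "$schannel\$Category\$Name" 'Enabled'
    if ($null -eq $enabled) { $state = 'OS default' } elseif ($enabled -eq 0) { $state = 'Disabled' } else { $state = 'Enabled' }
    [pscustomobject]@{ Item = "$Category\$Name"; Enabled = $enabled; DisabledByDefault = $null; State = $state }
}

$report = @()
foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3','DTLS 1.0','DTLS 1.2') {
    foreach ($side in 'Client','Server') { $report += Get-ProtocolState $p $side }
}
foreach ($c in 'NULL','DES 56/56','Triple DES 168','RC2 40/128','RC2 56/128','RC2 128/128',
               'RC4 40/128','RC4 56/128','RC4 64/128','RC4 128/128') {
    $report += Get-AlgorithmState 'Ciphers' $c
}
foreach ($h in 'MD5','SHA') { $report += Get-AlgorithmState 'Hashes' $h }

# Minimum RSA key length the client accepts from a server (PKCS\ClientMinKeyBitLength).
$minBits  = Get-HklmValue "$schannel\KeyExchangeAlgorithms\PKCS" 'ClientMinKeyBitLength'
$minState = if ($null -eq $minBits) { 'OS default' } else { "$minBits bits minimum" }
$report  += [pscustomobject]@{ Item = 'KeyExchangeAlgorithms\PKCS (client RSA)'; Enabled = $minBits; DisabledByDefault = $null; State = $minState }

# .NET Framework 4.x: both values must be 1 for managed apps to follow the OS protocol defaults.
$netKeys = @(
    @{ Arch = '64-bit'; Path = 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319' },
    @{ Arch = '32-bit'; Path = 'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' }
)
foreach ($net in $netKeys) {
    foreach ($v in 'SchUseStrongCrypto','SystemDefaultTlsVersions') {
        $val   = Get-HklmValue $net.Path $v
        $state = if ($val -eq 1) { 'Set' } else { 'Not set (app-controlled protocol list)' }
        $report += [pscustomobject]@{ Item = ".NET $($net.Arch) $v"; Enabled = $val; DisabledByDefault = $null; State = $state }
    }
}

$report | Format-Table -AutoSize
# Warn about legacy protocols that are still at OS default or explicitly enabled.
$report | Where-Object { $_.Item -match '^(SSL|TLS 1\.[01]|DTLS 1\.0)' -and $_.State -ne 'Disabled' } |
    ForEach-Object { Write-Warning "Not explicitly disabled: $($_.Item) is $($_.State)" }
```

# Reading HKLM needs no elevation, so the audit can run as a normal user; only the reg add/reg delete scripts above need an
# administrator shell. A protocol reported as "OS default" is whatever the Windows build ships with, which differs between versions.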
-
category: Privacy over security
children:
-
category: Disable Microsoft Defender
docs: https://en.wikipedia.org/wiki/Windows_Firewall
# See defender status: Get-MpComputerStatus
children:
-
category: Disable Microsoft Defender firewall # Also known as Windows Firewall, Microsoft Defender Firewall
children:
-
category: Disable Microsoft Defender Firewall services and drivers (breaks Microsoft Store and `netsh advfirewall` CLI)
children:
-
name: Disable "Windows Defender Firewall Authorization Driver" service
docs:
- http://batcmd.com/windows/10/services/mpsdrv/
# ❗️ Breaks: `netsh advfirewall set`
# Disabling and stopping it breaks "netsh advfirewall set" commands such as
# `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`.
# More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
# ! Breaks: Windows Store
# The Windows Defender Firewall service depends on this service.
# Disabling this will also disable the Windows Defender Firewall service, breaking Microsoft Store.
# https://i.imgur.com/zTmtSwT.png
call:
-
function: DisableServiceInRegistry # Protected service: "sc config" fails with "Access is denied", so the start type is changed directly in the registry
parameters:
serviceName: mpsdrv # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv").Start
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\mpsdrv.sys'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Windows Defender Firewall" service
docs:
- http://batcmd.com/windows/10/services/mpssvc/
- https://en.wikipedia.org/wiki/Windows_Firewall
# More information about MpsSvc:
- https://web.archive.org/web/20110203202612/http://technet.microsoft.com/en-us/library/dd364391(v=WS.10).aspx
# More information about boot time protection and stopping the firewall service:
- https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx
# Stopping the service associated with Windows Firewall is not supported by Microsoft:
- https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx
# ❗️ Breaks Microsoft Store
# Apps can no longer be updated or installed; both operations fail with error 0x80073D0A
# Also breaks some of Store apps such as Photos:
# - https://answers.microsoft.com/en-us/windows/forum/all/microsoft-store-windows-defender-windows-firewall/f2f68cd7-64ec-4fe1-ade4-9d12cde057f9
# - https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791
# > The MpsSvc service host much more functionality than just windows firewall. For instance, Windows
# Service hardening which is a windows protection of system services. It also host network isolation
# which is a crucial part of the confidence model for Windows Store based applications. 3rd party firewalls
# know this fact and instead of disabling the firewall service they coordinate through public APIs with Windows
# Firewall so that they can have ownership of the firewall policies of the computer. Hence you do not have to do
# anything special once you install a 3rd party security product.
# Source: https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/
# ❗️ Breaks: `netsh advfirewall set`
# Disabling and stopping it breaks "netsh advfirewall set" commands such as
# `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`.
# More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
call:
-
function: DisableServiceInRegistry # Protected service: "sc config" fails with "Access is denied", so the start type is changed directly in the registry
parameters:
serviceName: MpsSvc # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc").Start
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\mpssvc.dll'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable firewall via command-line utility
# ❗️ Following must be enabled and in running state:
# - mpsdrv ("Windows Defender Firewall Authorization Driver")
# - bfe (Base Filtering Engine)
# - mpssvc ("Windows Defender Firewall")
# If the dependent services are not running, the script fails with:
# "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again."
# If the mpsdrv or mpssvc scripts above were applied, revert them and reboot before running this script
docs: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
call:
function: RunPowerShell
parameters:
code: |-
if(!(Get-Command 'netsh' -ErrorAction Ignore)) {
throw '"netsh" does not exist, is system installed correctly?'
}
$message=netsh advfirewall set allprofiles state off 2>&1
if($?) {
Write-Host "Successfully disabled firewall."
} else {
if($message -like '*Firewall service*') {
Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'
} else {
throw "Cannot disable: $message"
}
}
revertCode: |-
if(!(Get-Command 'netsh' -ErrorAction Ignore)) {
throw '"netsh" does not exist, is system installed correctly?'
}
$message=netsh advfirewall set allprofiles state on 2>&1
if($?) {
Write-Host "Successfully enabled firewall."
} else {
if($message -like '*Firewall service*') {
Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'
} else {
throw "Cannot enable: $message"
}
}
-
name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning
docs:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2
code: |-
:: Policy based
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
:: Non-policy based
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
# On revert, the HKLM\SOFTWARE\Policies values are deleted because a clean installation does not have them.
# The "StandardProfile", "DomainProfile" and "PublicProfile" keys under HKLM\SYSTEM\CurrentControlSet do exist on
# a clean installation, so their values are not deleted but set back to the default (enabled) state.
revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
:: Policy based
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /f 2>nul
:: Non-policy based
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
-
name: Disable "Firewall & network protection" section in "Windows Security"
docs: |-
This script hides the "Firewall & network protection" section in the "Windows Security" interface. This interface was
previously called "Windows Defender Security Center" [1].
The "Firewall & network protection" section shows the state of the device's firewalls and network connections [2], covering
both Windows Defender Firewall and any third-party firewall [2]. After running this script, the section is no longer shown
in the "Windows Security" interface [3]; the firewall itself is unaffected, only its management page is hidden.
This script sets the `UILockdown` value under the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection`
registry key to `1`, which hides the Firewall and network protection area [3].
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
[2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn"
[3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul
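# Added check (example code, not part of privacy.sexy): the PowerShell below reports which of the firewall-disabling
# mechanisms above is in effect (service start type in the registry, policy registry values, local registry values) and
# whether the netsh / Get-NetFirewallProfile path is usable at all, so a revert can be done in the right order
# (services first, reboot, then netsh or registry). The precedence rule it applies (a policy value overrides the local value,
# no value means enabled) is an assumption that matches the STIG and ADMX references above.

```powershell
# Example diagnostic, not privacy.sexy code. Reads registry and service state only; changes nothing.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value missing
    return $item.$Name
}

function Get-FirewallServiceState {
    # BFE must run for mpsdrv and MpsSvc; MpsSvc is what "netsh advfirewall" talks to.
    # Win32_BaseService covers both user-mode services (MpsSvc, BFE) and the mpsdrv driver.
    foreach ($name in 'BFE','mpsdrv','MpsSvc') {
        $svc    = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$name'" -ErrorAction SilentlyContinue
        $start  = Get-RegDword "HKLM:\SYSTEM\CurrentControlSet\Services\$name" 'Start'
        $status = if ($null -eq $svc) { 'Missing' } else { $svc.State }
        [pscustomobject]@{
            Service    = $name
            Status     = $status
            StartValue = $start              # 2 Automatic, 3 Manual, 4 Disabled
            Disabled   = ($start -eq 4)
        }
    }
}

function Get-FirewallProfileState {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'DomainProfile','PrivateProfile','PublicProfile','StandardProfile') {
        $policy = Get-RegDword "$policyRoot\$fwProfile" 'EnableFirewall'
        $local  = Get-RegDword "$localRoot\$fwProfile"  'EnableFirewall'
        # Assumed precedence: a policy (GPO path) value overrides the local value; no value at all means enabled.
        if ($null -ne $policy)    { $effective = $policy; $source = 'policy' }
        elseif ($null -ne $local) { $effective = $local;  $source = 'local' }
        else                      { $effective = 1;       $source = 'default' }
        [pscustomobject]@{ Profile = $fwProfile; PolicyValue = $policy; LocalValue = $local; Enabled = ($effective -eq 1); Source = $source }
    }
}

$services = Get-FirewallServiceState
$services | Format-Table -AutoSize
Get-FirewallProfileState | Format-Table -AutoSize

# The command-line path only works while MpsSvc is running.
$mpssvc = $services | Where-Object Service -eq 'MpsSvc'
if ($mpssvc.Status -eq 'Running') {
    Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
} else {
    Write-Warning 'MpsSvc is not running: "netsh advfirewall" and Get-NetFirewallProfile will fail. Revert the mpsdrv/MpsSvc scripts and reboot first.'
}
```

# If the profile table shows Enabled=False with Source=policy, the registry script above is what is holding the firewall off
# and netsh cannot override it; delete the policy values first. A Status of Stopped with StartValue=4 points at the service scripts instead.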
-
name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul
-
category: Disable Defender features
# Status: Get-MpPreference
children:
-
category: Disable Defender Antivirus cloud protection service
docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus
# Also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet
children:
-
category: Disable Defender cloud protection features
children:
-
name: Disable block at first sight
docs:
# What is block at first sight? How does it work? How to turn on/off?
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: SetMpPreference
parameters:
property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen
value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True
default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul
-
name: Maximize time for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required"
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /f 2>nul
-
name: Minimize cloud protection level # Requires "Join Microsoft MAPS"
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul
-
name: Disable notifications to turn off security intelligence # Requires "Join Microsoft MAPS"
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul
-
category: Disable Defender cloud export for analysis
children:
-
name: Disable Microsoft Defender SpyNet reporting
recommend: strict
docs:
- https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713
# Manage with registry policy
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
# Managing with MDM policy
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#mapsreporting
call:
# 0: Disabled, 1: Basic, 2: Advanced (default)
-
function: SetMpPreference
parameters:
property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting
value: "'0'" # Set: Set-MpPreference -Force -MAPSReporting 0
default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /f 2>nul
-
name: Disable sending file samples for further analysis
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent
call:
# 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically'
-
function: SetMpPreference
parameters:
property: SubmitSamplesConsent # Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent
value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2
default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1
                        setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead of 1 (OS default) in Windows 11
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /f 2>nul
-
name: Disable "Malicious Software Reporting" tool diagnostic data
recommend: strict
docs: |-
This script disables the diagnostic data sent by Microsoft's Malicious Software Removal Tool (MSRT) [1].
Starting from its version 5.39 in August 2016, MSRT was observed to transmit a "Heartbeat Report" to Microsoft every time it operated [2].
This happens even when the Customer Experience Improvement Program (CEIP) is turned off, and even if "DiagTrack" is not installed on the
computer [2]. Such a report can be confirmed by viewing the MRT log located at `%windir%\debug\mrt.log` [2].
This script enhances user privacy by setting a specific system key, `HKLM\SOFTWARE\Policies\Microsoft\MRT!DontReportInfectionInformation`,
to halt this data sharing with Microsoft [1] [2].
[1]: https://web.archive.org/web/20231009135123/https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection "Disable Malicious Software Reporting tool diagnostic data | admx.help"
[2]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul
-
name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS"
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul
-
name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
- https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/
- https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: SetMpPreference
parameters:
# 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode'
property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection
value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0
default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0
-
function: RunInlineCode
parameters:
code: |-
:: For legacy versions: Windows 10 v1809 and Windows Server 2019
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
:: For newer Windows versions
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f
revertCode: |-
:: For legacy versions: Windows 10 v1809 and Windows Server 2019
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /f 2>nul
:: For newer Windows versions
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul
-
name: Disable tamper protection # Added in Windows 10, version 1903
docs:
- https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10
- https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-tamperprotection
call:
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
# ❌ Fails with "ERROR: Access is denied." in Windows 11 21H2 | ✅ Works in Windows 10 >= 20H2
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /f 2>nul
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /f 2>nul
-
name: Disable file hash computation feature # Added in Windows 10, version 2004
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation
- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul
-
category: Disable "Windows Defender Exploit Guard"
docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
children:
-
name: Disable prevention of users and apps from accessing dangerous websites
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection
                code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "0" /f # 0: Disabled (default), 1: Block mode, 2: Audit mode
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul
-
name: Disable controlled folder access
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f 2>nul
-
category: Disable network inspection system features
children:
-
name: Disable protocol recognition
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /f 2>nul
-
name: Disable definition retirement
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul
-
name: Minimize rate of detection events
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /f 2>nul
-
category: Disable real-time protection
children:
-
name: Disable real-time monitoring
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring
call: # Enabled by default (DisableRealtimeMonitoring is false)
-
function: SetMpPreference
parameters:
property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring
value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /f 2>nul
-
name: Disable intrusion prevention system (IPS)
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem
call:
-
function: SetMpPreference
parameters:
property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem
value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True
# ❌ Windows 11 and Windows 10: Does not fail but does not change the value
default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False
                        # ❗️ Default is empty (no value), but it cannot be set that way using Set-MpPreference, so $False is set
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /f 2>nul
-
name: Disable Information Protection Control (IPC)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /f 2>nul
-
category: Disable Defender monitoring of behavior
children:
-
name: Disable behavior monitoring
docs:
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring
call:
-
function: SetMpPreference
parameters:
property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring
value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /f 2>nul
-
name: Disable sending raw write notifications to behavior monitoring
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /f 2>nul
-
category: Disable monitoring of downloads and attachments in Defender
children:
-
name: Disable scanning of all downloaded files and attachments
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection
call:
-
function: SetMpPreference
parameters:
property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection
value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True
# ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /f 2>nul
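                    # Added example (not part of privacy.sexy or of the scripts in this collection): a PowerShell
                    # audit for the real-time protection and cloud settings toggled in this category. The comments
                    # above note that on Windows 11 `Set-MpPreference` can return without applying the value, and
                    # when tamper protection is on (see "Disable tamper protection") Defender ignores changes to
                    # protected settings made through `Set-MpPreference` or the policy registry. The script reads
                    # the tamper protection state from `Get-MpComputerStatus`, then compares the effective value
                    # reported by `Get-MpPreference` with the policy value written by the `reg add` commands above.
                    # The `$checks` table and its `Expected` values are assumptions taken from those scripts; the
                    # output columns are the example's own. Run it in an elevated PowerShell session.
                    #
                    # ```powershell
                    # # Effective Defender preference vs. the policy registry value written by the scripts above.
                    # # Added example: not privacy.sexy code. Requires the Defender module (Windows 10/11) and admin rights.
                    # $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
                    #
                    # # Pref: property of Get-MpPreference; Key/Value: policy registry location the script writes;
                    # # Expected: the value the script writes (assumed from the scripts in this collection).
                    # $checks = @(
                    #     @{ Pref = 'DisableRealtimeMonitoring'; Key = 'Real-Time Protection'; Value = 'DisableRealtimeMonitoring'; Expected = 1 }
                    #     @{ Pref = 'DisableBehaviorMonitoring'; Key = 'Real-Time Protection'; Value = 'DisableBehaviorMonitoring'; Expected = 1 }
                    #     @{ Pref = 'DisableIOAVProtection';     Key = 'Real-Time Protection'; Value = 'DisableIOAVProtection';     Expected = 1 }
                    #     @{ Pref = 'DisableBlockAtFirstSeen';   Key = 'Spynet';               Value = 'DisableBlockAtFirstSeen';   Expected = 1 }
                    #     @{ Pref = 'MAPSReporting';             Key = 'Spynet';               Value = 'SpynetReporting';           Expected = 0 }
                    #     @{ Pref = 'SubmitSamplesConsent';      Key = 'Spynet';               Value = 'SubmitSamplesConsent';      Expected = 2 }
                    # )
                    #
                    # $pref   = Get-MpPreference
                    # $status = Get-MpComputerStatus
                    #
                    # # Tamper protection makes Defender ignore changes to protected settings from
                    # # Set-MpPreference and the policy registry, so report it before anything else.
                    # if ($status.IsTamperProtected) {
                    #     Write-Warning 'Tamper protection is ON: Defender ignores changes to protected settings made via Set-MpPreference or the policy registry.'
                    # }
                    #
                    # foreach ($c in $checks) {
                    #     $keyPath   = Join-Path $policyRoot $c.Key
                    #     # $null when the policy value has not been written by any script
                    #     $regValue  = (Get-ItemProperty -Path $keyPath -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
                    #     $effective = $pref.($c.Pref)
                    #     $shown     = if ($null -eq $regValue) { '(not set)' } else { $regValue }
                    #
                    #     [pscustomobject]@{
                    #         Setting        = $c.Pref
                    #         PolicyRegistry = $shown
                    #         Effective      = $effective
                    #         # Booleans from Get-MpPreference cast to 0/1 so they compare with the DWORD policy value
                    #         Applied        = ([int]$effective -eq $c.Expected)
                    #     }
                    # }
                    # ```
                    #
                    # A row with PolicyRegistry set but Applied = False means the `reg add` succeeded while Defender
                    # did not honour it: either the policy has not been picked up yet, or Defender refused it, which is
                    # what tamper protection and the Windows 11 behaviour noted in the comments above look like.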
-
name: Disable scanning files larger than 1 KB (minimum possible)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul
-
category: Disable Defender monitoring of file and program activity
children:
-
name: Disable file and program activity monitoring
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul
-
name: Disable bidirectional scan for incoming and outgoing file and program activities
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection
call:
# 0='Both': bi-directional (full on-access, default)
# 1='Incoming': scan only incoming (disable on-open)
                        # 2='Outgoing': scan only outgoing (disable on-close)
-
function: SetMpPreference
parameters:
property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection
value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1
default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul
-
name: Disable real-time protection process scanning
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /f 2>nul
-
category: Disable Defender remediation
children:
-
name: Disable routine remediation
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#admx-microsoftdefenderantivirus-disableroutinelytakingaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul
-
name: Disable running scheduled auto-remediation
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday
call:
# 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never'
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul
-
function: SetMpPreference
parameters:
property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8
default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0
-
name: Disable remediation actions
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
# None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10
call: # Not using ThreatIdDefaultAction as it requires known threat IDs
-
function: SetMpPreference
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction
parameters:
property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction
                        # Setting or removing `UnknownThreatDefaultAction` has the same effect on (and sets the same value for):
                        # `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`.
                        # E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others are also removed.
# Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction`
value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9
# Default: 0 (none)
# Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction`
# works on both Windows 10 and Windows 11
-
function: RunInlineCode
parameters:
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f
:: 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition)
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f
revertCode: |-
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul
-
name: Enable automatically purging items from quarantine folder
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay
call:
# Values:
# Default: 90 on both Windows 10 21H1 and Windows 11 21H2
# Minimum: 1
# 0 means indefinitely
-
function: SetMpPreference
parameters:
property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay
value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1
default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90
                        setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead of 90 (OS default) in Windows 11
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /f 2>nul
-
name: Disable always running antimalware service
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive
            code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f # 1 keeps the service always running (policy enabled), 0 disables it
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul
# - Too good to disable, also no reported privacy issues
# category: Disable Microsoft Defender "Device Guard" and "Credential Guard"
# docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419
# children:
# -
# name: Disable LSA protection (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
# - https://itm4n.github.io/lsass-runasppl/
# - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# code: |-
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
# reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
# revertCode: |- # Already disabled by default, so just delete the keys
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f 2>nul
# reg delete "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /f 2>nul
# -
# name: Disable virtualization-based security (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
# code: |-
# :: Virtualization features
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul
# :: Lock
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul
# :: HypervisorEnforcedCodeIntegrity
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f 2>nul
# revertCode: |-
# :: Virtualization features
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul
# :: Lock
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul
# :: HypervisorEnforcedCodeIntegrity
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul
# -
# name: Disable System Guard Secure Launch
# docs:
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection
# - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch
# code: |-
# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 2 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 0 /f
# revertCode: |-
# reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /f 2>nul
# -
# name: Disable Windows Defender Application Control Code Integrity Policy
# docs:
# - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# call:
# -
# function: RunInlineCode
# parameters:
# code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 0 /f
# revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /f 2>nul
# -
# function: DeleteFiles
# parameters:
# fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b'
-
name: Disable auto-exclusions
docs:
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions
call:
-
function: SetMpPreference
parameters:
property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions
value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True
default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False
setDefaultOnWindows11: true # `Remove-MpPreference` has no effect (does not change the value) in Windows 11
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /f 2>nul
-
category: Disable Defender scans
children:
-
category: Disable scan actions
children:
-
name: Disable signature verification before scanning # Default configuration
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan
call:
-
function: SetMpPreference
parameters:
property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan
value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
-
function: RunInlineCode
parameters: # Default: Does not exist
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul
-
name: Disable creation of daily system restore points # Default behavior
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint
call:
-
function: SetMpPreference
parameters:
property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint
value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True
default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul
-
name: Minimize retention time for files in scan history
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay
call: # Default is 15 days; 0 means items are never removed, so 1 is the smallest value that still purges
-
function: SetMpPreference
parameters:
property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay
value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1
default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /f 2>nul
-
category: Disable catch-up scans
children:
-
name: Maximize days until mandatory catch-up scan
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup
# Default and minimum is 2, maximum is 20
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /f 2>nul
-
name: Disable catch-up full scans # Disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan
call:
-
function: SetMpPreference
parameters:
property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan
value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul
-
name: Disable catch-up quick scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan
call:
-
function: SetMpPreference
parameters:
property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan
value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul
-
category: Disable Defender scan options
children:
-
name: Disable scan heuristics
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul
-
category: Minimize CPU usage during scans
children:
-
name: Minimize CPU usage during scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor
call:
# Default: 50, minimum 1
-
function: SetMpPreference
parameters:
property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor
value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1
default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul
-
name: Minimize CPU usage during idle scans
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: SetMpPreference
parameters:
property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans
value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False
default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul
-
name: Disable scanning when not idle # Default OS setting
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled
call:
-
function: SetMpPreference
parameters:
property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled
value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul
-
name: Disable scheduled anti-malware scanner (MRT)
docs: |-
This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft.
It does so by setting `DontOfferThroughWUAU`, which stops Windows Update from offering and running MSRT.
Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user
preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully
Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1].
By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft.
[1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody"
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /f 2>nul
-
category: Minimize scanned areas
children:
-
name: Disable e-mail scanning # Disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning
call:
-
function: SetMpPreference
parameters:
property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning
value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $True
default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /f 2>nul
-
name: Disable script scanning
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning
call:
function: SetMpPreference
parameters:
property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning
value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False
-
name: Disable reparse point scanning
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul
-
name: Disable scanning mapped network drives during full scan
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan
value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True
-
name: Disable network file scanning
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles
value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True
default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False
-
name: Disable scanning packed executables
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /f 2>nul
-
category: Disable scanning archive files
children:
-
name: Disable scanning archive files
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning
value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True
default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False
-
name: Minimize scanning depth of archive files
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul
-
name: Minimize file size for scanning archive files
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul
-
name: Disable scanning removable drives
docs:
# Disabled by default
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableremovabledrivescanning
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning
value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $True
default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True
-
category: Disable auto-scans
children:
-
name: Disable scheduled scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday
call:
# Options are:
# 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday',
# 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never'
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul
-
function: SetMpPreference
parameters:
property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8'
default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0'
-
name: Disable randomizing scheduled task times
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul
-
function: SetMpPreference
parameters:
property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes
value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False
default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True
-
name: Disable scheduled full-scans
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters
call:
# Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan'
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul
-
function: SetMpPreference
parameters:
property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters
value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1'
default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1'
setDefaultOnWindows11: true # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11
-
name: Minimize daily quick scan frequency
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul
-
name: Disable scanning after security intelligence (signature) update
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul
-
category: Disable Defender updates
children:
-
category: Disable Defender Security Intelligence (signature) updates
children:
-
name: Disable forced security intelligence (signature) updates from Microsoft Update
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /f 2>nul
-
name: Disable security intelligence (signature) updates when running on battery power
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul
-
name: Disable startup check for latest virus and spyware security intelligence (signature)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /f 2>nul
-
name: Disable catch-up security intelligence (signature) updates # default is one day
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval
call:
# Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc.
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval
value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0'
default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1'
-
name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when spyware security intelligence (signature) is considered up-to-date
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul
-
name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when virus security intelligence (signature) is considered up-to-date
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /f 2>nul
-
name: Disable security intelligence (signature) update on startup
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine
value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True
default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False
-
name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday
call:
# Options:
# 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday'
# 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default)
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8'
default: "'8'" # Default: 8 (Never) | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8'
-
name: Minimize checks for security intelligence (signature) updates
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval
call:
# Valid values range from 1 (every hour) to 24 (once per day).
# If not specified (0), Microsoft Defender checks at its built-in default interval.
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval
value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24'
default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0'
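# Added example (not part of privacy.sexy or its generated scripts): applies, audits and reverts
# the three signature-update settings above from an elevated PowerShell session, writing the
# policy registry value and the matching MpPreference property together so the two never drift.
# Assumptions: the policy key and value names are the ones used by the reg commands above;
# 8 means "Never" for ScheduleDay and 24 means once per day for the interval. The
# HRESULT 0x800106ba handling mirrors the failure noted further down for a stopped WinDefend.

```powershell
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'

# One row per setting: policy value name, MpPreference property, target values (from the scripts above).
$Settings = @(
    @{ Reg = 'DisableUpdateOnStartupWithoutEngine'; Pref = 'SignatureDisableUpdateOnStartupWithoutEngine'; RegValue = 1;  PrefValue = $true }
    @{ Reg = 'ScheduleDay';                         Pref = 'SignatureScheduleDay';                         RegValue = 8;  PrefValue = 8 }
    @{ Reg = 'SignatureUpdateInterval';             Pref = 'SignatureUpdateInterval';                      RegValue = 24; PrefValue = 24 }
)

function Invoke-MpPreferenceCmdlet {
    # Set-MpPreference / Remove-MpPreference fail with HRESULT 0x800106ba when the
    # "Microsoft Defender Antivirus Service" (WinDefend) is stopped or disabled.
    # Splatting lets one helper call either cmdlet with a property chosen at run time.
    param([string]$Cmdlet, [hashtable]$Params)
    try { & $Cmdlet -Force @Params }
    catch {
        if ($_.Exception.Message -match '0x800106ba') {
            Write-Warning "WinDefend is not running; only the registry policy value was changed."
        } else { throw }
    }
}

function Set-DefenderSignatureUpdatePolicy {
    param([switch]$Revert)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($s in $Settings) {
        if ($Revert) {
            # Mirror of the revertCode above: drop the policy value, reset the preference to its default.
            Remove-ItemProperty -Path $PolicyKey -Name $s.Reg -ErrorAction SilentlyContinue
            Invoke-MpPreferenceCmdlet -Cmdlet 'Remove-MpPreference' -Params @{ $s.Pref = $true }
        } else {
            Set-ItemProperty -Path $PolicyKey -Name $s.Reg -Value $s.RegValue -Type DWord
            Invoke-MpPreferenceCmdlet -Cmdlet 'Set-MpPreference' -Params @{ $s.Pref = $s.PrefValue }
        }
    }
}

function Get-DefenderSignatureUpdateState {
    # Shows the policy value and the preference side by side so any mismatch is visible.
    $pref = Get-MpPreference
    foreach ($s in $Settings) {
        $regVal = (Get-ItemProperty -Path $PolicyKey -Name $s.Reg -ErrorAction SilentlyContinue).($s.Reg)
        [pscustomobject]@{
            Setting    = $s.Pref
            Policy     = if ($null -eq $regVal) { '(not set)' } else { $regVal }
            Preference = $pref.($s.Pref)
        }
    }
}

Set-DefenderSignatureUpdatePolicy
Get-DefenderSignatureUpdateState | Format-Table -AutoSize
# Undo everything: Set-DefenderSignatureUpdatePolicy -Revert
```

# Writing both the policy value and the preference is deliberate: a policy value alone wins
# while it exists but leaves the local preference untouched, so a later revert that only
# deletes the registry value would silently fall back to whatever the preference held.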
-
category: Disable alternate definition updates
children:
-
name: Disable definition updates via WSUS and Microsoft Malware Protection Center
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul
-
name: Disable definition updates through both WSUS and Windows Update
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul
-
name: Minimize Defender updates to completed gradual release cycles
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease
value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True
default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease
-
name: Minimize Defender engine updates to completed release cycles
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel
value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad'
# Valid values:
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel 'NotConfigured'
-
name: Minimize Defender platform updates to completed release cycles
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel
value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad'
# Valid values:
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel 'NotConfigured'
-
name: Minimize Defender definition updates to completed gradual release cycles
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
function: SetMpPreference
parameters:
property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel
# Its former name was "SignaturesUpdatesChannel"
value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad'
# Valid values:
# 0 = 'NotConfigured' (default), 'Beta', 'Preview', 'Broad', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel 'NotConfigured'
-
category: Disable Microsoft Defender reporting
children:
-
name: Disable Microsoft Defender logging
code: |-
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
revertCode: |- # 1 as default in registry
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
-
name: Disable Microsoft Defender ETW provider (Windows Event Logs)
docs:
- https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-views
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f
revertCode: |- # 1 as default in registry
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f
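# Added example (not part of privacy.sexy): a read-only audit, for the defender side of the house,
# of the two autologger sessions and the two event channels that the scripts above switch off.
# It reports each value against the default of 1 that the revertCode above restores (that default
# is taken from the scripts, not independently verified here) and cross-checks the channels with
# wevtutil, so an analyst can tell at a glance whether Defender logging has been tampered with.

```powershell
$Autologgers = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger',
    'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger'
)
$ChannelNames = @(
    'Microsoft-Windows-Windows Defender/Operational',
    'Microsoft-Windows-Windows Defender/WHC'
)
$ChannelKeyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'

function Test-RegistryFlag {
    # Compares one DWORD against its expected value; a missing value counts as tampered.
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Expected = $Expected
        Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
        Tampered = ($actual -ne $Expected)
    }
}

function Get-DefenderLoggingState {
    foreach ($k in $Autologgers)   { Test-RegistryFlag -Path $k -Name 'Start' -Expected 1 }
    foreach ($c in $ChannelNames)  { Test-RegistryFlag -Path "$ChannelKeyRoot\$c" -Name 'Enabled' -Expected 1 }
}

function Get-DefenderChannelLiveState {
    # The registry value is what survives a reboot; wevtutil reports the channel's current
    # state, which is what decides whether new Defender events are written right now.
    foreach ($c in $ChannelNames) {
        $info = & wevtutil.exe gl $c 2>$null
        [pscustomobject]@{
            Channel = $c
            Enabled = [bool]($info -match '^\s*enabled:\s*true')
        }
    }
}

$drift = Get-DefenderLoggingState | Where-Object Tampered
if ($drift) {
    Write-Warning "Defender logging has been altered:"
    $drift | Format-Table Path, Name, Expected, Actual -AutoSize
} else {
    'Defender autologgers and event channels are at their defaults.'
}
Get-DefenderChannelLiveState | Format-Table -AutoSize
```

# A change to the autologger Start value only takes effect at the next boot, so a host can show
# Start = 0 in the registry while its Defender ETW session is still running; checking both the
# registry and the live channel state is what separates "tampered" from "tampered and effective".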
-
name: Disable sending Watson events
# Deprecated since February 2015 update http://support.microsoft.com/kb/3036437
docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul
-
name: Minimize Windows software trace preprocessor (WPP Software Tracing)
docs:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /f 2>nul
-
name: Disable auditing events in Microsoft Defender Application Guard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul
-
category: Disable Defender user interface
children:
-
name: Remove "Windows Security" system tray icon
docs: |-
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f 2>nul
-
name: Remove "Scan with Microsoft Defender" from context menu
docs:
- https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/
- https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html
code: |-
reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul
reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f 2>nul
reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
revertCode: |-
reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
-
name: Remove "Windows Security" icon from taskbar
docs: |-
This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703
and was originally named "Windows Defender Security Center" [1].
The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3].
The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2
and Windows 10 22H2) with default value of `%windir%\system32\SecurityHealthSystray.exe`.
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
[2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?"
[3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io"
code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f
-
name: Disable Microsoft Defender Antimalware (AM) user interface
docs: |-
This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially
preventing user interactions with the Microsoft Defender Antivirus interface.
Several reasons to hide the antivirus interface:
1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing
its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more
in control of their data when they aren't constantly reminded of a running security service.
2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans.
Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share
more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances.
3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender
Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to
a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently
triggering options that might share data.
4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface
but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that
access has been restricted by the system administrator [2].
The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the
`HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1].
[1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode"
[2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn"
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul
-
name: Minimize threat history access to administrators
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode
call:
-
function: SetMpPreference
parameters:
property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode
value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True
default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul
-
category: Disable sections in "Windows Security"
docs: |-
This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in
Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1].
"Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display
in a restricted mode [1].
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
children:
-
name: Disable "Virus and threat protection" section in "Windows Security"
docs: |-
- [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection)
- [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul
-
name: Disable "Ransomware data recovery" section in "Windows Security"
docs: |-
[Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul
-
name: Disable "Family options" section in "Windows Security"
docs: |-
- [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options)
- [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul
-
name: Disable "Device performance and health" section in "Windows Security"
docs: |-
- [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health)
- [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul
-
name: Disable "Account protection" section in "Windows Security"
docs: |-
- [Account protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection)
- [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul
-
name: Disable "App and browser control" section in "Windows Security"
docs: |-
- [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control)
- [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul
-
category: Disable device security sections
children:
-
name: Disable "Device security" section in "Windows Security"
docs: |-
- [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security)
- [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul
-
name: Disable "Clear TPM" button in "Windows Security"
docs: |-
- [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button)
- [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul
-
name: Disable "Secure boot" section in "Windows Security"
docs: |-
[Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul
-
name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security"
docs: |-
[Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul
-
name: Disable "TPM Firmware Update" recommendation in "Windows Security"
docs: |-
- [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation)
- [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul
-
category: Disable Defender notifications
children:
-
category: Disable Windows Security notifications
docs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications
children:
-
name: Disable all Defender notifications
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disablenotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul
-
name: Disable non-critical Defender notifications
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disableenhancednotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul
-
name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above
docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f 2>nul
-
name: Disable all Defender Antivirus notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress
code: |- # The policy is machine-scoped (Computer Configuration), so its value lives under HKLM, not HKCU
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul
reg delete "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul
-
name: Disable Defender reboot notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul
-
category: Disable OS components for Defender # The hacker's way of disabling Defender
children:
-
category: Disable Defender tasks
children:
-
name: Disable "Windows Defender ExploitGuard" task
docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
code: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable
-
name: Disable "Windows Defender Cache Maintenance" task
# The cache is the storage for temporary files that Microsoft Defender has quarantined
# or is still checking. Running this task clears that cache.
docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
-
name: Disable "Windows Defender Cleanup" task
docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
# Periodic cleanup task
# Clears up files that are not needed anymore by Microsoft Defender.
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable
-
name: Disable "Windows Defender Scheduled Scan" task # Does not exist in Windows 11
docs:
- https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d
- https://winbuzzer.com/2020/05/26/windows-defender-how-to-perform-a-scheduled-scan-in-windows-10-xcxwbt/
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable 2>nul
-
name: Disable "Windows Defender Verification" task
# Checks whether Windows Defender has any problems, such as with updates or system files.
# Creates daily restore points
docs:
- https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
- https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426
- https://www.windowsphoneinfo.com/threads/same-problems-with-windows-defender-verification-and-scan-tasks.121489/#Same_problems_with_Windows_Defender_Verification_and_Scan_Tasks
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable
-
category: Disable Defender services and drivers
# Normally, users can disable services from the GUI or with commands such as "sc config".
# Defender services, however, are protected in different ways:
# 1. Some cannot be disabled normally (access error) but only with DisableServiceInRegistry.
# 2. Some cannot be disabled even with DisableServiceInRegistry and must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller.
children:
-
name: Disable "Microsoft Defender Antivirus Service"
# ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender
# E.g. `Set-MpPreference -Force -MAPSReporting 0` throws:
# `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.`
# `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference`
docs: http://batcmd.com/windows/10/services/windefend/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WinDefend" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f & sc start "WinDefend" >nul 2>&1
# - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
# function: SoftDeleteFiles
# parameters:
# fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
# grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
category: Disable Defender kernel-level drivers
children:
# - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only
-
name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service
docs: http://batcmd.com/windows/10/services/wdnisdrv/
call:
# Excluding:
# - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
-
function: RunInlineCodeAsTrustedInstaller
parameters:
# "net stop" is used because it also stops dependent services; "sc stop" fails
code: net stop "WdNisDrv" /yes >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "3" /f & sc start "WdNisDrv" >nul
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service
docs:
- https://www.n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
- http://batcmd.com/windows/10/services/wdfilter/
call:
# Excluding:
# - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdFilter" >nul & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdFilter" >nul
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Microsoft Defender Antivirus Boot Driver" service
docs: http://batcmd.com/windows/10/services/wdboot/
call:
# Excluding:
# - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdBoot" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "0" /f & sc start "WdBoot" >nul 2>&1
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Microsoft Defender Antivirus Network Inspection" service
docs:
- http://batcmd.com/windows/10/services/wdnissvc/
- https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdNisSvc" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "2" /f & sc start "WdNisSvc" >nul 2>&1
# - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
# function: SoftDeleteFiles
# parameters:
# fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
# grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Windows Defender Advanced Threat Protection Service" service
docs: http://batcmd.com/windows/10/services/sense/
call:
-
function: RunInlineCodeAsTrustedInstaller # We must disable it on registry level, "Access is denied" for sc config
parameters:
code: sc stop "Sense" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "3" /f & sc start "Sense" >nul 2>&1 # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Windows Security Service" service
docs: |-
This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1].
This service provides unified device protection and health information [2] [3].
It was introduced in Windows 10, version 1703 as part of the "Windows Security" interface, which was earlier named "Windows Defender Security Center" [2].
Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1].
By default, the service's startup type is Manual [2], but it is observed to run automatically on Windows 10 and 11.
The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1].
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
[2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com"
[3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io"
[4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states
call:
-
# Windows 10:
# ❌ Cannot disable through sc config as Administrator; throws "Access is denied"
# ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works
# ✅ Can disable using registry as TrustedInstaller
# Windows 11:
# ❌ Cannot disable through sc config as Administrator; throws "Access is denied"
# ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed."
# ✅ Can disable using registry as TrustedInstaller
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "SecurityHealthService" >nul 2>&1 & reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 3 /f & sc start "SecurityHealthService" >nul 2>&1
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\SecurityHealthService.exe'
grantPermissions: true # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
category: Disable SmartScreen
docs:
- https://en.wikipedia.org/wiki/Microsoft_SmartScreen
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview
children:
-
category: Disable SmartScreen for apps and files
children:
-
name: Disable SmartScreen for apps and files
docs:
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /f 2>nul
-
name: Disable SmartScreen in File Explorer
docs:
- https://winaero.com/change-windows-smartscreen-settings-windows-10/
- https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul
-
name: Disable SmartScreen's prevention of application execution
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /f 2>nul
-
category: Disable SmartScreen in Microsoft browsers
children:
-
name: Disable SmartScreen in Edge (Chromium) for potentially unwanted apps
docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /f 2>nul
-
name: Disable Edge SmartScreen
docs:
- https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ # Privacy concerns
- https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen
- https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreen-settings
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713
- https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
:: For Microsoft Edge version 77 or later
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul
reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul
reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul
:: For Microsoft Edge version 77 or later
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /f 2>nul
-
name: Disable SmartScreen in Internet Explorer
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /f 2>nul
-
category: Disable SmartScreen for Windows Store apps
children:
-
name: Disable SmartScreen's "App Install Control" feature
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f
revertCode: |-
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul
-
name: Disable SmartScreen's web content (URLs) checking for apps
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul
-
category: Disable automatic updates
docs: |-
Disabling automatic updates is often considered counterintuitive when it comes to securing your system. However, there are substantial arguments
to consider this option if you're privacy-centric:
1. **Patching and Pre-Approval**: Manual control over update deployment allows for pre-emptive approval of patches. This strategy is useful
in environments requiring the highest level of security. For instance, military agencies frequently employ air-gapped systems that mandate
careful review of each update to mitigate risks such as potential backdoors or data leaks. Similarly, financial institutions often
resort to staged rollouts of updates, subjecting them to an in-depth analysis of their implications on security and privacy before broad
implementation.
2. **Telemetry and Data Transmission**: Automatic updates often come embedded with telemetry data collection mechanisms. Disabling these
updates facilitates granular control over the data transmitted back to Microsoft servers. Thus, the decision to disable automatic updates
allows you to control the timing and nature of information relayed to these servers.
3. **Peer-to-Peer Data Exposure**: Windows employs a Peer-to-Peer (P2P) approach to facilitate update distribution, which can
reveal your IP address and some system details to peer systems [1].
4. **Configuration integrity**: Updates have the capacity to change pre-configured settings without explicit user consent. This could
result in unintended alteration of your privacy settings, leaving you exposed until you notice the change.
**Security implications**: While controlling updates enhances your privacy, it can leave your system vulnerable to unpatched exploits.
Ensure that you manually review and apply updates on a regular basis. You're essentially trading off some security for a heightened level of
privacy.
[1]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn"
children:
-
name: Disable Automatic Updates (AU) feature
docs: |-
This script deactivates the Automatic Updates feature in Windows. By disabling Automatic Updates,
you gain control over when your system is updated, which may be preferable in specific
privacy-sensitive environments.
The script changes a specific setting in your computer's registry, a value called `NoAutoUpdate`, which has
two possible states [1] [2]:
- `0`: Automatic Updates are enabled.
- `1`: Automatic Updates are disabled.
By default, Windows comes with Automatic Updates enabled, meaning `NoAutoUpdate` is set to `0` [3].
Running this script sets `NoAutoUpdate` to `1`, turning off Automatic Updates [1] [2] [3].
In doing so, you prevent your computer from automatically receiving updates, a feature
that could be considered intrusive or unwanted in some privacy-conscious settings.
It configures your computer not to download and install updates automatically without your explicit permission.
[1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a NonActive Directory Environment | Microsoft Learn"
[2]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support"
[3]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
call:
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f
# Default value is `0` since Windows 10 21H2 and Windows 11 21H2
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
-
name: Disable automatic installation of Windows updates without user consent
docs: |-
This script changes how your Windows computer handles automatic updates by modifying the `AUOptions` registry value.
After running this script, your computer will notify you before downloading any updates [1] [2] [3].
In the default setup, your Windows system is configured to download and install updates automatically without notifying you [4].
This means that new updates could be installed on your system without your explicit approval.
By forcing Windows to notify you before downloading updates, this script hands back control over your system to you.
This feature enhances your privacy and minimizes risks because you get to manually review and approve each update before it's installed.
To explain the technical aspect, `AUOptions` is a registry value stored under the
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` key in your computer's registry [1] [3].
A value of `2` for `AUOptions` means that you will be notified before any updates are downloaded and installed [1] [2].
On older versions of Windows, setting this value to `1` would prevent the system from even checking for updates [5].
However, starting from Windows 10, the value `1` has a different meaning [2] [3].
Running this script doesn't disable updates; it just ensures that you are informed and have the final say on
whether to download them or not.
[1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a NonActive Directory Environment | Microsoft Learn"
[2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20230815051303/https://learn.microsoft.com/en-us/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart "Manage device restarts after updates - Windows Deployment | Microsoft Learn"
[4]: https://web.archive.org/web/20230826081345/https://learn.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent "Update Windows Update Agent to latest version - Windows Client | Microsoft Learn"
[5]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support"
call:
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
# Default value is `4` since Windows 10 21H2 and Windows 11 21H2
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "4" /f
-
name: Disable automatic daily installation of Windows updates
docs: |-
This script stops Windows from automatically installing updates every day. By doing so, you gain control over when updates
happen on your computer [1] [2].
By default, Windows is set to automatically update every day [2]. Having control over the update timing allows you to review
what is being changed, thereby protecting your privacy and enhancing your system's security.
Technically, what the script does is remove a specific setting from the computer's registry: the `ScheduledInstallDay` value
under the `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` key [1] [2].
Disabling the scheduled install day ensures that updates won't be forcibly applied on a specific day of the week.
[1]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
[2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday "Update Policy CSP - Windows Client Management | Microsoft Learn"
call:
function: RunInlineCode
parameters:
code: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
revertCode: |-
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
-
name: Disable scheduled automatic updates
docs: |-
This script turns off the automatic installation of Windows updates that are set to occur at a specific time.
By doing this, you take back control over when your computer updates itself [1] [2] [3].
The default behavior is to install updates at 3 AM [3].
Windows updates can be important for system security, but automatic installation could occur at inconvenient times and may even
restart your computer without prior warning. This could interrupt your tasks and may send data about your system to external servers.
By disabling the automatic scheduled installation time, you can manually control when updates are installed [3], ensuring that you're
aware of any changes to your system.
The script works by removing a specific registry value called `ScheduledInstallTime` under the
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` key [2] [3]. This is the system setting that controls the scheduled update time.
[1]: https://web.archive.org/web/20230813094618/https://learn.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152 "Configure Automatic Updates in a NonActive Directory Environment | Microsoft Learn"
[2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime "Update Policy CSP - Windows Client Management | Microsoft Learn"
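As an added, read-only audit example in PowerShell (not privacy.sexy code), the following reads back the Defender service `Start` values from the "Disable Defender services and drivers" category above together with the `NoAutoUpdate`, `AUOptions`, `ScheduledInstallDay` and `ScheduledInstallTime` policy values described in this category, and flags where they differ from the defaults that these scripts' `revertCode` restores. The function names are chosen for this example; the expected values are taken from this file and apply to Windows 10 and 11 22H2 as documented here.

```powershell
# Read-only audit of the registry values and service startup types that the scripts in this
# collection modify. Added example, not privacy.sexy code. Expected values are the revertCode
# and documented defaults in this file (Windows 10 and 11 22H2); other builds may differ.
# Run from an elevated PowerShell session; nothing is changed, only reported.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$AuPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of a service key's "Start" DWORD.
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Defender services and drivers, with the Start value each revertCode above restores.
$DefenderServices = [ordered]@{
    'WinDefend'             = 2  # Microsoft Defender Antivirus Service
    'WdNisDrv'              = 3  # Network Inspection System driver
    'WdFilter'              = 0  # Mini-filter driver
    'WdBoot'                = 0  # Boot driver
    'WdNisSvc'              = 2  # Network Inspection service
    'Sense'                 = 3  # Advanced Threat Protection service
    'SecurityHealthService' = 3  # Windows Security Service
}

# Documented meanings of AUOptions; the script above sets 2, the Windows default is 4.
$AuOptionNames = @{
    2 = 'Notify before download and install'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install'
    5 = 'Local administrator chooses the setting'
}

function Get-RegistryDword {
    # Returns the DWORD data, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-DefenderServiceState {
    # One row per Defender service or driver; Deviates is $true when Start differs from the
    # default, including when the service key is missing.
    foreach ($entry in $DefenderServices.GetEnumerator()) {
        $actual = Get-RegistryDword -Path (Join-Path $ServicesRoot $entry.Key) -Name 'Start'
        $actualName = if ($null -eq $actual) { 'missing' } else { $StartNames[$actual] }
        [PSCustomObject]@{
            Service  = $entry.Key
            Expected = $StartNames[$entry.Value]
            Actual   = $actualName
            Deviates = ($actual -ne $entry.Value)
        }
    }
}

function Get-AuValueMeaning {
    # Translates one AU policy value into the behaviour the docs above describe.
    param([string]$Name, [object]$Data)
    if ($null -eq $Data) { return 'not set by policy (Windows default applies)' }
    switch ($Name) {
        'NoAutoUpdate' { if ($Data -eq 1) { 'Automatic Updates disabled' } else { 'Automatic Updates enabled' } }
        'AUOptions'    { if ($AuOptionNames.ContainsKey([int]$Data)) { $AuOptionNames[[int]$Data] } else { "unknown value $Data" } }
        default        { "scheduled by policy: $Data" }
    }
}

function Get-UpdatePolicyState {
    # Reports the AU policy values the update scripts in this file write or delete.
    foreach ($name in 'NoAutoUpdate', 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime') {
        $data = Get-RegistryDword -Path $AuPolicyKey -Name $name
        [PSCustomObject]@{
            Value     = $name
            Data      = $data
            Meaning   = Get-AuValueMeaning -Name $name -Data $data
            PolicySet = ($null -ne $data)
        }
    }
}

function Get-UpdateServiceState {
    # Startup types the docs above give as defaults; StartType exists on PowerShell 5 and later.
    $expected = [ordered]@{ 'wuauserv' = 'Manual'; 'UsoSvc' = 'Automatic'; 'WaaSMedicSvc' = 'Manual' }
    foreach ($entry in $expected.GetEnumerator()) {
        $svc = Get-Service -Name $entry.Key -ErrorAction SilentlyContinue
        $actual = if ($null -eq $svc) { 'missing' } else { [string]$svc.StartType }
        [PSCustomObject]@{
            Service  = $entry.Key
            Expected = $entry.Value
            Actual   = $actual
            Deviates = ($actual -ne $entry.Value)
        }
    }
}

Write-Host 'Defender services and drivers (Start value in the registry):'
Get-DefenderServiceState | Format-Table -AutoSize
Write-Host 'Windows Update policy values under HKLM\...\WindowsUpdate\AU:'
Get-UpdatePolicyState | Format-Table -AutoSize
Write-Host 'Windows Update services (startup type):'
Get-UpdateServiceState | Format-Table -AutoSize
```

A row with `Deviates` set to `True` or `PolicySet` set to `True` means the machine no longer matches the defaults this file documents, which is the state these scripts (or anything else writing the same keys) leave behind.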
call:
function: RunInlineCode
parameters:
code: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
revertCode: |-
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
-
category: Disable Windows update services
docs: |-
The scripts in this category offer users the ability to control Windows services related to system updates.
These services manage how and when your system receives updates from Microsoft. By limiting or disabling these services,
users can decide when to update their system, reducing unexpected changes. Moreover, a system with fewer running
services uses fewer resources, which can improve overall performance.
Disabling these update services is also a privacy measure. Some updates can change privacy settings or add features that
collect user data. By controlling update services, users can review and approve any changes before they take effect.
children:
-
name: Disable "Windows Update" (`wuauserv`) service
docs: |-
This script turns off the Windows Update service, which is technically known as Windows Update Agent [1] [2].
By disabling this service, the automatic detection, download, and installation of updates for both Windows and other
installed programs are halted [3] [4].
Updates can often come bundled with changes that could affect your privacy settings or introduce features that collect
more of your data. Taking control of when and how updates are applied provides you with the opportunity to review any changes
before they take effect.
By default, the service is enabled and set to start up manually [5].
If you disable this service, you won't be able to use the Windows Update feature for automatic updates [5]. Additionally,
other software on your computer won't be able to access the functionalities provided by the Windows Update Agent,
commonly known as WUA API [5].
[1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn"
[4]: https://web.archive.org/web/20230905120345/https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing "Patching Server Core | Microsoft Learn"
[5]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
call:
function: DisableService
parameters:
serviceName: wuauserv # Check: (Get-Service -Name 'wuauserv').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Update Orchestrator Service" (`UsoSvc`)
docs: |-
This script disables the Update Orchestrator Service, also known as "Update Orchestrator Service for Windows Update" [1].
This service is in charge of managing the download and installation of Windows updates [1] [2].
By default, the service is enabled and set to start up manually [1].
While updates can be crucial for the security of your system, this service can sometimes install them without your approval.
This lack of control can pose risks to your privacy, as data might be sent from your system without your knowledge.
Windows Update relies on this service [1] [3].
If stopped, your devices will not be able to download and install the latest updates [1].
Turning off this service can affect the update process and might cause issues like freezing during update scanning [3].
[1]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
[2]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn"
[3]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
call:
function: DisableService
parameters:
serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable "Windows Update Medic Service" (`WaaSMedicSvc`)
docs: |-
This script disables the Windows Update Medic Service. This service runs quietly in the background [1],
making sure that the components related to Windows Update are working as they should [1] [2].
By default, the service is enabled and its startup type is set to manual [3].
This service can undo adjustments you have made to your Windows Update settings without your consent.
For example, it can re-enable automatic Windows updates [4].
That interferes with settings you have tailored for better privacy or security.
Disabling this service keeps the Windows Update configuration you chose in place, so that you decide how
your system handles updates and the data transfers that come with them.
[1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322—Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support"
[2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[4]: https://github.com/undergroundwires/privacy.sexy/issues/252
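The three update-service scripts above (`wuauserv`, `UsoSvc`, `WaaSMedicSvc`) all come down to the service's startup type, and for `WaaSMedicSvc` the change has to be made through the registry because `sc config` is refused. The following is an added example, not code from privacy.sexy, that audits each service by comparing what the Service Control Manager reports with the `Start` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\<name>`, and that writes that value directly with a `-WhatIf` dry run. The function names are this example's own; the `Start` value meanings (2 = Automatic, 3 = Manual, 4 = Disabled) are the documented ones. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of privacy.sexy): audit the Windows Update services and,
# where 'sc config' answers "Access is denied", set the startup type via the registry.
$UpdateServices = 'wuauserv', 'UsoSvc', 'WaaSMedicSvc'

# Documented meaning of the 'Start' DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$StartValueMeaning = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartAudit {
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($svc in $Name) {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $props = Get-ItemProperty -Path $key -ErrorAction Stop
        $scm   = Get-Service -Name $svc -ErrorAction Stop
        [pscustomobject]@{
            Service          = $svc
            Status           = $scm.Status
            ScmStartType     = $scm.StartType                    # what services.msc / 'sc qc' show
            RegistryStart    = $props.Start                      # 2, 3 or 4
            RegistryMeaning  = $StartValueMeaning[[int]$props.Start]
            DelayedAutoStart = [bool]$props.DelayedAutoStart     # only meaningful when Start = 2
        }
    }
}

function Set-ServiceStartViaRegistry {
    # Writes the 'Start' value directly; the Service Control Manager applies it at the next boot.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('Automatic', 'Manual', 'Disabled')][string]$StartupType
    )
    $value = @{ Automatic = 2; Manual = 3; Disabled = 4 }[$StartupType]
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if ($PSCmdlet.ShouldProcess($Name, "Set Start=$value ($StartupType)")) {
        Set-ItemProperty -Path $key -Name Start -Value $value -Type DWord
    }
}

Get-ServiceStartAudit -Name $UpdateServices | Format-Table -AutoSize

# Dry run first; drop -WhatIf to apply. Revert by passing the default mode recorded in this file.
Set-ServiceStartViaRegistry -Name WaaSMedicSvc -StartupType Disabled -WhatIf
```

The audit is what to run after applying or reverting any of the three scripts: a mismatch between `ScmStartType` and `RegistryMeaning` means the registry write has not been picked up yet (a reboot is pending), and `DelayedAutoStart` explains why a service whose registry value says `Automatic` is not yet running right after boot.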
call:
function: DisableServiceInRegistry
# Since Windows 10 21H2 and Windows 11 21H2:
# - Using `sc config` results in "Access is denied", so the registry must be used to disable the service.
# - Default startup mode is Manual
parameters:
serviceName: WaaSMedicSvc # Check: (Get-Service -Name 'WaaSMedicSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Configure how downloaded files are handled
docs: |-
These scripts configure the Attachment Manager included in Windows, which takes further actions for
files that you receive or download, such as storing classification metadata and notifying other software [1].
[1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
children:
-
name: Disable saving of zone information in downloaded files
docs: |-
This script disables marking file attachments with their zone information.
By default, Windows marks file attachments with their zone information [1].
The zone information describes whether the file originated from the Internet,
intranet, local, or restricted zone [1].
It is used by the Attachment Manager included in Windows to help protect the computer from
unsafe attachments that can be received in e-mail messages or downloaded from the Internet [2].
If the Attachment Manager identifies an attachment that might be unsafe, it prevents you from
opening the file, or it warns you before you open the file [2].
Preventing this information from being saved:
- Increases privacy by no longer recording where the file came from.
- Decreases security by preventing Windows from determining risks and taking risk-based actions [1].
Without the zone information, Windows cannot make proper risk assessments [3].
Disabling it has **Significant** criticality as the configuration introduces additional attack
surface according to the US government [4].
The Attachment Manager feature warns users when opening or executing files which are marked as
being from an untrusted source, unless/until the file's zone information has been removed via
the "Unblock" button on the file's properties or via a separate tool such as
[Microsoft Sysinternals Streams](https://docs.microsoft.com/en-us/sysinternals/downloads/streams) [4].
It is configured using the `SaveZoneInformation` value in the
`\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4].
The meaning of this value is confusing: according to Microsoft documentation
`1` turns it on [2] [3] and `2` turns it off [2] [3], whereas STIG V-63841 states that `1` disables
saving zone information and `2` enables it [1]. According to my tests, the STIG interpretation is right:
`1` disables this function.
In clean Windows 10 and 11 installations, this value is missing by default under both `HKCU` and `HKLM`.
[1]: https://www.stigviewer.com/stig/windows_10/2019-09-25/finding/V-63841 "Zone information must be preserved when saving attachments. | stigviewer.com"
[2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
[3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_MarkZoneOnSavedAtttachments "Do not preserve zone information in file attachments | admx.help"
[4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov"
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /f 2>nul
-
name: Disable notifications to antivirus programs for downloaded files
docs: |-
Prevents Windows from calling the registered antivirus programs when file attachments are opened [1] [2].
Windows calls the registered antivirus programs for files downloaded from the Internet or received as e-mail attachments [1].
If multiple programs are registered, they are all notified [1] [3].
This policy is disabled by default, so even if you do not run this script, Windows does not call the registered
antivirus programs when file attachments are opened [1].
If it is enabled, Windows blocks the file from being opened when the antivirus program fails [1]. Enabling it is the setting
recommended by Microsoft [1].
Preventing the antivirus call:
- Increases privacy by not proactively sharing your file data with installed antivirus programs.
- Decreases security by no longer detecting and mitigating potentially malicious software. Disabling it has **Moderate**
criticality as it is not an appropriate antivirus configuration according to the US government [4].
An updated antivirus program must be installed for this policy setting to function properly [4].
It is configured using the `ScanWithAntiVirus` value in the
`\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4].
`3` enables the scans [1] [2] [3], `1` disables them [1] [3], and `2` leaves it optional [1].
In clean Windows 10 and 11 installations, this value is present by default with `3` in
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus`,
and missing under `HKCU`.
[1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
[2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com"
[3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help"
[4]: https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov"
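Both Attachment Manager scripts (the `SaveZoneInformation` one above and this `ScanWithAntiVirus` one) act on the same policy key, and the first one governs the `Zone.Identifier` alternate data stream that the "Unblock" button removes. The following added example, not code from privacy.sexy, reads both values from `HKLM` and `HKCU` so you can see which hive is actually configured, then shows the stream on a constructed sample file tagged as if it came from the Internet zone (`ZoneId=3`) and removes it with `Unblock-File`. The function names and the temporary file are this example's own; it needs an NTFS `%TEMP%`, since alternate data streams only exist on NTFS.

```powershell
# Added example (not part of privacy.sexy): inspect the Attachment Manager policy values and
# demonstrate the Zone.Identifier stream ("Mark of the Web") that SaveZoneInformation controls.
$PolicyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'

function Get-AttachmentManagerPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\$PolicyPath"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue   # $null when the key is absent
        [pscustomobject]@{
            Hive                = $hive
            SaveZoneInformation = $props.SaveZoneInformation   # absent = zone is preserved; 1 = not preserved
            ScanWithAntiVirus   = $props.ScanWithAntiVirus     # 3 = scan, 1 = off, 2 = optional
        }
    }
}

function Test-MarkOfTheWeb {
    # Constructed sample: a harmless text file carrying the stream a browser would write for a download.
    $file = Join-Path $env:TEMP ('motw-demo-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $file -Value 'sample'
    Set-Content -Path $file -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

    $before = Get-Item -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
    Unblock-File -Path $file   # same effect as the "Unblock" button in the file's properties
    $after  = Get-Item -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
    Remove-Item -Path $file

    [pscustomobject]@{
        TaggedBeforeUnblock = [bool]$before   # True: the stream was written
        TaggedAfterUnblock  = [bool]$after    # False: Unblock-File removed it
    }
}

Get-AttachmentManagerPolicy | Format-Table -AutoSize
Test-MarkOfTheWeb
```

Run `Get-AttachmentManagerPolicy` once before and once after applying either script: the scripts write to `HKLM`, so a value that shows up under `HKCU` was set elsewhere (for example by Group Policy) and will not be reverted by the `revertCode` in this file. With `SaveZoneInformation` set to `1`, new downloads will no longer carry the stream that `Test-MarkOfTheWeb` writes by hand.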
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "ScanWithAntiVirus" /t REG_DWORD /d "3" /f
-
name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface)
docs: |-
This script uninstalls the "Windows Security app" [1], also known as `SecHealthUI` [1] [2] [3].
The Windows Security app is a tool that aids users in safeguarding their computer systems [4]. It monitors the computer's health
state and provides alerts and guidance to address vulnerabilities, making these alerts visible through the Action Center [4].
While this enhances privacy, there's a trade-off with security. It can make the computer more vulnerable to threats, as it will no
longer alert the user about existing vulnerabilities and will not communicate updates to Action Center, where they are displayed to
the end user [4]. It will also break the user interface that allows you to configure other Windows security features, such as
Tamper Protection [5].
Uninstalling the Windows Security app enhances privacy by reducing the digital footprint and the amount of personal and system data collected and
made visible:
- **Reduced Digital Footprint**: Removing the Windows Security app can minimize the amount of personal and system data that is collected, shown
and sent to Microsoft, providing users with more control over their information. This reduces the amount of data that can be used to study your
behavior, such as by inspecting the detected threats that are visible in your Windows Security app [6]. Without the Windows Security app, the system
leaves fewer digital traces that can be exploited to track user behavior or gather sensitive information.
- **More control over security settings**: Removing the user interface forces the system owner to make changes programmatically, which reduces the
risk of unintended misconfigurations and restricts access for other users of the computer.
- **Limited Notifications and Alerts**: Users gain freedom from incessant notifications and alerts, which may sometimes inadvertently share
sensitive system or user data.
- **User Autonomy Over System Security**: Users have the autonomy to choose alternative security measures and software, potentially opting
for solutions that prioritize privacy and have a more robust commitment to not sharing user data.
- **Enhanced anonymity**: This application is under [Microsoft's privacy policy](https://web.archive.org/web/20231006114659/https://privacy.microsoft.com/en-us/privacystatement),
which allows Microsoft to send your data to remote entities and to communicate constantly with Microsoft servers.
This app comes pre-installed on certain versions of Windows [7] [8].
This is a separate app from each of the individual Defender features [9], and it is updated independently from the OS [10]. Even after
uninstallation, Windows will continue to send security notifications unless those notifications are separately disabled [11]. In a similar manner,
uninstalling the Windows Security app does not disable Microsoft Defender Antivirus or the Microsoft Defender Firewall [12].
> **Caution:** Uninstalling the Windows Security app is a significant action that should be undertaken with a clear understanding of the implications for
the security and operation of your computer system.
[1]: https://web.archive.org/web/20231006113851/https://support.microsoft.com/en-us/topic/windows-security-update-a6ac7d2e-b1bf-44c0-a028-41720a242da3 "Windows Security Update - Microsoft Support"
[2]: https://github.com/undergroundwires/privacy.sexy/issues/195 "[BUG]: Uninstalling the SecHealthUI fails, despite the app being installed. · Issue #195 · undergroundwires/privacy.sexy"
[3]: https://web.archive.org/web/20231006113903/https://download.microsoft.com/download/e/1/0/e10a6884-2e7a-4d80-ac2f-884c39a2a1b2/5001337.csv "Services CSV file | microsoft.com"
[4]: https://web.archive.org/web/20231006113932/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn"
[5]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support"
[6]: https://web.archive.org/web/20231006115719/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows | Microsoft Learn"
[7]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[9]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn"
[10]: https://web.archive.org/web/20231006115836/https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936 "KB5020779 The vulnerable driver blocklist after the October 2022 preview release - Microsoft Support"
[11]: https://web.archive.org/web/20231006115826/https://support.microsoft.com/en-us/windows/windows-security-notifications-6a59ce6a-e1e0-4795-b080-ba92d49644b2 "Windows Security notifications - Microsoft Support"
[12]: https://web.archive.org/web/20231006115845/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide "Microsoft Defender Antivirus in the Windows Security app | Microsoft Learn"
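Because the app is only the user interface, the protections it displays keep running after it is removed, and the only way left to see their state is the command line. The following added example, not code from privacy.sexy, checks whether the `SecHealthUI` package is still present and reads the Defender Antivirus, Tamper Protection and firewall state from the `Defender` and `NetSecurity` PowerShell modules that ship with Windows. The function name is this example's own; the `Get-MpComputerStatus` cmdlet is only available while Microsoft Defender Antivirus itself is installed, so its absence is reported rather than treated as an error.

```powershell
# Added example (not part of privacy.sexy): after removing the SecHealthUI package, confirm
# from the command line that the protections the app only displays are still active.
function Get-SecurityStateWithoutUi {
    $app = Get-AppxPackage -Name 'Microsoft.Windows.SecHealthUI' -ErrorAction SilentlyContinue

    # Defender cmdlets come from the Defender module; they are absent if Defender itself was removed.
    $mp = $null
    if (Get-Command -Name Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
    }

    $fwOn = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -eq 'True' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        SecHealthUiInstalled    = [bool]$app
        DefenderModulePresent   = [bool]$mp
        AntivirusEnabled        = $mp.AntivirusEnabled
        RealTimeProtectionOn    = $mp.RealTimeProtectionEnabled
        TamperProtected         = $mp.IsTamperProtected      # the toggle whose UI this script removes
        FirewallProfilesEnabled = ($fwOn -join ', ')
    }
}

Get-SecurityStateWithoutUi | Format-List
```

Expected after running this script: `SecHealthUiInstalled` is `False` while `AntivirusEnabled`, `RealTimeProtectionOn` and the firewall profiles are unchanged from before. Note that Tamper Protection can no longer be toggled from a GUI once the app is gone, so record `TamperProtected` before applying the script if you intend to change it later.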
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Windows.SecHealthUI
packageName: Microsoft.Windows.SecHealthUI
publisherId: cw5n1h2txyewy
-
category: UI for privacy
children:
-
name: Disable lock screen app notifications
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687
-
category: Disable online content in File Explorer
children:
-
name: Disable online tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f
-
name: Disable "Internet File Association" service
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f
-
name: Disable "Order Prints" picture task
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f
-
name: Disable "Publish to Web" option for files and folders
recommend: standard
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f
-
name: Disable provider list downloads for wizards
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f
-
category: Secure recent document lists
children:
-
name: Disable history of recently opened documents
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f
-
name: Clear recently opened document history upon exit
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 0 /f
-
name: Disable Live Tiles push notifications
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification
code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f
-
name: Disable the "Look For An App In The Store" option
recommend: standard
docs:
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f
-
name: Disable the display of recently used files in Quick Access
recommend: strict
docs:
- https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent
- https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5
- https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node
code: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t "REG_DWORD" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
)
revertCode: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d "1" /t "REG_DWORD" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
)
-
name: Disable sync provider notifications
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f
-
name: Disable hibernation for faster startup and to avoid sensitive data storage
docs: |-
This script turns off the hibernation feature. Hibernate is a power-saving state that saves your current work and turns
off the computer [1]. When your computer hibernates, it saves the contents of its RAM to your hard disk and powers off the machine [2]. Upon starting
again, your computer restores all the open programs and documents from your hard disk to its RAM [1].
If hibernation is enabled, sensitive data held in RAM is written to disk [2]. The memory can contain private data, passwords, keys and so
on, which could then be read by malicious software or by people with physical access to the computer. By disabling hibernation, this script reduces the risk
of such potential privacy breaches.
It configures hibernation using the `powercfg` command line tool [3].
[1]: https://web.archive.org/web/20230806164910/https://support.microsoft.com/en-us/windows/shut-down-sleep-or-hibernate-your-pc-2941d165-7d0a-a5e8-c5ad-8c972e8e6eff
[2]: https://web.archive.org/web/20230712211259/https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-sleeping-states
[3]: https://web.archive.org/web/20230806165041/https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
code: powercfg -h off
revertCode: powercfg -h on
-
name: Enable camera on/off OSD notifications
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled
- https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5
- https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e
code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /d 1 /t REG_DWORD /f
revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f
-
category: Remove items from "This PC" and "Browse" in dialog boxes
children:
-
name: Remove "3D Objects" from dialog boxes
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Remove "Desktop" from dialog boxes
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Remove "Documents" from dialog boxes
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Remove "Downloads" from dialog boxes
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Remove "Movies" from dialog boxes
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Remove "Music" from dialog boxes
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Remove "Pictures" from dialog boxes
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
category: Disable OS services
children:
-
name: Disable "Microsoft Account Sign-in Assistant" service (breaks Microsoft Store and Microsoft Account sign-in)
recommend: strict
docs:
# **Summary**
# This script gives you more privacy by preventing OS access to Azure AD to store your personal
# and computer information that can be used to identify you and your computer.
# However it breaks many OS features so you should make a decision based on how you'd like to use
# your Windows. You can also apply and revert it once you need the broken functionality.
# **Service**
# This service communicates with Microsoft Account cloud authentication service
# Many apps and system components that depend on Microsoft Account authentication may lose functionality.
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account
# It includes following description:
# > Enables user sign-in through Microsoft account identity services.
# > If this service is stopped, users will not be able to logon to the computer with their Microsoft account.
# Microsoft states it's OK to disable
- https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#microsoft-account-sign-in-assistant
# Formerly it was known as "Microsoft Windows Live ID Service"
# And used only for applications like Office and Windows Live Messenger
- https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/
# It's part of OS and used for Microsoft account (MSA) that's used to identify your computer
- https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual#required-endpoints
- https://docs.microsoft.com/en-us/troubleshoot/mem/intune/windows-feature-updates-never-offered
# **Breaks**
# ❗️ Breaks Azure AD sign-in
# It may break enrollment scenarios that rely on users to complete the enrollment.
# E.g. typically, users are shown an Azure AD sign in window.
# When set to Disable, the Azure AD sign in option may not show.
# Instead, users are asked to accept the EULA, and create a local account, which may not be what you want.
- https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#cloud-and-storage
- https://docs.microsoft.com/en-us/mem/autopilot/pre-provision#user-flow
# ❗️ Breaks Windows Autopilot
- https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot
# This service is required by Windows Autopilot to obtain the Windows Autopilot profile
- https://docs.microsoft.com/en-us/mem/autopilot/policy-conflicts
# ❗️ Breaks Microsoft Store
# On Windows 11 it fails with `PUR-AuthenticationFailure v3ZtcNH7IECS00iL.36.1`
# On Windows 10 it fails with `0x800706d9` and `0x800704cf`
- https://github.com/undergroundwires/privacy.sexy/issues/100
# ❗️ Breaks feature updates (but other features are still offered)
# Because it breaks the Subscription Activation feature (license authentication)
- https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates
- https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant
# Feature updates are released annually. Feature updates add new features and functionality to Windows.
# Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates
call:
function: DisableService
parameters:
serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Downloaded Maps Manager" service
recommend: standard
docs: http://batcmd.com/windows/10/services/mapsbroker/
call:
function: DisableService
parameters:
serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable "Microsoft Retail Demo" service
recommend: standard
docs: http://batcmd.com/windows/10/services/retaildemo/
call:
function: DisableService
parameters:
serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Disable synchronization of mail, contacts, calendar, and user data
children:
-
name: Disable "User Data Storage" (`UnistoreSvc`) service
docs: http://batcmd.com/windows/10/services/unistoresvc/
recommend: strict
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start
serviceName: UnistoreSvc
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
name: Disable "Sync Host" (`OneSyncSvc`) service
docs: http://batcmd.com/windows/10/services/onesyncsvc/
recommend: strict
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start
serviceName: OneSyncSvc
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
-
name: Disable "Contact Data" service (disables contact data indexing)
docs: http://batcmd.com/windows/10/services/pimindexmaintenancesvc/
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_*").Start
serviceName: PimIndexMaintenanceSvc
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
name: Disable "User Data Access" service
docs: http://batcmd.com/windows/10/services/userdatasvc/
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start
serviceName: UserDataSvc
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
name: Disable "MessagingService"
docs: http://batcmd.com/windows/10/services/messagingservice/
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start
serviceName: MessagingService
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
name: Disable "Windows Push Notification Service" (breaks network settings view on Windows 10)
recommend: strict
docs:
# It enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service.
# In the URL below you can read more about how it communicates with other sources.
- https://docs.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview
# Hosts Windows notification platform, which provides support for local and push notifications.
# According to the uncited Wikipedia article, it bypasses VPN and connects directly to Microsoft.
# This reveals the real IP address of the host, which circumvents the anonymity provided by the VPN.
- https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue
# System-wide service:
- http://batcmd.com/windows/10/services/wpnservice/
# Per-user service:
- http://batcmd.com/windows/10/services/wpnuserservice/
# Disabling the per-user service "WpnUserService" breaks access to network settings on Windows 10.
# It works fine on Windows 11.
- https://github.com/undergroundwires/privacy.sexy/issues/110
call:
-
function: ShowWarning
parameters:
message: Disabling Windows Push Notification Service on Windows 10 is known to break Network settings.
ignoreWindows11: true
- # Windows Push Notifications System Service
function: DisableService
parameters:
serviceName: WpnService # Check: (Get-Service -Name 'WpnService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- # Windows Push Notifications User Service
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService_*").Start
serviceName: WpnUserService
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
-
category: Disable Xbox services
children:
-
name: Disable "Xbox Live Auth Manager" service
recommend: standard
docs: https://batcmd.com/windows/10/services/xblauthmanager/
call:
function: DisableService
parameters:
serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Xbox Live Game Save" service
recommend: standard
docs: https://batcmd.com/windows/10/services/xblgamesave/
call:
function: DisableService
parameters:
serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Xbox Live Networking Service"
recommend: standard
docs: https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_v1.12.0.audit:413ad68866cc396f0bd1dd4ead7deb97
call:
function: DisableService
parameters:
serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Volume Shadow Copy Service" (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
- https://www.schneier.com/blog/archives/2009/12/the_security_im.html
call:
function: DisableService
parameters:
serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
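An added verification snippet, not part of privacy.sexy or this collection file, that audits the startup type of every service handled in the entries above. It reads the registry `Start` value that the `DisableService` and `DisablePerUserService` functions modify, for both the template key of a per-user service and each `Name_<hex>` instance key that Windows creates per logged-on user, and compares it with the `defaultStartupMode` each entry assumes. The expected-value table is copied from the entries above; the output format is this example's own choice.

```powershell
# Added example, not part of privacy.sexy: audit the startup type of every service
# handled in this section, including per-user service templates and their instances.
# A per-user service is registered as a template key (e.g. "UnistoreSvc") plus one
# instance key per logged-on user with a random hex suffix (e.g. "UnistoreSvc_4a2f1").
# The scripts above change the Start value under HKLM:\SYSTEM\CurrentControlSet\Services\<name>,
# so this reads that same value for the template and for every instance.

$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Service names used by the scripts above, with the default start mode each script assumes.
$expected = @{
    'wlidsvc'                = 'Manual'
    'MapsBroker'             = 'Automatic'
    'RetailDemo'             = 'Manual'
    'UnistoreSvc'            = 'Manual'
    'OneSyncSvc'             = 'Automatic'
    'PimIndexMaintenanceSvc' = 'Manual'
    'UserDataSvc'            = 'Manual'
    'MessagingService'       = 'Manual'
    'WpnService'             = 'Automatic'
    'WpnUserService'         = 'Automatic'
    'XblAuthManager'         = 'Manual'
    'XblGameSave'            = 'Manual'
    'XboxNetApiSvc'          = 'Manual'
    'VSS'                    = 'Manual'
}

# Enumerate the Services key once; individual subkeys may deny access even when elevated.
$serviceKeys = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

function Get-ServiceStartState {
    param([Parameter(Mandatory)][string] $Name)
    # Match the system-wide/template key and any per-user instance keys ("Name_<hex>").
    $serviceKeys |
        Where-Object { $_.PSChildName -eq $Name -or $_.PSChildName -like "${Name}_*" } |
        ForEach-Object {
            $start = (Get-ItemProperty -Path $_.PSPath -Name 'Start' -ErrorAction SilentlyContinue).Start
            $startType = if ($null -ne $start -and $startTypes.ContainsKey([int]$start)) { $startTypes[[int]$start] } else { "Unknown ($start)" }
            [pscustomobject]@{
                Key       = $_.PSChildName
                IsPerUser = ($_.PSChildName -ne $Name)
                StartType = $startType
            }
        }
}

foreach ($name in ($expected.Keys | Sort-Object)) {
    $states = @(Get-ServiceStartState -Name $name)
    if ($states.Count -eq 0) {
        Write-Output ("{0,-32} not present on this build" -f $name)
        continue
    }
    foreach ($state in $states) {
        $status = if ($state.StartType -eq 'Disabled') { 'DISABLED' }
                  elseif ($state.StartType -eq $expected[$name]) { 'default' }
                  else { 'changed' }
        $scope = if ($state.IsPerUser) { 'per-user' } else { 'system-wide' }
        Write-Output ("{0,-32} {1,-12} {2,-10} {3}" -f $state.Key, $scope, $state.StartType, $status)
    }
}
```

Run it elevated before and after applying the scripts: a per-user service counts as disabled only when the template key and every existing instance key report `Disabled`, because an instance created for an already signed-in user keeps its own `Start` value until it is recreated.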
-
name: Disable NetBios for all interfaces
docs:
- https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5f3c095-1ad2-4963-b075-787f800b81f2/
call:
function: RunPowerShell
parameters:
code: |-
# NetbiosOptions: 0 = default (follow the DHCP-provided setting), 1 = enable, 2 = disable
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach-Object {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
}
revertCode: |-
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach-Object {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose
}
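An added check, not part of privacy.sexy, that shows what the script above actually changes. The `Interfaces` key holds one `Tcpip_{<GUID>}` subkey per interface, and the GUID is the adapter's `InterfaceGuid`, so the subkeys can be labelled with adapter names before or after the change. The state labels and the column layout are this example's own.

```powershell
# Added example, not part of privacy.sexy: list the NetbiosOptions value per interface,
# labelled with the adapter name, before (or after) running the NetBIOS script above.
# NetBT keeps one subkey per interface named "Tcpip_{<InterfaceGuid>}"; the GUID matches
# the InterfaceGuid reported by Get-NetAdapter, which gives a human-readable adapter name.
# NetbiosOptions: 0 = use the DHCP-provided setting (default), 1 = enable, 2 = disable.

$interfacesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$labels = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

# Get-NetAdapter needs the NetAdapter module (Windows 8 / Server 2012 and later).
# -IncludeHidden also covers virtual adapters (VPN, Hyper-V), which have NetBT keys too.
$adapters = @{}
Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue | ForEach-Object {
    $adapters[$_.InterfaceGuid.ToString().ToLowerInvariant()] = $_.Name
}

function Get-NetBiosState {
    Get-ChildItem -Path $interfacesKey | ForEach-Object {
        $guid  = ($_.PSChildName -replace '^Tcpip_', '').ToLowerInvariant()
        $value = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
        $label = if ($null -ne $value -and $labels.ContainsKey([int]$value)) { $labels[[int]$value] } else { "Unknown ($value)" }
        # Interfaces whose adapter is gone keep their NetBT key; the script above still updates them.
        $adapterName = if ($adapters.ContainsKey($guid)) { $adapters[$guid] } else { '(no matching adapter)' }
        [pscustomobject]@{
            Interface      = $_.PSChildName
            Adapter        = $adapterName
            NetbiosOptions = $value
            State          = $label
        }
    }
}

Get-NetBiosState | Sort-Object Adapter | Format-Table -AutoSize
```

Treat anything other than `2` as "not disabled": an interface left at `0` re-enables NetBIOS over TCP/IP whenever the DHCP server says so, and on a static-address interface `0` behaves as enabled.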
-
category: Remove bloatware
children:
-
category: Remove Windows apps
docs: |-
This category focuses on the uninstallation of Windows apps.
Windows apps were introduced with Windows 8 and are typically acquired and installed through the Store app [1].
Many of these apps come pre-installed on Windows by default [1].
This category does not target framework apps. Framework apps are packages that get installed automatically if another application requires them [2]. If there are
applications depending on these framework packages, you cannot delete the framework app individually [2]. However, if you remove those dependent applications, the
associated framework package will be deleted [3]. To list all framework apps, you can use the following command:
`Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name`.
Uninstalling unused or unwanted apps contributes to privacy by reducing potential data collection points and minimizing your digital footprint.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231003110200/https://learn.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries "Install the Microsoft Advertising SDK - Microsoft Store | Microsoft Learn"
[3]: https://github.com/undergroundwires/privacy.sexy/issues/200 "[BUG]: Microsoft Advertising app removal failure · Issue #200 · undergroundwires/privacy.sexy"
children:
# Good information for development:
# - Find out package name from store ID: https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn (https://archive.ph/U46lx)
# Excluded apps:
# - Microsoft.Windows.ShellExperienceHost
# "Start app", required for different setting windows such as WiFi and battery panes in action bar.
# - Windows.immersivecontrolpanel
# "Settings app", required for settings view.
# - Exclude framework apps:
# List out framework packages:
# Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name
# Windows 11 (22H2) : Microsoft.UI.Xaml.CBS, Microsoft.NET.Native.Framework.2.2, Microsoft.NET.Native.Runtime.2.2, Microsoft.VCLibs.140.00.UWPDesktop
# Microsoft.UI.Xaml.2.7, Microsoft.VCLibs.140.00, Microsoft.WindowsAppRuntime.1.2, Microsoft.UI.Xaml.2.4
# Windows 10 (22H2) : Microsoft.VCLibs.140.00.UWPDesktop, Microsoft.NET.Native.Framework.2.2, Microsoft.NET.Native.Runtime.2.2, Microsoft.VCLibs.140.00
# Microsoft.UI.Xaml.2.0, Microsoft.Advertising.Xaml, Microsoft.NET.Native.Framework.1.7, Microsoft.NET.Native.Runtime.1.7
-
category: Remove provisioned Windows apps
docs: |-
This category addresses the uninstallation of provisioned Windows apps.
Provisioned Windows apps are those that get installed for each new user account upon its first sign-in [1].
They are typically located in `C:\Program Files\WindowsApps\{PackageName}` [1].
To view all provisioned apps:
1. Open a PowerShell command prompt.
2. Execute the following command: `Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName, PublisherId`
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#provisioned-windows-apps "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
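An added inventory snippet, not part of privacy.sexy, that shows the state a practitioner checks before removing one of the apps in this category. It ties together the points made above: a package is addressed by `packageName` plus `publisherId`, which form the package family name `<PackageName>_<PublisherId>`; a provisioned package reappears for new user accounts; and a framework package cannot be removed while other packages depend on it. The target list is a subset of the packages named in the entries below; the column names are this example's own.

```powershell
# Added example, not part of privacy.sexy: inventory the state of Store apps before
# removing them. For each package name this reports whether it is installed for the
# current user, installed for any user, provisioned (so it would be installed again for
# new user accounts), whether it is a framework package, and which installed packages
# depend on it (a framework with dependents cannot be removed on its own).
# Requires an elevated session: -AllUsers and Get-AppxProvisionedPackage (Dism module) need it.

# Subset of the packages targeted by the scripts in this category.
$targets = @(
    'Microsoft.Appconnector',
    'Microsoft.3DBuilder',
    'Microsoft.Microsoft3DViewer',
    'Microsoft.BingWeather',
    'Microsoft.BingNews',
    'Microsoft.DesktopAppInstaller',
    'Microsoft.HEIFImageExtension',
    'Microsoft.MicrosoftOfficeHub'
)
$publisherId = '8wekyb3d8bbwe'   # Microsoft Corporation publisher id used by the entries below

# Query each source once; these calls are the slow part.
$installedAllUsers = @(Get-AppxPackage -AllUsers)
$currentUser       = @(Get-AppxPackage)
$provisioned       = @(Get-AppxProvisionedPackage -Online)

function Get-StoreAppState {
    param([Parameter(Mandatory)][string] $PackageName)
    # Package family name as used by the Store and by Get-AppxPackage.
    $family = "${PackageName}_${publisherId}"
    $pkgs = @($installedAllUsers | Where-Object { $_.PackageFamilyName -eq $family })
    # Dependents: any installed package that lists this package among its dependencies.
    $dependents = @($installedAllUsers |
        Where-Object { $_.Dependencies | Where-Object { $_.Name -eq $PackageName } } |
        Select-Object -ExpandProperty Name -Unique)
    [pscustomobject]@{
        PackageFamilyName = $family
        CurrentUser       = [bool]($currentUser | Where-Object { $_.PackageFamilyName -eq $family })
        AnyUser           = ($pkgs.Count -gt 0)
        Provisioned       = [bool]($provisioned | Where-Object { $_.DisplayName -eq $PackageName })
        IsFramework       = [bool]($pkgs | Where-Object { $_.IsFramework })
        Dependents        = ($dependents -join ', ')
    }
}

$targets | ForEach-Object { Get-StoreAppState -PackageName $_ } | Format-Table -AutoSize
```

A row with `Provisioned = True` means removing the package for existing users is not enough; the provisioned copy has to go as well, or the next new account gets the app back. A non-empty `Dependents` column on a framework package explains the removal failure described for Microsoft Advertising above.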
children:
-
name: Remove "App Connector" app
recommend: strict
docs: |-
This script uninstalls the "App Connector" Windows app.
The App Connector app in Windows is designed to access elements like your location, camera, contacts, and calendars [1] [2] [3].
This raises some concerns about user privacy [2].
In simpler terms, the App Connector acts as a bridge, facilitating communication
between Microsoft services and other apps over the Internet [2] [4] [5]. It's primarily aimed at developers, enabling them to connect with
Microsoft cloud services, such as Azure, or with other internet-based applications [4]. It's essentially a means to allow services to interact with tools
like Microsoft Power Automate, Microsoft Power Apps, and Azure Logic Apps [4]. Common services that can be connected using this include Salesforce,
Office 365, Twitter, Dropbox, and Google services [4].
To secure these connections, connectors typically use OAuth or usernames and passwords [5].
It's worth noting that the exact functionality and detailed documentation about the App Connector from Microsoft is somewhat scarce [1] [3].
[1]: https://web.archive.org/web/20231009125830/https://indiaplus.in/app-connector/ "What Is An App Connector: Windows 10 | indiaplus.in"
[2]: https://web.archive.org/web/20231009125808/https://answers.microsoft.com/en-us/windows/forum/all/windows-10-app-connector-and-windows-shell/975e590b-1258-4552-b50f-f8e20e9aa285?page=2 "Windows 10 app connector and Windows Shell Experience - Microsoft Community"
[3]: https://web.archive.org/web/20231009125714/https://www.howtogeek.com/247661/nobody-knows-what-windows-10s-app-connector-is-and-microsoft-wont-explain-it/ "Nobody Knows What Windows 10's App Connector Is, and Microsoft Won't Explain It | howtogeek.com"
[4]: https://web.archive.org/web/20231009125723/https://learn.microsoft.com/en-us/connectors/connectors "Power Platform connectors overview | Microsoft Learn"
[5]: https://web.archive.org/web/20150502190718/https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-data-connectors/ "Microsoft Azure API Apps Data Connectors | API Apps microservice | azure.microsoft.com"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Appconnector
packageName: Microsoft.Appconnector # Discontinued after Windows 10 1511
publisherId: 8wekyb3d8bbwe
-
category: Remove 3D modeling apps
docs: |-
This category provides scripts for uninstalling pre-installed 3D modeling applications from Windows.
3D modeling applications allow users to create, visualize, and manipulate three-dimensional objects in a virtual space.
They are particularly useful for designers, artists, and professionals who need to create 3D designs for various purposes.
While useful for some users, these apps are not required by everyone, so this category provides the option to uninstall them.
children:
-
name: Remove "Microsoft 3D Builder" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003172322/https://apps.microsoft.com/store/detail/3d-builder/9WZDNCRFJ3T6?hl=en-us)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.3DBuilder
packageName: Microsoft.3DBuilder
publisherId: 8wekyb3d8bbwe
-
name: Remove "3D Viewer" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003172807/https://apps.microsoft.com/store/detail/3d-viewer/9NBLGGH42THS?hl=en-us)
It's also known as "Microsoft 3D Viewer" [1].
This app comes pre-installed on certain versions of Windows [2] [3]. It was added in Windows 10, version 1703 [3].
[1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Microsoft3DViewer
packageName: Microsoft.Microsoft3DViewer
publisherId: 8wekyb3d8bbwe
-
category: Remove MSN (Bing) apps
docs: |-
This category covers scripts designed to uninstall MSN (sometimes branded as "Bing" or just "Microsoft") applications from Windows.
MSN apps typically come bundled with Windows and provide users with information from various domains such as weather, sports, news,
and finance. While they offer easy access to curated content right from the desktop, not all users find them essential.
If users prefer other sources or tools for this information, they might wish to uninstall these default apps to declutter their system.
children:
-
name: Remove "MSN Weather" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003173207/https://apps.microsoft.com/store/detail/msn-weather/9WZDNCRFJ3Q2?hl=en-us)
It's also known as just the "Weather" app [1], and was previously known as "Bing Weather" [2].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.BingWeather
packageName: Microsoft.BingWeather
publisherId: 8wekyb3d8bbwe
-
name: Remove "MSN Sports" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20221204144111/https://apps.microsoft.com/store/detail/msn-sports/9WZDNCRFHVH4?hl=en-us&gl=us)
It's also known as just "Sports" app [1].
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.BingSports
packageName: Microsoft.BingSports
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft News" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003194608/https://apps.microsoft.com/store/detail/microsoft-news/9WZDNCRFHVFW?hl=en-us)
It's also known as just "News" app [1].
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.BingNews
packageName: Microsoft.BingNews
publisherId: 8wekyb3d8bbwe
-
name: Remove "MSN Money" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003195625/https://apps.microsoft.com/store/detail/msn-money/9WZDNCRFHV4V)
It's also known as just "Money" app [1].
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.BingFinance
packageName: Microsoft.BingFinance
publisherId: 8wekyb3d8bbwe
-
name: Remove "Cortana" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003195834/https://apps.microsoft.com/store/detail/cortana/9NFFX4SZZ23L)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.549981C3F5F10
packageName: Microsoft.549981C3F5F10
publisherId: 8wekyb3d8bbwe
-
name: Remove "App Installer" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003200344/https://apps.microsoft.com/store/detail/app-installer/9NBLGGH4NNS1)
It's also known as "Desktop App Installer" app [1].
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.DesktopAppInstaller
packageName: Microsoft.DesktopAppInstaller
publisherId: 8wekyb3d8bbwe
-
name: Remove "Get Help" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.GetHelp
packageName: Microsoft.GetHelp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Tips" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003200952/https://apps.microsoft.com/store/detail/microsoft-tips/9WZDNCRDTBJJ)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Getstarted
packageName: Microsoft.Getstarted
publisherId: 8wekyb3d8bbwe
-
category: Remove extensions
docs: |-
This category focuses on scripts designed to uninstall specific extensions from Windows.
Extensions, in the context of Windows, are software components that add specific capabilities to a larger software application. These
extensions can be related to media, images, videos, or other functionalities that enhance the main software's performance.
Most of these extensions come pre-installed on certain versions of Windows [1]. While they offer additional functionalities, not all
users require them, so the scripts provide an option to uninstall them if desired.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
children:
-
name: Remove "HEIF Image Extensions" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003201158/https://apps.microsoft.com/store/detail/heif-image-extensions/9PMMSR1CGPWG)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.HEIFImageExtension
packageName: Microsoft.HEIFImageExtension
publisherId: 8wekyb3d8bbwe
-
name: Remove "VP9 Video Extensions" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003201732/https://apps.microsoft.com/store/detail/vp9-video-extensions/9N4D0MSMP0PT)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.VP9VideoExtensions
packageName: Microsoft.VP9VideoExtensions
publisherId: 8wekyb3d8bbwe
-
name: Remove "Web Media Extensions" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003202207/https://apps.microsoft.com/store/detail/web-media-extensions/9N5TDP8VCMHS)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WebMediaExtensions
packageName: Microsoft.WebMediaExtensions
publisherId: 8wekyb3d8bbwe
-
name: Remove "Webp Image Extensions" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003202310/https://apps.microsoft.com/store/detail/webp-image-extensions/9PG2DK419DRG)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WebpImageExtension
packageName: Microsoft.WebpImageExtension
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Messaging" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003202812/https://apps.microsoft.com/store/detail/microsoft-messaging/9WZDNCRFJBQ6)
It's also known as just "Messaging" [1] or "Skype Video" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Messaging
packageName: Microsoft.Messaging
publisherId: 8wekyb3d8bbwe
-
name: Remove "Mixed Reality Portal" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003202910/https://apps.microsoft.com/store/detail/mixed-reality-portal/9NG1H8B3ZC7M)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.MixedReality.Portal
packageName: Microsoft.MixedReality.Portal
publisherId: 8wekyb3d8bbwe
-
category: Remove Microsoft Office apps
docs: |-
This category focuses on scripts that help uninstall select Microsoft Office apps that may come pre-installed with Windows.
Microsoft Office suite is a popular productivity suite, providing tools for a wide range of tasks like document creation,
note-taking, and interactive presentation development. However, while many of these apps like Word, Excel, and PowerPoint are
commonly used, some other apps like My Office, OneNote, and Sway might not be essential for all users, especially if users have
other preferred tools or if the web versions suit their needs better.
children:
-
name: Remove "Microsoft 365 (Office)" app
recommend: standard
docs: |-
[Microsoft Store Page](https://archive.ph/ZXfCl)
It was formerly known as just the "Office" app [1] [2].
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.MicrosoftOfficeHub
packageName: Microsoft.MicrosoftOfficeHub
publisherId: 8wekyb3d8bbwe
-
name: Remove "OneNote" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003203445/https://apps.microsoft.com/store/detail/onenote/9WZDNCRFHVJL)
This app was previously known as "OneNote for Windows 10" [1] [2].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Office.OneNote
packageName: Microsoft.Office.OneNote
publisherId: 8wekyb3d8bbwe
-
name: Remove "Sway" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003204225/https://apps.microsoft.com/store/detail/sway/9WZDNCRD2G0J?hl=en-us)
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Office.Sway
packageName: Microsoft.Office.Sway
publisherId: 8wekyb3d8bbwe
-
name: Remove "Feedback Hub" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003210719/https://apps.microsoft.com/store/detail/feedback-hub/9NBLGGH4R32N)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WindowsFeedbackHub
packageName: Microsoft.WindowsFeedbackHub
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Alarms and Clock" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092407/https://apps.microsoft.com/store/detail/windows-clock/9WZDNCRFJ3PR)
This app was previously named "Windows Alarms & Clock" [1] [2].
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WindowsAlarms
packageName: Microsoft.WindowsAlarms
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Camera" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092455/https://apps.microsoft.com/store/detail/windows-camera/9WZDNCRFJBBG)
It's also known as just "Camera" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WindowsCamera
packageName: Microsoft.WindowsCamera
publisherId: 8wekyb3d8bbwe
-
name: Remove "Paint 3D" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092446/https://apps.microsoft.com/store/detail/paint-3d/9NBLGGH5FV99)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.MSPaint
packageName: Microsoft.MSPaint
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Maps" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092559/https://apps.microsoft.com/store/detail/windows-maps/9WZDNCRDTBVB)
It is also known as just "Maps" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WindowsMaps
packageName: Microsoft.WindowsMaps
publisherId: 8wekyb3d8bbwe
-
name: Remove "Minecraft for Windows" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092835/https://apps.microsoft.com/store/detail/minecraft-for-windows/9nblggh2jhxj)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.MinecraftUWP
packageName: Microsoft.MinecraftUWP
publisherId: 8wekyb3d8bbwe
-
category: Remove Microsoft Store apps
docs: |-
This category houses scripts dedicated to uninstalling specific applications related to the Microsoft Store.
As the digital storefront for Microsoft, the Microsoft Store is a hub for apps, games, movies, and other content.
While it provides a convenient method of obtaining software, some users might wish to uninstall or disable it for
reasons like performance optimization or data privacy concerns.
As always, when disabling or uninstalling core system apps, it is crucial to be informed of the potential repercussions
and act carefully.
children:
-
name: Remove "Microsoft Store" app
docs: |-
This script aims to uninstall the Microsoft Store app (also known as Store [1]), which comes pre-installed on modern versions
of Windows [1] [2] [3].
Microsoft has mentioned that it doesn't officially support the uninstallation of this app [3] [4]. Removing it might lead to unwanted
effects [4].
The Microsoft Store is subject to the data collection policies laid out in the Windows privacy statement [5]. It can collect diagnostic
data about your device, its settings, and capabilities [6]. This data is sent to Microsoft and can include unique identifiers, potentially
allowing Microsoft to recognize a user and their device [6]. Additionally, the data can offer insights into your device's settings,
capabilities, health, visited websites, device activity (or usage), and the memory state of your device [6]. Sometimes, this might
inadvertently include parts of a file you are using [6].
From a security perspective, keeping the Microsoft Store installed adds attack surface, as it has known vulnerabilities [7].
To address privacy and security concerns, it might be beneficial to disable the Microsoft Store and explore alternative methods for
software package management. However, considering the official stance from Microsoft on uninstallation, it's important to understand that
this action might affect some core functionalities of the operating system.
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20231004094641/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/pre-installed-microsoft-store-app-removed-logon "Pre-installed Microsoft Store app is removed at first Windows logon - Windows Client | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231004093559/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/cannot-remove-uninstall-or-reinstall-microsoft-store-app "Can't remove, uninstall, or reinstall Microsoft Store app - Windows Client | Microsoft Learn"
[5]: https://web.archive.org/web/20231004094058/https://github.com/microsoft/winget-cli/issues/179#issuecomment-631183527 "Please include ability to opt out of telemetry and clear documentation on how to opt out · Issue #179 · microsoft/winget-cli · GitHub"
[6]: https://web.archive.org/web/20231004094657/https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319#ID0EDF "Diagnostics, feedback, and privacy in Windows - Microsoft Support"
[7]: https://web.archive.org/web/20231004100105/https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=microsoft+store&queryType=phrase&search_type=all&isCpeNameSearch=false "Search: Microsoft Store | NVD - Results | nist.gov"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WindowsStore
packageName: Microsoft.WindowsStore
publisherId: 8wekyb3d8bbwe
-
name: Remove "Store Purchase" app
docs: |-
This script uninstalls the "Store Purchase" app.
The Store Purchase app is linked with the purchase feature in the Store app, allowing users to view their purchase history without needing to open a separate
website [1]. This app is not well-documented officially by Microsoft.
The app comes pre-installed on certain Windows versions [2] [3].
[1]: https://web.archive.org/web/20231004133326/https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps "Store Purchase App | social.technet.microsoft.com"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.StorePurchaseApp
packageName: Microsoft.StorePurchaseApp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft People" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004105428/https://apps.microsoft.com/store/detail/microsoft-people/9NBLGGH10PG8)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.People
packageName: Microsoft.People
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Pay" app
docs: |-
This script uninstalls the Microsoft Pay app. Microsoft Pay, previously known as "Microsoft Wallet" [1] [2] [3], is a
cloud-based payment and wallet technology provided by Microsoft [2]. This system enables users to make secure payments through
Microsoft Pay on websites, within Universal Windows Platform (UWP) apps, and through Microsoft Bot Framework bots [4].
The primary function of Microsoft Pay is to facilitate payments using banks and credit cards [3]. The app integrates seamlessly with
the Microsoft Edge browser [5] and stores card data [4].
Microsoft Pay comes pre-installed on specific versions of Windows [1] [6] [7] [8].
[1]: https://web.archive.org/web/20231004112751/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20231004112830/https://blogs.windows.com/windows-insider/2016/06/21/microsoft-wallet-with-tap-to-pay-is-now-available-for-windows-insiders/ "Microsoft Wallet with tap to pay is now available for Windows Insiders | Windows Insider Blog"
[3]: https://web.archive.org/web/20180216173337/http://www.microsoft.com/wallet/ "Microsoft Wallet: Digital Wallet for Secure Mobile Payments"
[4]: https://web.archive.org/web/20230609124956/https://stripe.com/docs/microsoft-pay "Microsoft Pay | Stripe Documentation"
[5]: https://web.archive.org/web/20231004112732/https://support.microsoft.com/en-us/microsoft-edge/features-currently-not-available-in-the-new-microsoft-edge-4307f116-8184-0c59-dcb4-3c55e00f70bf "Features currently not available in the new Microsoft Edge - Microsoft Support"
[6]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[7]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[8]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Wallet
packageName: Microsoft.Wallet
publisherId: 8wekyb3d8bbwe
-
name: Remove "Snipping Tool" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004133447/https://apps.microsoft.com/store/detail/snipping-tool/9MZ95KL8MR0L)
This app was formerly named "Snip & Sketch" [1] [2].
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.ScreenSketch
packageName: Microsoft.ScreenSketch
publisherId: 8wekyb3d8bbwe
-
name: Remove "Print 3D" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20220430015415/https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s?activetab=pivot:overviewtab)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Print3D
packageName: Microsoft.Print3D
publisherId: 8wekyb3d8bbwe
-
name: Remove "Mobile Plans" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004142628/https://apps.microsoft.com/store/detail/mobile-plans/9NBLGGH5PNB1)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.OneConnect
packageName: Microsoft.OneConnect
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Solitaire Collection" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20230609084501/https://apps.microsoft.com/store/detail/microsoft-solitaire-collection/9wzdncrfhwd2)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.MicrosoftSolitaireCollection
packageName: Microsoft.MicrosoftSolitaireCollection
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Sticky Notes" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20230806145300/https://apps.microsoft.com/store/detail/microsoft-sticky-notes/9NBLGGH4QGHW)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.MicrosoftStickyNotes
packageName: Microsoft.MicrosoftStickyNotes
publisherId: 8wekyb3d8bbwe
-
category: Remove Xbox apps
docs: |-
This category contains scripts designed to uninstall specific Windows apps related to Xbox.
Uninstalling these apps may enhance system performance and privacy, as fewer apps are running in the background, accessing personal data or utilizing system resources.
If you're not using these services or apps, it might be beneficial to disable them for a cleaner and more privacy-focused user experience.
children:
-
name: Remove "Xbox Console Companion" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004143830/https://apps.microsoft.com/store/detail/xbox-console-companion/9WZDNCRFJBD8)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
It's part of Microsoft Game Development Kit (GDK) [4].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.XboxApp
packageName: Microsoft.XboxApp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Live in-game experience" app
recommend: standard
docs: |-
This script uninstalls the "Xbox Live in-game experience" app [1].
This application provides TCUI functionality [1]. Title-callable UI (TCUI) is a feature that allows game code to invoke pre-defined
user interface displays [2].
This app comes pre-installed on certain versions of Windows [1] [3].
It's part of Microsoft Game Development Kit (GDK) [4].
Uninstalling this app can contribute to user privacy, as it removes an unnecessary component that may have predefined interfaces linked with
Xbox Live, minimizing potential data interactions with the system.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231004144304/https://github.com/MicrosoftDocs/xbox-live-docs/blob/docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md "xbox-live-docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md at docs · MicrosoftDocs/xbox-live-docs · GitHub"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Xbox.TCUI
packageName: Microsoft.Xbox.TCUI
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Game Bar" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004144844/https://apps.microsoft.com/store/detail/xbox-game-bar/9NZKPSTSNW4P)
This app comes pre-installed on certain versions of Windows [1] [2].
It's part of Microsoft Game Development Kit (GDK) [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.XboxGamingOverlay
packageName: Microsoft.XboxGamingOverlay
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Game Bar Plugin" app
recommend: standard
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
It's part of Microsoft Game Development Kit (GDK) [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.XboxGameOverlay
packageName: Microsoft.XboxGameOverlay
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Identity Provider" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004150131/https://apps.microsoft.com/store/detail/xbox-identity-provider/9WZDNCRD1HKW)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.XboxIdentityProvider
packageName: Microsoft.XboxIdentityProvider
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Speech To Text Overlay" app
recommend: standard
docs: |-
This script uninstalls the "Xbox Speech To Text Overlay" app.
The app offers a speech-to-text feature for certain Xbox games. Specifically, it turns spoken words during a party chat into text which then
appears on the game screen [1]. This function is also termed "game and chat transcription" and is available in games that support this feature [2].
The removal of this app can help in reclaiming system resources and enhancing user privacy, as it would reduce the number of tools with potential voice
data access. After uninstalling, the speech-to-text functionality in supported Xbox games may no longer be available.
This app comes pre-installed on certain versions of Windows [3] [4].
[1]: https://web.archive.org/web/20231004150708/https://news.xbox.com/en-us/2021/06/15/june-2021-xbox-update/ "June Xbox Update: Party Chat Accessibility, Xbox App Official Posts, and More - Xbox Wire"
[2]: https://web.archive.org/web/20231004151225/https://support.xbox.com/en-US/help/account-profile/accessibility/use-game-chat-transcription "Use game and chat transcription on Xbox and Windows devices | Xbox Support"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.XboxSpeechToTextOverlay
packageName: Microsoft.XboxSpeechToTextOverlay
publisherId: 8wekyb3d8bbwe
-
name: Remove "Mail and Calendar" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004175316/https://apps.microsoft.com/store/detail/mail-and-calendar/9WZDNCRFHVQM)
It was previously known as the "Outlook Calendar and Mail" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage microsoft.windowscommunicationsapps
packageName: microsoft.windowscommunicationsapps
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Media Player" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231005124745/https://apps.microsoft.com/store/detail/windows-media-player/9WZDNCRFJ3PT)
This app was previously known as "Groove Music" [1] [2] [3].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.ZuneMusic
packageName: Microsoft.ZuneMusic
publisherId: 8wekyb3d8bbwe
-
name: Remove "Movies & TV" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231005124924/https://apps.microsoft.com/store/detail/movies-tv/9WZDNCRFJ3P2)
It's also known as "Movies and TV" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.ZuneVideo
packageName: Microsoft.ZuneVideo
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Calculator" app
docs: |-
[Microsoft Store Page](https://archive.ph/64EWx)
It's also known as just "Calculator" [1].
This app comes pre-installed on certain versions of Windows [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WindowsCalculator
packageName: Microsoft.WindowsCalculator
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Photos" app
docs: |-
[Microsoft Store Page](https://archive.ph/rBoCX)
It's also known as just the "Photos" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.Photos
packageName: Microsoft.Windows.Photos
publisherId: 8wekyb3d8bbwe
-
name: Remove "Skype" app
docs: |-
[Microsoft Store Page](https://archive.ph/vL2FJ)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.SkypeApp
packageName: Microsoft.SkypeApp
publisherId: kzf8qxf38zg5c
-
name: Remove "GroupMe" app
docs: |-
[Microsoft Store Page](https://archive.ph/ggBiX)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.GroupMe10
packageName: Microsoft.GroupMe10
publisherId: kzf8qxf38zg5c
-
name: Remove "Windows Sound Recorder" app
docs: |-
[Microsoft Store Page](https://archive.ph/8Fe9K)
This app is also known as "Voice recorder" [1] or "Windows Voice Recorder" [2] [3].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.WindowsSoundRecorder
packageName: Microsoft.WindowsSoundRecorder
publisherId: 8wekyb3d8bbwe
-
category: Remove Phone apps
docs: |-
The "Phone" category contains scripts for managing phone-related Windows apps: apps designed to connect smartphones with Windows, telecommunication tools such as
dialer apps, and older or superseded phone-associated apps. The scripts let users decide whether these apps and their functionality remain on the system, giving
them more control over personal preferences.
children:
-
name: Remove "Your Phone Companion" app
docs: |-
It was initially released in October 2018 [1]. It allows synchronization between your phone and PC [2].
It has been replaced by the "Phone Link" app since March 2022 [1].
It does not exist in newer versions of Windows.
[1]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support"
[2]: https://archive.ph/TfLf1#june-10-2020 "windows-insider/wip/apps/your-phone.md at public · MicrosoftDocs/windows-insider | github.com"
call:
-
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.WindowsPhone
packageName: Microsoft.WindowsPhone
publisherId: 8wekyb3d8bbwe
-
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Windows.Phone
packageName: Microsoft.Windows.Phone
publisherId: 8wekyb3d8bbwe
-
name: Remove "Communications - Phone" app # Deprecated in newer Windows 10
docs: |-
This app is also known as "Phone (dialer)" app [1].
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.CommsPhone
packageName: Microsoft.CommsPhone
publisherId: 8wekyb3d8bbwe
-
name: Remove "Phone Link" app
docs: |-
[Microsoft Store Page](https://archive.ph/Z4q70)
It was initially released as "Your Phone" app in October 2018 [1].
This app comes pre-installed on certain versions of Windows [2] [3].
[1]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.YourPhone
packageName: Microsoft.YourPhone
publisherId: 8wekyb3d8bbwe
-
category: Remove installed Windows apps
docs: |-
This category covers uninstallation of pre-installed Windows apps.
Pre-installed Windows apps come with the operating system [1] and are stored in the `C:\Program Files\WindowsApps\{PackageFamilyName}` directory [1].
Removing these apps contributes to user privacy by eliminating potential avenues for unwanted data collection and by decluttering the system.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
children:
-
name: Remove "Microsoft Remote Desktop" app
docs: |-
[Microsoft Store Page](https://archive.ph/jGZBm)
It's also known as just "Remote Desktop" [1].
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.RemoteDesktop
packageName: Microsoft.RemoteDesktop
publisherId: 8wekyb3d8bbwe
-
name: Remove "Network Speed Test" app
recommend: standard
docs: |-
[Microsoft Store Page](https://archive.ph/EpJ1B)
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.NetworkSpeedTest
packageName: Microsoft.NetworkSpeedTest
publisherId: 8wekyb3d8bbwe
-
name: 'Remove "Microsoft To Do: Lists, Tasks & Reminders" app'
docs: |-
[Microsoft Store Page](https://archive.ph/tOSDW)
This app comes pre-installed on certain versions of Windows [1].
[1]: https://archive.ph/wt3sJ "Surface Duo 2 - Dual-Screen Mobile Productivity - Microsoft Surface | microsoft.com"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Todos
packageName: Microsoft.Todos
publisherId: 8wekyb3d8bbwe
-
category: Remove third-party apps
docs: |-
This category provides options to uninstall third-party applications (not developed by Microsoft) that may come preinstalled or be available for
installation on specific Windows versions.
children:
-
name: Remove "Shazam" app
docs: |-
[Microsoft Store Page](https://archive.ph/zjVBQ)
The Shazam Windows app was officially declared end-of-life on February 7, 2017 and has been discontinued as a Windows app [1].
[1]: https://web.archive.org/web/20231007013946/https://www.windowscentral.com/shazam-pulls-plug-windows-apps "Shazam pulls the plug on its Windows apps for PC and Mobile | Windows Central"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage ShazamEntertainmentLtd.Shazam
packageName: ShazamEntertainmentLtd.Shazam
publisherId: pqbynwjfrbcg4
-
category: Remove Candy Crush apps
docs: |-
This category encompasses actions to uninstall the various Candy Crush applications that may come preinstalled or be available for installation
on certain versions of Windows. These actions help streamline the system by removing potentially unwanted games.
children:
-
name: Remove "Candy Crush Saga" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231007015121/https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage king.com.CandyCrushSaga
packageName: king.com.CandyCrushSaga
publisherId: kgqvnymyfvs32
-
name: Remove "Candy Crush Soda Saga" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231007015313/https://www.microsoft.com/en-us/p/candy-crush-soda-saga/9nblggh1zrpv)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage king.com.CandyCrushSodaSaga
packageName: king.com.CandyCrushSodaSaga
publisherId: kgqvnymyfvs32
-
name: Remove "Flipboard" app
docs: |-
[Microsoft Store Page](https://archive.ph/yEn8l)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Flipboard.Flipboard
packageName: Flipboard.Flipboard
publisherId: 3f5azkryzdbc4
-
name: Remove "Twitter" app
docs: |-
[Microsoft Store Page](https://archive.ph/4xGBR)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage 9E2F88E3.Twitter
packageName: 9E2F88E3.Twitter
publisherId: wgeqdkkx372wm
-
name: 'Remove "iHeart: Radio, Music, Podcasts" app'
docs: |-
[Microsoft Store Page](https://archive.ph/qKiUM)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage ClearChannelRadioDigital.iHeartRadio
packageName: ClearChannelRadioDigital.iHeartRadio
publisherId: a76a11dkgb644
-
name: 'Remove "Duolingo - Language Lessons" app'
docs: |-
[Microsoft Store Page](https://archive.ph/AgJOE)
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage D5EA27B7.Duolingo-LearnLanguagesforFree
packageName: D5EA27B7.Duolingo-LearnLanguagesforFree
publisherId: yx6k7tf7xvsea
-
name: Remove "Adobe Photoshop Express" app
docs: |-
[Microsoft Store Page](https://archive.ph/213f5)
This app is also known as just "Photoshop Express" [1].
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage AdobeSystemsIncorporated.AdobePhotoshopExpress
packageName: AdobeSystemsIncorporated.AdobePhotoshopExpress # Official docs are wrong (given as `AdobeSystemIncorporated.AdobePhotoshop`)
publisherId: ynb6jyjzte8ga
-
name: Remove "Pandora" app
docs: |-
[Microsoft Store Page](https://archive.ph/uKHGP)
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage PandoraMediaInc.29680B314EFC2
packageName: PandoraMediaInc.29680B314EFC2
publisherId: n619g4d5j0fnw
-
name: Remove "Eclipse Manager" app
docs: |-
[Microsoft Store Page](https://archive.ph/bnllD)
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage 46928bounde.EclipseManager
packageName: 46928bounde.EclipseManager
publisherId: a5h4egax66k6y
-
name: Remove "Code Writer" app
docs: |-
[Microsoft Store Page](https://archive.ph/RZY0r)
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage ActiproSoftwareLLC.562882FEEB491
packageName: ActiproSoftwareLLC.562882FEEB491
publisherId: 24pqs290vpjk0
-
name: 'Remove "Spotify - Music and Podcasts" app'
docs: |-
[Microsoft Store Page](https://archive.ph/r3VwJ)
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage SpotifyAB.SpotifyMusic
packageName: SpotifyAB.SpotifyMusic
publisherId: zpdnekdrzrea0
-
category: Remove system apps
docs: |-
This category includes scripts for uninstalling default system apps in Windows.
System apps are pre-installed [1] [2] applications located under the `C:\Windows*` directory [1] [2].
These apps are typically found in the `C:\Windows\SystemApps\{PackageFamilyName}` or `C:\Windows\{ShortAppName}` folders.
To view all system apps:
1. Open a PowerShell command prompt.
2. Execute the following command: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, PublisherId, InstallLocation`
They are integral components of the Windows operating system [1].
However, by removing unnecessary system apps, users can enhance their privacy by reducing potential data
collection points and streamlining their system.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
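The "Existence" comments on each entry record whether a package is present on a given Windows build. The PowerShell below is an added example, not part of the privacy.sexy collection and not its `UninstallStoreApp` / `UninstallSystemApp` functions; it performs that check for the `packageName` / `publisherId` pairs used in this file and classifies each package as a Store app under `C:\Program Files\WindowsApps` or a system app under `C:\Windows`, as the category docs describe, so you can see what a removal would touch before running it.

```powershell
# Added example, not part of the privacy.sexy collection and not its
# UninstallStoreApp / UninstallSystemApp functions. It reproduces the check
# behind this file's "Existence" comments for one packageName/publisherId pair
# and classifies the package by the locations the category docs describe.
function Get-AppxRemovalAudit {
    param(
        [Parameter(Mandatory)] [string] $PackageName,   # e.g. Microsoft.ZuneMusic
        [Parameter(Mandatory)] [string] $PublisherId    # e.g. 8wekyb3d8bbwe
    )
    $familyName = "${PackageName}_${PublisherId}"

    # -AllUsers requires elevation; fall back to the current user's packages.
    try {
        $packages = @(Get-AppxPackage -Name $PackageName -AllUsers -ErrorAction Stop)
    } catch {
        $packages = @(Get-AppxPackage -Name $PackageName -ErrorAction SilentlyContinue)
    }
    $packages = @($packages | Where-Object { $_.PublisherId -eq $PublisherId })

    # Provisioned packages are installed again for every new user account, so a
    # per-user removal alone does not get rid of them. Listing them needs
    # elevation; report $null ("unknown") when that fails.
    $provisioned = $null
    try {
        $provisioned = [bool](Get-AppxProvisionedPackage -Online -ErrorAction Stop |
            Where-Object { $_.DisplayName -eq $PackageName })
    } catch { }

    $result = [ordered]@{
        PackageFamilyName = $familyName
        Installed         = ($packages.Count -gt 0)
        Kind              = 'Missing'
        InstallLocation   = $null
        NonRemovable      = $null
        Provisioned       = $provisioned
    }
    if ($packages.Count -gt 0) {
        $pkg = $packages[0]
        $result.InstallLocation = $pkg.InstallLocation
        $result.NonRemovable    = $pkg.NonRemovable
        $systemRoot = $env:SystemRoot                          # C:\Windows
        $storeRoot  = Join-Path $env:ProgramFiles 'WindowsApps' # C:\Program Files\WindowsApps
        if ($pkg.SignatureKind -eq 'System' -or $pkg.InstallLocation -like "$systemRoot\*") {
            $result.Kind = 'System app'   # C:\Windows\SystemApps\... or C:\Windows\...
        } elseif ($pkg.InstallLocation -like "$storeRoot\*") {
            $result.Kind = 'Store app'    # C:\Program Files\WindowsApps\...
        } else {
            $result.Kind = 'Other'
        }
    }
    return [pscustomobject]$result
}

# Sample pairs taken from this collection; any other entry works the same way.
$entries = @(
    @{ PackageName = 'Microsoft.ZuneMusic';        PublisherId = '8wekyb3d8bbwe' }  # "Windows Media Player"
    @{ PackageName = 'Microsoft.AAD.BrokerPlugin'; PublisherId = 'cw5n1h2txyewy' }  # "Microsoft AAD Broker Plugin"
    @{ PackageName = 'SpotifyAB.SpotifyMusic';     PublisherId = 'zpdnekdrzrea0' }  # "Spotify - Music and Podcasts"
)
$entries |
    ForEach-Object { Get-AppxRemovalAudit -PackageName $_.PackageName -PublisherId $_.PublisherId } |
    Format-Table PackageFamilyName, Installed, Kind, NonRemovable, Provisioned, InstallLocation -AutoSize
```

Run it from an elevated PowerShell prompt to see the all-users and provisioned state; unelevated, it reports only the current user's packages and leaves `Provisioned` empty.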
children:
-
name: Remove "File Picker" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage 1527c705-839a-4832-9118-54d4Bd6a0c89
packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89
publisherId: cw5n1h2txyewy
-
name: Remove "File Explorer" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage c5e2524a-ea46-4f67-841f-6a9465d9d515
packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515
publisherId: cw5n1h2txyewy
-
name: Remove "App Resolver UX" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage E2A4F912-2574-4A75-9BB0-0D023378592B
packageName: E2A4F912-2574-4A75-9BB0-0D023378592B
publisherId: cw5n1h2txyewy
-
name: Remove "Add Suggested Folders To Library" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
-
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
publisherId: cw5n1h2txyewy
-
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage InputApp
packageName: InputApp
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft AAD Broker Plugin" app (breaks Night Light settings, taskbar keyboard selection and Office app authentication)
# recommend: strict (Unrecommended due to too many side-effects)
docs: |-
This script uninstalls the "Microsoft AAD Broker Plugin" app. This app is also referred to as the "Work or school account" or "Broker plug-in" [1].
The primary purpose of this app is to offer login functionality for what used to be Azure Active Directory and is now called Microsoft Entra ID [2].
Users should be aware of the following side-effects before uninstalling:
- For certain Windows versions, uninstalling this app disrupts the keyboard selection in the taskbar [3]. Clicking on the taskbar
language selection icon will not show the selection dialog [3].
- The Night Light feature, which adjusts the colors on your screen to reduce eye strain during the evening and night, will stop
functioning after uninstalling [4]. You can read more about the Night Light feature
[here](https://web.archive.org/web/20231003182409/https://support.microsoft.com/en-us/windows/set-your-display-for-night-time-in-windows-18fe903a-e0a1-8326-4c68-fd23d7aaf136).
- The authentication process for Office apps is affected, preventing users from signing in [5].
Removing this app enhances user privacy by reducing potential data collection by the app. Yet, it's important to weigh
the privacy benefits against the loss of the above functionalities.
Note: This app is pre-installed on specific Windows versions [1] [6] [7].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20231003182133/https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id "Microsoft Entra ID (formerly Azure Active Directory) | Microsoft Security"
[3]: https://github.com/undergroundwires/privacy.sexy/issues/24 "The selection of keyboards in the taskbar disappears. · Issue #24 · undergroundwires/privacy.sexy"
[4]: https://github.com/undergroundwires/privacy.sexy/issues/54 "What script disables the night light settings? · Issue #54 · undergroundwires/privacy.sexy"
[5]: https://web.archive.org/web/20231003182528/https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/automatic-authentication-fails "Authentication automatically fails in Microsoft 365 services - Microsoft 365 | Microsoft Learn"
[6]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[7]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.AAD.BrokerPlugin
packageName: Microsoft.AAD.BrokerPlugin # Official docs point to the wrong name "Microsoft.AAD.Broker.Plugin"
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft Accounts Control" app
docs: |-
It is also known as "Email and accounts" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.AccountsControl
packageName: Microsoft.AccountsControl
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft Async Text Service" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.AsyncTextService
packageName: Microsoft.AsyncTextService
publisherId: 8wekyb3d8bbwe
-
category: Remove Windows Hello setup UI apps
children:
-
name: Remove "Hello setup UI" app (breaks biometric authentication)
recommend: strict
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
See also: [Discussion about this service on Microsoft forums](https://web.archive.org/web/20231003183050/https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a)
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.BioEnrollment
packageName: Microsoft.BioEnrollment
publisherId: cw5n1h2txyewy
-
name: Remove "Credentials Dialog Host" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2] [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.CredDialogHost
packageName: Microsoft.CredDialogHost
publisherId: cw5n1h2txyewy
-
name: Remove "EC" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.ECApp
packageName: Microsoft.ECApp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Lock" app (shows lock screen)
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
See also: [More information about the `LockApp.exe` process](https://web.archive.org/web/20231003183213/https://www.getwox.com/what-is-lockapp-exe/)
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.LockApp
packageName: Microsoft.LockApp
publisherId: cw5n1h2txyewy
-
category: Remove Edge apps
docs: |-
These scripts disable Windows apps related to Microsoft Edge [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10
children:
-
category: Remove Edge (Legacy)
docs: |-
This category aids in the removal of Microsoft Edge Legacy. Microsoft introduced the Legacy version based on the EdgeHTML engine [1].
However, as of March 9, 2021, they stopped supporting this version, meaning it no longer receives security updates or patches [1].
Unsupported software can expose your system to unpatched security vulnerabilities.
Initially, this version was the default browser on Windows 10 PCs [1]. Due to its tight integration with Windows, a simple uninstall
might not eliminate all related files.
One privacy concern with Microsoft Edge Legacy is how it handles your browsing history. When used, the browser integrates your browsing
history into your device's activity log, which is sent to Microsoft [2]. Even if this is disabled, the data remains on your device [2].
This locally stored data can be analyzed to profile your behavior, potentially compromising your privacy.
By using these scripts, you ensure a comprehensive removal of the browser and its related components, thus enhancing your system's
privacy and security.
[1]: https://web.archive.org/web/20231004084011/https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0 "What is Microsoft Edge Legacy? - Microsoft Support"
[2]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support"
children:
-
name: Remove "Microsoft Edge" app
recommend: strict
docs: |-
This script uninstalls the "Microsoft Edge" Windows app.
This app comes pre-installed on certain versions of Windows [1] [2] [3].
As of March 9, 2021, this app stopped receiving any updates or security patches [4]. Such unsupported software can become a security
risk. Furthermore, using this version means your browsing data gets integrated into your device's activity history [5]. Microsoft can
access this data [5] and it remains stored locally, leaving traces of your behavior [5].
Removing this software not only minimizes potential security threats but also improves your privacy by preventing data accumulation.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn"
[5]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.MicrosoftEdge
packageName: Microsoft.MicrosoftEdge
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Edge Dev Tools Client" app
recommend: strict
docs: |-
This script removes the Developer Tools (DevTools) app that was paired with Microsoft Edge Legacy. These tools, now outdated, haven't
received updates for a while [1] [2]. If the main Edge application is uninstalled, these tools lose their relevance and should be removed
as well.
This app comes pre-installed on certain versions of Windows [3] [4].
Removing such outdated software components improves your security: unmaintained code may contain vulnerabilities that are no longer
patched. Uninstalling them is a step towards a more secure system.
[More about Edge DevTools](https://web.archive.org/web/20200508053014/https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide)
[1]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn"
[2]: https://web.archive.org/web/20231004084959/https://learn.microsoft.com/en-us/archive/microsoft-edge/legacy/developer/ "Legacy Microsoft Edge developer documentation - Legacy Microsoft Edge developer docs | Microsoft Learn"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.MicrosoftEdgeDevToolsClient
packageName: Microsoft.MicrosoftEdgeDevToolsClient
publisherId: 8wekyb3d8bbwe
-
name: Remove Edge (legacy) file and URL associations
recommend: strict
docs: |-
This script unlinks file and URL associations from the legacy Microsoft Edge, ensuring that it is not mistakenly recognized as
the default browser on your system.
When you remove Microsoft Edge without disconnecting its associations as the default browser, certain Windows functionalities may
malfunction, as reported by users [1]. The standard uninstallation method for Microsoft Edge does not unlink these associations,
leading to possible issues.
For newer versions of Windows (specifically, Windows 10 21H2 and Windows 11 21H2 and beyond), the Chromium-based Edge is associated
with the majority of default options (with ProgIDs `MSEdgePDF` and `MSEdgeHTM` [2]); however, there are still associations for legacy Edge.
The legacy Microsoft Edge is associated with several ProgIDs, such as `AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9` and `AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723`,
all prefixed with `AppX` [3].
To check the specific file and URL associations handled by Edge, you can look under the following registry keys, although not
all of these keys are registered by the operating system:
- `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\URLAssociations`
- `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\FileAssociations`
Within these keys:
- URL associations include `http`, `https`, `microsoft-edge`, and others.
- File associations include `.htm`, `.html`, `.pdf`, and `.svg`.
By running this script, you help enhance your system's privacy and ensure that no unintended associations remain that could potentially cause
vulnerabilities or other issues.
[1]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
[2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn"
[3]: https://web.archive.org/web/20231001223221/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#defaultassociationsconfiguration
call:
function: RemoveBrowserAssociations
parameters:
progIdPattern: AppX*
# List:
# $keywords = @('AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9', 'AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723', 'AppXq0fevzme2pys62n3e0fbqa7peapykr8v', 'AppX90nv6nhay5n6a98fnetv7tpk64pp35es')
# Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts' | ForEach-Object { $_.Property } | Where-Object { $key = $_; $keywords | Where-Object { $key -match $_ } }
toastAssociations: >-
AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.htm AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9_.html
AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723_.pdf
AppXq0fevzme2pys62n3e0fbqa7peapykr8v_http AppX90nv6nhay5n6a98fnetv7tpk64pp35es_https
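The following read-only audit is an added example and not part of privacy.sexy; it lets you check, before or after running the script above, which file and URL associations still point at legacy Edge (ProgIDs prefixed `AppX`). It reads the package capability keys cited in the docs, the `ApplicationAssociationToasts` values the script removes, and the per-user `UserChoice` keys that hold the effective defaults. The function name `Get-LegacyEdgeAssociation` and the `UserChoice` paths are assumptions of this example; the remaining paths are the ones cited above.

```powershell
# Added example (not privacy.sexy code): list leftover legacy-Edge associations.
# Assumes it runs as the user whose associations are inspected. Nothing is modified.
function Get-LegacyEdgeAssociation {
    param([string] $ProgIdPattern = 'AppX*')

    # 1. Capabilities declared by the legacy Edge package (absent once the package is removed)
    $repo = 'HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages'
    if (Test-Path -LiteralPath $repo) {
        Get-ChildItem -LiteralPath $repo |
            Where-Object { $_.PSChildName -like 'Microsoft.MicrosoftEdge_*' } |
            ForEach-Object {
                $pkg = $_.PSChildName
                foreach ($cap in 'URLAssociations', 'FileAssociations') {
                    $path = "$repo\$pkg\MicrosoftEdge\Capabilities\$cap"
                    if (-not (Test-Path -LiteralPath $path)) { continue }
                    $key = Get-Item -LiteralPath $path
                    foreach ($name in $key.Property) {
                        # Value name is the scheme or extension, value data is the ProgID
                        [pscustomobject]@{ Source = "Package:$cap"; Name = $name; ProgId = $key.GetValue($name) }
                    }
                }
            }
    }

    # 2. Toast entries (value names look like "<ProgId>_<extension or scheme>")
    $toasts = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts'
    if (Test-Path -LiteralPath $toasts) {
        foreach ($name in (Get-Item -LiteralPath $toasts).Property) {
            if ($name -like "${ProgIdPattern}_*") {
                $progId, $target = $name -split '_', 2
                [pscustomobject]@{ Source = 'Toast'; Name = $target; ProgId = $progId }
            }
        }
    }

    # 3. Effective per-user defaults for the types the docs list (assumed standard UserChoice keys)
    $urlRoot  = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations'
    $fileRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
    $checks = @(
        @{ Name = 'http';  Path = "$urlRoot\http\UserChoice" }
        @{ Name = 'https'; Path = "$urlRoot\https\UserChoice" }
        @{ Name = '.htm';  Path = "$fileRoot\.htm\UserChoice" }
        @{ Name = '.html'; Path = "$fileRoot\.html\UserChoice" }
        @{ Name = '.pdf';  Path = "$fileRoot\.pdf\UserChoice" }
        @{ Name = '.svg';  Path = "$fileRoot\.svg\UserChoice" }
    )
    foreach ($c in $checks) {
        $progId = (Get-ItemProperty -LiteralPath $c.Path -Name ProgId -ErrorAction SilentlyContinue).ProgId
        if ($progId) { [pscustomobject]@{ Source = 'UserChoice'; Name = $c.Name; ProgId = $progId } }
    }
}

# Rows whose ProgId still matches the pattern are legacy-Edge leftovers; no rows means none remain.
Get-LegacyEdgeAssociation | Where-Object { $_.ProgId -like 'AppX*' } | Format-Table -AutoSize
```

The `UserChoice` rows are the ones that matter functionally: if `http` or `.htm` still resolves to an `AppX*` ProgID after the package is gone, Windows has no working handler for that type, which is the failure mode described in [1].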
-
name: Remove "Win32 Web View Host" / "Desktop App Web Viewer" app
recommend: strict
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Win32WebViewHost
packageName: Microsoft.Win32WebViewHost
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft PPI Projection" app
docs: |-
[More about Perceptive Pixel](https://en.wikipedia.org/wiki/Perceptive_Pixel)
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
recommend: strict
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.PPIProjection
packageName: Microsoft.PPIProjection
publisherId: cw5n1h2txyewy
-
name: Remove "ChxApp" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.Apprep.ChxApp
packageName: Microsoft.Windows.Apprep.ChxApp
publisherId: cw5n1h2txyewy
-
name: Remove "Assigned Access Lock App" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.AssignedAccessLockApp
packageName: Microsoft.Windows.AssignedAccessLockApp
publisherId: cw5n1h2txyewy
-
name: Remove "Capture Picker" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.CapturePicker
packageName: Microsoft.Windows.CapturePicker
publisherId: cw5n1h2txyewy
-
name: Remove "Cloud Experience Host" app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in)
# recommend: strict (Unrecommended due to too many side-effects)
docs: |-
This script uninstalls the Microsoft Cloud Experience Host service.
This service is required for connecting to corporate domains or Microsoft cloud-based services.
It is also referred to as the "Microsoft account" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
The Microsoft Cloud Experience Host has several functionalities:
- It is responsible for connecting Microsoft accounts [4] [5].
- It enables corporate login. The Cloud Experience Host application is invoked during the process of joining workplace environments or Azure Active Directory (Azure AD) [6]. It renders the experience for collecting company-provided credentials [6]. After enrolling your device with your workplace environment or Azure AD, your organization can manage your PC and collect specific data about you, including your location [6]. The organization may add or remove apps, modify settings, disable certain features, prevent account removal, or even reset your PC [6].
- It manages PIN, Biometric, and Device authentication [7]. This is needed for Windows Hello, which supports authentication through a device, biometric data, or a PIN code [7]. This functionality also assists in joining a machine to Azure AD or an on-premises AD domain [7].
- Lastly, it aids in Out-of-box experience (OOBE) troubleshooting [8]. The OOBE comprises a series of screens such as the license agreement, internet connection, and login [9]. The service helps detect errors occurring during the OOBE flow [8].
While the service does offer these essential functionalities, it also introduces notable privacy considerations.
If you decide to uninstall it, expect the following side effects:
- Signing in to Windows with a Microsoft account will no longer work, breaking cloud-based sign-in [10] [11].
- The password and PIN sign-in options located in "Settings > Sign-in Options" will be inaccessible [12].
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231007145740/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[5]: https://web.archive.org/web/20231007145741/https://answers.microsoft.com/en-us/windows/forum/all/cant-login-to-microsoft-account-because-of-cloud/0861c72d-3621-45bc-bae0-67d13121f526 "cant login to microsoft account because of cloud experience host - Microsoft Community | answers.microsoft.com"
[6]: https://web.archive.org/web/20231007145756/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology#cloud-experience-hos "How Windows Hello for Business works - technology and terms - Windows Security | Microsoft Learn"
[7]: https://web.archive.org/web/20231007150204/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning "How Windows Hello for Business works - Provisioning - Windows Security | Microsoft Learn"
[8]: https://web.archive.org/web/20231007150256/https://learn.microsoft.com/en-us/windows/privacy/required-windows-11-diagnostic-events-and-fields#cloud-experience-host-events "Required diagnostic events and fields for Windows 11, version 21H2 - Windows Privacy | Microsoft Learn"
[9]: https://web.archive.org/web/20231007150258/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe "Customize OOBE | Microsoft Learn"
[10]: https://github.com/undergroundwires/privacy.sexy/issues/99 "Microsoft login procedure is not functional · Issue #99 · undergroundwires/privacy.sexy | github.com"
[11]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy | github.com"
[12]: https://github.com/undergroundwires/privacy.sexy/issues/67 "[BUG]: Unable to change PIN and Password · Issue #67 · undergroundwires/privacy.sexy | github.com"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.CloudExperienceHost
packageName: Microsoft.Windows.CloudExperienceHost
publisherId: cw5n1h2txyewy
-
name: Remove "Content Delivery Manager" app
recommend: strict
docs: |-
This script uninstalls the "Content Delivery Manager" app.
This app provides Windows Spotlight functionality [1], which automatically sets random wallpapers on the lock screen in Windows [2] [3].
The main purpose of this app is to update the Windows experience [1].
To achieve this, the app collects data about interactions with the Windows Spotlight content, such as which content is viewed, clicked on, or given feedback [1]. It records the content's ID, user actions, and other associated attributes [1]. Additionally, the app aggregates data about the state of content offers on a device, including the health of user accounts, the health status of the content delivery, and more specific metrics [1]. The app also keeps track of where the content is displayed, like on the LockScreen or Start menu, and when. This detailed tracking ensures that Windows stays up-to-date [1]. However, for users who prioritize privacy, understanding the data this app collects can be vital.
The app comes pre-installed on certain versions of Windows [4] [5].
[1]: https://web.archive.org/web/20231007152921/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703#content-delivery-manager-events "Windows 10, version 1703 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support"
[3]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn"
[4]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[5]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.ContentDeliveryManager
packageName: Microsoft.Windows.ContentDeliveryManager
publisherId: cw5n1h2txyewy
-
category: Remove Cortana system apps
children:
-
name: Remove "Search" app (breaks Windows search)
docs: |-
This script removes two specific apps from Windows:
- `Microsoft.Windows.Cortana`: Commonly known as Cortana [1] [2] [3]. This app comes pre-installed on certain versions of Windows [1] [2] [3].
- `Microsoft.Windows.Search`: Introduced in Windows 10 2004, this app took over the role of `Microsoft.Windows.Cortana` to provide search functionality [4].
The executable for this app is `SearchApp.exe`, located at `C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe` [5] [6].
This app powers the Windows search bar [5]. Some community reports have indicated that this app may collect data to display advertisements [7] [8].
Removing these apps contributes to user privacy by eliminating potential data collection points. However, please note that running this script will break
the built-in Windows search functionality. Weigh the trade-off between improved privacy and the loss of search functionality before proceeding.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231007222810/https://answers.microsoft.com/en-us/windows/forum/all/applocker-blocking-windows-search-functionality/5509bfcc-061c-49e0-803d-6dbb1bc6a839 "Applocker Blocking windows search functionality Win 10 - 2004 - Microsoft Community"
[5]: https://web.archive.org/web/20231007222923/https://learn.microsoft.com/en-us/answers/questions/461791/kb5003637-problem-with-windows-search-bar "KB5003637 Problem With Windows Search Bar - Microsoft Q&A"
[6]: https://web.archive.org/web/20231007222844/https://learn.microsoft.com/en-us/answers/questions/842652/unable-to-start-a-dcom-server-microsoftwindows-cli?cid=kerryherger&page=2 "Unable to start a DCOM Server - MicrosoftWindows.Client.CBS_120.2212.4170.0_x64__cw5n1h2txyewy!InputApp as Unavailable/Unavailable. Error 2147942402 (TextInputHost.exe) - Microsoft Q&A"
[7]: https://web.archive.org/web/20231007222907/https://learn.microsoft.com/en-us/answers/questions/175856/windows-10-20h2-searchapp-exe-network-connection "Windows 10 20H2 searchapp.exe - network connection - Microsoft Q&A"
[8]: https://web.archive.org/web/20231007222922/https://learn.microsoft.com/en-us/answers/questions/893937/searchapp-exe-connecting-to-ms-for-no-reason "Searchapp.exe connecting to MS for no reason. - Microsoft Q&A"
call:
-
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Windows.Cortana
packageName: Microsoft.Windows.Cortana # Removed since version 2004
publisherId: cw5n1h2txyewy
-
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Windows.Search
packageName: Microsoft.Windows.Search # Added in Windows 10 2004; it was called "Cortana" before, now it is plain "Search"
publisherId: cw5n1h2txyewy
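Because the packages targeted above differ between Windows releases (see the `Existence` comments), it helps to confirm what is actually present on the machine at hand before removing anything. The following inventory is an added example, not privacy.sexy code; it builds the package family name from each `packageName`/`publisherId` pair, looks it up with `Get-AppxPackage -AllUsers`, and reports whether it is installed, provisioned for new users, and whether it is signed as a system or store package (the distinction behind `UninstallSystemApp` versus `UninstallStoreApp`). The function name `Get-SystemAppStatus` and the target list are assumptions of this example; it assumes an elevated session because `-AllUsers` and `Get-AppxProvisionedPackage` require one.

```powershell
# Added example (not privacy.sexy code): read-only inventory of targeted packages.
# Assumes an elevated Windows PowerShell session with the built-in Appx and DISM modules.
function Get-SystemAppStatus {
    param(
        # Constructed from the packageName/publisherId pairs in this category
        [hashtable[]] $Targets = @(
            @{ Name = 'Microsoft.Windows.Cortana'; Publisher = 'cw5n1h2txyewy' },
            @{ Name = 'Microsoft.Windows.Search';  Publisher = 'cw5n1h2txyewy' }
        )
    )
    # One enumeration each, then filter in memory
    $installed   = Get-AppxPackage -AllUsers
    $provisioned = Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue

    foreach ($t in $Targets) {
        $family = "$($t.Name)_$($t.Publisher)"           # e.g. Microsoft.Windows.Search_cw5n1h2txyewy
        $pkgs   = @($installed | Where-Object PackageFamilyName -eq $family)
        [pscustomobject]@{
            PackageFamilyName = $family
            Installed         = $pkgs.Count -gt 0
            # "System" means a SystemApps package; "Store" means a store-distributed one
            SignatureKind     = ($pkgs | Select-Object -ExpandProperty SignatureKind -Unique) -join ', '
            Version           = ($pkgs | Select-Object -ExpandProperty Version -Unique) -join ', '
            InstallLocation   = ($pkgs | Select-Object -ExpandProperty InstallLocation -Unique) -join ', '
            # Provisioned packages are re-installed for every new user profile
            Provisioned       = [bool]($provisioned | Where-Object DisplayName -eq $t.Name)
        }
    }
}

Get-SystemAppStatus | Format-Table -AutoSize
```

On a Windows 10 22H2 machine the `Existence` comments above predict `Microsoft.Windows.Cortana` as not installed and `Microsoft.Windows.Search` as installed; on Windows 11 22H2 both should be absent. Any other outcome is worth understanding before running the removal.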
-
name: Remove "Holographic First Run" app
recommend: standard
docs: |-
The "Windows Holographic First Run" app is a diagnostic tool on Windows, designed for potential users of Microsoft's Hololens, an augmented reality headset [1].
When run, the app scans your computer's hardware to determine its compatibility with the Hololens [1]. It assesses which components meet or exceed the required
specifications, which might offer a subpar experience, and which fail to meet the necessary standards [1]. The app accesses hardware data to ensure that
the users have a system capable of supporting the Hololens [1].
This app is pre-installed in specific Windows versions [2].
[1]: https://web.archive.org/web/20231003184605/https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/ "Check If Your PC Meets The Windows Holographic App Requirements | addictivetips.com"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Windows.Holographic.FirstRun
packageName: Microsoft.Windows.Holographic.FirstRun
publisherId: cw5n1h2txyewy
-
category: Remove Out-of-Box Experience (OOBE) apps
docs: |-
This category focuses on uninstalling specific Out-of-Box Experience (OOBE) apps from Windows devices. OOBE apps are components of the Windows setup process designed to guide
users through initial device setup, establishing settings and preferences, and connecting to networks [1].
[1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn"
children:
-
name: Remove "OOBE Network Captive Portal" app
docs: |-
This script uninstalls the OOBE Network Captive Portal app. The app is part of the Out-of-Box Experience (OOBE) process in Windows [1]. When users set
up their Windows system for the first time, they encounter the "Let's connect you to a network" screen [1]. This screen precedes the End User License Agreement
(EULA) screen and presents available connection options, including Wi-Fi and Cellular data networks in the vicinity [1]. Some pages during the OOBE are delivered
through a cloud service [1].
The app runs the `OOBENetworkCaptivePortal.exe` file, which is responsible for the Captive Portal Flow during OOBE [2].
This app is pre-installed in specific Windows versions [3] [4].
[1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network "Windows 10 OOBE screen details | Microsoft Learn"
[2]: https://web.archive.org/web/20231007230004/https://strontic.github.io/xcyclopedia/library/OOBENetworkCaptivePortal.exe-0DF57DA84716210304E79A34BF5F4B39.html "OOBENetworkCaptivePortal.exe | OOBE Captive Portal Flow | STRONTIC"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.OOBENetworkCaptivePortal
packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Official docs point to the wrong name "Microsoft.Windows.OOBENetworkCaptivePort"
publisherId: cw5n1h2txyewy
-
name: Remove "OOBE Network Connection Flow" app
docs: |-
This script uninstalls the "OOBE Network Connection Flow" app from Windows devices. The OOBE (Out-of-Box Experience) Network Connection Flow app assists
users during their initial setup of a Windows device [1]. When setting up, users encounter the "Let's connect you to a network" screen, which lists available
Wi-Fi and Cellular network options [1]. Devices with LTE capabilities and an active SIM card will automatically connect to the Cellular network, but if a Wi-Fi
network is accessible, it will be preferred [1]. To ensure users don't consume excessive data during setup, Windows limits the download to essential updates
when on metered networks [1].
After establishing a network connection, the device starts downloading necessary driver and Windows Zero-Day Patch (ZDP) updates, which are necessary for device
performance and security [1]. Users cannot opt-out of these updates [1]. If a newer Windows version is available and the device qualifies, users will get an option
to download this update at the OOBE's conclusion [1].
The primary process for this app is `OOBENetworkConnectionFlow.exe` [2].
This app comes pre-installed on certain versions of Windows [3] [4].
[1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn"
[2]: https://web.archive.org/web/20231007233651/https://strontic.github.io/xcyclopedia/library/OOBENetworkConnectionFlow.exe-823E4DEF469E572C9C3DC2DC332441E1.html "OOBENetworkConnectionFlow.exe | OOBE Network Connection Flow | STRONTIC"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.OOBENetworkConnectionFlow
packageName: Microsoft.Windows.OOBENetworkConnectionFlow
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft Family Safety" / "Parental control" app
recommend: standard
docs: |-
This script uninstalls the parental control app for Microsoft Family Safety.
A **parental control** app helps parents regulate the content their children access online, including how long they spend on devices [1].
It provides features such as content filtering, screen time limit enforcement, activity monitoring, contact blocking, and activity reports [1] [2].
**Family Safety**, a specific parental control tool from Microsoft, lets parents monitor and control their children's online activities [3].
It offers the ability to filter unsuitable web content and gives parents insight into the search terms their children use on search engines [3].
One notable function is the "safe search" feature that communicates with search engines to ensure adult material is excluded from search results [3].
However, using Family Safety means Microsoft collects personal details such as names, email addresses, birth dates, and other diagnostic data [4].
There's a privacy concern, especially regarding minors, because the tool actively logs the search terms children enter into search engines [3].
While "safe search" promotes user safety, it communicates settings to various search engine platforms, potentially sharing user preferences and
identifiable information with these third parties [3]. It's also worth noting that certain browsers, like Firefox, require extra measures to
ensure secure connections [3]. Without these measures, there's a risk of user data interception or manipulation.
This app comes pre-installed on certain versions of Windows [5] [6].
[1]: https://web.archive.org/web/20231008130535/https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/choosing-a-parental-control-app "Choosing a parental control app that works for you - Microsoft 365"
[2]: https://web.archive.org/web/20231008130516/https://www.microsoft.com/en-us/microsoft-365/family-safety "Microsoft Family Safety—Location Sharing and Screen Time App | Microsoft 365"
[3]: https://web.archive.org/web/20231008130419/https://support.microsoft.com/en-us/topic/family-safety-update-improves-web-filtering-and-activity-reporting-in-windows-8-1-and-windows-rt-8-1-116efe24-0153-9680-0d0c-5f433c677336 "Family Safety update improves web filtering and activity reporting in Windows 8.1 and Windows RT 8.1 - Microsoft Support"
[4]: https://web.archive.org/web/20231008130529/https://support.microsoft.com/en-us/account-billing/family-safety-data-collection-and-privacy-options-3d01b791-e48a-498f-bfa6-97f0d373cd9c "Family Safety data collection and privacy options - Microsoft Support"
[5]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[6]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.ParentalControls
packageName: Microsoft.Windows.ParentalControls
publisherId: cw5n1h2txyewy
-
category: Remove People Hub apps
children:
-
name: Remove "My People" app
recommend: strict
docs: |-
This script uninstalls the "My People" app.
This app is also known as "People Hub" [1] [2] or "Windows My People" [3] [4].
It allows users to pin contacts to the Windows task bar [3].
Additionally, users can drag and drop documents, photos, or videos onto a contact to share them [3].
This app comes pre-installed on certain versions of Windows [1] [2].
Its main operational file is `PeopleExperienceHost.exe`, which can typically be located at
`C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe` [4]. This process is commonly known as "Windows My People" [4].
By uninstalling pre-installed apps like "My People", users can reclaim system resources and potentially enhance privacy by reducing the
number of apps that could access and share their data.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231009112816/https://blogs.windows.com/windowsexperience/2016/10/26/empowering-a-new-wave-of-creativity-with-the-windows-10-creators-update-and-surface-studio/ "Empowering a new wave of creativity with the Windows 10 Creators Update and Surface Studio | Windows Experience Blog"
[4]: https://web.archive.org/web/20231009111644/https://strontic.github.io/xcyclopedia/library/PeopleExperienceHost.exe-4DB57408AA06543E575368FEDC280B4A. "PeopleExperienceHost.exe | Windows My People | STRONTIC"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.PeopleExperienceHost
packageName: Microsoft.Windows.PeopleExperienceHost
publisherId: cw5n1h2txyewy
-
name: Remove "Pinning Confirmation Dialog" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.PinningConfirmationDialog
packageName: Microsoft.Windows.PinningConfirmationDialog
publisherId: cw5n1h2txyewy
-
name: Remove "Secondary Tile Experience" app
recommend: strict
docs: |-
This script removes the "Secondary Tile Experience" app from your computer. The Secondary Tile Experience supports a Windows feature that lets users create quick access shortcuts,
called secondary tiles, to specific content from an app on their Start menu [1]. For example, it might be a shortcut to the weather of a city or a favorite news article. Secondary
tiles act as direct entry points to parts of an app, like displaying real-time updates or leading to a particular feature [1]. While these tiles share some similarities with primary tiles
in terms of showing detailed content and notifications, they differ in a few ways. First, secondary tiles are created based on the user's choice, and they get a prompt from the system asking
for confirmation before pinning [1]. Second, these tiles can be deleted at any time, and this doesn't affect the main app [1].
This app comes pre-installed on certain versions of Windows [2].
From a privacy perspective, it's worth noting that individual secondary tiles might track user behaviors or preferences, which could be a concern for some users.
The purpose of this script is to offer users the option to uninstall this feature if they wish to prioritize their privacy.
[1]: https://web.archive.org/web/20231008120335/https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/secondary-tiles "Secondary tiles - Windows apps | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.Windows.SecondaryTileExperience
packageName: Microsoft.Windows.SecondaryTileExperience
publisherId: cw5n1h2txyewy
-
name: Remove "Take a Test" app
recommend: strict
docs: |-
This script uninstalls the "Take a Test" application, also known as "secure assessment browser" [1] [2] [3]. It is a feature in Windows primarily used for online testing
in schools [4]. The purpose of this app is to create a secure environment where students can't access external computer or internet resources while taking a test [4].
It restricts specific activities, like printing, taking screenshots, or opening other apps [4]. The software offers two usage modes: a basic secure mode and a more
stringent "kiosk mode" for vital assessments [4].
Educators and administrators have the flexibility to set various rules using this application [5]. For example, they can determine if the test allows screen monitoring,
if students can get keyboard text suggestions, or if a specific test should auto-launch when the app is started [5]. They can also control printing permissions and determine
which user accounts are permitted to take the test [5].
The app collects data such as the username of the person taking the test and information about the particular tests being taken [5].
This app comes pre-installed on certain versions of Windows [1] [2]. Its technical implementation can be found under the name `SecureAssessmentBrowser.exe` at
`C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe` [3].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231008122256/https://strontic.github.io/xcyclopedia/library/SecureAssessmentBrowser.exe-9997A632135DFB0C53479401E17A7367.html.html "SecureAssessmentBrowser.exe | Take a Test | STRONTIC"
[4]: https://web.archive.org/web/20231008122321/https://learn.microsoft.com/en-us/education/windows/take-tests-in-windows "Take tests and assessments in Windows - Windows Education | Microsoft Learn"
[5]: https://web.archive.org/web/20231008122328/https://learn.microsoft.com/en-us/windows/client-management/mdm/secureassessment-csp "SecureAssessment CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.Windows.SecureAssessmentBrowser
packageName: Microsoft.Windows.SecureAssessmentBrowser
publisherId: cw5n1h2txyewy
-
category: Remove Windows Feedback apps
children:
-
name: Remove "Windows Feedback" app
recommend: standard
docs: |-
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Microsoft.WindowsFeedback
packageName: Microsoft.WindowsFeedback
publisherId: cw5n1h2txyewy
-
name: Remove "Xbox Game Callable UI" app (breaks Xbox Live games)
docs: |-
This script uninstalls the "Xbox Game Callable UI" (TCUI) app.
This app acts as an intermediary tool that games can use to bring up common UI elements on the Xbox platform [1].
These displays, consistent with the RS5 Gamebar style, offer functionalities such as profile viewing, game invite sending, people selection,
friend management, achievement viewing, user privilege checking, and navigation to game details, profile customization, user settings, and
storage management [1].
This app comes pre-installed on certain versions of Windows [2] [3].
[1]: https://web.archive.org/web/20200827080253/https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview "Title-callable UI (TCUI) overview - Xbox Live | Microsoft Docs"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
recommend: strict
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Microsoft.XboxGameCallableUI
packageName: Microsoft.XboxGameCallableUI
publisherId: cw5n1h2txyewy
-
name: Remove "CBS Preview" app
recommend: standard
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Windows.CBSPreview
packageName: Windows.CBSPreview
publisherId: cw5n1h2txyewy
-
name: Remove "Contact Support" app
docs: |-
This app comes pre-installed on certain versions of Windows [1].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Windows.ContactSupport
packageName: Windows.ContactSupport
publisherId: cw5n1h2txyewy
-
name: Remove "Windows Print 3D" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ❌ Missing
# More info : Get-AppxPackage Windows.Print3D
packageName: Windows.Print3D
publisherId: cw5n1h2txyewy
-
name: Remove "Print UI" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
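As an added example (not code from privacy.sexy or its `UninstallSystemApp` function), the following PowerShell inventory reports which of the system app packages named in this section are still registered, using the package names and the publisher ID `cw5n1h2txyewy` given in the entries above. It only reads package state and removes nothing, so it can be used to confirm the result of the removal scripts; `Get-SystemAppStatus` is a helper written for this example.

```powershell
# Added example, not part of privacy.sexy: read-only inventory of the system
# app packages named in this section. Package names and the publisher ID are
# copied from the entries above; nothing here uninstalls anything.
$publisherId  = 'cw5n1h2txyewy'
$packageNames = @(
    'Microsoft.Windows.OOBENetworkCaptivePortal'
    'Microsoft.Windows.OOBENetworkConnectionFlow'
    'Microsoft.Windows.ParentalControls'
    'Microsoft.Windows.PeopleExperienceHost'
    'Microsoft.Windows.PinningConfirmationDialog'
    'Microsoft.Windows.SecondaryTileExperience'
    'Microsoft.Windows.SecureAssessmentBrowser'
    'Microsoft.WindowsFeedback'
    'Microsoft.XboxGameCallableUI'
    'Windows.CBSPreview'
    'Windows.ContactSupport'
    'Windows.Print3D'
    'Windows.PrintDialog'
)

function Get-SystemAppStatus {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PublisherId
    )
    # Windows identifies a package by its family name: "<name>_<publisherId>",
    # which is also what the uninstall scripts above are built from.
    $familyName = "${Name}_${PublisherId}"

    # Packages registered for the current user; no elevation required.
    $forCurrentUser = @(Get-AppxPackage -Name $Name -ErrorAction SilentlyContinue |
        Where-Object { $_.PackageFamilyName -eq $familyName })

    # Packages registered for any user. -AllUsers needs an elevated session,
    # so a failure is reported as "unknown" rather than mistaken for "removed".
    $forAnyUser = 'unknown (run elevated)'
    try {
        $found = @(Get-AppxPackage -Name $Name -AllUsers -ErrorAction Stop |
            Where-Object { $_.PackageFamilyName -eq $familyName })
        $forAnyUser = $found.Count -gt 0
    } catch {
        # Not elevated (access denied): keep the "unknown" marker.
    }

    $installLocation = ''
    if ($forCurrentUser.Count -gt 0) { $installLocation = $forCurrentUser[0].InstallLocation }

    [pscustomobject]@{
        PackageFamilyName = $familyName
        CurrentUser       = $forCurrentUser.Count -gt 0
        AnyUser           = $forAnyUser
        InstallLocation   = $installLocation
    }
}

# Print one row per package; False/False means the package is gone.
$packageNames |
    ForEach-Object { Get-SystemAppStatus -Name $_ -PublisherId $publisherId } |
    Format-Table -AutoSize
```

Run it once before and once after applying the scripts; an entry that still shows `CurrentUser = True` was not removed for the logged-in account, while `AnyUser` only becomes meaningful from an elevated session.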
call:
function: UninstallSystemApp
parameters:
# Existence : Windows 10 (≥ 22H2): ✅ Exists | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage Windows.PrintDialog
packageName: Windows.PrintDialog
publisherId: cw5n1h2txyewy
-
category: Remove OneDrive
docs: |-
Microsoft OneDrive (formerly SkyDrive) is a file hosting service operated by Microsoft [1].
First launched in August 2007, it enables registered users to share and synchronize their files [1].
Data stored on OneDrive is subject to monitoring by Microsoft [2].
There have been reports of Microsoft accessing and altering your personal files when syncing on OneDrive [3] [4].
Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5].
[1]: https://en.wikipedia.org/wiki/OneDrive "OneDrive | Wikipedia"
[2]: https://en.wikipedia.org/w/index.php?title=OneDrive&oldid=1111615560#Privacy_concerns "OneDrive | Privacy concerns | Wikipedia"
[3]: https://web.archive.org/web/20191002180755/https://www.intralinks.com/blog/2014/04/microsoft-onedrive-business-can-alter-files-syncs "Microsoft OneDrive for Business can Alter Your Files as It Syncs | Intralinks"
[4]: https://thehackernews.com/2014/04/microsoft-onedrive-secretly-modifies.html "Microsoft OneDrive Secretly Modifies your BackUp Files | thehackernews.com"
[5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
children:
-
name: Kill OneDrive process
recommend: strict
docs: |-
It stops the execution of OneDrive.
The main OneDrive process is `OneDrive.exe`, installed at `<local-app-data>\Microsoft\OneDrive\OneDrive.exe` [1] [2] [3] [4].
[1]: https://answers.microsoft.com/en-us/windows/forum/all/onedrive-wont-sync-and-wont-uninstall-so-i-can-re/6182d0a5-e7ea-46bb-a058-c0a4fd5e299a "Onedrive wont sync and wont uninstall so I can re-install the latest - Microsoft Community | answers.microsoft.com"
[2]: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/9bd33f03-62dd-4c4f-9d29-970c1016f2f9/better-onedrive-detection-method?forum=configmanagerapps "Better OneDrive detection method | social.technet.microsoft.com"
[3]: https://social.msdn.microsoft.com/Forums/en-US/072e3577-d0ff-4950-9e0b-40b037853881/starting-and-stopping-sharepoint-library-sync-with-onedrive?forum=sharepointdevelopmentprevious "Starting and stopping SharePoint library sync with OneDrive | social.msdn.microsoft.com"
[4]: https://learn.microsoft.com/en-us/answers/questions/473995/onedrive-was-previously-disabled-and-now-i-can39t.html "OneDrive was previously disabled and now I can't enable it with GPO - Microsoft Q&A | learn.microsoft.com"
call:
function: KillProcess
parameters:
processName: OneDrive.exe
processStartPath: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe'
processStartArgs: /background
-
name: Remove OneDrive from startup
recommend: strict
docs: |-
OneDrive starts on every boot in both Windows 10 and 11.
It's started through `OneDrive` `REG_SZ` entry in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` [1].
The startup command is `"<local-app-data>\Microsoft\OneDrive\OneDrive.exe" /background` [1].
[1]: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/start-onedrive-when-using-a-remoteapp-in-wvd/m-p/899331 "Re: Start OneDrive when using a RemoteApp in WVD - Page 2 - Microsoft Tech Community | techcommunity.microsoft.com"
code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /f 2>nul
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe\" /background" /f
-
name: Remove OneDrive through official installer
docs: |-
This script calls the official Microsoft uninstaller, which removes the application but leaves residual files behind.
Uninstalling OneDrive from your computer does not delete your data, because the files remain stored in the cloud [1].
Running the OneDrive client setup package (`OneDriveSetup.exe`) with the `/uninstall` command line switch uninstalls OneDrive [2] [3].
On Windows 10, the setup package is found in different folders (`System32` or `SysWOW64`) depending on the CPU architecture [4].
On Windows 11, the setup package is always inside `System32` regardless of the CPU architecture.
Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5].
[1]: https://support.microsoft.com/en-us/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0 "Turn off, disable, or uninstall OneDrive | support.microsoft.com"
[2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016#method-2-uninstall-onedriveexe "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn"
[3]: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/lists-and-libraries/cannot-open-onedrive-on-images-using-sysprep#how-to-correctly-deploy-onedrive-via-sysprep "Can't open OneDrive on images using Sysprep - SharePoint | Microsoft Learn"
[4]: https://answers.microsoft.com/en-us/windows/forum/all/onedrive-on-windows-11-does-not-appear-in-file/250c679b-9d02-410f-8c8f-41cca112ccfa "OneDrive on Windows 11 - Does Not Appear in File Explorer - Microsoft Community | answers.microsoft.com"
[5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
recommend: strict
code: |-
if exist "%SystemRoot%\System32\OneDriveSetup.exe" (
"%SystemRoot%\System32\OneDriveSetup.exe" /uninstall
) else (
if exist "%SystemRoot%\SysWOW64\OneDriveSetup.exe" (
"%SystemRoot%\SysWOW64\OneDriveSetup.exe" /uninstall
) else (
echo Failed to uninstall, uninstaller could not be found. 1>&2
)
)
revertCode: |-
if exist "%SystemRoot%\System32\OneDriveSetup.exe" (
"%SystemRoot%\System32\OneDriveSetup.exe" /silent
) else (
if exist "%SystemRoot%\SysWOW64\OneDriveSetup.exe" (
"%SystemRoot%\SysWOW64\OneDriveSetup.exe" /silent
) else (
echo Failed to install, installer could not be found. 1>&2
)
)
-
name: Remove OneDrive residual files
recommend: strict
docs: |-
This script cleans OneDrive files such as installation directories, application data,
and temporary files and cache.
- `C:\OneDriveCache`: Temporary cache location [1].
- `C:\ProgramData\Microsoft OneDrive`: Program data, used during setup [2] [3].
- `C:\Users\<username>\OneDrive`: OneDrive root directory [4].
- `C:\Users\<username>\AppData\Local\Microsoft\OneDrive`: OneDrive installation directory [5].
The folders are reported by the community [1]. According to the tests:
| Directory | Windows 11 (since 22H2) | Windows 10 (since 22H2) |
| --------- |:-----------------------:|:-----------------------:|
| `%SYSTEMDRIVE%\OneDriveCache` | ❌ Missing | ❌ Missing |
| `%PROGRAMDATA%\Microsoft OneDrive` | ✅ Exists | ✅ Exists |
| `%LOCALAPPDATA%\Microsoft\OneDrive` | ✅ Exists | ✅ Exists |
| `%USERPROFILE%\OneDrive` | ✅ Exists | ✅ Exists |
[1]: https://social.microsoft.com/Forums/en-US/53263a51-856f-4e64-bc0e-a689d4cc5a8b/release-notes-for-1907-build-29711727413?forum=FSLogix "Release Notes for 1907 - build 2.9.7117.27413 | social.microsoft.com"
[2]: https://techcommunity.microsoft.com/t5/sharepoint/onedrive-setup-fails-to-complete/m-p/2072446 "OneDrive setup fails to complete - Microsoft Tech Community"
[3]: https://answers.microsoft.com/en-us/msoffice/forum/all/why-does-onedrive-act-as-ransomware/288e5940-b92b-493c-91ff-dafd26279bee "Why does OneDrive act as Ransomware? - Microsoft Community"
[4]: https://techcommunity.microsoft.com/t5/onedrive-for-business/change-onedrive-installation-location/m-p/225064 "Change OneDrive installation location - Microsoft Tech Community | techcommunity.microsoft.com"
[5]: https://learn.microsoft.com/en-us/sharepoint/install/configure-syncing-with-the-onedrive-sync-app "Configure syncing with the new OneDrive sync app - SharePoint Server | Microsoft Learn | learn.microsoft.com"
call:
-
function: DeleteDirectory
parameters:
directoryGlob: '%USERPROFILE%\OneDrive'
-
function: DeleteDirectory
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\OneDrive'
grantPermissions: true
-
function: DeleteDirectory
parameters:
directoryGlob: '%PROGRAMDATA%\Microsoft OneDrive'
-
function: DeleteDirectory
parameters:
directoryGlob: '%SYSTEMDRIVE%\OneDriveTemp'
-
name: Remove OneDrive shortcuts
recommend: strict
docs: |-
This script ensures the removal of all OneDrive shortcuts from your system, even after uninstallation or cleanup.
Erasing these shortcuts improves the security and privacy of your computer system, lessening the potential access points for
unwanted entities.
Moreover, the removal of unused shortcuts results in a more organized and efficient system, enhancing your user experience by
preventing any confusion from dead shortcuts.
Shortcuts that link to OneDrive are stored in various locations, such as:
- `Start Menu\Programs\Microsoft OneDrive.lnk`, `Start Menu\Programs\OneDrive.lnk`, `Links\OneDrive.lnk` [1],
- `ServiceProfiles\LocalService` and `ServiceProfiles\NetworkService` [1]
Below are the tested shortcut file locations on default installation (since Windows 10 22H2 and Windows 11 22H2):
| Path | Windows 11 | Windows 10 |
| ---- |:----------:|:----------:|
| `%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ✅ Exists | ✅ Exists |
| `%USERPROFILE%\Links\OneDrive.lnk` | ❌ Missing | ❌ Missing |
| `%WINDIR%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | ✅ Exists |
| `%WINDIR%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | ✅ Exists |
In Windows 10 and higher, additional steps are necessary to remove the OneDrive icon from the navigation pane in File
Explorer [2]; this script performs them.
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
[2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016 "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn"
call:
-
function: RemoveShortcutFiles
parameters:
targetFile: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe' # Must not hard-code a user name; expanded like 'processStartPath' above
shortcutItems: |-
@{ Revert = $True; Path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
@{ Revert = $False; Path = "$env:USERPROFILE\Links\OneDrive.lnk"; }
@{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
@{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
-
function: RunPowerShell
parameters:
code: |-
Set-Location "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"
Get-ChildItem | ForEach-Object {Get-ItemProperty $_.pspath} | ForEach-Object {
$leftnavNodeName = $_."(default)";
if (($leftnavNodeName -eq "OneDrive") -Or ($leftnavNodeName -eq "OneDrive - Personal")) {
if (Test-Path $_.pspath) {
Write-Host "Deleting $($_.pspath)."
Remove-Item $_.pspath;
}
}
}
-
name: Disable OneDrive usage
recommend: strict
docs: |-
This script prevents [1]:
- Keeping OneDrive files in sync with the cloud.
- Users from automatically uploading photos and videos from the camera roll folder.
- Users from accessing OneDrive from the OneDrive app and file picker.
- Windows Store apps from accessing OneDrive using the WinRT API.
- OneDrive from appearing in the navigation pane in File Explorer.
Setting `DisableFileSyncNGSC` group policy prevents OneDrive from working on both Windows 10 and 11 [1] [2].
Windows 8 uses older `DisableFileSync` key [3].
These policies do not exist by default in clean installations.
[1]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSync "Prevent the usage of OneDrive for file storage | admx.help"
[2]: https://support.microsoft.com/en-us/office/onedrive-won-t-start-0c158fa6-0cd8-4373-98c8-9179e24f10f2 "OneDrive won't start | support.microsoft.com"
[3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSyncForBlue "Prevent the usage of OneDrive for file storage on Windows 8.1 | admx.help"
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 1 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSync" /f 2>nul
-
name: Disable automatic OneDrive installation
docs: |-
Windows 10 ships with an `OneDriveSetup` entry in the per-user startup that reinstalls OneDrive automatically, even after
OneDrive has been uninstalled. This entry is missing in Windows 11 by default.
`OneDriveSetup` is registered to reinstall OneDrive and can be removed using the registry [1],
as recommended by Microsoft for optimizing Windows VDIs [1].
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
recommend: strict
call:
function: RunPowerShell
parameters:
code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f 2>$null
revertCode: |-
function Test-IsWindows11 { $osVersion = [System.Environment]::OSVersion.Version; ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }
if (Test-IsWindows11) {
Write-Host 'Skipping, no action needed on Windows 11.'
} else {
if([Environment]::Is64BitOperatingSystem) {
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f
} else {
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\System32\OneDriveSetup.exe /silent" /f
}
}
-
name: Remove OneDrive folder from File Explorer
recommend: strict
docs: |-
File Explorer shows OneDrive to allow you to access files stored in OneDrive (stored online and locally cached) [1].
The [CLSID](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm) for OneDrive is `018D5C66-4533-4307-9B53-224DE2ED1FE6` [2] on
both Windows 10 and 11. Changing the pinning option for this key removes OneDrive from the navigation pane in File Explorer [2].
This CLSID has a `System.IsPinnedToNameSpaceTree` value set to `1` after a clean installation of both Windows 10 and Windows 11.
[1]: https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com"
[2]: https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com"
code: |-
reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f
reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "0" /t REG_DWORD /f
revertCode: |-
reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f
reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /d "1" /t REG_DWORD /f
-
name: Disable OneDrive scheduled tasks
docs: |-
Scheduled tasks for OneDrive handle maintenance work such as auto-updates and data reporting.
These tasks are left intact even after a successful uninstall.
Windows 10 and 11 come with two tasks named:
1. `OneDrive Standalone Update Task`
2. `OneDrive Reporting Task`
Both tasks are enabled by default. They are not documented officially, either on Microsoft's website
or inside Task Scheduler itself through any description. But one can find these tasks by running:
`Get-ScheduledTask 'OneDrive *' | Select -ExpandProperty TaskName`.
The tasks are named as follows:
- OneDrive Reporting Task-S-1-5-21-994346235-3805487047-77196597-500
- OneDrive Standalone Update Task-S-1-5-21-994346235-3805487047-77196597-500
- OneDrive Standalone Update Task-S-1-5-21-2040720125-3302134200-1644992326-500
The SID (after the `-`) changes per installation. SIDs of user accounts always start with `S-1-5-21` [1],
so these are user SIDs. You can see all user accounts by running `wmic useraccount get Name,sid`, and you will
find that the first SID belongs to your account (verify using `whoami /user`). The other SID
does not belong to any user account even though it starts with `S-1-5-21`. It may be caused by
`sysprep` behavior, where a different SID is used for scheduled tasks to avoid duplication [2].
The third task's SID is unpredictable, and that task is also impossible to disable. Disabling it using `schtasks` results in:
`schtasks : ERROR: Catastrophic failure`. You can try using:
```ps1
$tasks=$(
Get-ScheduledTask 'OneDrive Reporting Task-*'
Get-ScheduledTask 'OneDrive Standalone Update Task-*'
)
foreach ($task in $tasks) {
$fullPath = $task.TaskPath + $task.TaskName
Write-Host "Disabling `"$fullPath`""
schtasks /Change /TN "$fullPath" /DISABLE
}
```
Even disabling it using the Task Scheduler UI shows "Catastrophic failure (Exception from HRESULT: 0x80000FFF (E_UNEXPECTED))".
Disabling the tasks that carry your user SID works fine; you can test it using (run as a .bat file, not directly in the terminal):
```batchfile
@echo off
for /f "tokens=1,2 delims==" %%s IN ('wmic path win32_useraccount where name^='%username%' get sid /value ^| find /i "SID"') do (
set "User_SID=%%t"
)
schtasks /Change /TN "\OneDrive Standalone Update Task-%User_SID%" /DISABLE
schtasks /Change /TN "\OneDrive Reporting Task-%User_SID%" /DISABLE
```
Deleting the tasks works fine, so this script deletes all these tasks instead.
[1]: https://renenyffenegger.ch/notes/Windows/security/SID/index "Windows security identifiers (SID) | renenyffenegger.ch"
[2]: https://en.wikipedia.org/w/index.php?title=Windows_Task_Scheduler&oldid=1086196699#Bugs "Windows Task Scheduler - Wikipedia | wikipedia.org"
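To see, before deleting anything, which of these tasks carry your own SID and which carry an orphaned one, the following read-only audit is an added example (not part of privacy.sexy); it assumes the built-in `ScheduledTasks` module and looks up only local accounts through `Win32_UserAccount`, and `Get-OneDriveTaskAudit` is a name chosen here:

```powershell
# Added example (not part of privacy.sexy): read-only audit of the OneDrive scheduled
# tasks described above, mapping each task's SID suffix to a local account so that
# orphaned (sysprep-style) SIDs stand out before anything is deleted.
# Assumes PowerShell 5.1+ on Windows with the built-in ScheduledTasks module.
function Get-OneDriveTaskAudit {
    $tasks = @(
        Get-ScheduledTask -TaskName 'OneDrive Reporting Task-*' -ErrorAction SilentlyContinue
        Get-ScheduledTask -TaskName 'OneDrive Standalone Update Task-*' -ErrorAction SilentlyContinue
    )

    # SID -> name map of local accounts (equivalent of `wmic useraccount get Name,sid`).
    # Domain accounts are not listed here, so on a domain-joined machine a valid
    # domain SID would also be reported as "(no local account)".
    $localAccounts = @{}
    Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        ForEach-Object { $localAccounts[$_.SID] = $_.Name }
    # Same value that `whoami /user` prints.
    $currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

    foreach ($task in $tasks) {
        # Task names end in "-S-1-5-21-<machine>-<rid>"; pull that SID out.
        $sid = $null
        if ($task.TaskName -match '-(S-1-5-21(?:-\d+)+)$') { $sid = $Matches[1] }
        $owner = '(no SID suffix)'
        if ($sid) {
            $owner = if ($localAccounts.ContainsKey($sid)) { $localAccounts[$sid] } else { '(no local account)' }
        }
        [pscustomobject]@{
            FullPath      = $task.TaskPath + $task.TaskName
            State         = $task.State
            Sid           = $sid
            Owner         = $owner
            IsCurrentUser = ($null -ne $sid -and $sid -eq $currentSid)
        }
    }
}

Get-OneDriveTaskAudit | Format-Table -AutoSize
```

A row whose `Owner` is "(no local account)" is the orphaned-SID case the text describes; `IsCurrentUser` rows are the ones `schtasks /Change ... /DISABLE` can still act on.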
recommend: strict
call:
function: RunPowerShell
parameters:
code: |-
$tasks = @(
Get-ScheduledTask 'OneDrive Reporting Task-*'
Get-ScheduledTask 'OneDrive Standalone Update Task-*'
)
if($tasks.Count -eq 0) {
Write-Host 'Skipping, no OneDrive tasks exist.'
} else {
Write-Host "Total found OneDrive tasks: $($tasks.Count)."
foreach ($task in $tasks) {
$fullPath = $task.TaskPath + $task.TaskName
Write-Host "Deleting `"$fullPath`""
schtasks /DELETE /TN "$fullPath" /f
}
}
-
name: Clear OneDrive environment variable
recommend: strict
docs: |-
Since Windows 10 1809, Microsoft introduced `%OneDrive%` environment variable to
reach OneDrive through an alias [1]. This variable is redundant when OneDrive is
undesired.
This script deletes `OneDrive` environment variable [2].
`OneDrive` key at `HKCU\Environment` is found on both Windows 10 and Windows 11.
[1]: https://superuser.com/a/1397495 "Determine OneDrive synchronisation folders - Super User | superuser.com"
[2]: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch "Export registry value to file and then set a variable in Batch - Stack Overflow | stackoverflow.com"
code: reg delete "HKCU\Environment" /v "OneDrive" /f 2>nul
-
category: Remove Edge (Chromium)
docs: |-
This category automates the uninstallation of Microsoft Edge (also known as "Chromium Edge" or "New Edge" [1]), the web browser that comes
pre-installed with many versions of Windows.
Microsoft Edge collects various types of data, some of which pertain to your browsing habits, such as the websites you visit, your search
queries, and the data you enter into forms [2]. Additionally, it tracks usage metrics and diagnostic data about your device and
how the browser is functioning [2]. These pieces of information could be used for targeted advertising or profiling. Removing Microsoft
Edge ensures that it is not silently accumulating this data in the background, thereby improving your overall privacy.
By default, Microsoft Edge does not allow uninstallation, and Microsoft has officially declared that Edge cannot be uninstalled on Windows [3].
[1]: https://en.wikipedia.org/w/index.php?title=Microsoft_Edge&oldid=1174053020#New_Edge_(2019%E2%80%93present) "Microsoft Edge - Wikipedia"
[2]: https://web.archive.org/web/20230907002709/https://support.microsoft.com/en-us/microsoft-edge/learn-more-about-diagnostic-data-collection-in-microsoft-edge-7fcee15b-39f7-ba02-bc59-9eef622c1a9f "Learn more about diagnostic data collection in Microsoft Edge - Microsoft Support"
[3]: https://web.archive.org/web/20230907002011/https://support.microsoft.com/en-us/microsoft-edge/why-can-t-i-uninstall-microsoft-edge-ee150b3b-7d7a-9984-6d83-eb36683d526d "Why can't I uninstall Microsoft Edge? - Microsoft Support"
children:
-
name: Remove Edge through official installer
docs: |-
This script uninstalls Microsoft Edge using the official installer.
1. **Enable Uninstallation**: The script modifies a specific registry key to allow the uninstallation of Microsoft Edge. This step is crucial
because, starting from version 116 of Edge, you cannot uninstall it unless this registry key is set.
2. **Run Uninstaller**: The script then finds the Microsoft Edge installer (`setup.exe`) for every Microsoft Edge installation (it is possible
to have multiple versions) and executes it to perform a system-level uninstall.
There is no official documentation for the Edge installer switches or the registry key that this script relies on. However, these have been verified
through testing and community support to work as expected.
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev" /v "AllowUninstall" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev" /v "AllowUninstall" /f 2>nul # It does not exist by default since Windows 10 21H2 and Windows 11 21H2
-
function: RunPowerShell
parameters:
code: |-
$installer = (Get-ChildItem "$($env:ProgramFiles)*\Microsoft\Edge\Application\*\Installer\setup.exe")
if (!$installer) {
Write-Host 'Installer not found. Microsoft Edge may already be uninstalled.'
} else {
$installer | ForEach-Object {
$uninstallerPath = $_.FullName
$installerArguments = @("--uninstall", "--system-level", "--verbose-logging", "--force-uninstall")
Write-Output "Uninstalling through uninstaller: $uninstallerPath"
$process = Start-Process -FilePath "$uninstallerPath" -ArgumentList $installerArguments -Wait -PassThru
if ($process.ExitCode -eq 0 -or $process.ExitCode -eq 19) {
Write-Host "Successfully uninstalled Edge."
} else {
Write-Error "Failed to uninstall, uninstaller failed with exit code $($process.ExitCode)."
}
}
}
revertCode: |-
$edgeExePath = Get-ChildItem -Path "$($env:ProgramFiles)*\Microsoft\Edge\Application" -Filter 'msedge.exe' -Recurse
if ($edgeExePath) {
Write-Host 'Microsoft Edge is already installed. Skipping reinstallation.'
Exit 0
}
Write-Host 'Downloading Microsoft Edge...'
$edgeInstallerUrl = 'https://c2rsetup.officeapps.live.com/c2r/downloadEdge.aspx?platform=Default&Channel=Stable&language=en'
$downloadPath = "$($env:TEMP)\MicrosoftEdgeSetup.exe"
Invoke-WebRequest -Uri "$edgeInstallerUrl" -OutFile "$downloadPath"
$installerArguments = @('/install', '/silent')
Write-Host 'Installing Microsoft Edge...'
$process = Start-Process -FilePath "$downloadPath" -ArgumentList "$installerArguments" -Wait -PassThru
Remove-Item -Path $downloadPath -Force
if ($process.ExitCode -eq 0) {
Write-Host 'Successfully reinstalled Microsoft Edge.'
} else {
Write-Error "Failed to reinstall Microsoft Edge. Installer failed with exit code $($process.ExitCode)."
}
-
name: Remove Edge (Chromium) file and URL associations
docs: |-
This script disconnects file and URL associations related to the Microsoft Edge browser on your computer. When you uninstall Edge, these
associations remain intact, leading to potential unexpected behaviors [1] and vulnerabilities when opening specific file types or URLs.
The script is recommended for enhancing the stability and privacy of your system by avoiding unintentional interactions with these leftover
settings. It particularly addresses associations found under specific registry keys:
- `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations`
- `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\URLAssociations`
Note that not all these associations are registered for Edge by the OS by default. Specifically, the removed associations have an `MSEdge` prefix,
covering program IDs such as `MSEdgePDF` and `MSEdgeHTM` [2].
Clearing these associations, which are not removed by the official Edge uninstaller, mitigates the risk of exposure to system vulnerabilities due to
these lingering settings. Your system remains cleaner, more stable, and more private, ensuring a more secure user experience.
[1]: https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
[2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn"
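As an added example (not the project's own code), this read-only audit lists the `MSEdge*` associations the script targets and flags those whose ProgId no longer exists under `HKCR`, which is the dangling state left behind once the uninstaller has run; `Get-EdgeAssociationAudit`, its `-ProgIdPattern` parameter and the `Add-Finding` helper are names chosen here:

```powershell
# Added example (not part of privacy.sexy): read-only audit of Edge file/URL
# associations. Nothing is modified; review the output before running the clean-up.
# Assumes PowerShell 5.1+ on Windows. Function and parameter names are chosen here.
function Get-EdgeAssociationAudit {
    param([string] $ProgIdPattern = 'MSEdge*')

    # PowerShell has no HKCR: drive by default; map one so Get-Item/Test-Path can use it.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $results = [System.Collections.Generic.List[object]]::new()

    function Add-Finding([string] $Source, [string] $Target, [string] $ProgId) {
        # A ProgId missing under HKCR is a dangling reference: the association
        # survived while the uninstaller removed the handler it points to.
        $results.Add([pscustomobject]@{
            Source           = $Source
            Target           = $Target
            ProgId           = $ProgId
            ProgIdRegistered = [bool](Test-Path -LiteralPath "HKCR:\$ProgId")
        })
    }

    # 1. Associations Edge advertises to the OS under its StartMenuInternet capabilities.
    $capRoot = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities'
    foreach ($sub in 'FileAssociations', 'URLAssociations') {
        $key = Get-Item -LiteralPath "$capRoot\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $progId = [string] $key.GetValue($name)
            if ($progId -like $ProgIdPattern) { Add-Finding $sub $name $progId }
        }
    }

    # 2. "Open With" entries: every HKCR\.<ext>\OpenWithProgIds value matching the pattern.
    #    Walking all extension keys under HKCR takes a few seconds.
    Get-ChildItem -LiteralPath 'HKCR:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '.*' } |
        ForEach-Object {
            $ext = $_.PSChildName
            $owp = Get-Item -LiteralPath "HKCR:\$ext\OpenWithProgIds" -ErrorAction SilentlyContinue
            if ($owp) {
                foreach ($progId in $owp.GetValueNames()) {
                    if ($progId -like $ProgIdPattern) { Add-Finding 'OpenWithProgIds' $ext $progId }
                }
            }
        }

    # 3. Per-user default-app toast records, named like MSEdgeHTM_.htm or MSEdgePDF_.pdf.
    $toasts = Get-Item -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts' -ErrorAction SilentlyContinue
    if ($toasts) {
        foreach ($name in $toasts.GetValueNames()) {
            if ($name -like "$($ProgIdPattern)_*") {
                $progId, $target = $name -split '_', 2
                Add-Finding 'ApplicationAssociationToasts' $target $progId
            }
        }
    }
    return $results
}

Get-EdgeAssociationAudit | Sort-Object Source, Target | Format-Table -AutoSize
```

Rows with `ProgIdRegistered` equal to `False` are the leftovers the script above removes; on a machine where Edge is still installed every row should read `True`.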
recommend: strict
call:
# Exclude:
# - Cleanup of keys under `HKLM\SOFTWARE\Clients\StartMenuInternet` as default uninstaller already cleans it.
-
function: RemoveBrowserAssociations # Deleting Edge through uninstaller does not remove these (tested on Windows 11 22H2 and Windows 10 21H1 using Edge v115).
parameters:
progIdPattern: MSEdge* # MSEdgeHTM, MSEdgeMHT, MSEdgePDF
# List:
# Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts' | ForEach-Object { $_.Property } | Where-Object { $_ -Match 'MSEdge' }
toastAssociations: >-
MSEdgeHTM_.webp MSEdgeHTM_http MSEdgeHTM_https MSEdgeHTM_.htm MSEdgeHTM_ftp MSEdgeHTM_.xml MSEdgeHTM_.html
MSEdgePDF_.pdf MSEdgeHTM_.svg MSEdgeHTM_mailto MSEdgeHTM_read MSEdgeHTM_.mht MSEdgeMHT_.mht
MSEdgeHTM_.mhtml MSEdgeMHT_.mhtml MSEdgeHTM_.xhtml MSEdgeHTM_.xht
-
function: RunInlineCode
# Remove association from "Open With" context menu.
# Deleting Edge through uninstaller does not remove these (tested on Windows 11 22H2 and Windows 10 21H1 using Edge v115).
# These associations can be found at HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations.
parameters:
code: |- # reg delete HKCR\{extension}\OpenWithProgIds\MSEdge{..}
for %%A in (
htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM,
pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM,
xhtml:MSEdgeHTM, webp:MSEdgeHTM, xml:MSEdgeHTM,
mht:MSEdgeMHT, mhtml:MSEdgeMHT
) do (
for /f "tokens=1,2 delims=:" %%B in ("%%A") do (
echo Removing OpenWith association for "%%C" from "%%B"...
reg delete "HKCR\.%%B\OpenWithProgIds" /v "%%C" /f 2>nul
)
)
revertCode: |- # Common defaults since Windows 10 21H2 and Windows 11 21H2
for %%A in (
htm:MSEdgeHTM, html:MSEdgeHTM, shtml:MSEdgeHTM,
pdf:MSEdgePDF, svg:MSEdgeHTM, xht:MSEdgeHTM,
xhtml:MSEdgeHTM, webp:MSEdgeHTM, mht:MSEdgeMHT,
mhtml:MSEdgeMHT
) do (
for /f "tokens=1,2 delims=:" %%B in ("%%A") do (
echo Restoring OpenWith for ".%%B" to "%%C"...
reg add "HKCR\.%%B\OpenWithProgids" /v "%%C" /t REG_SZ /f
)
)
-
name: Remove Edge shortcuts
docs: |-
This script removes Microsoft Edge shortcuts from specific locations on your computer, enhancing the privacy and
integrity of your system.
When installed, Microsoft Edge places shortcuts in various locations on your computer. Even after uninstalling the
Edge browser, some of these shortcuts may not be removed (tested on Edge ≥ v117). This script ensures the
removal of these residual shortcuts.
These shortcuts can serve as access points for malicious entities, potentially compromising your computer's security
and privacy. By deleting these shortcuts, the script helps in reducing these vulnerabilities, thus contributing to
a more secure and private computing environment.
Besides contributing to privacy and security, removing these unused shortcuts also contributes to a cleaner and more
organized computer system, providing an enhanced user experience.
The script specifically targets and removes shortcuts from the following paths, which have been tested and verified to
exist on default installations of Windows since Windows 10 22H2 and Windows 11 22H2:
| Path | Windows 11 | Windows 10 |
| ---- |:----------:|:----------:|
| `%ProgramData%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%AppData%\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%Public%\Desktop\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%SystemRoot%\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%UserProfile%\Desktop\Microsoft Edge.lnk` | ❌ Missing | ❌ Missing |
call:
# Exclude:
# - `DisableEdgeDesktopShortcutCreation` because it's highly documented and it does not really bring value since this script already deletes `Microsoft Edge.lnk` from public folder.
function: RemoveShortcutFiles
parameters:
targetFile: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
shortcutItems: |-
@{ Revert = $True; Path = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:Public\Desktop\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; }
@{ Revert = $False; Path = "$env:UserProfile\Desktop\Microsoft Edge.lnk"; }
-
category: Disable built-in Windows features
children:
-
name: Disable "Direct Play" feature
call:
function: DisableFeature
parameters:
featureName: DirectPlay
-
name: Disable "Internet Explorer" feature
call:
-
function: DisableFeature
parameters:
featureName: Internet-Explorer-Optional-x64
-
function: DisableFeature
parameters:
featureName: Internet-Explorer-Optional-x86
-
function: DisableFeature
parameters:
featureName: Internet-Explorer-Optional-amd64
-
name: Disable "Legacy Components" feature
call:
function: DisableFeature
parameters:
featureName: LegacyComponents
-
category: Disable server features
children:
-
category: Disable Hyper-V virtualization features
children:
-
name: Disable "Hyper-V" feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-All
-
name: Disable "Hyper-V GUI Management Tools" feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Management-Clients
-
name: Disable "Hyper-V Management Tools" feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Tools-All
-
name: Disable "Hyper-V Module for Windows PowerShell" feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Management-PowerShell
-
name: Disable "Telnet Client" feature
docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx
call:
function: DisableFeature
parameters:
featureName: TelnetClient
-
name: Disable "Net.TCP Port Sharing" feature
docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing
call:
function: DisableFeature
parameters:
featureName: WCF-TCP-PortSharing45
-
name: Disable "SMB Direct" feature
docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct
call:
function: DisableFeature
parameters:
featureName: SmbDirect
-
name: Disable "TFTP Client" feature
call:
function: DisableFeature
parameters:
featureName: TFTP
-
category: Disable printing features
children:
-
category: Disable printer networking
children:
-
name: Disable "Internet Printing Client" feature
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-InternetPrinting-Client
-
name: Disable "LPD Print Service" feature
call:
function: DisableFeature
parameters:
featureName: LPDPrintService
-
name: Disable "LPR Port Monitor" feature
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-LPRPortMonitor
-
name: Disable "Microsoft Print to PDF" feature
call:
function: DisableFeature
parameters:
featureName: Printing-PrintToPDFServices-Features
-
name: Disable "Print and Document Services" feature
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-Features
-
name: Disable "Work Folders Client" feature
docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview
call:
function: DisableFeature
parameters:
featureName: WorkFolders-Client
-
category: Disable XPS support features
children:
-
name: Disable "XPS Services" feature
call:
function: DisableFeature
parameters:
featureName: Printing-XPSServices-Features
-
name: Disable "XPS Viewer" feature
call:
function: DisableFeature
parameters:
featureName: Xps-Foundation-Xps-Viewer
-
name: Disable "Media Features" feature
call:
function: DisableFeature
parameters:
featureName: MediaPlayback
-
name: Disable "Scan Management" feature
call:
function: DisableFeature
parameters:
featureName: ScanManagementConsole
-
name: Disable "Windows Fax and Scan" feature
call:
function: DisableFeature
parameters:
featureName: FaxServicesClientPackage
-
name: Disable "Windows Media Player" feature
call:
function: DisableFeature
parameters:
featureName: WindowsMediaPlayer
-
name: Disable "Windows Search" feature
call:
function: DisableFeature
parameters:
featureName: SearchEngine-Client-Package
-
category: Remove on-demand capabilities and features
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled
children:
-
category: Remove preinstalled features on demand
children:
-
name: Remove "DirectX Configuration Database" capability
call:
function: UninstallCapability
parameters:
capabilityName: DirectX.Configuration.Database
-
name: Remove "Internet Explorer 11" capability
call:
function: UninstallCapability
parameters:
capabilityName: Browser.InternetExplorer
-
name: Remove "Math Recognizer" capability
call:
function: UninstallCapability
parameters:
capabilityName: MathRecognizer
-
name: Remove "OneSync" capability (breaks Mail, People, and Calendar)
recommend: strict
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync
call:
function: UninstallCapability
parameters:
capabilityName: OneCoreUAP.OneSync
-
name: Remove "OpenSSH client" capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Client
-
name: Remove "PowerShell ISE" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.PowerShell.ISE
-
name: Remove "Print Management Console" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Management.Console
-
name: Remove "Quick Assist" capability
call:
function: UninstallCapability
parameters:
capabilityName: App.Support.QuickAssist
-
name: Remove "Steps Recorder" capability
call:
function: UninstallCapability
parameters:
capabilityName: App.StepsRecorder
-
name: Remove "Windows Fax and Scan" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Fax.Scan
# Following are excluded because:
# 1. They are not widely considered "bloatware" by the community
# 2. They do not have known privacy issues
# 3. They make Windows more functional when running all scripts
# -
# name: Remove "WordPad" capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.WordPad
# -
# name: Remove "Paint" capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.MSPaint
# -
# name: Remove "Notepad" capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.Notepad
-
category: Remove not preinstalled features on demand
children:
-
name: Remove ".NET Framework" capability
call:
function: UninstallCapability
parameters:
capabilityName: NetFX3
-
name: Remove "Mixed Reality" capability
call:
function: UninstallCapability
parameters:
capabilityName: Analog.Holographic.Desktop
-
name: Remove "Wireless Display" capability
call:
function: UninstallCapability
parameters:
capabilityName: App.WirelessDisplay.Connect
-
name: Remove "Accessibility - Braille Support" capability
call:
function: UninstallCapability
parameters:
capabilityName: Accessibility.Braille
-
name: Remove "Developer Mode" capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.DeveloperMode.Core
-
name: Remove "Graphics Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.Graphics.DirectX
-
name: Remove "IrDA" capability
call:
function: UninstallCapability
parameters:
capabilityName: Network.Irda
-
name: Remove "Microsoft WebDriver" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.WebDriver
-
name: Remove "MSIX Packaging Tool Driver" capability
call:
function: UninstallCapability
parameters:
capabilityName: Msix.PackagingTool.Driver
-
category: Remove networking capabilities
children:
-
name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability
call:
function: UninstallCapability
parameters:
capabilityName: RasCMAK.Client
-
name: Remove "RIP Listener" capability
call:
function: UninstallCapability
parameters:
capabilityName: RIP.Listener
-
name: Remove "Simple Network Management Protocol (SNMP)" capability
call:
function: UninstallCapability
parameters:
capabilityName: SNMP.Client
-
name: Remove "SNMP WMI Provider" capability
call:
function: UninstallCapability
parameters:
capabilityName: WMI-SNMP-Provider.Client
-
name: Remove "OpenSSH Server" capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Server
-
category: Remove printing capabilities
children:
-
name: Remove "Enterprise Cloud Print" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.EnterpriseCloudPrint
-
name: Remove "Mopria Cloud Service" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.MopriaCloudService
-
category: Remove Remote Server Administration Tools (RSAT)
children:
-
name: Remove "Active Directory Domain Services and Lightweight Directory Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools
-
name: Remove "BitLocker Drive Encryption Administration Utilities" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.BitLocker.Recovery.Tools
-
name: Remove "Active Directory Certificate Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.CertificateServices.Tools
-
name: Remove "DHCP Server Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.DHCP.Tools
-
name: Remove "DNS Server Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Dns.Tools
-
name: Remove "Failover Clustering Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FailoverCluster.Management.Tools
-
name: Remove "File Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FileServices.Tools
-
name: Remove "Group Policy Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.GroupPolicy.Management.Tools
-
name: Remove "IP Address Management (IPAM) Client" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.IPAM.Client.Tools
-
name: Remove "Data Center Bridging LLDP Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.LLDP.Tools
-
name: Remove "Network Controller Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkController.Tools
-
name: Remove "Network Load Balancing Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkLoadBalancing.Tools
-
name: Remove "Remote Access Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.RemoteAccess.Management.Tools
-
name: Remove "Server Manager Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ServerManager.Tools
-
name: Remove "Shielded VM Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Shielded.VM.Tools
-
name: Remove "Storage Replica Module for Windows PowerShell" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageReplica.Tools
-
name: Remove "Volume Activation Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.VolumeActivation.Tools
-
name: Remove "Windows Server Update Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.WSUS.Tools
-
name: Remove "Storage Migration Service Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageMigrationService.Management.Tools
-
name: Remove "Systems Insights Module for Windows PowerShell" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.SystemInsights.Management.Tools
-
category: Remove storage capabilities
children:
-
name: Remove "Windows Storage Management" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.StorageManagement
-
name: Remove "OneCore Storage Management" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.OneCore.StorageManagement
-
name: Remove "Windows Emergency Management Services and Serial Console" capability
call:
function: UninstallCapability
parameters:
capabilityName: Windows.Desktop.EMS-SAC.Tools
-
name: Remove "XPS Viewer" capability
call:
function: UninstallCapability
parameters:
capabilityName: XPS.Viewer
-
category: Remove Widgets
docs: |-
Windows 11 adds a new taskbar flyout named "Widgets", which displays a panel with Microsoft Start, a news aggregator
with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1].
It is a rebranding and successor of the older "Windows 10 News and Interests" feature [2].
The user can customize the panel by adding or removing widgets, rearranging, resizing, and personalizing the content [1].
It has privacy implications as it collects data about your usage of the computer such as diagnostics data [3].
[1]: https://en.wikipedia.org/wiki/Features_new_to_Windows_11#Windows_shell "Features new to Windows 11 | Wikipedia"
[2]: https://www.bleepingcomputer.com/news/microsoft/windows-10-news-and-interests-enabled-for-everyone-in-latest-update/ "Windows 10 News and Interests enabled for everyone in latest update | Bleeping Computer"
[3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "What data does Microsoft collect? | Widgets | Microsoft"
children:
-
name: Remove Widgets from taskbar
docs: |-
To control whether the Widgets button is visible on the taskbar, Microsoft introduced `TaskbarDa` registry value [1].
Possible `DWORD` 32-bit settings for the `TaskbarDa` value are [1] [2]:
1. 0 = Hidden
2. 1 = Visible
This registry key does not exist in Windows 11 installations by default.
[1]: https://www.elevenforum.com/t/add-or-remove-widgets-button-on-taskbar-in-windows-11.32/ " Add or Remove Widgets Button on Taskbar in Windows 11 | Windows Eleven Forum"
[2]: https://www.bleepingcomputer.com/news/microsoft/new-windows-11-registry-hacks-to-customize-your-device/ "New Windows 11 registry hacks to customize your device | Bleeping Computer"
recommend: strict
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /f 2>nul
-
name: Remove "Windows Web Experience Pack" (breaks Widgets)
recommend: strict
docs: |-
Windows Web Experience Pack is a store app that enables the Widgets feature [1].
The app is not needed, and is not known to break other OS functionality, if you do not wish to use the Widgets feature.
This app is known to collect diagnostics data; individual widgets might also collect data [2].
See its [Windows Store Page](https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP).
It requires you to agree with Microsoft's general privacy terms, see [privacy agreement](http://go.microsoft.com/fwlink/?LinkID=521839) [3].
The agreement allows Microsoft to collect your personal data [3].
[1]: https://support.microsoft.com/en-us/windows/how-to-update-the-windows-web-experience-pack-in-the-microsoft-store-a16c9bf1-f042-4dc9-a523-740cca1e1e60 "How to update the Windows Web Experience Pack in the Microsoft Store | support.microsoft.com"
[2]: https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP "Windows Web Experience Pack - Microsoft Store Apps | apps.microsoft.com/store"
[3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "Stay up to date with widgets | support.microsoft.com"
call:
function: UninstallStoreApp
parameters:
# Existence : Windows 10 (≥ 22H2): ❌ Missing | Windows 11 (≥ 22H2): ✅ Exists
# More info : Get-AppxPackage MicrosoftWindows.Client.WebExperience
packageName: MicrosoftWindows.Client.WebExperience
publisherId: cw5n1h2txyewy
-
name: Remove Meet Now icon from taskbar
recommend: strict
docs: # Skype feature, introduced in 20H2, KB4580364 update
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow
- https://www.windowscentral.com/how-disable-meet-now-feature-windows-10
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f
-
category: Advanced settings
children:
-
name: Set NTP (time) server to `pool.ntp.org` # Marked: stop-service-do-stuff-restart-service
docs: https://www.pool.ntp.org/en/use.html
recommend: strict
# `sc queryex` output is the same in every OS language
code: |-
:: Configure time source
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
:: Stop time service if running
SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
net stop w32time
)
:: Start time service and sync now
net start w32time
w32tm /config /update
w32tm /resync
revertCode: |-
:: Configure time source
w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com"
:: Stop time service if running
SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
net stop w32time
)
:: Start time service and sync now
net start w32time
w32tm /config /update
w32tm /resync
-
name: Disable reserved storage for updates # since 19H1 (1903)
docs:
- https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState
- https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves
- https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy
code: |-
dism /online /Set-ReservedStorageState /State:Disabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f
revertCode: |-
DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f
-
name: Run script on startup [EXPERIMENTAL]
code: |-
del /f /q "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
copy "%~dpnx0" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
revertCode: del /f /q "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
functions:
-
name: KillProcess
parameters:
- name: processName
- name: processStartPath
- name: processStartArgs
# `start` command is used to start processes without blocking execution of rest of the script, see https://ss64.com/nt/start.html.
code: |-
tasklist /fi "ImageName eq {{ $processName }}" /fo csv 2>NUL | find /i "{{ $processName }}">NUL && (
echo {{ $processName }} is running and will be killed.
taskkill /f /im {{ $processName }}
) || (
echo Skipping, {{ $processName }} is not running.
)
revertCode: |-
tasklist /fi "ImageName eq {{ $processName }}" /fo csv 2>NUL | find /i "{{ $processName }}">NUL && (
echo Skipping, {{ $processName }} is already running.
) || (
if exist "{{ $processStartPath }}" (
start "" "{{ $processStartPath }}" {{ with $processStartArgs }}{{ . }}{{ end }}
echo Executed {{ $processStartPath }} {{ with $processStartArgs }}{{ . }}{{ end }}
) else (
echo Failed to run the file, it does not exist. 1>&2
)
)
-
name: KillProcessWhenItStarts
parameters:
- name: processName
# https://docs.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options
code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /f
-
name: DisableFeature
parameters:
- name: featureName
code: dism /Online /Disable-Feature /FeatureName:"{{ $featureName }}" /NoRestart
revertCode: dism /Online /Enable-Feature /FeatureName:"{{ $featureName }}" /NoRestart
-
name: UninstallStoreApp
parameters:
- name: packageName
- name: publisherId
call:
-
function: RunPowerShell
parameters:
codeComment: Uninstall '{{ $packageName }}' Microsoft Store app.
code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage
# This script attempts to reinstall the app that was just uninstalled, if necessary.
# The app's package family name is constructed using its name and publisher ID.
# Package Family Name is: `<name>_<publisherid>`
# Learn more about package identity: https://learn.microsoft.com/en-us/windows/apps/desktop/modernize/package-identity-overview#publisher-id (https://archive.ph/Sx4JC)
revertCodeComment: Reinstall '{{ $packageName }}' if it was previously uninstalled.
revertCode: |-
$packageName='{{ $packageName }}'
$publisherId='{{ $publisherId }}'
Write-Host "Starting the installation process for `"$packageName`"..."
# Attempting installation using the manifest file
Write-Host "Checking if `"$packageName`" is installed on another user profile..."
$package = Get-AppxPackage -AllUsers $packageName
if (!$package) {
Write-Host "`"$packageName`" is not installed on any other user profiles."
} else {
Write-Host "Found package `"$($package.PackageFullName)`"."
$manifestPath = Join-Path -Path $package.InstallLocation -ChildPath 'AppxManifest.xml' # Join-Path handles a missing trailing backslash in InstallLocation
if (Test-Path "$manifestPath") {
Write-Host "Manifest file located. Trying to install using the manifest..."
try {
Add-AppxPackage -DisableDevelopmentMode -Register "$manifestPath" -ErrorAction Stop
Write-Host "Successfully installed `"$packageName`" using its manifest file."
exit 0
} catch {
Write-Warning "Error installing from manifest: $($_.Exception.Message)"
}
} else {
Write-Host "Manifest file not found for `"$packageName`"."
}
}
# Attempting installation using the package family name
$packageFamilyName = "$($packageName)_$($publisherId)"
Write-Host "Trying to install `"$packageName`" using its package family name: `"$packageFamilyName`"..."
try {
Add-AppxPackage -RegisterByFamilyName -MainPackage $packageFamilyName -ErrorAction Stop
Write-Host "Successfully installed `"$packageName`" using its package family name."
exit 0
} catch {
Write-Warning "Error installing using package family name: $($_.Exception.Message)"
}
# If all methods fail
throw "Unable to install `"$packageName`". Please check the provided details and try again."
-
function: RunInlineCode
# This script prevents specified applications from being automatically reinstalled during Windows updates.
# Windows has a feature where certain pre-installed applications (also known as provisioned apps) are reinstalled
# when you perform a major update, even if they were previously uninstalled.
# For detailed information, refer to the following Microsoft documentation:
# - Deprovisioning Apps: https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps
# - Archived versions: https://archive.ph/04108, https://web.archive.org/web/20231023131048/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update#create-registry-keys-for-deprovisioned-apps
# - In-place Upgrade Recommendations: https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps
# - Archived versions: https://archive.ph/I7Dwc, https://web.archive.org/web/20231023132613/https://learn.microsoft.com/en-us/mem/configmgr/osd/understand/in-place-upgrade-recommendations#remove-default-apps
parameters:
code: |-
:: Mark '{{ $packageName }}' as deprovisioned to block reinstall during Windows updates.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f
revertCode: |-
:: Remove '{{ $packageName }}' from deprovisioned list to allow reinstall during updates.
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}" /f 2>nul
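# Added audit example (not part of privacy.sexy): after a package is marked as deprovisioned, this lists every
# family name under the `Deprovisioned` key above and reports whether it is still installed for any user or
# still provisioned in the image. It uses only that registry path and standard Appx/DISM cmdlets; the output
# objects are constructed here.
# ```powershell
# # Constructed audit script (not privacy.sexy code): verify deprovision marks against the live system.
# $deprovisionedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned'
# if (-not (Test-Path $deprovisionedKey)) {
#     Write-Host "No deprovisioned apps are registered at `"$deprovisionedKey`"."
#     return
# }
# # Each subkey name is a package family name: "<name>_<publisherId>"
# $marked = Get-ChildItem -Path $deprovisionedKey | ForEach-Object { $_.PSChildName }
# # Family names of packages installed for any user (requires administrator privileges)
# $installed = Get-AppxPackage -AllUsers | ForEach-Object { $_.PackageFamilyName }
# # Provisioned packages expose a full name "<name>_<version>_<arch>_<resource>_<publisherId>";
# # the family name is its first and last underscore-separated segments.
# $provisioned = Get-AppxProvisionedPackage -Online | ForEach-Object {
#     $parts = $_.PackageName -split '_'
#     "$($parts[0])_$($parts[-1])"
# }
# foreach ($family in $marked) {
#     [pscustomobject]@{
#         PackageFamilyName = $family
#         StillInstalled    = [bool]($installed -contains $family)
#         StillProvisioned  = [bool]($provisioned -contains $family)
#     }
# }
# ```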
-
name: UninstallSystemApp
parameters:
- name: packageName
- name: publisherId
call:
-
# -- ❗️ When reverting, this script must be executed before `UninstallStoreApp` as it holds manifest data to be able to reinstall the app ---
# Clear: Installation (SystemApps)
# - Folder : %WINDIR%\SystemApps\{PackageFamilyName}
# - Example : C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy
# - Check : (Get-AppxPackage -AllUsers 'Windows.CBSPreview').InstallLocation
# - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\SystemApps\{{ $packageName }}_{{ $publisherId }}\*'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
recurse: 'true'
-
# -- ❗️ When reverting, this script must be executed before `UninstallStoreApp` as it holds manifest data to be able to reinstall the app ---
# Clear: Installation (Root)
# - Folder : %WINDIR%\{ShortAppName}
# - Example : C:\Windows\PrintDialog
# - Check : (Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation
# - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
function: SoftDeleteFiles
parameters:
fileGlob: >-
%WINDIR%\$(("{{ $packageName }}" -Split '\.')[-1])\*
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
recurse: 'true'
-
# -- ❗️ This script must be executed before `UninstallStoreApp` as it enables it for system app removal ---
function: RunPowerShell
parameters:
# This script modifies the system registry to enable the uninstallation of a specified app.
# Some apps (including system apps) are marked as non-removable, which prevents uninstallation and results in error 0x80070032 if an uninstall is attempted.
# To bypass this, the script marks the app as 'EndOfLife' in the registry, tricking the system into allowing the uninstallation.
codeComment: Enable removal of system app '{{ $packageName }}' by marking it as "EndOfLife" in the system registry
code: |-
$packageName='{{ $packageName }}'
$publisherId='{{ $publisherId }}'
$packageFamilyName = "$($packageName)_$($publisherId)"
$sid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value
$path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$($sid)\$($packageFamilyName)"
if (Test-Path $path) {
Write-Host "Skipping, no action needed, path `"$path`" already exists."
exit 0
}
try {
New-Item -Path $path -Force -ErrorAction Stop | Out-Null
Write-Host "Successfully created the registry key at path `"$path`"."
} catch {
Write-Error "Failed to create the registry key at path `"$path`": $($_.Exception.Message)"
}
revertCodeComment: Disable removal of system app '{{ $packageName }}' by removing the "EndOfLife" mark from the registry.
revertCode: |-
$packageName='{{ $packageName }}'
$publisherId='{{ $publisherId }}'
$packageFamilyName = "$($packageName)_$($publisherId)"
$sid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value
$path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$($sid)\$($packageFamilyName)"
if (-not (Test-Path $path)) {
Write-Host "Skipping, no action needed, path `"$path`" does not exist."
exit 0
}
try {
Remove-Item -Path $path -Force -ErrorAction Stop | Out-Null
Write-Host "Successfully removed the registry key at path `"$path`"."
} catch {
Write-Error "Failed to remove the registry key at path `"$path`": $($_.Exception.Message)"
}
-
function: UninstallStoreApp
parameters:
packageName: '{{ $packageName }}'
publisherId: '{{ $publisherId }}'
-
# Clear: User-specific data
# - Folder : %LOCALAPPDATA%\Packages\{PackageFamilyName}
# - Example : C:\Users\undergroundwires\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy
# - Check : "$env:LOCALAPPDATA\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFamilyName)"
function: SoftDeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Packages\{{ $packageName }}_{{ $publisherId }}\*'
recurse: 'true'
-
# Clear: Metadata
# - Folder : %PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{PackageFullName}
# - Example : C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Windows.CBSPreview_10.0.19580.1000_neutral_neutral_cw5n1h2txyewy
# - Check : "$env:PROGRAMDATA\Microsoft\Windows\AppRepository\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFullName)"
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{{ $packageName }}_*_{{ $publisherId }}\*'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
recurse: 'true'
-
name: UninstallCapability
parameters:
- name: capabilityName
call:
function: RunPowerShell
parameters:
code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online
revertCode: |-
$capabilities = Get-WindowsCapability -Online -Name '{{ $capabilityName }}*'
# Use $_.Name: "$capability.Name" inside a string would not expand the property, and several capabilities may match
$capabilities | ForEach-Object { Add-WindowsCapability -Online -Name $_.Name }
-
name: SoftDeleteFiles
# 💡 Purpose:
# Renames files matching a given glob pattern by appending a `.OLD` extension, effectively "soft deleting" them.
# It does not touch any of the folders.
# This allows for easier restoration and less immediate disruption compared to permanent deletion.
# 🤓 Implementation:
# 1. (with `grantPermissions`:) Elevate script privileges.
# 2. Iterate every file in the given directory, and for each file:
# - (with `grantPermissions`:) Grant permissions to file to be able to modify it.
# - Rename the file.
# - (with `grantPermissions`:) Restore permissions of the file to its original state
# 3. (with `grantPermissions`:) Remove elevated script privileges.
parameters:
- name: fileGlob
- name: grantPermissions
optional: true
- name: recurse
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Soft delete files matching pattern
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $fileGlob }}"
revertCodeComment: >-
Restore files matching pattern
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $fileGlob }}"
-
function: IterateGlob
parameters:
pathGlob: '{{ $fileGlob }}'
revertPathGlob: '{{ $fileGlob }}.OLD'
recurse: '{{ with $recurse }}{{ . }}{{ end }}'
# Elevating privileges:
# Another (simpler) implementation would be:
# ```
# $setPrivilegeFunction = [System.Diagnostics.Process].GetMethods(42) | Where-Object { $_.Name -eq 'SetPrivilege' }
# $privileges = @('SeRestorePrivilege', 'SeTakeOwnershipPrivilege')
# foreach ($privilege in $privileges) {
# $setPrivilegeFunction.Invoke($null, @($privilege, 2))
# }
# ```
beforeIteration: |-
$renamedCount = 0
$skippedCount = 0
$failedCount = 0
{{ with $grantPermissions }}
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Privileges {
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid {
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool AddPrivilege(string privilege) {
try {
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
} catch (Exception ex) {
throw new Exception("Failed to adjust token privileges", ex);
}
}
public static bool RemovePrivilege(string privilege) {
try {
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = 0; // This line is changed to revoke the privilege
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
} catch (Exception ex) {
throw new Exception("Failed to adjust token privileges", ex);
}
}
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetCurrentProcess();
}
"@
[Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null
[Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
$adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
$adminAccount, `
[System.Security.AccessControl.FileSystemRights]::FullControl, `
[System.Security.AccessControl.AccessControlType]::Allow `
)
{{ end }}
duringIteration: |-
if (Test-Path -Path $path -PathType Container) {
Write-Host "Skipping folder (not its contents): `"$path`"."
$skippedCount++
continue
}
if($revert -eq $true) {
if (-not $path.EndsWith('.OLD')) {
Write-Host "Skipping non-backup file: `"$path`"."
$skippedCount++
continue
}
} else {
if ($path.EndsWith('.OLD')) {
Write-Host "Skipping backup file: `"$path`"."
$skippedCount++
continue
}
}
$originalFilePath = $path
Write-Host "Processing file: `"$originalFilePath`"."
if (-Not (Test-Path $originalFilePath)) {
Write-Host "Skipping, file `"$originalFilePath`" not found."
$skippedCount++
continue
}
{{ with $grantPermissions }}
$originalAcl = Get-Acl -Path "$originalFilePath"
$accessGranted = $false
try {
$acl = Get-Acl -Path "$originalFilePath"
$acl.SetOwner($adminAccount) # Take Ownership (because file is owned by TrustedInstaller)
$acl.AddAccessRule($adminFullControlAccessRule) # Grant rights to be able to move the file
Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop
$accessGranted = $true
} catch {
Write-Warning "Failed to grant access to `"$originalFilePath`": $($_.Exception.Message)"
}
{{ end }}
if ($revert -eq $true) {
$newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4)
} else {
$newFilePath = "$($originalFilePath).OLD"
}
try {
Move-Item -LiteralPath "$($originalFilePath)" -Destination "$newFilePath" -Force -ErrorAction Stop
Write-Host "Successfully processed `"$originalFilePath`"."
$renamedCount++
{{ with $grantPermissions }}
if ($accessGranted) {
try {
Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop
} catch {
Write-Warning "Failed to restore access on `"$newFilePath`": $($_.Exception.Message)"
}
}
{{ end }}
} catch {
Write-Error "Failed to rename `"$originalFilePath`" to `"$newFilePath`": $($_.Exception.Message)"
$failedCount++
{{ with $grantPermissions }}
if ($accessGranted) {
try {
Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop
} catch {
Write-Warning "Failed to restore access on `"$originalFilePath`": $($_.Exception.Message)"
}
}
{{ end }}
}
afterIteration: |-
if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {
Write-Host "Successfully processed $renamedCount items and skipped $skippedCount items."
}
if ($failedCount -gt 0) {
Write-Warning "Failed to process $($failedCount) items."
}
{{ with $grantPermissions }}
[Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null
[Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null
{{ end }}
-
name: SetVsCodeSetting
parameters:
- name: setting
- name: powerShellValue
call:
function: RunPowerShell
parameters:
code: |-
$settingKey='{{ $setting }}'
$settingValue={{ $powerShellValue }}
$jsonFilePath = "$($env:APPDATA)\Code\User\settings.json"
if (!(Test-Path $jsonFilePath -PathType Leaf)) {
Write-Host "Skipping, no updates. Settings file was not at `"$jsonFilePath`"."
exit 0
}
try {
$fileContent = Get-Content $jsonFilePath -ErrorAction Stop
} catch {
throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_"
}
if ([string]::IsNullOrWhiteSpace($fileContent)) {
Write-Host "Settings file is empty. Treating it as default empty JSON object."
$fileContent = "{}"
}
try {
$json = $fileContent | ConvertFrom-Json
} catch {
throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". Error: $_"
}
$existingValue = $json.$settingKey
if ($existingValue -eq $settingValue) {
Write-Host "Skipping, `"$settingKey`" is already configured as `"$settingValue`"."
exit 0
}
$json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force
$json | ConvertTo-Json -Depth 100 | Set-Content $jsonFilePath # Default depth (2) would flatten nested settings
Write-Host "Successfully applied the setting to the file: `"$jsonFilePath`"."
revertCode: |-
$settingKey='{{ $setting }}'
$settingValue={{ $powerShellValue }}
$jsonFilePath = "$($env:APPDATA)\Code\User\settings.json"
if (!(Test-Path $jsonFilePath -PathType Leaf)) {
Write-Host "Skipping, no need to revert because settings file is not found: `"$jsonFilePath`"."
exit 0
}
try {
$fileContent = Get-Content $jsonFilePath -ErrorAction Stop
} catch {
throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_"
}
if ([string]::IsNullOrWhiteSpace($fileContent)) {
Write-Host "Skipping, no need to revert because settings file is empty: `"$jsonFilePath`"."
exit 0
}
try {
$json = $fileContent | ConvertFrom-Json
} catch {
throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". Error: $_"
}
if (!$json.PSObject.Properties[$settingKey]) {
Write-Host "Skipping, no need to revert because setting `"$settingKey`" does not exist."
exit 0
}
if ($json.$settingKey -ne $settingValue) {
Write-Host "Skipping, setting (`"$settingKey`") has different configuration than `"$settingValue`": `"$($json.$settingKey)`"."
exit 0
}
$json.PSObject.Properties.Remove($settingKey)
$json | ConvertTo-Json -Depth 100 | Set-Content $jsonFilePath # Default depth (2) would flatten nested settings
Write-Host "Successfully reverted the setting from file: `"$jsonFilePath`"."
-
name: RunPowerShell
parameters:
- name: code
- name: revertCode
optional: true
- name: codeComment
optional: true
- name: revertCodeComment
optional: true
call:
-
function: Comment
parameters:
codeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}'
-
function: RunInlineCode
parameters:
code: PowerShell -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}"
revertCode: |-
{{ with $revertCode }}
PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}"
{{ end }}
-
name: DisablePerUserService
parameters:
- name: serviceName
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
# More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
call:
- # System-wide variant: every per-user service has also system-wide counterpart with same default startup mode
function: DisableServiceInRegistry
parameters:
serviceName: '{{ $serviceName }}'
defaultStartupMode: '{{ $defaultStartupMode }}'
- # Per-user variant
function: DisableServiceInRegistry
parameters:
serviceName: '{{ $serviceName }}_*'
defaultStartupMode: '{{ $defaultStartupMode }}'
-
name: RunInlineCode
parameters:
- name: code
optional: true
- name: revertCode
optional: true
code: '{{ with $code }}{{ . }}{{ end }}'
revertCode: '{{ with $revertCode }}{{ . }}{{ end }}'
-
name: RunPowerShellWithSameCodeAndRevertCode
parameters:
- name: code
call:
function: RunPowerShell
parameters:
code: '{{ $code }}'
revertCode: '{{ $code }}'
-
name: RunInlineCodeAsTrustedInstaller
parameters:
- name: code
- name: revertCode
optional: true
call:
function: RunPowerShell
parameters:
# PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks.
# Seen e.g. on Windows 11 when reverting scripts after executing them and reboot.
# They are seen to throw different exceptions:
# - `Unregister-ScheduledTask : The system cannot find the file specified`
# `ObjectNotFound: (MSFT_ScheduledTask:Root/Microsoft/...T_ScheduledTask)` with `HRESULT 0x80070002`
# - `No MSFT_ScheduledTask objects found with property 'TaskName'`
# - Because task is already running but `Get-ScheduledTask` cannot find it it throws:
# `Failed to execute with exit code: 267009`
# Solution
# Checking if task is running:
# - ❌ Not using `$(schtasks.exe /query /tn "$taskName" 2>$null)".Contains('Running')` because it outputs
# different text (not always "Running") in German/English versions.
# - ❌ Not using `(Get-ScheduledTask $taskName -ErrorAction Ignore).State -eq 'Running'`
# because `Get-ScheduledTask` sometimes fails.
# - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running.
# Deleting existing task:
# - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002`
# - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null`
# to suppress errors.
code: |-
$command = '{{ $code }}'
$trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
$streamOutFile = New-TemporaryFile
$batchFile = New-TemporaryFile
try {
$batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
"@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
$taskName = 'privacy.sexy invoke'
schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
$taskAction = New-ScheduledTaskAction `
-Execute 'cmd.exe' `
-Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask `
-TaskName $taskName `
-Action $taskAction `
-Settings $settings `
-Force `
-ErrorAction Stop `
| Out-Null
try {
($scheduleService = New-Object -ComObject Schedule.Service).Connect()
$scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
$timeOutLimit = (Get-Date).AddMinutes(5)
Write-Host "Running as $trustedInstallerName"
while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
Start-Sleep -Milliseconds 200
if((Get-Date) -gt $timeOutLimit) {
Write-Warning "Skipping results, the script took too long to execute."
break;
}
}
if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
Write-Error "Failed to execute with exit code: $result."
}
} finally {
schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
}
Get-Content $streamOutFile
} finally {
Remove-Item $streamOutFile, $batchFile
}
revertCode: |- # Duplicated until custom pipes are implemented
{{ with $revertCode }}
$command = '{{ . }}'
$trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
$streamOutFile = New-TemporaryFile
$batchFile = New-TemporaryFile
try {
$batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
"@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
$taskName = 'privacy.sexy invoke'
schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
$taskAction = New-ScheduledTaskAction `
-Execute 'cmd.exe' `
-Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask `
-TaskName $taskName `
-Action $taskAction `
-Settings $settings `
-Force `
-ErrorAction Stop `
| Out-Null
try {
($scheduleService = New-Object -ComObject Schedule.Service).Connect()
$scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
$timeOutLimit = (Get-Date).AddMinutes(5)
Write-Host "Running as $trustedInstallerName"
while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
Start-Sleep -Milliseconds 200
if((Get-Date) -gt $timeOutLimit) {
Write-Warning "Skipping results, the script took too long to execute."
break;
}
}
if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
Write-Error "Failed to execute with exit code: $result."
}
} finally {
schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
}
Get-Content $streamOutFile
} finally {
Remove-Item $streamOutFile, $batchFile
}
{{ end }}
-
name: DisableServiceInRegistry
parameters:
- name: serviceName
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
call:
function: RunPowerShell
parameters:
code: |- # We use the registry because the GUI, "sc config" and "Set-Service" won't work
$serviceQuery = '{{ $serviceName }}'
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) {
Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it."
Exit 0
}
$serviceName = $service.Name
Write-Host "Disabling service: `"$serviceName`"."
# -- 2. Stop if running
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is running, trying to stop it."
try {
Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
Write-Host "Stopped `"$serviceName`" successfully."
} catch {
Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
}
} else {
Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if service info is not found in registry
$registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if(!(Test-Path $registryKey)) {
Write-Host "`"$registryKey`" is not found in registry, cannot disable it."
Exit 0
}
# -- 4. Skip if already disabled
if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) {
Write-Host "`"$serviceName`" is already disabled from start, no further action is needed."
Exit 0
}
# -- 5. Disable service
try {
Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
}
revertCode: |-
$serviceQuery = '{{ $serviceName }}'
$defaultStartupMode = '{{ $defaultStartupMode }}'
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) {
Write-Warning "Service query `"$serviceQuery`" did not yield any results, cannot enable it."
Exit 1
}
$serviceName = $service.Name
Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
# -- 2. Skip if service info is not found in registry
$registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if(!(Test-Path $registryKey)) {
Write-Warning "`"$registryKey`" is not found in registry, cannot enable it."
Exit 1
}
# -- 3. Enable if not already enabled
$defaultStartupRegValue = `
if ($defaultStartupMode -eq 'Boot') { '0' } `
elseif($defaultStartupMode -eq 'System') { '1' } `
elseif($defaultStartupMode -eq 'Automatic') { '2' } `
elseif($defaultStartupMode -eq 'Manual') { '3' } `
else { throw "Unknown start mode: $defaultStartupMode"}
if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start."
} else {
try {
Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 4. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, trying to start it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
}
}
-
name: SetMpPreference
# Configures preferences for Microsoft Defender scans and updates.
# ❗️ Requires "WinDefend" service in running state, otherwise fails
parameters:
- name: property
- name: value
-
# When provided, it sets defaults using `Set-MpPreference`.
# Used by default in Windows 10 as `Remove-MpPreference` cmdlet is very limited/poor in Windows 10.
# Ignored in Windows 11 unless a value is also provided for `setDefaultOnWindows11`
name: default
optional: true
-
# When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference`
# Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11.
name: setDefaultOnWindows11
optional: true
call:
function: RunPowerShell
parameters:
# Unsupported arguments ->
# Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`,
# `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms
# and throws e.g. with:
# `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value
# "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType".
# Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the
# following enumerator names and try again: NotConfigured, Beta, Preview"`
code: |-
$propertyName = '{{ $property }}'
$value = {{ $value }}
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {
Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 0
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
# Property name is dynamic, so the cmdlet is invoked through a constructed command string
Invoke-Expression "$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"
Write-Host "Successfully set `"$propertyName`" to `"$value`"."
exit 0
} catch {
if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
exit 0
} elseif (($_ | Out-String) -like '*Cannot convert*') {
Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
} else {
Write-Error "Failed to set using $($command.Name): $_"
exit 1
}
}
# `Remove-MpPreference` is different in Windows 11 / 10
# Windows 11 and 10 have different revert behavior which is caused by different `Remove-MpPreference` cmdlet versions used
# Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps
# Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps
# On Windows 11:
# - By default, `Remove-MpPreference` sets default values for settings for all cases.
# - `setDefaultOnWindows11` parameter changes this behavior to set the default value using `Set-MpPreference`
# On Windows 10:
# - If `default` argument is provided, it's set using `Set-MpPreference`
# - `default` argument should not be provided if `Remove-MpPreference` is supported in Windows 10.
revertCode: |-
$propertyName = '{{ $property }}'
{{ with $default }} $defaultValue = {{ . }} {{ end }}
$setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false
$setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false
$osVersion = [System.Environment]::OSVersion.Version
function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }
function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }
# ------ Set-MpPreference ------
if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) {
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) {
Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
}
# ------ Remove-MpPreference ------
$command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Remove-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
-
name: DisableService
parameters:
- name: serviceName
- name: defaultStartupMode # Allowed values: Automatic | Manual
call:
function: RunPowerShell
# Careful with Set-Service cmdlet:
# 1. It exits with positive code even if service is disabled
# 2. It had a breaking API change for `-StartupMode` parameter:
# Powershell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual
# PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled
# So "Disabled", "Automatic" and "Manual" are the only consistent ones.
# Read more:
# https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.1
parameters:
code: |-
$serviceName = '{{ $serviceName }}'
Write-Host "Disabling service: `"$serviceName`"."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if(!$service) {
Write-Host "Service `"$serviceName`" could not be found, no need to disable it."
Exit 0
}
# -- 2. Stop if running
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is running, stopping it."
try {
Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
Write-Host "Stopped `"$serviceName`" successfully."
} catch {
Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
}
} else {
Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if already disabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq 'Disabled') {
Write-Host "`"$serviceName`" is already disabled, no further action is needed."
Exit 0
}
# -- 4. Disable service
try {
Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
}
revertCode: |-
$serviceName = '{{ $serviceName }}'
$defaultStartupMode = '{{ $defaultStartupMode }}'
Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if(!$service) {
Write-Warning "Service `"$serviceName`" could not be found, cannot enable it."
Exit 1
}
# -- 2. Enable or skip if already enabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq "$defaultStartupMode") {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed."
} else {
try {
Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 3. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, starting it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
}
}
-
name: ShowWarning
parameters:
- name: message
- name: ignoreWindows11 # Ignores warning message on Windows 11, allowed values: true | false, default: false
- name: ignoreWindows10 # Ignores warning message on Windows 10, allowed values: true | false, default: false
call:
function: RunPowerShell
parameters:
code: |-
$warningMessage = '{{ $message }}'
$ignoreWindows10 = {{ with $ignoreWindows10 }} $true # {{ end }} $false
$ignoreWindows11 = {{ with $ignoreWindows11 }} $true # {{ end }} $false
$osVersion = [System.Environment]::OSVersion.Version
function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }
function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }
if (($ignoreWindows10 -and (Test-IsWindows10)) -or ($ignoreWindows11 -and (Test-IsWindows11))) {
exit 0 # Skip
}
Write-Warning "$warningMessage"
# revertCode: No warnings needed when reverting
-
name: RemoveBrowserAssociations
parameters:
- name: progIdPattern
- name: toastAssociations
call:
-
function: RunPowerShell
# See all default OS associations:
# 1. Open an elevated prompt
# 2. Run `dism /online /export-defaultappassociations:C:\appassoc.xml`
# 3. Inspect `C:\appassoc.xml`
# Registry locations:
# - File associations: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\{extension}\UserChoice`
# - URL associations: `HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\{url}\UserChoice`
parameters:
# -
# This script uses WMI StdRegProv methods to modify the registry.
# Because deleting the key with `Remove-Item -Path $path -Recurse -Force -ErrorAction Stop` fails with:
# Cannot delete a subkey tree because the subkey does not exist.
# CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
# FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException
code: |-
$programIdPattern = '{{ $progIdPattern }}'
$defaultAssociations = @(
@{ Type = 'File'; Ext = '.htm'; }
@{ Type = 'File'; Ext = '.html'; }
@{ Type = 'File'; Ext = '.pdf'; }
@{ Type = 'File'; Ext = '.mht'; }
@{ Type = 'File'; Ext = '.mhtml'; }
@{ Type = 'File'; Ext = '.svg'; }
@{ Type = 'File'; Ext = '.url'; }
@{ Type = 'File'; Ext = '.website'; }
@{ Type = 'File'; Ext = '.xht'; }
@{ Type = 'File'; Ext = '.xhtml'; }
@{ Type = 'URL'; Ext = 'ftp'; }
@{ Type = 'URL'; Ext = 'http'; }
@{ Type = 'URL'; Ext = 'https'; }
@{ Type = 'URL'; Ext = 'microsoft-edge'; }
@{ Type = 'URL'; Ext = 'microsoft-edge-holographic'; }
@{ Type = 'URL'; Ext = 'ms-xbl-3d8b930f'; }
@{ Type = 'URL'; Ext = 'read'; }
)
foreach ($assoc in $defaultAssociations) {
$path = $null
if ($assoc.Type -eq 'File') {
$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$($assoc.Ext)\UserChoice"
} elseif ($assoc.Type -eq 'URL') {
$path = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$($assoc.Ext)\UserChoice"
} else {
throw "Error, unknown type: $($assoc.Type)"
}
$currentProgramId = Get-ItemProperty -Path $path -Name 'Progid' -ErrorAction Ignore | Select-Object -ExpandProperty Progid
if (!$currentProgramId) {
Write-Host "Skipping, no association found for `"$($assoc.Ext)`" in `"$path`" matching `"$programIdPattern`"."
continue
}
if ($currentProgramId -notlike $programIdPattern) {
Write-Host "Skipping, association found `"$currentProgramId`" in `"$path`" does not match pattern `"$programIdPattern`"."
continue
}
$hkcuHiveId = 2147483649
$pathWithoutHive = ($path -split ':\\')[1]
$wmi = Get-WmiObject -List -Namespace root\default | Where-Object {$_.Name -eq 'StdRegProv'}
$result = $wmi.DeleteKey($hkcuHiveId, $pathWithoutHive)
if ($result.ReturnValue -ne 0) {
Write-Error "Failed to delete `"$path`": Return code $($result.ReturnValue)"
continue
}
Write-Host "Successfully removed `"$($assoc.Ext)`" association in `"$path`"."
}
# Differences in OS defaults:
# - `.url` : `InternetShortcut` in Windows 11, and `IE.AssocFile.URL` in Windows 10
# - `.website`: N/A (missing) in Windows 11, `IE.AssocFile.WEBSITE` in Windows 10
# Setting keys works fine on Windows 11 but fails with an access error on Windows 10, so this script modifies ACLs.
revertCode: |-
$defaultAssociations = @(
@{ Type = 'File'; Ext = '.htm'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'File'; Ext = '.html'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'File'; Ext = '.pdf'; ProgId = 'MSEdgePDF'; }
@{ Type = 'File'; Ext = '.mht'; ProgId = 'MSEdgeMHT'; }
@{ Type = 'File'; Ext = '.mhtml'; ProgId = 'MSEdgeMHT'; }
@{ Type = 'File'; Ext = '.svg'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'File'; Ext = '.url'; ProgId = 'InternetShortcut'; }
@{ Type = 'File'; Ext = '.website'; ProgId = 'IE.AssocFile.WEBSITE'; }
@{ Type = 'File'; Ext = '.xht'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'File'; Ext = '.xhtml'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'URL'; Ext = 'ftp'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'URL'; Ext = 'http'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'URL'; Ext = 'https'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'URL'; Ext = 'microsoft-edge'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'URL'; Ext = 'microsoft-edge-holographic'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'URL'; Ext = 'ms-xbl-3d8b930f'; ProgId = 'MSEdgeHTM'; }
@{ Type = 'URL'; Ext = 'read'; ProgId = 'MSEdgeHTM'; }
)
foreach ($assoc in $defaultAssociations) {
$path = $null
if ($assoc.Type -eq 'File') {
$path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$($assoc.Ext)\UserChoice"
} elseif ($assoc.Type -eq 'URL') {
$path = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$($assoc.Ext)\UserChoice"
} else {
throw "Unknown type: $($assoc.Type)"
}
$currentValue = Get-ItemProperty -Path $path -Name 'Progid' -ErrorAction SilentlyContinue
if ($currentValue -and ($currentValue.Progid -eq $assoc.ProgId)) {
Write-Host "Skipping, `"$($assoc.Ext)`" association already has the desired value. No changes needed."
continue
}
if ($currentValue -and $currentValue.Progid) {
Write-Host "Updating existing `"$($currentValue.Progid)`" to `"$($assoc.ProgId)`"."
} else {
Write-Host "Adding new association `"$($assoc.ProgId)`"."
}
if (-Not (Test-Path $path)) {
New-Item -Path $path -Force | Out-Null
Write-Host "Successfully created missing `"$path`"."
}
# Remove deny access rules
$pathWithoutHive = ($path -split ':\\')[1]
$registrySubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($pathWithoutHive, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
$accessControlList = $registrySubKey.GetAccessControl()
$denyAccessRules = @($accessControlList.Access.Where({ $_.AccessControlType -eq "Deny" }))
foreach ($denyAccessRule in $denyAccessRules) {
$accessControlList.RemoveAccessRule($denyAccessRule)
}
if ($denyAccessRules.Count -gt 0) {
$registrySubKey.SetAccessControl($accessControlList)
$registrySubKey.Close()
Write-Host "Successfully removed deny access rules from `"$pathWithoutHive`"."
}
# Update registry key
Set-ItemProperty -Path $path -Name 'Progid' -Value $assoc.ProgId -Force -ErrorAction Continue
Write-Host "Successfully updated association for `"$($assoc.Ext)`""
# Restore permissions
if ($denyAccessRules.Count -gt 0) {
foreach ($denyAccessRule in $denyAccessRules) {
$accessControlList.AddAccessRule($denyAccessRule)
}
$registrySubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($pathWithoutHive, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
$registrySubKey.SetAccessControl($accessControlList)
$registrySubKey.Close()
Write-Host "Successfully added back deny access rules to `"$pathWithoutHive`"."
}
}
-
# Remove "Open With" context menu associations
# Edge uninstallers do not remove these associations
function: RunPowerShell # When reverting, using batch (`reg add /t REG_NONE`) does not add the exactly same default value
# These associations can be found at:
# - New, chromium : HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations
# - Legacy, store : HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\FileAssociations
# - See Microsoft docs for default associations: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/272f15b1d7ea4768e79eb74cfe24d584823970ef/windows/client-management/mdm/policy-csp-applicationdefaults.md?plain=1#L80-L87
parameters:
code: |-
$extensions = @('.htm', '.html', '.pdf', '.svg')
foreach ($extension in $extensions) {
$path = "HKCU:\Software\Classes\$extension\OpenWithProgids"
Write-Host "Removing association for `"$extension`": `"$path`"..."
Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
}
revertCode: |- # Common defaults since Windows 10 21H2 and Windows 11 21H2
$defaultContextMenuAssociations = @(
@{ Extension='.htm'; Name='AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9'; }
@{ Extension='.html'; Name='AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9'; }
@{ Extension='.pdf'; Name='AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723'; }
@{ Extension='.svg'; Name='AppXde74bfzw9j31bzhcvsrxsyjnhhbq66cs'; }
)
foreach ($assoc in $defaultContextMenuAssociations) {
$path = "HKCU:\Software\Classes\$($assoc.Extension)\OpenWithProgids"
$value = Get-ItemProperty -Path $path -Name $assoc.Name -ErrorAction SilentlyContinue
if ($value -and [System.BitConverter]::ToString($value.$($assoc.Name)) -eq '') {
Write-Host "Skipping, no changes needed for `"$($assoc.Name)`" association."
continue
}
if (-Not (Test-Path $path)) {
New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -Path $path -Name $assoc.Name -Value ([byte[]]@()) -Type None -Force
Write-Host "Successfully reverted association for `"$($assoc.Name)`"."
}
-
function: RunInlineCode # Clean application toasts associations
# Description:
# The HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts registry key in Windows stores user preferences for file type and application associations.
# When a user opens a file with a non-default application, Windows may display a "toast" notification suggesting the use of the default application for that file type. The user's
# response to this suggestion is recorded in the ApplicationAssociationToasts registry key. This allows Windows to remember the user's application preferences for specific file types
# and determine whether to show the notification again in the future.
parameters:
code: |-
for %%a in (
{{ $toastAssociations }}
) do (
echo Removing association toast for "%%a"...
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" /v "%%a" /f 2>nul
)
revertCode: |-
for %%a in (
{{ $toastAssociations }}
) do (
echo Restoring association toast for "%%a"...
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" /v "%%a" /t "REG_DWORD" /d "0" /f
)
-
name: RemoveShortcutFiles
parameters:
- name: shortcutItems
- name: targetFile
call:
function: RunPowerShell
parameters:
code: |-
$shortcuts = @(
{{ $shortcutItems }}
)
foreach ($shortcut in $shortcuts) {
if (-Not (Test-Path $shortcut.Path)) {
Write-Host "Skipping, shortcut does not exist: `"$($shortcut.Path)`"."
continue
}
try {
Remove-Item -Path $shortcut.Path -Force -ErrorAction Stop
Write-Output "Successfully removed shortcut: `"$($shortcut.Path)`"."
} catch {
Write-Error "Encountered an issue while attempting to remove shortcut at: `"$($shortcut.Path)`"."
}
}
revertCode: |-
$targetFile = "{{ $targetFile }}"
$shortcuts = @(
{{ $shortcutItems }}
)
if (-Not (Test-Path $targetFile)) {
Write-Warning "Target file `"$targetFile`" does not exist."
}
$wscriptShell = $null
try {
$wscriptShell = New-Object -ComObject WScript.Shell
} catch {
throw "Failed to create WScript.Shell object: $($_.Exception.Message)"
}
foreach ($shortcut in $shortcuts) {
if (-Not $shortcut.Revert) {
Write-Host "Skipping, revert operation is not needed for: `"$($shortcut.Path)`"."
continue
}
if (Test-Path $shortcut.Path) {
Write-Host "Shortcut already exists, skipping: `"$($shortcut.Path)`"."
continue
}
try {
$shellShortcut = $wscriptShell.CreateShortcut($shortcut.Path)
$shellShortcut.TargetPath = $targetFile
$shellShortcut.Save()
Write-Output "Successfully created shortcut at `"$($shortcut.Path)`"."
} catch {
Write-Error "An error occurred while creating the shortcut at `"$($shortcut.Path)`"."
}
}
-
name: Comment
# 💡 Purpose:
# Adds a comment in the executed code for better readability and debugging.
# This function does not affect the execution flow but helps in understanding the purpose of subsequent code.
parameters:
- name: codeComment
optional: true
- name: revertCodeComment
optional: true
call:
function: RunInlineCode
parameters:
code: '{{ with $codeComment }}:: {{ . }}{{ end }}'
revertCode: '{{ with $revertCodeComment }}:: {{ . }}{{ end }}'
-
# Behavior:
# Searches for files and directories based on a Unix-style glob pattern and iterates over them.
# Similar to the `ls` command.
# Primarily supports the `*` wildcard; compatibility with other patterns is not tested.
# 💡 Usage:
# This is a low-level function. Favor using other functions in script calls.
# It provides the following variables for the code in argument value:
# - `$expandedPath` : Expanded path glob pattern.
# - `$path` : Current iterated path (only available for `duringIteration`)
name: IterateGlob
parameters:
- name: pathGlob # Glob pattern for search.
- name: revertPathGlob # Glob pattern for reverting changes.
optional: true
- name: beforeIteration # (Iteration callback) Code to run before iteration.
optional: true
- name: duringIteration # (Iteration callback) Code to run for each found item.
- name: afterIteration # (Iteration callback) Code to run after iteration.
optional: true
- name: recurse # If set, includes all files and directories recursively.
optional: true
call:
function: RunPowerShell
parameters:
code: |-
$pathGlobPattern = "{{ $pathGlob }}"
$expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)
Write-Host "Searching for items matching pattern: `"$($expandedPath)`"."
{{ with $beforeIteration }}
{{ . }}
{{ end }}
$foundAbsolutePaths = @()
{{ with $recurse }}
Write-Host 'Iterating files and directories recursively.'
try {
$foundAbsolutePaths += @(
Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
{{ end }}
try {
$foundAbsolutePaths += @(
Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
$foundAbsolutePaths = $foundAbsolutePaths `
| Select-Object -Unique `
| Sort-Object -Property { $_.Length } -Descending
if (!$foundAbsolutePaths) {
Write-Host 'Skipping, no items available.'
exit 0
}
Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"."
foreach ($path in $foundAbsolutePaths) {
{{ $duringIteration }}
}
{{ with $afterIteration }}
{{ . }}
{{ end }}
# Marked: refactor-with-variables
# Unfortunately a lot of duplication here as privacy.sexy compiler does not support better way for now.
# The differences between this script and `code` are that:
# - It sets `$revert` variable to `$true`.
# - It uses value of `$revertPathGlob` instead of `$pathGlob`
revertCode: |-
{{ with $revertPathGlob }}
$revert = $true
$pathGlobPattern = "{{ . }}"
$expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)
Write-Host "Searching for items matching pattern: `"$($expandedPath)`"."
{{ with $beforeIteration }}
{{ . }}
{{ end }}
$foundAbsolutePaths = @()
{{ with $recurse }}
Write-Host 'Iterating files and directories recursively.'
try {
$foundAbsolutePaths += @(
Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
{{ end }}
try {
$foundAbsolutePaths += @(
Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
$foundAbsolutePaths = $foundAbsolutePaths `
| Select-Object -Unique `
| Sort-Object -Property { $_.Length } -Descending
if (!$foundAbsolutePaths) {
Write-Host 'Skipping, no items available.'
exit 0
}
Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"."
foreach ($path in $foundAbsolutePaths) {
{{ $duringIteration }}
}
{{ with $afterIteration }}
{{ . }}
{{ end }}
{{ end }}
-
name: DeleteGlob
# Behavior:
# Deletes files and directories based on a Unix-style glob pattern.
# Optionally, it can grant full permissions to the items before deletion.
# 💡 Usage:
# This is a low-level function. Favor higher-level functions like `ClearDirectoryContents`, `DeleteDirectory`, and `DeleteFiles`
# for clearer intent and enhanced security when applicable.
# 🚫 Limitations:
# The function might not perform as expected if the current user lacks read permissions on the parent directory.
# This specific use case is not addressed in the implementation because it has not been deemed necessary for the function's intended
# applications.
parameters:
- name: pathGlob # Glob pattern for search.
- name: grantPermissions # Grants permission on items of the parent directory recursively (including all files and directories) to be able to delete them.
optional: true
- name: beforeIteration # (Iteration callback) Code to run before iteration.
optional: true
- name: duringIteration # (Iteration callback) Code to run for each found item.
optional: true
- name: afterIteration # (Iteration callback) Code to run after iteration.
optional: true
- name: recurse # If set, deletes all files and directories recursively.
optional: true
call:
function: IterateGlob
parameters:
pathGlob: '{{ $pathGlob }}'
recurse: '{{ with $recurse }}{{ . }}{{ end }}'
# Granting permissions has limitations for wildcards due to `takeown` and `icacls`. These commands are used for their simplicity to avoid adjusting token privileges.
# However, adjusting token privileges is already implemented by `SoftFileDelete`; once this kind of implementation is reusable, this script can be improved to
# use `Get-Acl`, `Set-Acl` instead for better wildcard support.
# Marked: refactor-with-variables
beforeIteration: |-
{{ with $grantPermissions }}
# Not using `Get-Acl`/`Set-Acl` to avoid adjusting token privileges
$parentDirectory = [System.IO.Path]::GetDirectoryName($expandedPath)
$fileName = [System.IO.Path]::GetFileName($expandedPath)
if ($parentDirectory -like '*[*?]*') {
throw "Unable to grant permissions to glob path parent directory: `"$parentDirectory`", wildcards in the parent directory are not supported by ``takeown`` and ``icacls``."
}
if (($fileName -ne '*') -and ($fileName -like '*[*?]*')) {
throw "Unable to grant permissions to glob path file name: `"$fileName`", wildcards in the file name are not supported by ``takeown`` and ``icacls``."
}
Write-Host "Taking ownership of `"$expandedPath`"."
$cmdPath = $expandedPath
if ($cmdPath.EndsWith('\')) {
$cmdPath += '\' # Escape trailing backslash for correct handling in batch commands
}
$takeOwnershipCommand = "takeown /f `"$cmdPath`" /a" # `icacls /setowner` does not succeed, so use `takeown` instead.
if (-not (Test-Path -Path "$expandedPath" -PathType Leaf)) {
$takeOwnershipCommand += ' /r /d y'
}
$takeOwnershipOutput = cmd /c "$takeOwnershipCommand 2>&1" # `stderr` message is misleading, e.g. "ERROR: The system cannot find the file specified." is not an error.
if ($LASTEXITCODE -eq 0) {
Write-Host "Successfully took ownership of `"$expandedPath`" (using ``$takeOwnershipCommand``)."
} else {
Write-Host "Did not take ownership of `"$expandedPath`" using ``$takeOwnershipCommand``, status code: $LASTEXITCODE, message: $takeOwnershipOutput."
# Do not write as error or warning, because this can be due to missing path, it's handled in next command.
# `takeown` exits with status code `1`, making it hard to handle missing path here.
}
Write-Host "Granting permissions for `"$expandedPath`"."
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
$adminAccountName = $adminAccount.Value
$grantPermissionsCommand = "icacls `"$cmdPath`" /grant `"$($adminAccountName):F`" /t"
$icaclsOutput = cmd /c "$grantPermissionsCommand"
if ($LASTEXITCODE -eq 3) {
Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."
exit 0
} elseif ($LASTEXITCODE -ne 0) {
Write-Host "Take ownership message:`n$takeOwnershipOutput"
Write-Host "Grant permissions:`n$icaclsOutput"
Write-Warning "Failed to assign permissions for `"$expandedPath`" using ``$grantPermissionsCommand``, status code: $LASTEXITCODE."
} else {
$fileStats = $icaclsOutput | ForEach-Object { $_ -match '\d+' | Out-Null; $matches[0] } | Where-Object { $_ -ne $null } | ForEach-Object { [int]$_ }
if ($fileStats.Count -gt 0 -and ($fileStats | ForEach-Object { $_ -eq 0 } | Where-Object { $_ -eq $false }).Count -eq 0) {
Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."
exit 0
} else {
Write-Host "Successfully granted permissions for `"$expandedPath`" (using ``$grantPermissionsCommand``)."
}
}
{{ end }}
$deletedCount = 0
$failedCount = 0
{{ with $beforeIteration }}
{{ . }}
{{ end }}
duringIteration: |-
{{ with $duringIteration }}
{{ . }}
{{ end }}
if (-not (Test-Path $path)) { # Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories).
Write-Host "Successfully deleted: $($path) (already deleted)."
$deletedCount++
continue
}
try {
Remove-Item -Path $path -Force -Recurse -ErrorAction Stop
$deletedCount++
Write-Host "Successfully deleted: $($path)"
} catch {
$failedCount++
Write-Warning "Unable to delete $($path): $_"
}
afterIteration: |-
{{ with $afterIteration }}
{{ . }}
{{ end }}
Write-Host "Successfully deleted $($deletedCount) items."
if ($failedCount -gt 0) {
Write-Warning "Failed to delete $($failedCount) items."
}
-
name: ClearDirectoryContents
# 💡 Purpose:
# Empties the contents of a directory recursively (including all of its files and subfolders) while preserving
# the directory itself.
# This is beneficial when other applications depend on the existence of the directory.
# For deleting the directory itself too, use `DeleteDirectory`.
# 🤓 Implementation:
# - Formats the provided glob pattern to ensure only contents are targeted, then delegates to `DeleteGlob`.
# - Provides a user-friendly comment in code.
parameters:
- name: directoryGlob
- name: grantPermissions
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Clear directory contents
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $directoryGlob }}"
-
function: DeleteGlob
parameters:
# Ensure path ends with '\*':
# - 'C:\' becomes 'C:\*'
# - 'C:' becomes 'C:\*'
# - 'C:\*' remains 'C:\*'
pathGlob: >-
$($directoryGlob = '{{ $directoryGlob }}'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { "$($directoryGlob)*" } else { "$($directoryGlob)\*" } )
grantPermissions: '{{ with $grantPermissions }}true{{ end }}'
recurse: 'true' # Logs every deleted file name
-
name: DeleteDirectory
# 💡 Purpose:
# Deletes an entire directory, including its contents.
# ❗️ Use with caution; if you intend to preserve the directory and delete only its contents, use `ClearDirectoryContents`.
# 🤓 Implementation:
# - Formats the provided glob pattern to target the directory itself, then delegates to `DeleteGlob`.
# - Provides a user-friendly comment in code.
parameters:
- name: directoryGlob # The directory to delete along with its files and subdirectories
- name: grantPermissions # Grants permission on the parent directory and its sub-items recursively (including all files and directories) to be able to delete them.
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Delete directory
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $directoryGlob }}"
-
function: DeleteGlob
parameters:
# Ensure path ends with '\':
# - 'C:\' remains 'C:\'
# - 'C:' becomes 'C:\'
pathGlob: >-
$($directoryGlob = '{{ $directoryGlob }}'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob )
grantPermissions: '{{ with $grantPermissions }}true{{ end }}'
recurse: 'true' # Logs every deleted file name
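The two normalizations above decide whether the directory itself becomes a deletion target: a trailing `\*` empties the folder, a trailing `\` removes it. The following added example (not part of privacy.sexy; the function names are assumptions) reproduces both rules and dry-runs them with `-WhatIf` against a constructed temporary tree, so the scope of each glob can be checked without deleting anything.

```powershell
# Added example, not privacy.sexy's own code: compares the scope of the
# `ClearDirectoryContents` glob (trailing '\*') with the `DeleteDirectory`
# glob (trailing '\') using a dry run. Function names are assumed.

# Same normalization rules as the page's `pathGlob` expressions, as functions.
function ConvertTo-ContentsGlob {
    param([Parameter(Mandatory)][string]$DirectoryGlob)
    # 'C:\' -> 'C:\*', 'C:' -> 'C:\*', 'C:\*' stays 'C:\*'
    if ($DirectoryGlob.EndsWith('\*')) { return $DirectoryGlob }
    if ($DirectoryGlob.EndsWith('\')) { return "$($DirectoryGlob)*" }
    return "$($DirectoryGlob)\*"
}

function ConvertTo-DirectoryGlob {
    param([Parameter(Mandatory)][string]$DirectoryGlob)
    # 'C:\' stays 'C:\', 'C:' -> 'C:\'
    if (-not $DirectoryGlob.EndsWith('\')) { $DirectoryGlob += '\' }
    return $DirectoryGlob
}

# Constructed sample tree: <temp>\glob-demo-<n>\{a.txt, sub\b.txt}
$root = Join-Path ([System.IO.Path]::GetTempPath()) "glob-demo-$(Get-Random)"
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $root 'a.txt') -Value 'sample'
Set-Content -LiteralPath (Join-Path $root 'sub\b.txt') -Value 'sample'

try {
    foreach ($glob in @((ConvertTo-ContentsGlob $root), (ConvertTo-DirectoryGlob $root))) {
        Write-Host "Dry run for glob '$glob':"
        # -WhatIf lists each top-level target of the glob instead of deleting it:
        # the contents glob yields a.txt and sub (the directory itself survives),
        # the directory glob yields the directory itself.
        Remove-Item -Path $glob -Recurse -Force -WhatIf
    }
} finally {
    # Clean up the constructed tree.
    Remove-Item -LiteralPath $root -Recurse -Force
}
```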
-
name: DeleteFiles
# 💡 Purpose:
# Deletes files but does not touch any directories.
# Use `DeleteDirectory` or `ClearDirectoryContents` to delete directories.
parameters:
- name: fileGlob # File glob pattern to delete.
- name: grantPermissions # Grants permission on the files found to be able to delete them.
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Delete files matching pattern: "{{ $fileGlob }}"
-
function: DeleteGlob
parameters:
pathGlob: '{{ $fileGlob }}'
grantPermissions: '{{ with $grantPermissions }}true{{ end }}'
beforeIteration: |-
$skippedCount = 0
duringIteration: |-
if (Test-Path -Path $path -PathType Container) {
Write-Host "Skipping, the path is not a file but a folder: $($path)."
$skippedCount++
continue
}
afterIteration: |-
if ($skippedCount -gt 0) {
Write-Host "Skipped $($skippedCount) items."
}
-
name: DeleteFilesFromFirefoxProfiles
parameters:
- name: pathGlob # File name in profile directory
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%APPDATA%\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}'