privacy.sexy/src/application/collections/windows.yaml
undergroundwires 50ba00b0af win: fix, constrain and document WNS #227 #314
This change addresses issues #227 and #314 by preventing unintended side
effects on newer Windows versions while still offering WNS control on
supported systems.

Changes:

- Constrain `WpnUserService` disabling to Windows 10 v1909 and earlier.
- Update documentation for WNS and related services.
- Remove redundant warnings (in generated code and script title).
- Improve DisablePerUserService function:
  - Add documentation and generated comments
  - Implement Windows version constraint capability
2024-08-13 11:19:46 +02:00

33472 lines
2.8 MiB
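Each script in the collection below lists the registry keys and folders it clears in `docs` and names the real targets in `call`, and the two can drift apart so that a script silently leaves a documented artifact in place. The check below is an added example, not part of privacy.sexy: it compares both sides on a constructed sample in the collection's format; `audit`, `parse_scripts`, `normalize` and the truncated key in the sample are assumptions made for illustration.

```python
import re

# Backticked registry or %VAR% paths mentioned in a script's `docs` text.
DOC_PATH = re.compile(r"`((?:HKCU|HKLM|HKCR|HKU)\\[^`]+|%[A-Z]+%\\[^`]+)`")
# `keyPath:` / `directoryGlob:` parameters in a `call` section (comment dropped).
CALL_PARAM = re.compile(r"^(?:keyPath|directoryGlob):\s*(.*?)(?:\s+#.*)?$")


def normalize(path):
    """Reduce a documented or configured path to a comparable form."""
    path = path.strip().strip("'\"").split("!", 1)[0]  # `Key!Value` -> key
    path = re.sub(r"(\\\*|\\<[^>]+>)+$", "", path)     # drop \* and \<Extension>
    return path.rstrip("\\").lower()                   # registry is case-insensitive


def covers(parent, child):
    """True when `child` is `parent` itself or lies below it."""
    return child == parent or child.startswith(parent + "\\")


def parse_scripts(text):
    """Collect documented paths and call targets for every `name:` entry."""
    scripts, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indented and flattened copies alike
        if line.startswith("name:"):
            current = {"name": line[5:].strip(), "docs": set(), "calls": set()}
            scripts.append(current)
            section = None
        elif line.startswith("category:"):
            current, section = None, None
        elif line.startswith("docs:"):
            section = "docs"
        elif line == "call:":
            section = "call"
        elif line == "children:":
            section = None
        elif current is not None and section == "docs":
            current["docs"].update(normalize(p) for p in DOC_PATH.findall(line))
        elif current is not None and section == "call":
            match = CALL_PARAM.match(line)
            if match:
                current["calls"].add(normalize(match.group(1)))
    return scripts


def audit(text):
    """Return (script, finding, path) tuples where docs and call disagree."""
    findings = []
    for script in parse_scripts(text):
        docs, calls = script["docs"], script["calls"]
        for doc in sorted(docs):
            # A documented path is fine if a call targets it or one of its parents.
            if not any(covers(call, doc) for call in calls):
                findings.append((script["name"], "documented-not-targeted", doc))
        for call in sorted(calls):
            if not any(covers(call, d) or covers(d, call) for d in docs):
                findings.append((script["name"], "targeted-not-documented", call))
    return findings


# Constructed sample: the second call's keyPath is deliberately truncated.
SAMPLE = r"""
-
  name: Clear Windows Search history
  docs: |-
    The script deletes tracking information from:
    - `HKCU\Software\Microsoft\Search Assistant\ACMru\*`
    - `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
    - `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\History` folder
  call:
    -
      function: ClearRegistryValues
      parameters:
        keyPath: HKCU\Software\Microsoft\Search Assistant\ACMru
        deleteSubkeyValuesRecursively: 'true' # Data is stored in subkeys
    -
      function: ClearRegistryValues
      parameters:
        keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheel  # constructed truncation
    -
      function: ClearDirectoryContents
      parameters:
        directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\History'
-
  name: Clear Windows Registry last-accessed key
  docs: |-
    Deletes `HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit!LastKey`.
  call:
    function: DeleteRegistryValue
    parameters:
      keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit
      valueName: LastKey
"""

if __name__ == "__main__":
    for name, kind, path in audit(SAMPLE):
        print(f"{name}: {kind}: {path}")
```

Because the parser strips leading whitespace, it can also be pointed at a copy of the collection whose indentation was lost.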
# yaml-language-server: $schema=./.schema.yaml
# ↑ Adds schema support in VS Code for auto-completion and validation.
# Structure is documented in "docs/collection-files.md"
os: windows
scripting:
language: batchfile
startCode: |-
@echo off
:: {{ $homepage }} — v{{ $version }} — {{ $date }}
:: Ensure admin privileges
fltmc >nul 2>&1 || (
echo Administrator privileges are required.
PowerShell Start -Verb RunAs '%0' 2> nul || (
echo Right-click on the script and select "Run as administrator".
pause & exit 1
)
exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion
endCode: |-
:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
actions:
-
category: Privacy cleanup
children:
-
category: Clear recent activity
docs: |-
This category includes scripts that erase traces of recent user activities on Windows.
These scripts enhance privacy by removing records of accessed files, used applications, and changed
system settings.
Clearing recent activity is crucial for protecting your privacy.
Your computer keeps detailed logs of your actions, creating a digital footprint that can reveal
sensitive information about your habits, interests, and personal life.
This data can be exploited by cybercriminals, aggressive marketers, or even used in legal proceedings.
Regularly clearing this information helps you control your privacy and reduces the risk of personal.
It also protects you from malicious actors who may insert harmful items into your activity history [4].
**Key Benefits:**
- **Enhances privacy:** Removes records that reveal personal usage patterns, habits, and preferences.
- **Safeguards information:** Helps protect sensitive information from unauthorized access and analysis.
- **Improves security:** Limits the information and attack surface available to potential attackers.
- **Boosts performance:** Improves system performance slightly by reducing unnecessary data.
> **Caution:**
> Clearing recent activity may affect your productivity by removing quick access to recently used
> files, applications, and settings.
children:
-
category: Clear Quick Access lists
docs: |-
This category focuses on managing Jump Lists in Windows.
This feature was first introduced with Windows 7 in July 2009 and has been included in subsequent versions [1] [2] [3].
These lists are found in the Start Menu or Taskbar and provide quick access to recently opened files and folders [1] [2] [3] [4] [5].
The privacy concern with Jump Lists is their detailed recording of user activities. They store data such as file names, directory paths,
MAC (Modified, Accessed, Created) timestamps, network information, volume names, and file sizes [2] [3] [4] [6]. This information is
utilized in forensic analysis to reveal user behavior and interactions with the system [1] [2] [3] [4] [5]. Authorities frequently examine
these files for investigative purposes [3].
Clearing these Jump Lists is crucial for maintaining privacy. It helps remove traces of user activities, particularly those involving
personal or confidential files. By doing so, users prevent the easy accessibility of their activity history, an important privacy measure
since these records can persist long after the original files and applications are deleted [3] [5].
> **Caution:** Clearing Quick Access lists may disrupt your workflow by removing shortcuts to frequently accessed files and folders.
[1]: https://web.archive.org/web/20231128091134/https://www.forensicfocus.com/articles/forensic-analysis-of-windows-7-jump-lists/ "Forensic Analysis of Windows 7 Jump Lists - Forensic Focus | forensicfocus.com"
[2]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India"
[3]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com"
[4]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov"
[5]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net"
[6]: https://web.archive.org/web/20231128095448/https://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf "The Meaning of Linkfiles In Forensic Examinations | Harry Parsonage | computerforensics.parsonage.co.uk"
children:
-
name: Clear Quick Access recent files
recommend: standard # Has minimal impact.
docs: |-
This script clears the `AutomaticDestinations` Jump List files in Windows.
It improves user privacy by removing traces of recent file and application usage.
These files are automatically created when a user opens a file or an application [1].
They help users quickly access recently or frequently used items, usually via the Windows taskbar [2].
They are hidden and do not appear in Windows Explorer [3].
The files are located in `%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations` [2] [3] [4].
These files are identified by the `automaticDestinations-ms` extension [3].
However, these files also record detailed user activity, such as timestamps, file locations, network information, and usage frequency [1] [3] [4] [5].
They store comprehensive data including boot session times, sequence numbers, user directories, and MAC addresses of network cards [1] [5].
Web search strings from browsers like Edge, Firefox, Chrome, and Opera, used by Cortana, are also stored in these files [3].
By clearing these files, the script not only removes the history of user activity but also reduces the risk of this data being analyzed to
construct user activity timelines [1]. Such analysis could potentially expose personal usage patterns and behaviors, compromising privacy.
> **Caution:**
> Clearing recent files will remove the convenience of quickly accessing recently used files and folders.
[1]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com"
[2]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov"
[3]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India"
[4]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net"
[5]: https://web.archive.org/web/20231128095448/https://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf "The Meaning of Linkfiles In Forensic Examinations | Harry Parsonage | computerforensics.parsonage.co.uk"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations'
-
name: Clear Quick Access pinned items
recommend: null # User-pinned items; privacy impact likely considered
docs: |-
This script removes `CustomDestinations` Jump List files in Windows.
These files are hidden [1] and located in `%APPDATA%\Microsoft\Windows\Recent\CustomDestinations` [1] [2] [3].
`CustomDestinations` files are created by different applications to enable users to pin items
such as tasks and files or applications.
This includes tasks like opening a new browser window or creating a new spreadsheet [2], as well
as files and applications frequently used [3] [4].
They are commonly used by web browsers and media players to store a user's web history and other activities [1].
The privacy concern arises because these files not only record pinned items but also store detailed data
about user interactions. This includes
file opening, modification, and access times, along with the full directory path and volume information [3] [4].
Such information, if accessed, may reveal personal habits and preferences [1] [2] [3].
Clearing these files prevents the potential use of this data in reconstructing a user's activity history, which is
particularly sensitive when it involves personal or confidential information.
The script thus plays a crucial role in maintaining the confidentiality and privacy of the user's digital activities.
> **Caution:** Removing pinned items will delete shortcuts to frequently accessed files and applications,
> requiring re-pinning them manually.
[1]: https://web.archive.org/web/20210205154335/https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf "A forensic insight into Windows 10 Jump Lists | Bhupendra Singh, Upasna Sin | Dept. of Computer Engineering, Defence Institute of Advanced Technology (DU), Girinagar, Pune, India"
[2]: https://web.archive.org/web/20231128091107/https://www.slideshare.net/ctin/windows-7-forensics-jump-listsrv3public "Windows 7 forensics jump lists-rv3-public | PPT | slideshare.net"
[3]: https://web.archive.org/web/20231128091208/https://www.justice.gov/usao/page/file/931366/download "Forensic Science and Forensic Evidence I | United States Attorneys' Bulletin | justice.gov"
[4]: https://web.archive.org/web/20231128094035/https://forensafe.com/blogs/jumplist.html "Jump Lists Blog | forensafe.com"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Microsoft\Windows\Recent\CustomDestinations'
-
category: Clear Windows Registry recent activity
docs: |-
This category focuses on removing specific types of usage data from the Windows Registry
to enhance privacy and improve system performance.
The Windows Registry is a hierarchical database that stores settings, configurations, and
options for the operating system, installed applications, and user preferences [1].
It's like a central storage system for Windows and its programs.
As users interact with their system and software, usage data and traces accumulate in the registry.
This information is often used for forensic analysis to study user behavior or by attackers to
gather data about individuals [2].
Clearing non-essential registry usage data improves privacy by reducing the amount of personal
information available to potential threats.
By removing unnecessary data, this process may also contribute to optimizing
system performance by reducing registry size and complexity.
> **Caution:**
> Removing recent activity from the registry may affect the ease of accessing frequently
> used registry keys.
[1]: https://web.archive.org/web/20240730092434/https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users "Windows registry for advanced users - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240730092829/https://par.nsf.gov/servlets/purl/10152793 "A Forensic Evidence Acquisition Model for Data Leakage Attacks | par.nsf.gov"
children:
-
name: Clear Windows Registry last-accessed key
recommend: standard
docs: |-
This script removes the record of the last visited Windows Registry key.
The Windows Registry stores the location of the last key visited using `regedit.exe` [1].
This information is used to open the registry at the same location when `regedit.exe` is started again [1].
Forensic analysts often use this data to study user behavior and activity [2] [3].
By clearing this information, you improve your privacy by reducing traces of your system interactions.
This script may also improve system performance by reducing unnecessary data in the registry.
This script deletes the `LastKey` value under the
`HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit` [1] [2] [3]
registry key.
> **Caution:**
> This action will reset the registry editor's navigation history,
> potentially affecting ease of use for advanced users.
[1]: https://web.archive.org/web/20240730094036/https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Applets/Regedit/index "Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit | renenyffenegger.ch"
[2]: https://web.archive.org/web/20240619180528/https://secure.corradoroberto.it/doc/Registry_Forensics.pdf "Microsoft Word - 462583DF-2150-08FA03.doc | secure.corradoroberto.it"
[3]: https://web.archive.org/web/20240730094313/https://forensafe.com/blogs/lastkey.html "Last Accessed Key Blog | forensafe.com"
call:
function: DeleteRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit
valueName: LastKey
-
name: Clear Windows Registry favorite locations
recommend: strict # This script may interfere with user preferences, but enhances privacy.
docs: |-
This script removes saved favorite locations in the Windows Registry Editor.
The Windows Registry Editor (`regedit`) allows users to save frequently
accessed registry locations as favorites [1].
This information is typically used by forensic analysts to study your behavior [2].
Clearing these favorites removes traces of your commonly accessed registry
locations, enhancing your privacy.
It may also improve system performance by reducing unnecessary data in the registry.
This script deletes all values under
`HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites` [1] [2]
registry key.
> **Caution:**
> Removing favorite locations in the registry editor will delete shortcuts to commonly
> accessed registry keys, which may need to be recreated manually.
[1]: https://web.archive.org/web/20240222114116/https://ss64.com/nt/regedit.html "Regedit - Windows CMD - SS64.com | ss64.com"
[2]: https://web.archive.org/web/20240730095211/https://secure.corradoroberto.it/doc/Registry_Forensics.pdf "Microsoft Word - 462583DF-2150-08FA03.doc | secure.corradoroberto.it"
call:
function: ClearRegistryValues
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
-
name: Clear recent application history
recommend: standard # Minimal impact
docs: |-
This script removes the list of recently opened applications from the Windows Registry.
Windows keeps track of applications used to open or save files in the
"Open" and "Save" dialog boxes [1] [2].
This information includes:
- The last program used to access files in these dialogs [1] [2]
- Timestamps of when programs were executed (in Windows Vista and later) [2]
- The order of entries, from most recently used [2]
- The folder location of the last file accessed by each application [1]
Digital forensic analysts often use this data to study user behavior [1] [2].
By clearing this information, you improve your privacy by removing traces
of your application usage patterns.
This script may also slightly improve system performance by reducing
unnecessary data in the registry.
The script deletes all registry values under:
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU`
(for Windows XP) [1] [2]
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU`
(for Windows Vista and above) [1] [2]
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy` [2]
> **Caution:**
> Clearing the application history may disrupt your usual workflow by removing quick
> access to recently used programs in file dialogs.
[1]: https://web.archive.org/web/20240730101153/https://forensafe.com/blogs/lastvisitedmru.html "LastVisitedMRU Blog | forensafe.com"
[2]: https://web.archive.org/web/20240730101502/https://tzworks.com/prototype_page.php?proto_id=19 "Computer Account Forensic Artifact Extractor | tzworks.com"
call:
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
-
name: Clear Adobe recent file history
recommend: standard # Does not significantly affect Adobe software functionality.
docs: |-
This script removes the list of recently opened files in Adobe software.
Adobe programs store a list of recently used files in the Windows registry [1] [2].
Each entry is labeled with a timestamp and includes details about the file opened at that specific time [1].
This information can reveal a user's file activity patterns [1], potentially compromising privacy.
By deleting these entries, the script:
1. Enhances privacy by eliminating traces of your recent file activity in Adobe programs.
2. May slightly improve system performance by reducing registry size.
The script deletes the entire registry key `HKCU\Software\Adobe\MediaBrowser\MRU`,
which includes subkeys such as:
- `HKCU\Software\Adobe\MediaBrowser\MRU\illustrator\FileList\*` [1]
- `HKCU\Software\Adobe\MediaBrowser\MRU\Photoshop\FileList\*` [1]
- `HKCU\Software\Adobe\MediaBrowser\MRU\indesign\FileList\*` [2]
> **Caution**:
> This action will reset your "Recent Files" list in Adobe programs.
> You may need to manually reopen frequently used files after running this script.
[1]: https://web.archive.org/web/20240730105854/https://www.taksati.org/mru/ "MRU - TAKSATI | www.taksati.org"
[2]: https://archive.ph/2024.07.30-110430/https://community.adobe.com/t5/indesign-discussions/recent-files-list/td-p/5826422 "Recent files list - Adobe Community - 5826422 | community.adobe.com"
call:
function: DeleteRegistryKey
parameters:
keyPath: HKCU\Software\Adobe\MediaBrowser\MRU
-
name: Clear Microsoft Paint recent files history
recommend: standard # Has minimal impact on Paint functionality.
docs: |-
This script removes the list of recently used files in Microsoft Paint.
When you open or save an image file in Paint (`mspaint.exe`), it adds the image to the
**File > Recent pictures** history list [1].
This list provides quick access to recently used files but also creates a record of your
Paint usage [1] [2].
The Paint registry keys are created only after you use the application [2].
These keys store information such as:
- File names of recently opened images [2]
- Dates when images were last closed [2]
- Other related data [2]
This information can be used to:
- Track your Paint usage patterns
- Provide evidence in forensic investigations to study your behavior [2]
By clearing this list, you:
- Enhance your privacy by removing traces of your Paint activity
- Reduce the risk of others seeing your recently edited images
- May slightly improve system performance by clearing unnecessary data
This action doesn't affect your saved files, only the record of recently used files in Paint.
The script deletes all registry values under
`HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List`
registry key [1] [2].
> **Caution:**
> Removing recent file history in Paint will delete the list of recently edited images,
> requiring manual reopening of these files.
[1]: https://web.archive.org/web/20240730113602/https://www.tenforums.com/tutorials/156361-how-clear-recent-pictures-paint-mspaint-app-windows-10-a.html "How to Clear Recent Pictures in Paint (mspaint) app in Windows 10 | Tutorials | www.tenforums.com"
[2]: https://web.archive.org/web/20240730113748/https://forensafe.com/blogs/PaintMRU.html "Paint MRU Blog | forensafe.com"
call:
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
-
name: Clear WordPad recent file history
recommend: standard # Minimally affects older Windows users.
docs: |-
This script removes the most recently used (MRU) file list from WordPad, enhancing user privacy.
WordPad stores the names and paths of recently opened files [1] [2].
Unlike Microsoft Office Word, WordPad doesn't offer a built-in feature to clear this list [1].
This data can be used in forensic investigations to analyze user behavior [1].
The stored information includes:
- **File Name:** The name of the file opened in WordPad [1] [2]
- **File Path:** The complete path to the file [1]
- **File Modified Date/Time:** When the MRU registry key was last changed [1]
- **Registry or MRU Order:** The order of file access, with `1` being the most recent [1]
- **Value Name:** The record's associated value in the registry key [1]
The recent files list updates only when the WordPad application is closed [1].
WordPad is removed from all editions of Windows starting with Windows 11, version 24H2 [3].
Therefore, this script may not apply to the latest Windows versions.
This script deletes all registry values under the
`HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List` registry key [1] [2].
By doing so, it removes traces of your recent WordPad activity, improving your privacy.
> **Caution:**
> Clearing the recent files list may hinder quick access to your frequently used WordPad documents,
> potentially affecting your workflow efficiency.
[1]: https://web.archive.org/web/20240730115041/https://forensafe.com/blogs/wordpad_recent_files.html "WordPad Recent Files | forensafe.com"
[2]: https://web.archive.org/web/20240730115357/https://www.majorgeeks.com/content/page/how_to_clear_recent_documents_history_in_wordpad.html "How to Clear Recent Documents History in WordPad - MajorGeeks | majorgeeks.com"
[3]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client | Microsoft Learn | learn.microsoft.com"
call:
function: ClearRegistryValues
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
-
name: Clear network drive mapping history
recommend: strict # May affect the user's ability to reconnect to network drives easily
docs: |-
This script removes the history of mapped network drives from your system.
Windows allows users to map network drives, which assigns a drive letter to a shared folder on a remote system [1].
This makes accessing shared resources easier, as if they were local drives.
When you map a network drive, Windows stores information about it [1].
These stored details include:
- The network path (UNC) of the mapped drive [1]
- When the drive was last accessed [1]
- Other mapped drive paths [1]
While convenient, this stored information may pose privacy risks.
Forensic analysts often use these artifacts to study user behavior and uncover network activity [1].
By clearing this data, you can:
- Protect your privacy by removing traces of network resources you've accessed
- Potentially improve system performance by reducing Registry clutter
This script deletes all registry values under the following key:
`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU` [1]
> **Caution**: Clearing this list may require you to manually reconnect to network drives you use regularly.
[1]: https://web.archive.org/web/20240730120256/https://forensafe.com/blogs/mappednetworkdrive.html "Mapped Network Drives | forensafe.com"
call:
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
-
name: Clear Windows Search history
recommend: standard # Minimal functional impact
docs: |
This script clears Windows search history to enhance privacy.
Windows records search keywords used on your device [1] [2] [3] [4] [5] [6].
This data includes search terms and dates [1] [2] [4] [5].
It's used in forensic analysis to study user behavior [1] [2] [3] [4] [5] [6].
Clearing search history improves privacy by removing this potentially sensitive information.
It may also improve system performance by freeing up storage space.
> **Caution:** Clearing search history may affect your ability to quickly find recently searched items.
### Technical Details
The script enhances privacy by deleting this tracking information from the following locations:
- `HKCU\Software\Microsoft\Search Assistant\ACMru\*` [1] [3] [6]:
Used by Windows XP [1] [3].
It stores search history in subkeys [6].
This location is not used in newer Windows versions [1] [3].
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery` [1] [2] [3] [5]:
Used by Windows 7 and later versions [1] [2] [3] [5],
including Windows 10 [2] [5] and 11 [5] to store search history.
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory` [3] [4]:
Used by Windows 8 and later for search history [3] [4].
Windows 8 utilizes the `Microsoft.Windows.FileSearchApp` subkey [4].
- `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\History` folder [3] [4].
This directory is used by Windows 8.1 to store search history [3] [4].
[1]: https://web.archive.org/web/20240730101502/https://tzworks.com/prototype_page.php?proto_id=19 "Computer Account Forensic Artifact Extractor | tzworks.com"
[2]: https://web.archive.org/web/20240730125503/https://forensafe.com/blogs/searchedstrings.html "Searched Strings Blog | forensafe.com"
[3]: https://web.archive.org/web/20240730132214/http://www.csc.villanova.edu/~dprice/fall2014/slides/16_Registry%20Forensics.pdf "Registry Artifacts | Villanova University Department of Computing Sciences D. Justin Price Fall 2014 | csc.villanova.edu"
[4]: https://web.archive.org/web/20240730133138/https://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html "Yogesh Khatri's forensic blog: Search history on Windows 8 and 8.1 | www.swiftforensics.com"
[5]: https://web.archive.org/web/20240730133138/https://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html "windows-forensic-artifacts/user-activity/wordwheelquery.md at b0faf656761091e165b1c4fff74541ebeb29d306 · privacysexy-forks/windows-forensic-artifacts | github.com"
[6]: https://web.archive.org/web/20240730125955/https://www.mpauli.de/interesting-windows-forensic-spots.html "interesting windows forensic spots | www.mpauli.de"
call:
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Search Assistant\ACMru
deleteSubkeyValuesRecursively: 'true' # Data is stored in subkeys
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory
deleteSubkeyValuesRecursively: 'true' # Data is stored in subkeys, e.g. `Microsoft.Windows.FileSearchApp`
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\History'
-
name: Clear recent files and folders history
recommend: standard # Minimal functional impact
docs: |-
This script enhances privacy by removing traces of recently accessed files and folders from the Windows system.
Windows automatically tracks and stores information about files and folders accessed by users [1] [2].
This data is maintained in various registry keys and includes details such as file names, types,
access dates, and full paths [1] [2] [3] [4].
This information persists even after the original files or folders are deleted [1] [4].
This data is commonly used for forensic analysis to study your behavior [1] [2] [3] [4] [5].
It can reveal user activities, including access to sensitive or unauthorized documents [1] [2] [3].
This information provides insights into user behavior and file interactions across different applications [2].
To protect your privacy, this script deletes tracking information from these locations:
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\<Extension>` [1] [2] [5]
for Windows XP [2] and Vista [1] [2].
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\<Extension>` [2] [3] [5]
for Windows 2000 [5], Windows XP [3] [5], and Windows Vista [2].
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\<Extension>` [2] [3] [5]
for Windows 7 [3], Windows Vista [2] [5], Windows 8 [3] and Windows 10 [3].
- `%APPDATA%\Microsoft\Windows\Recent Items` [1] [4]
for Windows 10 [1] and Windows 11.
> **Caution:**
> Clearing this history may disrupt your workflow by removing quick access to frequently used
> files and folders.
[1]: https://web.archive.org/web/20240730194320/https://forensafe.com/blogs/recentdocs.html "RecentDocs MRU Blog | forensafe.com"
[2]: https://web.archive.org/web/20240730200254/https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/ "What is MRU (Most Recently Used)? - Magnet Forensics | www.magnetforensics.com"
[3]: https://web.archive.org/web/20240730195941/https://forensafe.com/blogs/opensavemru.html "OpenSaveMRU Blog | forensafe.com"
[4]: https://web.archive.org/web/20240730200152/https://forensafe.com/blogs/investigating_recent_items.html "Recent Items | forensafe.com"
[5]: https://web.archive.org/web/20240730195957/https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html "Most recently used (MRU) — Windows Registry knowledge base (winreg-kb) 20240211 documentation | winreg-kb.readthedocs.io"
call:
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
deleteSubkeyValuesRecursively: 'true' # Data is stored in subkeys for each file extension.
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
deleteSubkeyValuesRecursively: 'true' # Data is stored in subkeys for each file extension.
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
deleteSubkeyValuesRecursively: 'true' # Data is stored in subkeys for each file extension.
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Microsoft\Windows\Recent Items'
-
name: Clear Windows Media Player recent activity history
recommend: standard # Minimal functional impact
docs: |-
This script clears the recent activity history in Windows Media Player.
Windows Media Player automatically stores files and URLs you recently played for easy access
through the history list [1] [2].
It also stores recently added radio station entries [3].
This data can be exploited by attackers to gather information about you [2] [4].
The script improves privacy by removing traces of your media consumption habits.
It may also enhance system performance by clearing unnecessary data.
This script mimics the **Tools > Privacy > Clear History** option in Windows Media Player 9 and 10 [1].
The script deletes all registry values under:
- `HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList` [1] [2] [4]
- `HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList` [1] [2] [4]
- `HKCU\Software\Microsoft\MediaPlayer\Radio\MRUList` [3]
This data is recreated when you open a file in Media Player [1].
For continuous privacy protection, run this cleanup regularly.
> **Caution:**
> Running this script may temporarily disrupt quick access to your recently played media files,
> URLs, and radio stations in Windows Media Player.
[1]: https://web.archive.org/web/20240730210758/https://support.microsoft.com/en-us/topic/how-to-delete-the-recent-play-list-from-windows-media-player-095410a9-1f37-8e9b-222e-c520757d4eca "How to delete the recent play list from Windows Media Player - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240730210856/https://www.offensiveosint.io/inside-of-danderspritz-post-exploitation-modules/ "Inside of Danderspritz post-exploitation modules | www.offensiveosint.io"
[3]: https://web.archive.org/web/20040504183343/http://support.microsoft.com/default.aspx?scid=kb;en-us;235570 "235570 - How to Remove Entries From the Radio Toolbar | support.microsoft.com"
[4]: https://web.archive.org/web/20240619180528/https://secure.corradoroberto.it/doc/Registry_Forensics.pdf "Microsoft Word - 462583DF-2150-08FA03.doc | secure.corradoroberto.it"
call:
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Gabest\Media Player Classic\Recent File List
-
name: Clear DirectX recent application history
recommend: standard # Minimal impact on DirectX functionality
docs: |-
This script removes the most recent application usage data stored by DirectX to enhance privacy.
DirectX is a set of Windows components that helps software (often games and multimedia applications)
to work directly with video and audio hardware [1].
It logs the most recent application data in the system registry [2].
Attackers exploit this information to gather insights about a target's system or network [3].
Forensic analysts use this information to study your behavior [4].
This script enhances your privacy by removing traces of the last DirectX applications or games you have used.
It can also improve system performance by freeing up system resources.
This script deletes all registry values under the key `HKCU\Software\Microsoft\Direct3D\MostRecentApplication` [2] [3] [4].
> **Caution:** This action may slightly impact DirectX's ability to optimize performance for recently used applications.
[1]: https://web.archive.org/web/20240708104416/https://support.microsoft.com/en-us/topic/how-to-install-the-latest-version-of-directx-d1f5ffa5-dae2-246c-91b1-ee1e973ed8c2 "How to install the latest version of DirectX - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240730213229/https://www.freefixer.com/library/file/Microsoft.DirectX.Direct3D.dll-59895/ "What is Microsoft.DirectX.Direct3D.dll? | www.freefixer.com"
[3]: https://web.archive.org/web/20211206161019/https://vulners.com/nessus/MICROSOFT_WINDOWS_DIRECT3D.NASL "Direct3D Recent Program - vulnerability database | Vulners.com | vulners.com"
[4]: https://web.archive.org/web/20240730213658/https://forensics.wiki/list_of_windows_mru_locations/ "List of windows mru locations | forensics.wiki"
call:
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Direct3D\MostRecentApplication
-
name: Clear Windows Run command history
recommend: standard # Minimal impact on functionality
docs: |-
This script clears the Most Recently Used (MRU) list in Windows Run.
Windows Run is a utility that allows users to quickly open programs, files, folders, and web pages [1] [2] [3].
It's also known as the Windows Run dialog box [2] [4], Windows Command Window [3], Windows Run Box [5],
Windows Run utility [1] [6], and Windows Run window [1].
You can access it by:
- Pressing **Windows logo key + R** [1] [3]
- Searching for **Run** in the **Start Menu** [1] [2]
- Running specific commands:
- `explorer shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}` [4]
- `%WINDIR%\System32\rundll32.exe shell32.dll,#61` [4]
Keeping this data poses privacy and security risks:
- It reveals user activity on the system, including accessed files and applications [1] [5] [6]
- Forensic analysts use this data to study user behavior [1] [5] [6]
- Attackers use this data to understand user activities or execute malicious code [5]
Clearing this data improves your privacy and security by:
- Removing traces of your recent activities
- Preventing third parties from gaining insights into your system usage
- Reducing the risk of malicious code execution via manipulated data entries
It can also improve system performance by reducing the amount of data Windows needs to process when accessing the Run dialog history.
This script deletes all registry values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` [1] [5] [6].
To ensure the changes take effect, close and reopen the Run window if it's currently open [1].
> **Caution**:
> This script will erase your Run command history, potentially slowing down access to frequently used programs and files.
[1]: https://web.archive.org/web/20240731003110/https://forensafe.com/blogs/runmrukey.html "Run MRU Blog | forensafe.com"
[2]: https://web.archive.org/web/20240801092604/https://support.microsoft.com/en-us/office/command-line-switches-for-microsoft-office-products-079164cd-4ef5-4178-b235-441737deb3a6 "Command-line switches for Microsoft Office products - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240801093108/https://support.microsoft.com/en-us/office/about-the-microsoft-support-and-recovery-assistant-e90bb691-c2a7-4697-a94f-88836856c72f "About the Microsoft Support and Recovery Assistant - Microsoft Support | support.microsoft.com"
[4]: https://web.archive.org/web/20240801092302/https://superuser.com/questions/1163990/where-is-the-windows-run-command-located/1164001#1164001 "Where is the Windows Run command located? - Super User | superuser.com"
[5]: https://archive.ph/2024.07.30-220219/https://www.4n6post.com/2023/02/runmru.html "4n6post.com/2023/02/runmru.html | www.4n6post.com"
[6]: https://web.archive.org/web/20240730200254/https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/ "What is MRU (Most Recently Used)? - Magnet Forensics | www.magnetforensics.com"
call:
function: ClearRegistryValues
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
-
name: Clear File Explorer address bar history
recommend: strict # May affect workflow efficiency
docs: |-
This script clears the history of paths you've typed in the File Explorer address bar.
Windows stores recent paths entered in File Explorer [1] [2] [3] (formerly known as Windows Explorer [1] [2]).
This specifically targets paths that have been manually typed into the Address Bar [2] [3].
These can be file or folder locations [2].
Windows saves up to 25 of these entries [1].
The paths are saved upon closing the File Explorer window [1].
This stored data includes:
- Full path typed [1] [2]
- Date and time of entry [1] [2]
This information may pose privacy and security risks:
- Reveals your file access history [1] [2]
- Allows tracking of when and how often files were accessed [1] [2]
- Enables detection of activity patterns, such as specific application use [2]
- Can be used to build a timeline of user actions [2]
- Can be exploited by malware to maintain persistence on the system [4]
- Can be used by attackers to map system structure or track behavior
- Facilitates social engineering attacks based on file access patterns
This data is often used in forensic investigations [1] [2].
This data can be used in investigations related to intellectual property theft, employee misconduct,
security breaches, or other criminal activities [2].
This script enhances privacy by:
- Removing traces of your file system navigation
- Reducing unauthorized access risk to your browsing history
- Limiting data available for forensic analysis
- Preventing exposure of sensitive file or folder names
- Reducing risk of attacks based on file access patterns
- Minimizing digital footprint on shared or public computers
- Protecting against certain types of malware
- Maintaining confidentiality of work or personal projects
It can also slightly improve system performance by freeing up space and reducing the data
Windows processes when accessing File Explorer history.
This script deletes all registry values under:
`HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths` [1] [2] [3].
This subkey includes values named `url1`, `url2`, `url3`, etc., with `url1` always containing the most recent typed path [1].
> **Caution**:
> This script may impair your ability to quickly access recently typed file paths in File Explorer,
> potentially affecting your workflow efficiency.
[1]: https://web.archive.org/web/20240801124433/https://forensafe.com/blogs/typedpaths.html "Typed Paths Blog | forensafe.com"
[2]: https://web.archive.org/web/20240801124441/https://www.3fforensics.com/forensics/typed-paths.html "New Orleans Forensics, Expert computer forensics. NOLA Forensics. Mobile forensics, Memory forensics, Disk forensics. | Forensics | www.3fforensics.com"
[3]: https://web.archive.org/web/20240801102250/https://www.elevenforum.com/t/clear-file-explorer-history-in-windows-11.8468/ "Clear File Explorer History in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[4]: https://archive.ph/2024.08.01-102204/https://x.com/dez_/status/1560101453150257154 "Joe Desimone on X: \"@Hexacorn ever come across this technique before ? Is it some kind of odd persistence? Explorer\TypedPaths\url1 \" / X | x.com"
call:
function: ClearRegistryValues
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
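A read-only check for the registry cleanups above, added here as an example and not part of privacy.sexy's own code: it counts the values remaining under each `keyPath` that the scripts pass to `ClearRegistryValues`, and lists `TypedPaths` entries in `url1`, `url2`, ... order. The function names `Get-ResidualRegistryValue` and `Get-TypedPathHistory` are assumptions made for this example.

```powershell
# Added example: read-only audit of the MRU registry keys named in this file.
# Function and variable names are illustrative assumptions, not privacy.sexy code.

$targets = @(
    # Recurse = $true where the file notes that data is stored in per-extension subkeys.
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs';               Recurse = $true  }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU';     Recurse = $true  }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU'; Recurse = $true  }
    @{ Path = 'HKCU:\Software\Microsoft\MediaPlayer\Player\RecentFileList';                        Recurse = $false }
    @{ Path = 'HKCU:\Software\Microsoft\MediaPlayer\Player\RecentURLList';                         Recurse = $false }
    @{ Path = 'HKCU:\Software\Gabest\Media Player Classic\Recent File List';                       Recurse = $false }
    @{ Path = 'HKCU:\Software\Microsoft\Direct3D\MostRecentApplication';                           Recurse = $false }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU';                   Recurse = $false }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths';               Recurse = $false }
)

function Get-ResidualRegistryValue {
    # Emits one object per registry value found under $Path (and its subkeys if requested).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [bool] $Recurse = $false
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }   # Key absent: nothing to report.

    $keys = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $keys += @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    }

    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $raw = $key.GetValue($name, $null, $noExpand)
            [pscustomobject]@{
                Key  = $key.Name
                Name = if ($name -eq '') { '(Default)' } else { $name }
                Kind = $key.GetValueKind($name)
                # Binary MRU blobs are summarized by size instead of being dumped.
                Data = if ($raw -is [byte[]]) { "<binary, $($raw.Length) bytes>" } else { "$raw" }
            }
        }
    }
}

function Get-TypedPathHistory {
    # url1 is the most recent typed path; sort numerically so url10 follows url9, not url1.
    Get-ResidualRegistryValue -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths' |
        Where-Object { $_.Name -match '^url\d+$' } |
        Sort-Object { [int]($_.Name -replace '^url', '') } |
        Select-Object Name, Data
}

# Per-key summary: a count of 0 after the cleanup means no values remain under that key.
$report = foreach ($t in $targets) {
    $values = @(Get-ResidualRegistryValue -Path $t.Path -Recurse $t.Recurse)
    [pscustomobject]@{
        Key            = $t.Path
        Exists         = Test-Path -LiteralPath $t.Path
        ResidualValues = $values.Count
    }
}

$report | Format-Table -AutoSize
Get-TypedPathHistory | Format-Table -AutoSize
```

Run it as the same user account before and after the cleanup; `HKCU` is per-user, so the result describes only that account's hive.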
-
category: Clear third-party application data
children:
-
category: Clear privacy.sexy data
# Marked: refactor-with-variables, refactor-with-partials
# - Documentation is the same across macOS, Linux and Windows; it should be shared, not duplicated.
docs: |-
This category offers scripts to remove data left by the privacy.sexy desktop application,
helping you ensure your privacy by eliminating all traces of use.
The web application version of privacy.sexy does not create or store user data on your device [1],
so this category is applicable to desktop application users only.
These scripts are designed for anyone wanting to ensure their script activities leave no trace on their systems.
> **Caution**:
> Deleting this data might affect security [2] and troubleshooting [1]:
> - Logs are valuable for diagnosing issues and understanding past actions [1].
> - Script files can help review changes made to the system and aid in reverting those changes if needed.
[1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
[2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
children:
-
name: Clear privacy.sexy script history
docs: |-
This script removes script files generated by the privacy.sexy desktop application.
The desktop version executes scripts directly on your device [1], saving a script file for execution [1],
troubleshooting [1], and security [2].
By running this script, you remove the executed script files, enhancing your privacy by ensuring that there is no
residual data that could reveal your usage patterns or preferences.
> **Caution**:
> - This action is irreversible. Deleted script files cannot be retrieved.
> - These files might be necessary for troubleshooting if you experience issues after using privacy.sexy scripts.
[1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
[2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\privacy.sexy\runs'
-
name: Clear privacy.sexy activity logs
docs: |-
This script removes log files generated by the privacy.sexy desktop application.
Unlike the web version, the desktop application records logs for troubleshooting [1].
Additionally, these logs offer auditing and transparency for security [2].
Deleting these logs can help maintain your privacy by ensuring there are no records of the application's activities
on your system.
> **Caution**:
> - Removing logs will prevent you from reviewing the application's activities, which could be helpful in diagnosing issues.
> - Logs can contain valuable information for technical support should you need assistance.
[1]: https://github.com/undergroundwires/privacy.sexy/blob/master/docs/desktop/desktop-vs-web-features.md "Desktop vs. Web Features | privacy.sexy | github.com"
[2]: https://github.com/undergroundwires/privacy.sexy/blob/master/SECURITY.md "SECURITY.md | privacy.sexy | github.com"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\privacy.sexy\logs'
-
name: Clear Listary search index
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Listary\UserData'
-
name: Clear Java cache
recommend: strict
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Sun\Java\Deployment\cache'
-
name: Clear Flash Player traces
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Macromedia\Flash Player'
-
category: Clear Steam data
children:
-
name: Clear Steam dumps
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMFILES(X86)%\Steam\Dumps'
-
name: Clear Steam traces
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMFILES(X86)%\Steam\Traces'
-
name: Clear Steam cache
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%ProgramFiles(x86)%\Steam\appcache'
-
category: Clear Visual Studio usage data
docs: |-
Visual Studio is an integrated development environment (IDE) from Microsoft that is used to develop software [1].
Visual Studio stores data such as your usage of the software and information about your hardware [2].
The data is stored both in the Microsoft cloud [3] and locally on your computer.
These scripts allow you to delete the local data that might reveal personally identifiable information about you
or the way you use the product.
[1]: https://web.archive.org/web/20240731003406/https://learn.microsoft.com/en-us/visualstudio/get-started/visual-studio-ide?view=vs-2022 "What is the Visual Studio IDE? | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240314092010/https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program?view=vs-2022 "Visual Studio Customer Experience Improvement Program | Microsoft Learn | learn.microsoft.com"
[3]: https://www.infoworld.com/article/2609774/microsoft-reinvents-visual-studio-as-an-azure-cloud-service.html "Microsoft reinvents Visual Studio as an Azure cloud service | InfoWorld"
children:
-
category: Clear Visual Studio telemetry and feedback data
docs: |-
These scripts delete data about you and your behavior that's locally stored by Visual Studio on your computer.
These scripts do not clear data that has already been collected on Microsoft servers, but they can prevent more data
from being sent by deleting data waiting to be sent.
children:
-
name: Clear offline Visual Studio usage telemetry data
recommend: standard
docs: |-
This script removes offline telemetry data in Visual Studio to enhance privacy and potentially
improve system performance.
These telemetry files, known as SQM (*Service Quality Monitoring* or *Software Quality Metrics* [2]),
contain details about application usage, errors, and performance [1].
SQM files are created and used by Microsoft to gather data for the Microsoft Customer Experience Improvement Program [2].
When offline, Visual Studio stores these files in the user's local application data folder [3].
Removing these files helps protect user privacy by deleting usage data.
Removing this data may improve Visual Studio's performance, as the accumulation of these files can potentially slow
down the application [3].
### Technical Details
Visual Studio stores these SQM files locally in the `%LOCALAPPDATA%\Microsoft\VSCommon\<Version Number>\SQM` folder [3].
This script removes data for Visual Studio versions 2015 through 2022 [4]:
| Version | Product |
|:-------:|--------------------|
| 14.0 | Visual Studio 2015 |
| 15.0 | Visual Studio 2017 |
| 16.0 | Visual Studio 2019 |
| 17.0 | Visual Studio 2022 |
[1]: https://web.archive.org/web/20231206212243/https://file.org/extension/sqm "SQM File: How to open SQM file (and what it is) | file.org"
[2]: https://web.archive.org/web/20231206212102/https://devblogs.microsoft.com/oldnewthing/20100406-00/?p=14393 "Microspeak: SQMmed - The Old New Thing | devblogs.microsoft.com"
[3]: https://web.archive.org/web/20240314062704/https://stackoverflow.com/questions/17643535/slow-visual-studio-related-to-sqmclient/38862596#38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow | stackoverflow.com"
[4]: https://web.archive.org/web/20240808200605/https://en.wikipedia.org/wiki/Visual_Studio#History "Visual Studio - Wikipedia | en.wikipedia.org"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\14.0\SQM'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\15.0\SQM'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\16.0\SQM'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSCommon\17.0\SQM'
-
name: Clear Visual Studio Application Insights logs
recommend: standard
docs: |-
Application Insights for Visual Studio stores diagnostic data, such as exceptions and performance [1].
Application Insights stores `.TRN` files that may accumulate and exceed thousands in number [2] [3].
[1]: https://azuredevopslabs.com/labs/vsts/monitor/ "Monitoring Applications using Application Insights | Azure DevOps Hands-on-Labs"
[2]: https://developercommunity.visualstudio.com/t/visual-studio-freezes-randomly/224181#T-N257722-N277241-N407607 "Visual Studio freezes randomly | Visual Studio Feedback"
[3]: https://web.archive.org/web/20240314062743/https://stackoverflow.com/questions/45832665/visual-studio-2017-15-3-1-keeps-hanging-freezing/53754481#53754481 "Visual Studio 2017 (15.3.1) keeps hanging/freezing | Stack Overflow | stackoverflow.com"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\VSApplicationInsights'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMDATA%\Microsoft\VSApplicationInsights'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\Microsoft\VSApplicationInsights'
-
name: Clear Visual Studio telemetry data
recommend: standard
docs: |-
`vstelemetry` is a folder created by both Visual Studio [1] and SQL Server Management Studio [2] to
store telemetry data.
There have been security vulnerabilities involving these folders, which Microsoft patched in 2020 [2].
[1]: http://processchecker.com/file/VsHub.exe.html "What is VsHub.exe ? VsHub.exe info | Processchecker.com"
[2]: https://herolab.usd.de/en/security-advisories/usd-2020-0030/ "usd-2020-0030 - usd HeroLab"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\vstelemetry'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%PROGRAMDATA%\vstelemetry'
-
name: Clear Visual Studio temporary telemetry and log data
recommend: standard
docs: |-
These logs are created by different tools that Visual Studio uses, such as its launcher, installer, or
data collection agents.
Folders include `VSFaultInfo` [1], `VSFeedbackPerfWatsonData` [2], `VSFeedbackCollector` [2],
`VSFeedbackVSRTCLogs` [3], `VSRemoteControl` [4] [5], `VSFeedbackIntelliCodeLogs` [4] [5],
`VSTelem` [6] [7], `VSTelem.Out` [6].
Visual Studio stores more log and cache data than this, but not all of it has privacy
implications. These files can be useful for faster loading, so this script removes only the
sensitive data instead of clearing the entire cache.
[1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Developer Community"
[2]: https://developercommunity.visualstudio.com/t/microsoft-visual-studio-1/588200#T-N588861-N594783 "MSTF help | Visual Studio Developer Community"
[3]: https://github.com/microsoft/live-share/issues/3584 "Agent logs in %TEMP%\VSFeedbackVSRTCLogs taking up over 87GB · Issue #3584 · MicrosoftDocs/live-share | GitHub"
[4]: https://developercommunity.visualstudio.com/t/please-keep-my-temp-folder-clean/731637 "Please keep my TEMP folder clean! - Visual Studio Feedback | Visual Studio Developer Community"
[5]: https://web.archive.org/web/20240314062744/https://stackoverflow.com/questions/60974427/reduce-log-and-other-temporary-file-creation-in-visual-studio-2019 "Reduce log and other temporary file creation in Visual Studio 2019 | Stack Overflow | stackoverflow.com"
[6]: https://web.archive.org/web/20240314063145/https://stackoverflow.com/questions/72341126/visual-studio-2022-telemetry-related-temp-folders "Visual Studio 2022 - Telemetry related temp folders - Stack Overflow | stackoverflow.com"
[7]: https://web.archive.org/web/20231206212802/https://social.msdn.microsoft.com/Forums/vstudio/en-US/5b2a0baa-748f-40e0-b504-f6dfad9b7b4d/vstelem-folder-24000-files-2064kb "VSTELEM folder 24000 files 2064Kb | MSDN Forums"
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFaultInfo'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFeedbackPerfWatsonData'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFeedbackVSRTCLogs'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSFeedbackIntelliCodeLogs'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSRemoteControl'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\Microsoft\VSFeedbackCollector'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSTelem'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%\VSTelem.Out'
-
category: Clear Visual Studio licenses
docs: |- # refactor-with-variables: Same • Visual Studio License Caution
This category removes locally stored Visual Studio license information to enhance privacy.
Visual Studio is an integrated development environment (IDE) for writing, editing, debugging, and building code [1].
It offers tools like compilers, code completion, and supports various programming languages and platforms [1].
Visual Studio stores a local copy of your license information [2] [3] [4] [5].
It remains even after uninstalling the software [2].
This applies to both purchased products and free trials [3].
The stored data may include sensitive information such as:
- License expiration date [3] [4]
- License key used to activate your local Visual Studio installation [5]
Removing this information improves your privacy by eliminating potentially revealing data about your software usage
and licensing status.
It may also slightly improve system performance by freeing up storage space used for license data.
> **Caution**:
> Removing the license information may require you to reactivate Visual Studio on the next use.
> You will need your license key and Microsoft account details for reactivation.
[1]: https://web.archive.org/web/20240731003406/https://learn.microsoft.com/en-us/visualstudio/get-started/visual-studio-ide?view=vs-2022 "What is the Visual Studio IDE? | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231124133613/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow"
[3]: https://web.archive.org/web/20231124133613/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/14810695#14810695 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com"
[4]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com"
[5]: https://web.archive.org/web/20240731111715/https://github.com/privacysexy-forks/VSKeyExtractor "privacysexy-forks/VSKeyExtractor: A small tool to extract the license key that was used to activate your local installation of Visual Studio | github.com"
children:
-
name: Clear Visual Studio 2010 license
docs: |-
This script removes the license information for Visual Studio 2010.
Visual Studio 2010 is an integrated development environment (IDE) by Microsoft [1].
It simplifies creating, debugging, and deploying applications [1].
It was released in 2010 [2].
Its official support ended in 2015, and extended support ended in October 2020 [2].
This means it's no longer receiving security updates or bug fixes, making it potentially vulnerable.
The script removes the license associated with Visual Studio 2010's product GUID:
`77550D6B-6352-4E77-9DA3-537419DF564B` [3] [4].
This script enhances your privacy by removing identifiable license information from your system.
It may also improve system performance by clearing outdated registry entries.
> **Caution**:
> Removing the license information may require you to reactivate Visual Studio on the next use.
> You will need your license key and Microsoft account details for reactivation.
[1]: https://web.archive.org/web/20240731092747/https://www.microsoft.com/en-ie/download/details.aspx?id=10142 "Download Visual Studio 2010 Professional Whitepaper from Official Microsoft Download Center | www.microsoft.com"
[2]: https://web.archive.org/web/20240731092804/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2010 "Visual Studio 2010 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231124133613/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/14810695#14810695 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com"
[4]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com"
call:
function: DeleteVisualStudioLicense
parameters:
productGuid: 77550D6B-6352-4E77-9DA3-537419DF564B
-
name: Clear Visual Studio 2013 license
docs: |- # refactor-with-variables: Same • Visual Studio License Caution
This script removes the license information for Visual Studio 2013.
Visual Studio 2013 is an integrated development environment (IDE) by Microsoft [1].
It was released in October 2013 [2].
It introduced roaming support, notifications, improved update experience, and various productivity enhancements [2].
It improved the interface, added coding shortcuts, supported Windows apps development, combined web development tools,
enabled cloud testing, and enhanced team collaboration [2].
Microsoft ended official support for Visual Studio 2013 in April 2019, with extended support ending in April 2024 [3].
This means it no longer receives security updates or bug fixes, potentially making it vulnerable to security risks.
Visual Studio 2013 uses the product GUID `E79B3F9C-6543-4897-BBA5-5BFB0A02BB5C` for license association [3] [4] [5].
This script enhances your privacy by removing identifiable license information from your system.
It may also improve system performance by clearing unnecessary data.
> **Caution**:
> Removing the license information may require you to reactivate Visual Studio on the next use.
> You will need your license key and Microsoft account details for reactivation.
[1]: https://web.archive.org/web/20150111085353/http://channel9.msdn.com/Events/Visual-Studio/Launch-2013/VS101 "What's New in Visual Studio 2013 Integrated Developer Environment (IDE) | Visual Studio 2013 Launch | Channel 9 | channel9.msdn.com"
[2]: https://web.archive.org/web/20240731095411/https://learn.microsoft.com/en-us/visualstudio/releasenotes/vs2013-rtm-vs "Visual Studio 2013 Release Notes | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com"
[4]: https://web.archive.org/web/20240731002659/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/22258088#22258088 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com"
[5]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com"
call:
function: DeleteVisualStudioLicense
parameters:
productGuid: E79B3F9C-6543-4897-BBA5-5BFB0A02BB5C
-
name: Clear Visual Studio 2015 license
docs: |- # refactor-with-variables: Same • Visual Studio License Caution
This script removes the license information for Visual Studio 2015.
Visual Studio 2015 is an integrated development environment (IDE) by Microsoft [1].
It was released on July 20, 2015 [1] [2] [3].
Visual Studio 2015 improved support for various programming languages and platforms, especially for mobile and
cross-platform development [2].
It offered enhanced setup customization for lighter and quicker installations, and integrated a streamlined
account management experience [1].
It included tools for developing Android, iOS, and Windows apps, expanded debugging capabilities, and better
support for web development technologies [2].
Microsoft ended official support for Visual Studio 2015 in October 2020, with extended support ending in October 2025 [3].
This means it no longer receives security updates or bug fixes, potentially exposing it to security risks.
Visual Studio 2015 uses the product GUID `4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F`, to which the license
is associated [4] [5] [6].
This script enhances privacy by removing identifiable license information from your system.
It may also improve system performance by clearing unnecessary data and reducing registry clutter.
> **Caution**:
> Removing the license information may require you to reactivate Visual Studio on the next use.
> You will need your license key and Microsoft account details for reactivation.
[1]: https://web.archive.org/web/20240731101036/https://devblogs.microsoft.com/visualstudio/visual-studio-2015-rtm-whats-new-in-the-ide/ "Visual Studio 2015 RTM: Whats New in the IDE - Visual Studio Blog | devblogs.microsoft.com"
[2]: https://web.archive.org/web/20240731100217/https://learn.microsoft.com/en-us/visualstudio/releasenotes/vs2015-rtm-vs "Visual Studio 2015 Release Notes | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240731100226/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2015 "Visual Studio 2015 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231124133749/https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key/32482322#32482322 "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow | stackoverflow.com"
[5]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com"
[6]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com"
call:
function: DeleteVisualStudioLicense
parameters:
productGuid: 4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F
-
name: Clear Visual Studio 2017 license
docs: |- # refactor-with-variables: Same • Visual Studio License Caution
This script removes the license information for Visual Studio 2017.
Visual Studio 2017 is an integrated development environment (IDE) created by Microsoft [1].
It was released on March 7, 2017 [2] [3].
Visual Studio 2017 focuses on improving performance with a faster, more efficient lightweight
installation process [1].
It enhances cloud and mobile development, providing integrated tools for .NET Core, Azure applications,
Docker containers, and streamlined mobile app creation for Android, iOS, and Windows [1].
Microsoft ended official support for Visual Studio 2017 in April 2022, with extended support ending in April 2027 [4].
This means it no longer receives security updates or bug fixes, potentially exposing users to security risks.
Visual Studio 2017 has a product GUID of `5C505A59-E312-4B89-9508-E162F8150517` to which the license is associated [4] [5] [6].
This script enhances your privacy by removing identifiable license information.
It may also improve system performance by clearing unnecessary license data.
> **Caution**:
> Removing the license information may require you to reactivate Visual Studio on the next use.
> You will need your license key and Microsoft account details for reactivation.
[1]: https://web.archive.org/web/20240731102312/https://devblogs.microsoft.com/visualstudio/announcing-visual-studio-2017-general-availability-and-more/ "Announcing Visual Studio 2017 General Availability... and more - Visual Studio Blog | devblogs.microsoft.com"
[2]: https://web.archive.org/web/20240731102317/https://learn.microsoft.com/en-us/visualstudio/releasenotes/vs2017-relnotes-history "Visual Studio 2017 Release History | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240731102322/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2017 "Visual Studio 2017 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com"
[5]: https://web.archive.org/web/20231124134032/https://stackoverflow.com/questions/43390466/is-visual-studio-community-a-30-day-trial/51570570#51570570 "Is Visual Studio Community a 30 day trial? | Stack Overflow | stackoverflow.com"
[6]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com"
call:
function: DeleteVisualStudioLicense
parameters:
productGuid: 5C505A59-E312-4B89-9508-E162F8150517
-
name: Clear Visual Studio 2019 license
docs: |- # refactor-with-variables: Same • Visual Studio License Caution
This script removes the license information for Visual Studio 2019.
Visual Studio 2019 is an integrated development environment (IDE) developed by Microsoft [1].
It was released on April 2, 2019 [2].
Visual Studio 2019 improves productivity with enhanced performance, code cleanup tools,
and more efficient search functionality [1].
It facilitates collaboration through Git-focused workflows and integrated code reviews [1].
The IDE also offers advanced debugging capabilities, including memory optimization and automatic execution snapshots [1].
Microsoft ended mainstream support for Visual Studio 2019 in April 2024,
with extended support continuing until April 2029 [2].
Visual Studio 2019 uses a product GUID of `41717607-F34E-432C-A138-A3CFD7E25CDA` for license association [3] [4] [5].
This script enhances your privacy by removing identifiable license information.
It may also improve system performance by clearing unnecessary registry entries.
> **Caution**:
> Removing the license information may require you to reactivate Visual Studio on the next use.
> You will need your license key and Microsoft account details for reactivation.
[1]: https://web.archive.org/web/20240731103501/https://learn.microsoft.com/en-us/visualstudio/ide/whats-new-visual-studio-2019?view=vs-2019 "What's new in Visual Studio 2019 | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240731103505/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2019 "Visual Studio 2019 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231124134207/https://stackoverflow.com/questions/46731291/how-to-change-visual-studio-2017-license-key/46974337#46974337 "How to change Visual Studio 2017 License Key? | Stack Overflow | stackoverflow.com"
[4]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com"
[5]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com"
call:
function: DeleteVisualStudioLicense
parameters:
productGuid: 41717607-F34E-432C-A138-A3CFD7E25CDA
-
name: Clear Visual Studio 2022 license
docs: |- # refactor-with-variables: Same • Visual Studio License Caution
This script removes the license information for Visual Studio 2022.
Visual Studio 2022 is an integrated development environment (IDE) by Microsoft
for software development [1].
It was released on November 8, 2021 [2].
Visual Studio 2022 introduces AI-powered enhancements such as IntelliSense and
IntelliCode for smarter, faster coding, alongside GitHub Copilot for improved
code completion and debugging [1].
It also offers improved productivity with a 64-bit IDE, better cross-platform
development tools, and advanced debugging and testing features [1].
Microsoft's mainstream support for Visual Studio 2022 ends in January 2027, with
extended support until January 2032 [2].
Visual Studio 2022 uses multiple product GUIDs, reflecting the variety of versions and installation
configurations reported by the community [3].
The script targets three product GUIDs associated with Visual Studio 2022 licenses:
- `1299B4B9-DFCC-476D-98F0-F65A2B46C96D` [3] [4] [5] [6]
- `10D17DBA-761D-4CD8-A627-984E75A58700` [3]
- `B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC` [3]
This script enhances your privacy by removing identifiable license information.
It may also improve system performance by clearing unnecessary license data.
> **Caution**:
> Removing the license information may require you to reactivate Visual Studio on the next use.
> You will need your license key and Microsoft account details for reactivation.
[1]: https://web.archive.org/web/20240731104906/https://visualstudio.microsoft.com/vs/ "Visual Studio 2022 IDE - Programming Tool for Software Developers | visualstudio.microsoft.com"
[2]: https://web.archive.org/web/20240731104914/https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2022 "Visual Studio 2022 - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231124134314/https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 Key Discussion | beatcracker/VSCELicense | GitHub | github.com"
[4]: https://web.archive.org/web/20231124134431/https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022 "MSFT Answer | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20231124134322/https://stackoverflow.com/questions/46731291/how-to-change-visual-studio-2017-license-key/71624750#71624750 "How to change Visual Studio 2017 License Key? | Stack Overflow | stackoverflow.com"
[6]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com"
call:
-
function: DeleteVisualStudioLicense
parameters:
productGuid: B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC
-
function: DeleteVisualStudioLicense
parameters:
productGuid: 10D17DBA-761D-4CD8-A627-984E75A58700
-
function: DeleteVisualStudioLicense
parameters:
productGuid: 1299B4B9-DFCC-476D-98F0-F65A2B46C96D
-
name: Clear Dotnet CLI telemetry
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\.dotnet\TelemetryStorageService'
-
category: Clear browser history
children:
-
category: Clear Internet Explorer history
children:
-
name: Clear Internet Explorer cache
recommend: standard
docs:
# INetCache
- https://web.archive.org/web/20240314131456/https://support.microsoft.com/en-us/topic/how-to-delete-the-contents-of-the-temporary-internet-files-folder-8eb83a8d-43e2-300d-d355-2ee71602ab44
- https://web.archive.org/web/20240315114443/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/apps-access-admin-web-cache
# WebCache
- https://web.archive.org/web/20240315114443/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/apps-access-admin-web-cache
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache'
-
name: Clear Internet Explorer typed URLs
recommend: standard # Improves privacy with little downside since IE is outdated.
docs: |-
This script deletes recently typed or pasted URLs from Internet Explorer's history.
Internet Explorer stores typed URLs [1] [2] [3] [4].
It enables AutoComplete, which automatically suggests and fills in web addresses as you type [1] [4].
It's also used for populating the URL drop-down menu with previously visited sites [1] [4].
This data includes:
- **Typed URLs:** Web addresses entered in the address bar [4]
- **Typed filepaths:** Files or folders typed in some versions of Internet Explorer [1]
- **Visit dates:** The most recent access time for each entry [3] [4]
While this feature enhances usability, it may compromise privacy:
1. It reveals browsing habits, potentially exposing sensitive information [1].
2. Forensic analysts can use this data to study user web activity [1] [2] [3] [4].
3. Malware may exploit this data to redirect users to malicious sites [2] [5].
For example, the `Adware.StartPage` malware uses it to generate revenue by increasing website visits [2] [5].
The potential misuse of this data is exemplified by the Julie Amero case [2].
Amero, a substitute teacher, was wrongly convicted based on forensic evidence of typed URLs, despite her
computer being infected with malware generating unwanted pop-ups [2].
This incident underscores the importance of regular privacy maintenance to prevent misinterpretation
of browsing data and protect against unwarranted accusations.
Deleting this data improves privacy by:
- Reducing the risk of unauthorized access to browsing history
- Limiting potential exploitation by malware
- Minimizing digital footprints that could be used for user profiling
- Preventing misinterpretation of browsing data in unforeseen circumstances
This script improves privacy with little downside since Internet Explorer is outdated [6].
This script may also slightly improve system performance by freeing up disk space and
reducing the amount of stored data that Internet Explorer needs to process.
The script removes data from these registry locations:
- `HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs` [1] [4] [5]
Values are stored as strings named `url1`, `url2`, etc., with `url1` being the most recent entry [1] [4].
- `HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime` [3]
Values are stored as strings named `url1`, `url2`, etc., corresponding to the TypedURLs entries [3].
> **Caution:** This action may slow down your browsing in Internet Explorer by removing suggestions
> for previously accessed websites.
[1]: https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ "TypedURLs (Part 1) | Crucial Security Forensics Blog | crucialsecurityblog.harris.com"
[2]: https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/ "TypedURLs (Part 2) | Crucial Security Forensics Blog | crucialsecurityblog.harris.com"
[3]: https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html "Random Thoughts of Forensics: The Trouble with TypedUrlsTime | randomthoughtsofforensics.blogspot.com"
[4]: https://web.archive.org/web/20240801123756/https://forensafe.com/blogs/typedurls.html "Typed URLs Blog | forensafe.com"
[5]: https://web.archive.org/web/20151103125411/http://www.symantec.com/security_response/writeup.jsp?docid=2004-042715-3545-99&tabid=2 "Adware.StartPage Technical Details | Symantec | www.symantec.com"
[6]: https://web.archive.org/web/20240730124000/https://blogs.windows.com/windowsexperience/2022/06/15/internet-explorer-11-has-retired-and-is-officially-out-of-support-what-you-need-to-know/ "Internet Explorer 11 has retired and is officially out of support—what you need to know | Windows Experience Blog | blogs.windows.com"
call:
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs
-
function: ClearRegistryValues
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime
-
name: Clear "Temporary Internet Files" (browser cache)
recommend: standard
docs:
- https://en.wikipedia.org/wiki/Temporary_Internet_Files
- https://www.windows-commandline.com/delete-temporary-internet-files/ # %LOCALAPPDATA%\Temporary Internet Files
- https://www.thewindowsclub.com/temporary-internet-files-folder-location # %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files and INetCache
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Temporary Internet Files'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 📂 Unprotected on Windows 11 since 22H2
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files'
# This directory consists of 4 additional folders:
# - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5
# - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\IE
# - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Low
# - %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Virtualized
# Since Windows 10 22H2 and Windows 11 22H2, data files are observed in these subdirectories but not in the parent.
# The `IE` folder in particular contains many files. These folders are protected and hidden by default.
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCache'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Temporary Internet Files'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Clear Internet Explorer feeds cache
recommend: standard
docs: https://web.archive.org/web/20240314175030/https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Feeds Cache'
-
name: Clear Internet Explorer cookies
recommend: strict
docs:
- https://web.archive.org/web/20240314130055/https://learn.microsoft.com/en-us/windows/win32/wininet/managing-cookies
- https://web.archive.org/web/20240314130046/https://learn.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs
- https://www.thewindowsclub.com/cookies-folder-location-windows
call:
-
function: ClearDirectoryContents
parameters: # Windows 7 browsers
directoryGlob: '%APPDATA%\Microsoft\Windows\Cookies'
-
function: ClearDirectoryContents
parameters: # Windows 8 and higher
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\INetCookies'
-
name: Clear Internet Explorer DOMStore
recommend: standard
docs: |-
[Introduction to DOM Storage | msdn.microsoft.com](https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx)
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\InternetExplorer\DOMStore'
-
name: Clear Internet Explorer usage data
docs:
- https://web.archive.org/web/20240314101459/https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data
- https://web.archive.org/web/20240314175030/https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
- https://web.archive.org/web/20240314100550/https://forensafe.com/blogs/internetexplorer.html
# Includes Internet Explorer cache, tab recovery data, persistence storage (DOMStore, indexed DB etc.)
# Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\
# DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\,
# VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\
# EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\
# Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log,
# MSIMGSIZ.DAT
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Internet Explorer'
-
category: Clear Chrome history
children:
-
name: Clear Chrome crash reports
recommend: standard
docs: https://web.archive.org/web/20240314095801/https://www.chromium.org/developers/crash-reports/
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data\Crashpad\reports'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Google\CrashReports'
-
name: Clear Google's "Software Reporter Tool" logs
recommend: standard
docs: https://web.archive.org/web/20220808110009/https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/
call:
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Google\Software Reporter Tool\*.log'
-
name: Clear Chrome user data
docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md
call:
- # Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Google\Chrome\User Data'
-
category: Clear Firefox history
docs: |-
This category encompasses a series of scripts aimed at helping users manage and delete their browsing history and related data in Mozilla Firefox.
The scripts are designed to target different aspects of user data stored by Firefox, providing users options for maintaining privacy and freeing up disk space.
children:
-
name: Clear Firefox browsing history (URLs, downloads, bookmarks, visits, etc.)
# This script (name, documentation and code) is the same in the Linux and Windows collections.
# Changes should be made in both places.
# Marked: refactor-with-partials
docs: |-
This script targets the Firefox browsing history, including URLs, downloads, bookmarks, and site visits, by deleting specific database entries.
Firefox stores various user data in a file named `places.sqlite`. This file includes:
- Annotations, bookmarks, and favorite icons (`moz_anno_attributes`, `moz_annos`, `moz_favicons`) [1]
- Browsing history, a record of pages visited (`moz_places`, `moz_historyvisits`) [1]
- Keywords and typed URLs (`moz_keywords`, `moz_inputhistory`) [1]
- Item annotations (`moz_items_annos`) [1]
- Bookmark roots such as places, menu, toolbar, tags, unfiled (`moz_bookmarks_roots`) [1]
The `moz_places` table holds URL data, connecting to various other tables like `moz_annos`, `moz_bookmarks`, `moz_inputhistory`, and `moz_historyvisits` [2].
Due to these connections, the script removes entries from all relevant tables simultaneously to maintain database integrity.
**Bookmarks**: Stored across several tables (`moz_bookmarks`, `moz_bookmarks_folders`, `moz_bookmarks_roots`) [3], with additional undocumented tables like `moz_bookmarks_deleted` [4].
**Downloads**: Stored in the `places.sqlite` database, within the `moz_annos` table [5]. The entries in `moz_annos` are linked to the `moz_places` rows that store the actual history entry
(`moz_places.id = moz_annos.place_id`) [6]. Associated URL information is stored within the `moz_places` table [5]. Downloads were historically stored in `downloads.rdf` for Firefox 2.x
and below [7], and in `downloads.sqlite` later on [7].
**Favicons**: Older Firefox versions stored favicons in `places.sqlite` within the `moz_favicons` table [5], while newer versions use `favicons.sqlite` and the `moz_icons` table [5].
By executing this script, users can ensure their Firefox browsing history, bookmarks, and downloads are thoroughly removed, contributing to a cleaner and more private browsing experience.
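The table relationships described above can be checked with a short audit. This is an added example, not part of privacy.sexy (whose script deletes the database files outright); the in-memory database is a constructed stand-in for `places.sqlite`, and the linking columns (`place_id`, `fk`) are assumed from the public Places schema.

```python
import sqlite3

# Tables named in the docs that reference moz_places, with their linking column.
# Column names are assumptions taken from the public Places schema.
CHILD_TABLES = {
    "moz_historyvisits": "place_id",
    "moz_annos": "place_id",
    "moz_inputhistory": "place_id",
    "moz_bookmarks": "fk",
}


def build_sample_db():
    """Constructed, minimal stand-in for places.sqlite (not a real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER, content TEXT);
        CREATE TABLE moz_inputhistory (place_id INTEGER, input TEXT, use_count INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT);
        INSERT INTO moz_places VALUES (1, 'https://example.test/'),
                                      (2, 'https://example.test/file.zip');
        INSERT INTO moz_historyvisits VALUES (1, 1, 1700000000000000),
                                             (2, 2, 1700000001000000);
        INSERT INTO moz_annos VALUES (1, 2, 'file:///C:/Users/user/Downloads/file.zip');
        INSERT INTO moz_inputhistory VALUES (1, 'exam', 3);
        INSERT INTO moz_bookmarks VALUES (1, 1, 'Example');
    """)
    return conn


def existing_tables(conn):
    """Names of all tables present; the schema differs between Firefox versions."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}


def audit(conn):
    """Return {table: (row_count, orphan_count)} for the history-bearing tables.

    An orphan is a child row whose linking column points at a moz_places id
    that no longer exists, i.e. residue left behind by a partial cleanup.
    """
    present = existing_tables(conn)
    if "moz_places" not in present:
        return {}
    total = conn.execute("SELECT COUNT(*) FROM moz_places").fetchone()[0]
    report = {"moz_places": (total, 0)}
    # Table and column names come from the constant above, never from input.
    for table, col in CHILD_TABLES.items():
        if table not in present:
            continue
        total = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        orphans = conn.execute(
            f"SELECT COUNT(*) FROM {table} AS c "
            f"WHERE c.{col} IS NOT NULL AND NOT EXISTS "
            f"(SELECT 1 FROM moz_places AS p WHERE p.id = c.{col})"
        ).fetchone()[0]
        report[table] = (total, orphans)
    return report


def clear_places_only(conn):
    """Partial cleanup: URLs are gone, but every linked table keeps its rows."""
    with conn:
        conn.execute("DELETE FROM moz_places")


def clear_all(conn):
    """Clear child tables and moz_places together, in one transaction."""
    present = existing_tables(conn)
    with conn:
        for table in list(CHILD_TABLES) + ["moz_places"]:
            if table in present:
                conn.execute(f"DELETE FROM {table}")


if __name__ == "__main__":
    db = build_sample_db()
    clear_places_only(db)
    for name, (rows, orphans) in audit(db).items():
        print(f"{name}: rows={rows} orphans={orphans}")
```

After `clear_places_only`, visit timestamps, download paths, typed input and bookmark titles are all still present as orphans, which is the residue the simultaneous removal avoids.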
[1]: https://web.archive.org/web/20221029141626/https://kb.mozillazine.org/Places.sqlite "Places.sqlite - MozillaZine Knowledge Base | kb.mozillazine.org"
[2]: https://web.archive.org/web/20221030160803/https://wiki.mozilla.org/images/0/08/Places.sqlite.schema.pdf "Places.sqlite.schema.pdf | Mozilla Wiki"
[3]: https://web.archive.org/web/20221029145432/https://wiki.mozilla.org/Places:BookmarksComments "Places:BookmarksComments | MozillaWiki | wiki.mozilla.org"
[4]: https://web.archive.org/web/20221029145447/https://github.com/mozilla/application-services/issues/514 "Add a `moz_bookmarks_deleted` table for tombstones · Issue #514 · mozilla/application-services | GitHub | github.com"
[5]: https://web.archive.org/web/20221029145535/https://www.foxtonforensics.com/browser-history-examiner/firefox-history-location "Mozilla Firefox History Location | Firefox History Viewer | foxtonforensics.com"
[6]: https://web.archive.org/web/20221029145550/https://support.mozilla.org/en-US/questions/1319253 "Where does Firefox store SQLITE download history | Firefox Support Forum | Mozilla Support | support.mozilla.org"
[7]: https://web.archive.org/web/20221029145712/https://kb.mozillazine.org/Downloads.rdf "Downloads.rdf | MozillaZine Knowledge Base | kb.mozillazine.org"
call:
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: downloads.rdf
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: downloads.sqlite
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: places.sqlite
-
function: DeleteFilesFromFirefoxProfiles
parameters:
pathGlob: favicons.sqlite
-
name: Clear all Firefox user information and preferences
docs: |-
This script performs a reset of Mozilla Firefox, erasing all user profiles, settings, and personalized data to restore the
browser to its default state.
Firefox user profiles encompass bookmarks, browsing history, passwords, extensions, themes, and preferences [1].
These folders are in:
- `C:\Documents and Settings\<Windows login/user name>\Application Data\Mozilla\Firefox\Profiles\<profile folder>` on Windows XP and earlier [1],
- `%APPDATA%\Mozilla\Firefox\Profiles\<profile folder>` on Windows 10 and later [1].
> **Caution**:
> - Using this script results in a total loss of all personalized Firefox data.
> - If your goal is solely to clear browsing data while retaining settings and extensions, this script is not recommended.
> - Close Firefox before running this script to prevent potential issues.
[1]: https://web.archive.org/web/20231101125909/https://kb.mozillazine.org/Profile_folder_-_Firefox#Windows "Profile folder - Firefox - MozillaZine Knowledge Base | kb.mozillazine.org"
call:
- # Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Mozilla\Firefox\Profiles'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Mozilla\Firefox\Profiles'
- # Firefox installations from Microsoft Store
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Packages\Mozilla.Firefox_n80bbvh6b1yt2\LocalCache\Roaming\Mozilla\Firefox\Profiles'
-
name: Clear Opera history (user profiles, settings, and data)
call:
- # Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Opera\Opera'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Opera\Opera'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Opera\Opera'
-
category: Clear Safari history
children:
-
name: Clear Webpage Icons
recommend: standard
docs: https://www.sans.org/blog/safari-browser-forensics/
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\WebpageIcons.db'
-
name: Clear Safari cache
recommend: standard
docs: https://web.archive.org/web/20220710222903/https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cache.db'
-
name: Clear Safari cookies
recommend: strict
docs: https://web.archive.org/web/20240314101529/https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Apple Computer\Safari\Cookies.db'
-
name: Clear all Safari data (user profiles, settings, and data)
docs:
- https://web.archive.org/web/20240314101529/https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
- https://web.archive.org/web/20220710222903/https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
- https://web.archive.org/web/20240314091143/https://zerosecurity.org/2013/04/safari-forensic-tutorial/
call:
- # Windows XP
function: ClearDirectoryContents
parameters:
directoryGlob: '%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari'
- # Windows Vista and newer
function: ClearDirectoryContents
parameters:
directoryGlob: '%APPDATA%\Apple Computer\Safari'
-
category: Clear temporary Windows files
docs: |-
This category covers removal of temporary Windows files.
It is recommended to clean these files as they can be used for unauthorized analysis of user behavior and system usage [1].
They may also potentially host malicious software [2] [3].
Eliminating these files significantly enhances the security and privacy of the system.
Microsoft advises this cleanup for enhanced security [2]. Besides enhancing security, removing these files also frees up disk space.
However, removing temporary files might lead to a slight delay in initial application/system load times.
By regularly clearing these files, users reduce the chance of malware residing [2] [3] in these folders and prevent the unauthorized
use of their information for forensic analysis [1], serving as a simple and effective strategy for maintaining a secure and private system environment.
[1]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
[2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
[3]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
children:
-
name: Clear temporary system folder
recommend: standard
docs: |-
This script eliminates the contents of the `%WINDIR%\Temp\` directory, also known as the Windows Temp directory [1].
This directory is located within the Windows system folder `%SystemDrive%\Windows\Temp\` [1] [2].
It is used by the system and system-level processes to store temporary files, including those generated by the operating
system and other system-level software.
This folder, protected by specific access control lists (ACL) [3] [4], is accessible only to system-level accounts [2].
Because malware is known to use this directory, cleaning it is recommended for maintaining system security [2] [5]. Moreover,
it is used in forensics to analyze user behavior [6], which raises privacy concerns.
Microsoft underscores the importance of cleaning this folder to free up disk space [7], resolve system application issues [1] [8] [9],
and counteract malware [2]. Some system applications may populate this folder, taking up considerable disk space [7] [9] [10].
This script only deletes the contents of the `%WINDIR%\Temp\` directory, not the directory itself, to maintain system integrity,
security, and privacy, avoiding potential issues caused by unintentional directory deletion without proper ACL. Deleting the directory
itself might disrupt certain applications, such as `dism` [11], and application installers [12], while also removing the special ACL
that secures the folder.
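The difference between clearing a directory's contents and deleting and recreating it, as an added example that is not privacy.sexy's `ClearDirectoryContents` implementation. POSIX permission bits on constructed temporary directories stand in for the Windows ACL, which is an assumption made so the comparison runs anywhere.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def permission_bits(path):
    """Permission and special bits of a path (stand-in for a Windows ACL)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def clear_directory_contents(directory):
    """Remove everything inside `directory` but keep the directory itself.

    Links are unlinked, never followed, so data outside the directory is safe.
    Returns (removed_count, failures) so locked files do not abort the run.
    """
    root = Path(directory)
    if root.is_symlink() or not root.is_dir():
        raise NotADirectoryError(str(root))
    removed, failures = 0, []
    with os.scandir(root) as entries:
        for entry in list(entries):
            try:
                if entry.is_dir(follow_symlinks=False):
                    shutil.rmtree(entry.path)
                else:
                    os.unlink(entry.path)  # regular files and symlinks
                removed += 1
            except OSError as exc:
                failures.append((entry.path, exc))
    return removed, failures


def delete_and_recreate(directory):
    """The approach the docs warn against: the new directory gets default
    permissions instead of the ones that protected the original."""
    shutil.rmtree(directory)
    os.mkdir(directory)


def demo():
    """Run both strategies on constructed temp directories and compare."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        outside = Path(base, "outside")
        outside.mkdir()
        (outside / "keep.txt").write_text("must survive")
        strategies = (("clear", clear_directory_contents),
                      ("recreate", delete_and_recreate))
        for name, strategy in strategies:
            target = Path(base, name)
            target.mkdir()
            os.chmod(target, 0o1750)  # special permissions, like a temp dir
            (target / "a.tmp").write_text("x")
            (target / "sub").mkdir()
            (target / "sub" / "b.tmp").write_text("y")
            os.symlink(outside, target / "link")  # points outside the target
            before = permission_bits(target)
            strategy(target)
            results[name] = {
                "empty": not any(target.iterdir()),
                "mode_kept": permission_bits(target) == before,
                "outside_kept": (outside / "keep.txt").exists(),
            }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```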
[1]: https://web.archive.org/web/20231001145018/https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/error-0x800f0922-uninstall-role-feature "Error 0x800f0922 when you uninstall roles - Windows Server | Microsoft Learn"
[2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
[3]: https://web.archive.org/web/20231001145051/https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging#window-sysinternals-procdump "Enabling Postmortem Debugging - Windows drivers | Microsoft Learn"
[4]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
[5]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
[6]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
[7]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
[8]: https://web.archive.org/web/20231001150108/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/adr-updates-download-failure "Automatic deployment rule (ADR) fails to download updates - Configuration Manager | Microsoft Learn"
[9]: https://web.archive.org/web/20231001150158/https://support.microsoft.com/en-us/topic/error-message-112-setup-is-unable-to-decompress-and-copy-all-the-program-files-c8dadf2a-4e7e-11bf-6543-ab5560b7fc19 'Error Message 112 "Setup Is Unable to Decompress and Copy All the Program Files" - Microsoft Support'
[10]: https://web.archive.org/web/20231001150233/https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/unifiedcontent-folder-fills-up-drive "Exchange UnifiedContent folder fills up the drive - Exchange | Microsoft Learn"
[11]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
[12]: https://github.com/undergroundwires/privacy.sexy/issues/89 "Some installer failed to installer · Issue #89 · undergroundwires/privacy.sexy"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%WINDIR%\Temp'
-
name: Clear temporary user folder
recommend: standard
docs: |-
This script deletes the contents of the `%TEMP%\` (or `%LOCALAPPDATA%\Temp\` [1], `%TMP%\` [2]) directory, used by applications
and processes to store temporary files. This directory is situated within the user profile
`%SystemDrive%\Users\<username>\AppData\Local\Temp` [1] [2] [3]. Only the respective profile user can read and write to this folder [4].
Forensic analysis uses this folder to understand user behavior [5], which raises privacy concerns. Deleting its contents does not harm the system;
Windows system tools such as SilentCleanup (`cleanmgr.exe`) and Storage Sense (`storsvc.exe`) do so regularly [8]. On cloud machines,
Microsoft does not retain the contents of this directory and conducts automatic clean-ups to prevent data accumulation [6].
This script, while removing the contents, retains the directory to preserve the access control list (ACL) assigned by Microsoft [7], preventing potential
misconfigurations due to unintentional folder creation without proper ACL.
Microsoft recommends cleaning this folder to free disk space [8] and eliminate potential malware [9].
After running this script, a reboot is recommended so that applications accessing `%TEMP%` continue to function smoothly [8].
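The ACL-preservation approach described for `%WINDIR%\Temp\` and `%TEMP%\`, as an added PowerShell example (not privacy.sexy's own `ClearDirectoryContents` code): it empties a directory without removing it and confirms that the directory's security descriptor is unchanged afterwards. The function name `Clear-DirectoryKeepingAcl` and the sandbox directory are assumptions made for illustration.

```powershell
# Added example; not privacy.sexy's ClearDirectoryContents implementation.
# Clears a directory's contents while keeping the directory itself, then
# verifies that its security descriptor (owner, group, DACL) is unchanged.
function Clear-DirectoryKeepingAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $Path
    )
    # Expand variables such as %TEMP% or %WINDIR% in the supplied path.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded -PathType Container)) {
        Write-Host "Skipping: directory not found: $expanded"
        return $null
    }
    # Snapshot the security descriptor in SDDL form before touching anything.
    $sddlBefore = (Get-Acl -LiteralPath $expanded).Sddl
    $failed = 0
    # -Force includes hidden and system items. Only children are enumerated,
    # so the directory itself is never passed to Remove-Item.
    foreach ($item in Get-ChildItem -LiteralPath $expanded -Force) {
        try {
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete')) {
                Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
            }
        } catch {
            # Files held open by running processes are expected in temp folders.
            $failed++
            Write-Warning "Could not delete '$($item.FullName)': $($_.Exception.Message)"
        }
    }
    $sddlAfter = (Get-Acl -LiteralPath $expanded).Sddl
    [pscustomobject]@{
        Path         = $expanded
        StillExists  = Test-Path -LiteralPath $expanded -PathType Container
        AclUnchanged = ($sddlBefore -eq $sddlAfter)
        FailedItems  = $failed
        Sddl         = $sddlAfter
    }
}

# Constructed sandbox so the example runs without touching real temp content.
$sandbox = Join-Path ([IO.Path]::GetTempPath()) ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sandbox | Out-Null
New-Item -ItemType Directory -Path (Join-Path $sandbox 'nested') | Out-Null
Set-Content -LiteralPath (Join-Path $sandbox 'nested\a.tmp') -Value 'constructed sample'
Set-Content -LiteralPath (Join-Path $sandbox 'b.tmp') -Value 'constructed sample'

$result = Clear-DirectoryKeepingAcl -Path $sandbox
$result | Format-List
if (-not ($result.StillExists -and $result.AclUnchanged)) {
    throw 'Directory or its ACL was not preserved.'
}
# Remove the now-empty sandbox directory created for this demonstration.
Remove-Item -LiteralPath $sandbox -Force
```

Running the function with `-WhatIf` lists what would be deleted without removing anything.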
[1]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
[2]: https://web.archive.org/web/20231001150554/https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables "Recognized environment variables - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20231001150603/https://learn.microsoft.com/en-us/dotnet/api/system.io.path.gettemppath?view=net-7.0#examples "Path.GetTempPath Method (System.IO) | Microsoft Learn"
[4]: https://web.archive.org/web/20231001150917/https://learn.microsoft.com/en-us/windows/win32/shell/about-user-profiles "About User Profiles - Win32 apps | Microsoft Learn"
[5]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
[6]: https://web.archive.org/web/20231001150713/https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-troubleshoot-default-temp-folder-size-too-small-web-worker-role "Default TEMP folder size is too small for a role | Microsoft Learn"
[7]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
[8]: https://web.archive.org/web/20240120214444/https://learn.microsoft.com/en-us/troubleshoot/windows-server/shell-experience/temp-folder-with-logon-session-id-deleted "The %TEMP% folder with logon session ID is deleted - Windows Server | Microsoft Learn"
[9]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%TEMP%'
-
name: Clear prefetch folder
recommend: standard
docs: |-
This script deletes the contents of `%WINDIR%\Prefetch\*`, typically pointing to `C:\Windows\Prefetch\` [1] [2].
**What is Prefetch?**
Introduced in Windows XP [2], Prefetch was developed by Windows to expedite application startup [1] and the boot process [1] [2].
It works by preemptively loading data and code pages into memory from the disk before they are requested [2], monitoring applications' startup
page faults [2], and storing the gathered data in the Prefetch directory [2].
**Why Clear the Prefetch Directory?**
Over time, many files accumulate in the Prefetch directory. Clearing this directory enhances privacy and potentially frees disk space
by removing traces of recently used applications and files in the system, making unauthorized tracking of application usage more difficult.
Despite its design for improving application startup times [1], Prefetch can inadvertently expose information about the applications and files
accessed on the system [1]. Clearing the Prefetch directory addresses this issue by eliminating these traces.
Microsoft suggests deleting the Prefetch directory and its contents if significant system configuration changes occur, like adjustments to drivers,
services, or applications that start automatically [3]. This action eradicates any outdated prefetched data [3], ensuring that the system operates
with the most up-to-date and relevant data for application startups [3].
The files in the Prefetch directory are used for forensic purposes [4] [5], adding to the privacy concerns. They reveal information about application usage,
including data layout [4], access history on disk [4], last execution time [5], and the total number of times an application has been run [5]. Additionally,
they contain historical process information such as loaded libraries and process dependencies [6]. Erasing these files mitigates the risk of
this information being used for unauthorized tracking or analysis, improving your privacy.
**Trade-Off**
Clearing the Prefetch might cause a minor delay in application startup times until the necessary data is regenerated as applications are used again [2].
This is a compromise for heightened privacy and potentially freed disk space.
[1]: https://web.archive.org/web/20231001151015/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices "Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn"
[2]: https://web.archive.org/web/20231001151029/https://learn.microsoft.com/en-us/sysinternals/resources/archive/v03n02#windows-xp-prefetching "Sysinternals Newsletter Vol. 3, No. 2 - Sysinternals | Microsoft Learn"
[3]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft"
[4]: https://web.archive.org/web/20231001151107/https://ccsweb.lanl.gov/~kei/mypubbib/papers/TOS_13_diskseen.pdf "A Prefetching Scheme Exploiting both Data Layout and Access History on Disk | ccsweb.lanl.gov"
[5]: https://web.archive.org/web/20231001151150/https://www.justice.gov/sites/default/files/usao/legacy/2008/02/04/usab5601.pdf "Computer Forensics | justice.gov"
[6]: https://web.archive.org/web/20231001151207/https://par.nsf.gov/servlets/purl/10333089 "Malware Family Classification via Residual Prefetch Artifacts | par.nsf.gov"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%WINDIR%\Prefetch'
-
category: Clear Windows log and caches
children:
-
name: Clear thumbnail cache
call:
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Microsoft\Windows\Explorer\*.db'
-
category: Clear Windows system log files
children:
-
category: Clear Windows Update system logs
children:
-
name: Clear Windows update and SFC scan logs
recommend: standard
docs: https://web.archive.org/web/20231206191838/https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Temp\CBS'
-
name: Clear Windows Update Medic Service logs
recommend: standard
docs: https://web.archive.org/web/20231206191736/https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Logs\waasmedic'
-
name: Clear "Cryptographic Services" diagnostic traces
recommend: standard
docs: |-
This script removes specific files associated with the "Cryptographic Services".
The files include:
- `%SYSTEMROOT%\System32\catroot2\dberr.txt`
- `%SYSTEMROOT%\System32\catroot2.log`
- `%SYSTEMROOT%\System32\catroot2.jrs`
- `%SYSTEMROOT%\System32\catroot2.edb`
- `%SYSTEMROOT%\System32\catroot2.chk`
The "Cryptographic Services" (`CryptSvc`) service manages services such as key management for the computer [1] [2].
This service is used by different features, including Windows Updates [3] [4] [5].
There is no official documentation available for these files from Microsoft. However, after analyzing the internal workings of Windows, below
is a detailed explanation of the purpose, collected data, and privacy implications for each file:
| File name | Purpose | Data Collected | Privacy Implications |
| --------- | ------- | -------------- | -------------------- |
| `dberr.txt` | Logging database errors | Error messages and codes related to database operations | Potential system issues or vulnerabilities |
| `catroot2.log` | Logging activities, errors, or transactions related to cryptographic operations | Log data including status messages, error codes | System configurations and vulnerabilities |
| `catroot2.jrs` | Journal file for data integrity in cryptographic operations | Transaction logs or temporary cryptographic data | System's state and cryptographic operations |
| `catroot2.edb` | Storing certificate and signature data for Windows Update | Certificate and signature validation data, update details | Update history and security state |
| `catroot2.chk` | Ensuring data consistency in the ESE database | Information for database recovery | System state information |
This script deletes these files, improving user privacy by ensuring that sensitive information related to system configurations, vulnerabilities, and
cryptographic operations is not readily available.
[1]: https://web.archive.org/web/20231025233132/https://www.windows-security.org/windows-service/cryptographic-services "Cryptographic Services | Windows security encyclopedia | windows-security.org"
[2]: https://web.archive.org/web/20231025233145/https://revertservice.com/10/cryptsvc/ "Cryptographic Services (CryptSvc) Defaults in Windows 10 | revertservice.com"
[3]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231025233228/https://support.microsoft.com/en-us/topic/claims-to-windows-token-service-c2wts-not-starting-after-rebooting-server-52a2d131-cb9d-bf28-77d4-1663a99d03b3 "Claims to Windows Token Service (c2WTS) not starting after rebooting server - Microsoft Support | support.microsoft.com"
[5]: https://web.archive.org/web/20231025233251/https://learn.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/vss-error-8193-restart-cryptographic-services "VSS event 8193 when you restart the Cryptographic Services service after you install the DHCP role - Windows Server | Microsoft Learn | learn.microsoft.com"
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2\dberr.txt'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.jrs'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.edb'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\catroot2.chk'
-
name: Clear Server-initiated Healing Events system logs
docs: |-
These are logs related to Windows Update [1] [2].
It stores event trace log (ETL) files [3].
While the logs are largely technical, like many diagnostic logs, there's a potential for some data that could be considered personally identifiable information
(PII), such as usernames or machine names, to be included.
From a forensic standpoint, they offer valuable data for reconstructing system events related to software updates [3]:
- **Update History**: The logs can provide a history of updates, including those that failed and required remediation. This could be used to establish a timeline of events on a system.
- **System Integrity**: In forensic scenarios where the integrity of the system is in question, the SIH logs could be used to determine if there were any issues with updates, including
any that were automatically remediated.
- **Behavior Analysis**: While the primary purpose of the logs is not to capture user behavior, they can be part of a broader set of logs and data used in behavioral analysis, especially
when reconstructing events leading up to a particular system state or incident.
[1]: https://web.archive.org/web/20231020011710/https://raw.githubusercontent.com/Azure/azure-diskinspect-service/master/docs/manifest_by_file.md "Official Microsoft Documentation | azure-diskinspect-service/docs/manifest_by_file.md at master · Azure/azure-diskinspect-service | github.com"
[2]: https://web.archive.org/web/20231020012236/https://answers.microsoft.com/es-es/windows/forum/all/windows-10-carpeta-y-archivos-sih/4d318121-fed6-4202-8b92-d4dc236b468e "Windows 10 | Carpeta y archivos SIH - Microsoft Community"
[3]: https://tzworks.com/prototypes/tela/tela.users.guide.pdf "TZWorks Shim Database Parser (shims) Users Guide"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Logs\SIH'
-
name: Clear Windows Update logs
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Traces\WindowsUpdate'
-
name: Clear Optional Component Manager and COM+ components logs
recommend: standard
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\comsetup.log'
-
name: Clear "Distributed Transaction Coordinator (DTC)" logs
recommend: standard
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\DtcInstall.log'
-
name: Clear logs for pending/unsuccessful file rename operations
docs: |-
This script is used to clear the log files created by Windows whenever there are pending file rename operations
that are not successfully completed. The logged operations might include renaming, moving or deleting a file that is
currently in use [1].
[1]: https://web.archive.org/web/20230806191624/https://support.microsoft.com/en-us/topic/how-to-install-multiple-windows-updates-or-hotfixes-with-only-one-reboot-6247def4-7f39-c1a0-efe5-61f82849fb7c "How to install multiple Windows updates or hotfixes with only one reboot - Microsoft Support"
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\PFRO.log'
-
name: Clear Windows update installation logs
recommend: standard
docs: |-
This script is used to clear the log files created during the Windows update installation process. This includes both
the actions log (`setupact.log`) and the error log (`setuperr.log`).
These files contain information about initializing setup and are typically used if setup fails to launch [1].
[1]: https://web.archive.org/web/20230806191844/https://learn.microsoft.com/en-us/windows/deployment/upgrade/log-files "Log files and resolving upgrade errors - Windows Deployment | Microsoft Learn"
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\setupact.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\setuperr.log'
-
name: Clear Windows setup logs
recommend: standard
docs: https://web.archive.org/web/20240314130622/https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/windows-setup-log-file-locations
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\setupapi.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\inf\setupapi.app.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\inf\setupapi.dev.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\inf\setupapi.offline.log'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Panther'
-
name: Clear "Windows System Assessment Tool (`WinSAT`)" logs
recommend: standard
docs: https://web.archive.org/web/20240314125941/https://learn.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\Performance\WinSAT\winsat.log'
-
name: Clear password change events
recommend: standard
call:
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\debug\PASSWD.LOG'
-
name: Clear user web cache database
recommend: standard
docs: https://web.archive.org/web/20240314130843/https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/performance-issues-custom-default-user-profile
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\Windows\WebCache'
-
name: Clear system temp folder when not logged in
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Local\Temp'
-
name: Clear DISM (Deployment Image Servicing and Management) system logs
recommend: standard
docs: https://web.archive.org/web/20240314125948/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files?view=windows-11
call:
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\Logs\CBS\CBS.log'
-
function: DeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\Logs\DISM\DISM.log'
-
name: Clear Windows update files
docs: |-
This script clears the contents of the `%SYSTEMROOT%\SoftwareDistribution\` directory.
This action is sometimes called *resetting the Windows Update Agent* or *resetting Windows Update components* by Microsoft [1].
This directory contains Windows Update files [2] [3].
It includes logs of Windows updates [2] [4], downloaded updates [5], and database files related to the updates [2].
Over time, the size of this folder can increase [5], leading to potential disk space issues. Clearing this directory can help free up disk space [5].
This folder is used by Windows Updates [1] [6].
The `wuauserv` service, also known as "Windows Update Service" [7], uses this folder for its operations [1] [8] [9].
This service manages the Windows Update Agent (WUA) functionality [7].
Clearing this directory is generally safe, and sometimes, Microsoft even recommends this action to troubleshoot and resolve update-related
errors [1] [5] [6] [9] [10].
This script contributes to users' privacy and system efficiency by cleaning up old and potentially unnecessary update files.
[1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update#how-do-i-reset-windows-update-components "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231027190239/https://support.microsoft.com/en-us/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc "Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158) - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide#windows-update-files-or-automatic-update-files "Microsoft Defender Antivirus exclusions on Windows Server | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231027190425/https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs "Windows Update log files - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20231027190439/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/address-disk-space-issues-caused-by-winsxs "Large WinSxS directory causes disk space issues - Windows Client | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20231027190148/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/common-windows-update-errors "Common Windows Update errors - Windows Client | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20231027190357/https://revertservice.com/10/wuauserv/ "Windows Update (wuauserv) Service Defaults in Windows 10 | revertservice.com"
[8]: https://web.archive.org/web/20231027190213/https://support.microsoft.com/en-us/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c#WindowsVersion=Windows_11 "Troubleshoot problems updating Windows - Microsoft Support | support.microsoft.com"
[9]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20231029172022/https://support.microsoft.com/en-us/topic/you-receive-an-administrators-only-error-message-in-windows-xp-when-you-try-to-visit-the-windows-update-web-site-or-the-microsoft-update-web-site-d2c732b6-21e0-a2ce-8d18-303ed71736c9 'You receive an "Administrators only" error message in Windows XP when you try to visit the Windows Update Web site or the Microsoft Update Web site - Microsoft Support | support.microsoft.com'
call:
-
function: StopService
parameters:
serviceName: wuauserv
waitUntilStopped: 'true'
serviceRestartStateFile: '%APPDATA%\privacy.sexy-wuauserv' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation)
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\SoftwareDistribution'
-
function: StartService
parameters:
serviceName: wuauserv
serviceRestartStateFile: '%APPDATA%\privacy.sexy-wuauserv' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation)
-
name: Clear Common Language Runtime system logs
recommend: standard
call:
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageTraces'
-
function: ClearDirectoryContents
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageTraces'
-
name: Clear Network Setup Service Events system logs
recommend: standard
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\Logs\NetSetup'
-
name: Clear logs generated by Disk Cleanup Tool (`cleanmgr.exe`)
docs: |-
This script is used to clear the log files generated by the Disk Cleanup Tool (`cleanmgr.exe`). These logs are
generated when the Disk Cleanup Tool is used to free up disk space. Log files for this tool are stored in
`C:\Windows\System32\LogFiles\setupcln\` [1].
Erasing these logs can enhance user privacy by removing traces of the cleanup process. These logs are known to
be used in forensic analysis [2].
[1]: https://web.archive.org/web/20230806192546/https://ss64.com/nt/cleanmgr.html "Cleanmgr - Delete Junk and Temp files - Windows CMD - SS64.com | ss64.com"
[2]: https://archive.ph/2023.12.06-185637/https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ "Beyond good ol' Run key, Part 86 | Hexacorn | hexacorn.com"
call:
function: ClearDirectoryContents
parameters:
directoryGlob: '%SYSTEMROOT%\System32\LogFiles\setupcln'
-
name: Clear diagnostics tracking logs
recommend: standard
docs: |-
This script deletes primary telemetry files in Windows.
These files store event trace logs that are collected by the `DiagTrack` service [1] [2].
This service is also known as "Diagnostics Tracking Service" [3] or "Connected User Experiences and Telemetry" service [4].
These files are stored as Event Trace Log (`.etl`) files, also known as trace logs [5].
Contents of these files are transmitted to Microsoft servers [1] [2].
This service uses *AutoLogger* logs.
*AutoLogger* allows saving trace logs early in the operating system boot process before the user logs in [6].
This data is collected during system boot and shut-down, and typically read and deleted at each system boot [3].
The information collected is divided into two files:
- `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2]
- `%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl` [1] [2]
To modify or delete these files, `SYSTEM` rights are required [1], which this script provides.
The collected data varies based on the telemetry level set [2] and may include information about websites visited, application
and system performance, device activity, and memory dumps [7].
By deleting these telemetry files, this script prevents the `DiagTrack` service from sending a specific set of diagnostic and
usage data to Microsoft, enhancing user privacy by reducing data sharing.
[1]: https://web.archive.org/web/20231027164549/https://it-forensik.fiw.hs-wismar.de/images/a/a3/MT_MReuter.pdf "Options for using Event Tracing for Windows (ETW) to support forensic analyzes of process behavior in Windows 10 | University of Wismar"
[2]: https://web.archive.org/web/20230215084038/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/Analyse_Telemetriekomponente_1_2.pdf?__blob=publicationFile&v=3 "Analyse der Telemetriekomponente in Windows 10 | The national cyber security authority in Germany | bsi.bund.de"
[3]: https://web.archive.org/web/20231027164826/https://troopers.de/downloads/troopers19/TROOPERS19_DM_Telemetry.pdf "The Anatomy of Windows Telemetry | The national cyber security authority in Germany | troopers.de"
[4]: https://web.archive.org/web/20231027165627/https://revertservice.com/10/diagtrack/ "Connected User Experiences and Telemetry (DiagTrack) Service Defaults in Windows 10 | revertservice.com"
[5]: https://web.archive.org/web/20231027164529/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-log "Trace Log - Windows drivers | Microsoft Learn"
[6]: https://web.archive.org/web/20231027164510/https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session "Configuring and Starting an AutoLogger Session - Win32 apps | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
-
function: StopService
parameters:
serviceName: DiagTrack
waitUntilStopped: 'true'
serviceRestartStateFile: '%APPDATA%\privacy.sexy-DiagTrack' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation)
-
function: DeleteFiles
parameters:
fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl'
grantPermissions: 'true'
-
function: DeleteFiles
parameters:
fileGlob: '%PROGRAMDATA%\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl'
grantPermissions: 'true'
-
function: StartService
parameters:
serviceName: DiagTrack
serviceRestartStateFile: '%APPDATA%\privacy.sexy-DiagTrack' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation)
-
name: Clear event logs in Event Viewer application
docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information
code: |-
REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral
wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)
for /f "tokens=*" %%i in ('wevtutil.exe el') DO (
echo Deleting event log: "%%i"
wevtutil.exe cl %1 "%%i"
)
-
name: Clear Defender scan (protection) history
docs: |-
This script deletes the scan history kept by Microsoft Defender on your computer. Microsoft Defender logs detected threats but also gathers
and stores data about various other files it scans [1] [2]. While removing this history enhances your privacy, it might decrease security,
as these logs assist in monitoring threats. By eliminating traces of your system's files, activities and any threats detected, you ensure
no residual data can be utilized to study or analyze your computer's activities, thus protecting your privacy.
Defender keeps a log of various details whenever it scans your computer for threats. This includes [3] [4]:
- **Time**: The moment the threat was discovered.
- **Threat Status**: The action carried out against the threat.
- **Virus Type**: The type or category of the virus.
- **Threat ID**: A unique identifier for the threat.
- **Virus Name**: The name of the virus.
- **File Path**: The location of the threat on your computer.
- **File Hash**: A unique code representing the file.
- **Quarantine File Name (GUID)**: The name given to the quarantined threat.
- **File Size**: The size of the file.
When you first set up Windows, it conducts an initial scan [1]. This scan identifies system files that won't require future
scans [1]. These 'safe' files are saved in a unique folder, which becomes a part of the scan history [1].
If a threat is recognized, Microsoft Defender will notify you [4]. Regardless of whether you choose to run the file or not, a
`DetectionHistory` file is created [2]. This file is stored in a specific folder
(`%ProgramData%\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\[numbered folder]\`), and it contains a
system-generated ID for the event [2].
> **Caution:** Deleting these logs may decrease your security. These logs help in keeping track of potential threats and their sources,
allowing for a more proactive response in future encounters. Without this history, Microsoft Defender might not recognize recurring threats
as quickly, possibly leaving your system more vulnerable. It's essential to understand that you're making a trade-off between enhanced
privacy and potentially reduced security.
[1]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft"
[2]: https://web.archive.org/web/20230829143754/https://www.sans.org/blog/uncovering-windows-defender-real-time-protection-history-with-dhparser/ "Uncovering Windows Defender Real-time Protection History with DHParser | SANS Alumni Blog"
[3]: https://web.archive.org/web/20230829144957/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/defender/msft-mpthreatdetection "MSFT\_MpThreatDetection class | Microsoft Learn"
[4]: https://web.archive.org/web/20230829144434/https://forensafe.com/blogs/windows_defender.html "Windows Defender | Forensafe"
call:
function: ClearDirectoryContents # Otherwise it cannot access/delete files under `Scans\History`, see https://github.com/undergroundwires/privacy.sexy/issues/246
parameters:
directoryGlob: '%ProgramData%\Microsoft\Windows Defender\Scans\History'
grantPermissions: 'true' # Running as TrustedInstaller is not needed, and causes Defender to alarm https://github.com/undergroundwires/privacy.sexy/issues/264
-
name: Clear credentials in Windows Credential Manager
call:
function: RunPowerShell
parameters:
code: |-
$cmdkeyPath = Get-Command cmdkey -ErrorAction SilentlyContinue
if (-not $cmdkeyPath) {
throw 'Failed to find the `cmdkey` utility on this system.'
}
$cmdkeyListOutput = & $cmdkeyPath /list
if ($LASTEXITCODE -ne 0) {
throw "Failed to execute `cmdkey /list`. Exit code: $LASTEXITCODE."
}
if (-not $cmdkeyListOutput) {
throw 'Failed to retrieve credentials list. The output from `cmdkey /list` is empty.'
}
$credentialEntries = @($cmdkeyListOutput | Select-String 'Target')
if (-not $credentialEntries) {
Write-Host 'Skipping: No credentials found for deletion.'
exit 0
}
$allCredentialsDeletedSuccessfully = $true
Write-Host "Total of $($credentialEntries.Length) credential(s) found. Initiating deletion..."
foreach ($credentialEntry in $credentialEntries) {
if ($credentialEntry -notmatch 'Target:(.+)') {
Write-Error "Failed to parse credential from output: $credentialEntry"
$allCredentialsDeletedSuccessfully = $false
continue
}
$credentialTargetName = $matches[1].Trim()
Write-Host "Deleting credential: `"$credentialTargetName`"..."
& $cmdkeyPath /delete:$credentialTargetName
if ($LASTEXITCODE -ne 0) {
Write-Error "Failed to delete credential '$credentialTargetName'. `cmdkey` returned exit code: $LASTEXITCODE."
$allCredentialsDeletedSuccessfully = $false
} else {
Write-Host "Successfully deleted credential: `"$credentialTargetName`"."
}
}
if (-not $allCredentialsDeletedSuccessfully) {
Write-Warning 'Failed to delete some credentials. Please check the error messages above.'
} else {
Write-Host "Successfully deleted all $($credentialEntries.Length) credential(s)."
}
-
name: Remove the controversial `defaultuser0` user
docs: https://github.com/undergroundwires/privacy.sexy/issues/30
recommend: standard
code: net user defaultuser0 /delete 2>nul
-
name: Empty trash (Recycle Bin)
call:
function: RunPowerShell
parameters:
code: |-
$bin = (New-Object -ComObject Shell.Application).NameSpace(10)
$bin.items() | ForEach {
Write-Host "Deleting $($_.Name) from Recycle Bin"
Remove-Item $_.Path -Recurse -Force
}
-
name: Minimize DISM "Reset Base" update data
recommend: standard
docs: |-
This script diminishes unnecessary system data, thus enhancing your privacy and performance.
The **DISM tool** is used to manage Windows images and is often used to fix issues with the Windows operating system [1].
The **"Reset Base"** option can help to reduce the size of the WinSxS folder [2]. Once "Reset Base" is enabled, you cannot
uninstall any previous updates [2]. This script activates the **"Reset Base"** feature, minimizing the size of the WinSxS folder.
It contributes to the reduction of redundant data, enhancing both the performance of your system and your privacy.
The **WinSxS folder**, also known as the "Windows Side by Side" folder, is a component of the Windows operating system [3].
It is located in the Windows directory (for example, `C:\Windows\WinSxS`) [3]. The WinSxS folder is used to store system
components that are required for the installation of Windows [3]. It also stores components that are added to the system
through Windows updates [3].
The **Windows Component Store** contains all the files that are required for Windows features on demand [3].
> **Caution:** Once the "Reset Base" operation is activated, you will not be able to uninstall previous updates. However, this
small trade-off improves your privacy and control over system data.
[1]: https://web.archive.org/web/20230806160623/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/what-is-dism?view=windows-11 "DISM Overview | Microsoft Learn"
[2]: https://web.archive.org/web/20230806160827/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11 "Clean Up the WinSxS Folder | Microsoft Learn"
[3]: https://web.archive.org/web/20230710000943/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/manage-the-component-store?view=windows-11 "Manage the Component Store | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration
valueName: DisableResetbase
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H1) | Missing on Windows 11 Pro 21H1 | `1` on Windows 11 Pro (≥ 22H2)
-
name: Remove Windows product key from registry
# Helps to protect it from being stolen and used for identity theft or identifying you.
docs: https://web.archive.org/web/20240314100853/https://winaero.com/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/
# We use cscript.exe to execute instead of `slmgr` command directly to keep the output but suppress the dialogs.
code: cscript.exe //nologo "%SYSTEMROOT%\System32\slmgr.vbs" /cpky
-
name: Clear volume backups (shadow copies)
docs:
- https://web.archive.org/web/20240314130354/https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
code: vssadmin delete shadows /all /quiet
-
name: Remove associations of default apps
recommend: standard
code: dism /online /Remove-DefaultAppAssociations
-
name: Clear System Resource Usage Monitor (SRUM) data
recommend: standard
docs: |-
This script deletes the Windows System Resource Usage Monitor (SRUM) database file.
SRUM tracks the usage of desktop applications, services, Windows applications, and network connections [1] [2] [3]. SRUM stores its file at
`C:\Windows\System32\sru\SRUDB.dat` [1] [3] [4].
Before deleting the file, the script temporarily stops the Diagnostic Policy Service (DPS). The DPS helps Windows detect and solve problems with its
components [4]. The service must be stopped first because the SRUM file cannot be modified while it is running [5].
Deleting this file can enhance user privacy as it contains usage data and is often used for forensic analysis of user behavior [1] [6].
[1]: https://web.archive.org/web/20231013164746/https://raw.githubusercontent.com/libyal/esedb-kb/main/documentation/System%20Resource%20Usage%20Monitor%20%28SRUM%29.asciidoc "esedb-kb/documentation/System Resource Usage Monitor (SRUM).asciidoc at main · libyal/esedb-kb | github.com"
[2]: https://web.archive.org/web/20231004161112/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809 "Windows 10, version 1809 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn"
[3]: https://web.archive.org/web/20231004161132/https://security.opentext.com/appDetails/SRUM-Database-Parser "SRUM Database Parser | security.opentext.com"
[4]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#diagnostic-policy-service "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
[5]: https://web.archive.org/web/20231008135321/https://devblogs.microsoft.com/sustainable-software/measuring-your-application-power-and-carbon-impact-part-1/ "Measuring Your Application Power and Carbon Impact (Part 1) - Sustainable Software | devblogs.microsoft.com"
[6]: https://web.archive.org/web/20231008135333/https://www.sciencedirect.com/science/article/abs/pii/S1742287615000031 "Forensic implications of System Resource Usage Monitor (SRUM) data in Windows 8 | Yogesh Khatri | sciencedirect.com"
call:
-
# If the service is not stopped, the following error is thrown:
# Failed to delete SRUM database file at: "C:\Windows\System32\sru\SRUDB.dat". Error Details: The process cannot access
# the file 'C:\Windows\System32\sru\SRUDB.dat' because it is being used by another process
function: StopService
parameters:
serviceName: DPS
waitUntilStopped: 'true'
serviceRestartStateFile: '%APPDATA%\privacy.sexy-DPS' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation)
-
function: DeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\sru\SRUDB.dat'
grantPermissions: 'true'
-
function: StartService
parameters:
serviceName: DPS
serviceRestartStateFile: '%APPDATA%\privacy.sexy-DPS' # Marked: refactor-with-variables (app dir should be unified, not using %TEMP% as it can be cleaned during operation)
-
name: Clear previous Windows installations
call:
function: DeleteDirectory
parameters:
directoryGlob: '%SYSTEMDRIVE%\Windows.old'
grantPermissions: 'true'
-
category: Disable OS data collection
children:
-
name: Disable Recall
recommend: strict
docs: |-
This script disables the Recall feature to address serious privacy concerns.
Recall is an AI feature introduced in Windows 11 on Copilot+ PCs [1] [2] [3] [4] [5].
It is designed to capture and store snapshots of your screen and analyze them [1] [2] [3] [4] [5] [6] [7].
This feature allows users to browse and search their past activities, such as images and text [1] [2] [3] [4] [5] [6] [7].
Recall includes a component called 'screenray'.
This component analyzes the snapshot's contents and lets you interact with elements within it [3] [5] [6].
This script will also disable the screenray feature [6].
This feature is enabled by default, so Windows will capture and store screen snapshots [2] [5] [6].
They remain on your computer for months by default [4].
Recall captures screenshots frequently, as often as multiple times a minute [1] [2] [4].
These screenshots may include all visible content such as app data, websites, images, and documents [2] [5].
It may even include sensitive information like passwords and bank account numbers [2] [3].
The data is indexed, and the indexes are stored locally on your computer [5].
This feature raises significant security and privacy concerns.
Experts sometimes describe this feature as a 'privacy nightmare' [4] [7] or 'keylogger' [4] due to these concerns.
The privacy risks associated with this feature include:
- **Misuse**:
This data is stored locally on your computer [1] [2] [5] [7].
It poses a risk of unauthorized access to your sensitive and private data [4] [7].
Potential threats include malicious attackers, state actors, colleagues, or family members who could misuse this
information for identity theft, financial crime, phishing, or coercion.
- **Microsoft data collection**:
Microsoft's data collection policies may change.
As Mozilla expressed, this raises concerns about potential data sharing with law enforcement or the use of the data
for targeted advertising or AI training in the future [7].
- **Storing sensitive data**:
Microsoft does not perform content moderation on the snapshots [2] [3] [4] [7].
This means that sensitive information such as passwords or financial account numbers is visible and stored [2] [3],
posing a significant privacy and security risk.
- **Opt-in**:
The feature is enabled by default [2] [6], and users can opt out of certain sites only if they are using Microsoft Edge [3].
This limits user control over their privacy.
- **Lack of transparency:**
Microsoft states that the snapshots are not sent to its servers [2] [7]
and that all analysis is conducted locally [1] [2] [3] [7].
However, Microsoft has not specified whether it collects the results of these analyses or any related diagnostic data.
The United Kingdom's data protection agency finds this lack of transparency worrying [4] [7].
- **Language model vulnerabilities:**
Language models' susceptibility to attacks such as prompt engineering underlines the security risks of this feature [8].
More about security vulnerabilities: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/).
This script configures the `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot!DisableAIDataAnalysis` registry value [6].
By running this script, you enhance your privacy by preventing the storage and analysis of snapshots on your device [6],
thereby mitigating the associated risks.
[1]: https://web.archive.org/web/20240523143034/https://support.microsoft.com/en-us/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c "Retrace your steps with Recall - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240523143048/https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15 "Privacy and control over your Recall experience - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240523143210/https://learn.microsoft.com/en-us/windows/client-management/manage-recall "Manage Recall for Windows clients - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240523122636/https://www.bleepingcomputer.com/news/microsoft/microsofts-new-windows-11-recall-is-a-privacy-nightmare/ "Microsoft's new Windows 11 Recall is a privacy nightmare | www.bleepingcomputer.com"
[5]: https://web.archive.org/web/20240523143240/https://blogs.microsoft.com/blog/2024/05/20/introducing-copilot-pcs/ "Introducing Copilot+ PCs - The Official Microsoft Blog | blogs.microsoft.com"
[6]: https://web.archive.org/web/20240522162728/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis "WindowsAI Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240523155006/https://www.bbc.com/news/articles/cpwwqp6nx14o "Microsoft Copilot+ Recall feature 'privacy nightmare' | www.bbc.com"
[8]: https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot
valueName: DisableAIDataAnalysis
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable app access to personal information
docs: |- # refactor-with-variables: Same • App Access Caution
This category enhances your privacy by restricting app access to sensitive personal data.
These scripts enable you to enforce the *principle of least privilege*, ensuring that apps only have
access to the information absolutely necessary for their legitimate function, thereby minimizing potential
data misuse.
It specifically targets UWP (Universal Windows Platform) apps.
These apps can be both native system apps [1] and third-party apps [2].
They are typically available through the Microsoft Store [1] [2].
These scripts only affect UWP apps, not desktop applications outside the UWP ecosystem.
By disabling default app access to personal information and requiring explicit user permission,
these scripts protect your security and privacy.
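To check the result after running the scripts in this category, the following read-only PowerShell audit reports whether each access type is blocked. It is an added example, not part of privacy.sexy's own code. It assumes the standard machine-wide Windows registry locations for the `AppPrivacy` policies and the capability consent store; the `$targets` table, function names, and state labels are illustrative, and legacy device access entries and per-user settings are not checked.

```powershell
# Read-only audit of UWP app access settings. It changes nothing.
# Assumption: standard machine-wide Windows locations (not taken from this file).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$consentKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

# Policy and capability names used by the scripts in this category.
# Capability is $null where the script sets no consent store entry.
$targets = @(
    @{ Access = 'Location';            Policy = 'LetAppsAccessLocation';       Capability = 'location' }
    @{ Access = 'Account information'; Policy = 'LetAppsAccessAccountInfo';    Capability = 'userAccountInformation' }
    @{ Access = 'Motion activity';     Policy = 'LetAppsAccessMotion';         Capability = 'activity' }
    @{ Access = 'Trusted devices';     Policy = 'LetAppsAccessTrustedDevices'; Capability = $null }
    @{ Access = 'Unpaired devices';    Policy = 'LetAppsSyncWithDevices';      Capability = $null }
    @{ Access = 'Camera';              Policy = 'LetAppsAccessCamera';         Capability = 'webcam' }
    @{ Access = 'Microphone';          Policy = 'LetAppsAccessMicrophone';     Capability = 'microphone' }
    @{ Access = 'App diagnostics';     Policy = 'LetAppsGetDiagnosticInfo';    Capability = 'appDiagnostics' }
)

function Get-RegistryValueOrNull {
    # Returns the value data, or $null when the key or the value is missing.
    param([string] $KeyPath, [string] $ValueName)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return $null }
    return $key.GetValue($ValueName, $null)
}

function Resolve-AppAccessState {
    # Policy values: 0 = user in control, 1 = force allow, 2 = force deny.
    # A forced policy overrides the consent store; otherwise the consent store decides.
    param($PolicyValue, $ConsentValue)
    if ($null -ne $PolicyValue -and $PolicyValue -isnot [int]) {
        return 'Invalid: policy value is not a REG_DWORD'
    }
    if ($PolicyValue -eq 2)        { return 'Blocked by policy (force deny)' }
    if ($PolicyValue -eq 1)        { return 'Allowed by policy (force allow)' }
    if ($ConsentValue -eq 'Deny')  { return 'Blocked by consent store' }
    if ($ConsentValue -eq 'Allow') { return 'Allowed by consent store' }
    return 'User decides (nothing configured)'
}

$report = foreach ($target in $targets) {
    $policy  = Get-RegistryValueOrNull -KeyPath $policyKey -ValueName $target.Policy
    $consent = $null
    if ($target.Capability) {
        $consent = Get-RegistryValueOrNull -KeyPath "$consentKey\$($target.Capability)" -ValueName 'Value'
    }
    [pscustomobject]@{
        Access  = $target.Access
        Policy  = $policy
        Consent = $consent
        State   = Resolve-AppAccessState -PolicyValue $policy -ConsentValue $consent
    }
}

$report | Format-Table -AutoSize

# Summarize entries that are not blocked so they stand out in the output.
$notBlocked = @($report | Where-Object { $_.State -notlike 'Blocked*' })
if ($notBlocked.Count -gt 0) {
    Write-Warning "$($notBlocked.Count) access type(s) are not blocked: $($notBlocked.Access -join ', ')"
}
```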
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427123038/https://learn.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide "What's a Universal Windows Platform (UWP) app? - UWP applications | Microsoft Learn | learn.microsoft.com"
children:
-
name: Disable app access to location
recommend: standard
docs: |- # refactor-with-variables: Same • App Access Caution
This script prevents Windows apps from accessing your location [1].
It restricts access to location-specific network information [2] and sensors [2] [3],
enhancing your privacy and security.
This script configures:
- Windows policy (`LetAppsAccessLocation` [1] [3])
- Privacy settings user interface (`BFA794E4-F964-4FDB-90F6-51056BFE4B44` [4], `location` [2] [5])
- Location Services (`E6AD100E-5F4E-44CD-BE0F-2265D88D14F5` [4], `lfsvc` [6])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesslocation "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
[6]: https://web.archive.org/web/20231206211616/https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/privacy-settings-reg-keys?forum=win10itprosetup "Privacy Settings Reg Keys | social.technet.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessLocation
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: location
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration # Location Services
valueName: Status
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{BFA794E4-F964-4FDB-90F6-51056BFE4B44}'
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{E6AD100E-5F4E-44CD-BE0F-2265D88D14F5}'
-
name: Disable app access to account information, name, and picture
recommend: standard # refactor-with-variables: Same • App Access Caution
docs: |-
This script prevents Windows apps from accessing account information [1].
This includes your name and picture [2] [3].
By limiting this access, the script enhances your privacy by protecting against potential
misuse of personal details by apps.
This script configures:
- Windows policy (`LetAppsAccessAccountInfo` [1] [2])
- Privacy settings user interface (`C1D23ACC-752B-43E5-8448-8D0E519CD6D6` [4], `userAccountInformation` [3] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessaccountinfo "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#187-account-info "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessAccountInfo
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: userAccountInformation
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}'
-
name: Disable app access to motion activity
recommend: standard # refactor-with-variables: Same • App Access Caution
docs: |-
This script prevents Windows apps from accessing motion data [1] [2] [3].
By running this script, you improve your privacy by preventing apps from
automatically tracking physical movements without permission.
This script configures:
- Windows policy (`LetAppsAccessMotion` [1] [2]).
- Privacy settings user interface (`activity` [3] [4]).
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessmotion "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1818-motion "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessMotion
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: activity
-
name: Disable app access to trusted devices
recommend: standard # refactor-with-variables: Same • App Access Caution
docs: |-
This script prevents Windows apps from accessing trusted devices [1].
It restricts apps from automatically connecting to or controlling trusted devices without your
permission, enhancing privacy protection.
This script configures:
- Windows policy (`LetAppsAccessTrustedDevices` [1])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesstrusteddevices "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessTrustedDevices
-
name: Disable app access to unpaired wireless devices
recommend: standard # refactor-with-variables: Same • App Access Caution
docs: |-
This script prevents Windows apps from communicating with unpaired wireless devices [1].
It prevents automatic sharing and synchronization of information with devices that aren't paired [2] [3] [4].
For example, these devices can be gaming consoles (e.g., Xbox One [2]), phones, TVs, or tablets.
By preventing apps from sending or receiving data from such devices, this script protects your security
and privacy.
This script configures:
- Windows policy (`LetAppsSyncWithDevices` [1] [2])
- Privacy settings user interface (`LooselyCoupled` [3] [4]).
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappssyncwithdevices "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1815-other-devices "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[4]: https://web.archive.org/web/20240427100504/https://4sysops.com/archives/windows-10-privacy-settings/#rtoc-18 "Windows 10 privacy settings 4sysops | 4sysops.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsSyncWithDevices
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: LooselyCoupled
-
name: Disable app access to camera
docs: |- # refactor-with-variables: Same • App Access Caution
This script prevents Windows apps from accessing the camera [1] [2].
By disabling access, it ensures that no app can use the camera to capture photos or videos [3]
without explicit user permission, thereby protecting privacy.
This script configures:
- Windows policy (`LetAppsAccessCamera` [1] [2])
- Privacy settings user interface (`E5323777-F976-4f5b-9B55-B94699C46E44` [4], `webcam` [3] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscamera "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#182-location "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessCamera
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: webcam
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{E5323777-F976-4f5b-9B55-B94699C46E44}'
-
name: Disable app access to microphone (breaks Sound Recorder)
docs: |- # refactor-with-variables: Same • App Access Caution
This script prevents Windows apps from accessing the microphone [1] [2].
It enhances privacy by preventing apps from recording audio [3], which may include sensitive conversations.
This script configures:
- Windows policy (`LetAppsAccessMicrophone` [1] [2])
- Privacy settings user interface (`2EEF81BE-33FA-4800-9670-1CD474972C3F` [4], `microphone` [3] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> Disabling microphone access will impact recording sounds with the built-in Sound Recorder (formerly Voice Recorder) app [6].
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessmicrophone "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#184-microphone "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
[6]: https://web.archive.org/web/20240427140021/https://learn.microsoft.com/en-us/hololens/hololens-cortana "Use your voice to operate HoloLens | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessMicrophone
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: microphone
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{2EEF81BE-33FA-4800-9670-1CD474972C3F}'
-
name: Disable app access to information about other apps
recommend: standard # refactor-with-variables: Same • App Access Caution
docs: |-
This script prevents Windows apps from accessing diagnostic information about other apps [1] [2] [3] [4].
This includes details like user names [1], package information, memory usage, and account
names for any running UWP apps [2].
This script configures:
- Windows policy (`LetAppsGetDiagnosticInfo` [1] [3])
- Privacy settings user interface (`2297E4E2-5DBE-466D-A12B-0F8286F0D9CA` [4], `appDiagnostics` [2] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsgetdiagnosticinfo "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1820-app-diagnostics "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsGetDiagnosticInfo
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: appDiagnostics
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{2297E4E2-5DBE-466D-A12B-0F8286F0D9CA}'
-
category: Disable app access to your files
docs: |- # refactor-with-variables: Same • App Access Caution
This category limits the access of Windows apps to various user-specific folders and other file systems.
It enhances privacy by restricting apps from accessing and manipulating files without explicit user permission.
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
children:
-
name: Disable app access to "Documents" folder
recommend: standard
docs: |- # refactor-with-variable: Similar template to other file access restriction scripts
This script prevents Windows apps from accessing the Documents folder [1] [2].
It restricts app access to document files without user consent [1].
After running this script, apps can still access the files when explicitly permitted [1].
This script enhances your privacy and security by preventing unauthorized app access.
This script configures:
- Privacy settings user interface (`documentsLibrary` [1] [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: documentsLibrary
-
name: Disable app access to "Pictures" folder
recommend: standard
docs: |- # refactor-with-variable: Similar template to other file access restriction scripts
This script prevents Windows apps from accessing the Pictures folder [1] [2].
It restricts app access to photos and images without user consent [1].
After running this script, apps can still access the files when explicitly permitted [1].
This script enhances your privacy and security by preventing unauthorized app access.
This script configures:
- Privacy settings user interface (`picturesLibrary` [1] [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This may specifically impact photo-related apps [1].
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: picturesLibrary
-
name: Disable app access to "Videos" folder
recommend: standard
docs: |- # refactor-with-variable: Similar template to other file access restriction scripts
This script prevents Windows apps from accessing the Videos folder [1] [2].
It restricts app access to video files without user consent [1].
After running this script, apps can still access the files when explicitly permitted [1].
This script enhances your privacy and security by preventing unauthorized app access.
This script configures:
- Privacy settings user interface (`videosLibrary` [1] [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This may specifically impact movie playback apps [1].
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: videosLibrary
-
name: Disable app access to "Music" folder
recommend: standard
docs: |- # refactor-with-variable: Similar template to other file access restriction scripts
This script prevents Windows apps from accessing the Music folder [1].
It restricts app access to audio files without user consent [1].
After running this script, apps can still access the files when explicitly permitted [1].
This script enhances your privacy and security by preventing unauthorized app access.
This script configures:
- Privacy settings user interface (`musicLibrary` [1])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: musicLibrary
-
name: Disable app access to personal files
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution • Template as other file access restriction scripts
This script restricts app access to the broader file system [1] [2].
It restricts apps from accessing, without user consent, any files that the user has access to [2].
After running this script, apps can still access the files when explicitly permitted [1].
This script enhances your privacy and security by preventing unauthorized app access.
This script configures:
- Privacy settings user interface (`broadFileSystemAccess` [1] [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: broadFileSystemAccess
-
name: Disable app access to your contacts
recommend: standard # refactor-with-variable: Same • App Access Caution
docs: |-
This script prevents Windows apps from accessing your contact list [1] [2] [3] [4] [5].
Your contact list may include sensitive details synced from various networks [2].
This script improves privacy by safeguarding personal and sensitive details in your contact list
by restricting applications from automatically accessing it.
This script configures:
- Windows policy (`LetAppsAccessContacts` [1] [3])
- Privacy settings user interface (`7D7E8402-7C54-4821-A34E-AEEFD62DED93` [4], `contacts` [2] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscontacts "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#188-contacts "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessContacts
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: contacts
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{7D7E8402-7C54-4821-A34E-AEEFD62DED93}'
-
name: Disable app access to notifications
recommend: strict # Users may need notifications from apps like Instagram and WhatsApp #339
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing notifications [1] [2] [3].
It enhances privacy by ensuring that apps cannot access [1] [2] [3] or manage [4] notifications
without explicit user permission.
Notifications can contain personal or sensitive information.
This script configures:
- Windows policy (`LetAppsAccessNotifications` [1] [2])
- Privacy settings user interface (`52079E78-A92B-413F-B213-E8FE35712E72` [3], `userNotificationListener` [4] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This may disrupt essential functions, such as receiving alerts from messaging apps including Instagram and WhatsApp [6].
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessnotifications "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#185-notifications "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[4]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
[6]: https://web.archive.org/web/20240428104000/https://github.com/undergroundwires/privacy.sexy/issues/339 "[BUG]: Ran the standard protection and now my Windows does not display notifications to apps like Instagram and Whatsapp · Issue #339 · undergroundwires/privacy.sexy · GitHub | github.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessNotifications
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: userNotificationListener
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{52079E78-A92B-413F-B213-E8FE35712E72}'
-
name: Disable app access to calendar
recommend: standard # refactor-with-variable: Same • App Access Caution
docs: |-
This script prevents Windows apps from accessing the calendar data [1] [2] [3] [4] [5].
This includes information about appointments from your synced network accounts [2].
It protects your personal schedule by preventing apps from automatically creating [2],
reading [1] [2] [3] [4] [5] or writing to calendars [2] without explicit user permission.
This script configures:
- Windows policy (`LetAppsAccessCalendar` [1] [3])
- Privacy settings user interface (`D89823BA-7180-4B81-B50C-7E471E6121A3` [4], `appointments` [2] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscalendar "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#189-calendar "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessCalendar
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: appointments
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{D89823BA-7180-4B81-B50C-7E471E6121A3}'
-
category: Disable app access to phone
docs: |- # refactor-with-variable: Same • App Access Caution
This category contains scripts that restrict app access to phone-related functionalities.
They protect your privacy and security by ensuring communication details remain private and
are accessible only when necessary.
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
children:
-
name: Disable app access to call history
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing your call history [1] [2] [3] [4] [5].
It protects past communication records by blocking apps from
automatically reading and deleting call history [1] without explicit user permission.
This script configures:
- Windows policy (`LetAppsAccessCallHistory` [2] [3])
- Privacy settings user interface (`8BC668CF-7728-45BD-93F8-CF2B3B41D7AB` [4], `phoneCallHistory` [1] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesscallhistory "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1810-call-history "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessCallHistory
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: phoneCallHistory
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}'
-
name: Disable app access to phone calls (breaks phone calls through Phone Link)
recommend: strict # Breaks "Calls" feature (making and receiving phone calls) of Microsoft Phone Link #350
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing phone calls [1] [2] [3].
This includes reading phone call data [1] and making phone calls [1] [2] [3].
By controlling app permissions related to phone functionalities, it ensures that your personal
communication remains private and secure, requiring explicit user approval before any app
can interact with phone calls.
The restrictions include:
- Preventing apps from accessing phone call data, including metadata and call triggers [1].
- Disallowing apps from managing spam filters, such as modifying block lists or call origin details [1].
- Blocking apps from initiating calls [1] [2] [3] or displaying the system dialer [1] without user consent.
This script configures:
- Windows policy (`LetAppsAccessPhone` [2] [3])
- Privacy settings user interface (`phoneCall` [1])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This will disable the Calls feature in the Microsoft Phone Link app, preventing you from making and receiving
> phone calls through your PC [4].
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1813-phone-calls "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessphone "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://github.com/undergroundwires/privacy.sexy/issues/350 "[BUG]: After applying Standard selection Phone Link is broken · Issue #350 · undergroundwires/privacy.sexy"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessPhone
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: phoneCall
-
name: Disable app access to messaging (SMS / MMS)
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing messages [1] [2] [3] [4] [5],
securing message content from unauthorized access and improving privacy.
It protects your privacy by blocking apps from automatically reading [1] [2] [3] [4],
storing [1], sending [2] [3] [4], or deleting [1] SMS/MMS messages without your permission.
This script configures:
- Windows policy (`LetAppsAccessMessaging` [2] [3])
- Privacy settings user interface (`992AFA70-6F47-4148-B3E9-3003349C1548` [4], `21157C1F-2651-4CC1-90CA-1F28B02263F6` [4], `chat` [1] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessmessaging "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1812-messaging "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessMessaging
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: chat
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{992AFA70-6F47-4148-B3E9-3003349C1548}'
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{21157C1F-2651-4CC1-90CA-1F28B02263F6}'
-
name: Disable app access to email
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing email [1] [2] [3] [4] [5].
It protects your privacy by blocking apps from automatically reading [1],
sending [1] [2], or organizing [1] emails without your permission.
This script configures:
- Windows policy (`LetAppsAccessEmail` [2] [3])
- Privacy settings user interface (`9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5` [4], `email` [1] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1811-email "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessemail "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessEmail
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: email
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}'
-
name: Disable app access to tasks
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing task data [1] [2] [3] [4] [5].
These task items may be stored by Exchange ActiveSync (EAS) connections and other provider apps [1].
This script protects your privacy by preventing unauthorized access to your task information
without your permission.
This script configures:
- Windows policy (`LetAppsAccessTasks` [2] [3])
- Privacy settings user interface (`E390DF20-07DF-446D-B962-F5C953062741` [4], `userDataTasks` [1] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesstasks "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1819-tasks "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessTasks
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: userDataTasks
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{E390DF20-07DF-446D-B962-F5C953062741}'
-
name: Disable app access to radios
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from controlling radios [1] [2] [3] [4] [5],
improving privacy by preventing unauthorized use or toggling of these components.
This script ensures that apps cannot toggle device radios [1] [2] such as Wi-Fi
and Bluetooth [1] without your explicit consent.
This script configures:
- Windows policy (`LetAppsAccessRadios` [2] [3])
- Privacy settings user interface (`A8804298-2D5F-42E3-9531-9C8C39EB29CE` [4], `radios` [1] [5])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1814-radios "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessradios "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
[5]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessRadios
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: radios
-
function: BlockUWPLegacyDeviceAccess
parameters:
deviceAccessId: '{A8804298-2D5F-42E3-9531-9C8C39EB29CE}'
-
category: Disable app access to Bluetooth devices
docs: |- # refactor-with-variable: Same • App Access Caution
This category enhances user privacy by blocking unauthorized access to Bluetooth devices through Windows apps.
It restricts Bluetooth connections, preventing apps from initiating unwanted communication or data exchange.
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
children:
-
name: Disable app access to paired Bluetooth devices
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing paired Bluetooth devices [1].
This script improves your privacy by preventing apps from automatically interacting
with paired Bluetooth devices [1], thus blocking unauthorized data exchanges without
your permission.
This script configures:
- Privacy settings user interface (`bluetooth` [1])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: bluetooth
-
name: Disable app access to unpaired Bluetooth devices
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing unpaired Bluetooth devices [1] [2].
This script protects your privacy by blocking apps from automatically sharing and synchronizing
information with wireless devices that don't explicitly pair with your PC [2], preventing unauthorized
data exchange without your permission.
This script configures:
- Privacy settings user interface (`bluetoothSync` [1] [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
[2]: https://web.archive.org/web/20240427192428/https://www.tenforums.com/tutorials/85048-turn-off-apps-communicate-unpaired-devices-windows-10-a.html "Turn On or Off Apps Communicate with Unpaired Devices in Windows 10 | Tutorials | www.tenforums.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: bluetoothSync
-
category: Disable app voice activation
docs: |- # refactor-with-variable: Same • App Access Caution
This category safeguards against unauthorized app activation via voice commands.
It includes measures to disable voice activation for apps, ensuring that apps cannot be triggered
by voice and start listening without explicit user permission.
This protects your security against potential eavesdropping or accidental triggering of applications.
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
children:
-
name: Disable app access to voice activation
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from voice activation [1] [2] [3] [4].
This script improves privacy by preventing apps from being activated [1] [2] [3] [4]
and from continuing to listen [3] [4] automatically while the device is locked without explicit user instruction.
This protects your security against potential eavesdropping or accidental triggering of applications.
This script configures:
- Windows policy (`LetAppsActivateWithVoice` [1] [2] [4])
- Privacy settings user interface (`AgentActivationEnabled` [3])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This affects Cortana and may impact its functionality [1] [2].
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsactivatewithvoice "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427115516/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice "Let Windows apps activate with voice | admx.help"
[3]: https://web.archive.org/web/20240427115515/https://www.tenforums.com/tutorials/130122-allow-deny-apps-access-use-voice-activation-windows-10-a.html "Allow or Deny Apps Access to Use Voice Activation in Windows 10 | Tutorials | www.tenforums.com"
[4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1823-voice-activation "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsActivateWithVoice
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps
valueName: AgentActivationEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable app access to voice activation on locked system
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from voice activation when the system is locked [1] [2] [3] [4].
This script improves privacy by preventing apps from being activated [1] [2] [3] [4]
and from continuing to listen [3] [4] automatically while the device is locked without explicit user instruction.
This protects your security against potential eavesdropping or accidental triggering of applications.
This script configures:
- Windows policy (`LetAppsActivateWithVoiceAboveLock` [1] [2])
- Privacy settings user interface (`AgentActivationOnLockScreenEnabled` [3])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This affects Cortana and may impact its functionality [1] [2].
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsactivatewithvoiceabovelock "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427115725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock "Let Windows apps activate with voice while the system is locked | admx.help"
[3]: https://web.archive.org/web/20240427115515/https://www.tenforums.com/tutorials/130122-allow-deny-apps-access-use-voice-activation-windows-10-a.html "Allow or Deny Apps Access to Use Voice Activation in Windows 10 | Tutorials | www.tenforums.com"
[4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1823-voice-activation "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsActivateWithVoiceAboveLock
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps
valueName: AgentActivationOnLockScreenEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable app access to physical movement
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing spatial perception data [1] [2].
This includes movement of the user's head, hands, motion controllers, and other tracked objects [1],
as well as nearby surfaces [2].
This data may be accessed while the apps are running in the background [1] [2].
This script enhances privacy by preventing apps from accessing body-related data automatically [1] [2],
without explicit user permission.
This script configures:
- Windows policy (`LetAppsAccessBackgroundSpatialPerception` [1])
- Privacy settings user interface (`spatialPerception` [2], `backgroundSpatialPerception` [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> Disabling access to physical movement may impact the functionality of mixed reality apps that use this data [2].
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessbackgroundspatialperception "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessBackgroundSpatialPerception
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: spatialPerception
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: backgroundSpatialPerception
-
name: Disable app access to eye tracking
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing the eye tracker [1] [2].
This script improves privacy by blocking apps from tracking users' eyes automatically
without explicit user instruction.
This script configures:
- Windows policy (`LetAppsAccessGazeInput` [1])
- Privacy settings user interface (`gazeInput` [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This may significantly impact the functionality of mixed reality apps that rely on this data [2].
> These apps may be unable to detect where a user is looking within the application bounds when an eye-tracking
> device is connected [2].
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessgazeinput "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessGazeInput
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: gazeInput
-
name: Disable app access to human presence
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from accessing presence sensing [1] [2].
Presence data includes information on user presence and engagement [2].
This data could potentially be used to infer user behavior or activities.
This script improves privacy by blocking apps from accessing presence sensors on the device [2]
without explicit user instruction.
This script configures:
- Windows policy (`LetAppsAccessHumanPresence` [1])
- Privacy settings user interface (`humanPresence` [2])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccesshumanpresence "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessHumanPresence
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: humanPresence
-
name: Disable app access to screen capture
recommend: standard # It does not affect built-in Snipping Tool
docs: |- # refactor-with-variable: Same • App Access Caution
This script restricts Windows apps from taking screenshots of the user's screen [1] [2] [3].
This script improves privacy by blocking apps from taking screenshots without explicit user instruction,
whether programmatically [1] [3] or without showing a screenshot border [3].
This script configures:
- Windows policy (`LetAppsAccessGraphicsCaptureProgrammatic` [1], `LetAppsAccessGraphicsCaptureWithoutBorder` [2])
- Privacy settings user interface (`graphicsCaptureProgrammatic` [3], `graphicsCaptureWithoutBorder` [3])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessgraphicscaptureprogrammatic "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsaccessgraphicscapturewithoutborder "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessGraphicsCaptureProgrammatic
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: graphicsCaptureProgrammatic
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsAccessGraphicsCaptureWithoutBorder
-
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: graphicsCaptureWithoutBorder
-
name: Disable app access to background activity (breaks Cortana, Search, live tiles, notifications)
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents Windows apps from running in the background [1] [2] [3].
This script may improve system performance by reducing resource usage.
This script configures:
- Windows policy (`LetAppsRunInBackground` [1] [2])
- Privacy settings user interface (`BackgroundAccessApplications!GlobalUserDisabled` [3])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
> This may impact the functionality of apps that rely on background tasks, such as Cortana and Search [2].
> It may also impact live tile updates, along with notifications such as text messages, email and voicemail [3].
[1]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#letappsruninbackground "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1817-background-apps "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
call:
-
function: BlockUWPAccessViaGPO
parameters:
policyName: LetAppsRunInBackground
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications
valueName: GlobalUserDisabled
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable app access to input devices
recommend: standard
docs: |- # refactor-with-variable: Same • App Access Caution
This script prevents apps from accessing Human Interface Device (HID) capabilities [1].
HIDs include a wide range of devices such as keyboards, mice, and other input devices that can
communicate directly with the system.
By restricting access, the script ensures that applications cannot intercept or record input data
from these devices, thereby safeguarding user interactions.
This script configures:
- Privacy settings user interface (`humanInterfaceDevice` [1])
> **Caution:**
> Disabling app access may affect the functionality of certain Microsoft Store, third-party, and system applications.
[1]: https://web.archive.org/web/20240427120219/https://learn.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations "App capability declarations - UWP applications | Microsoft Learn | learn.microsoft.com"
call:
function: BlockUWPAccessViaConsentStore
parameters:
appCapability: humanInterfaceDevice
-
category: Disable Customer Experience Improvement Program
docs: |-
This script disables the Windows Customer Experience Improvement Program (CEIP).
CEIP collects user interaction data with Windows [1].
This includes hardware configurations (e.g., processor count, screen resolution), system performance, reliability metrics,
and user behaviors like folder creation on the desktop [1].
It also tracks usage of features such as the Event Viewer and Remote Assistance [1].
Collected data is used by Microsoft to identify software trends and user patterns [1].
This data is stored on Microsoft-controlled servers [1].
CEIP-related events are logged in the "Event Viewer" under `Windows Logs\Application` [1].
Storing this data on your computer can expose sensitive personal information to unauthorized third parties.
By default, CEIP is disabled in Windows [1].
If enabled, it periodically collects and sends data to Microsoft [1].
Disabling CEIP enhances privacy by protecting data that reveals details about your system and personal behaviors.
This also speeds up your computer by reducing background activities such as network and hardware usage.
It is recommended by security frameworks like the CIS (Center for Internet Security) to protect your security [2].
[1]: https://web.archive.org/web/20231011232340/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj618322%28v=ws.11%29#purpose-of-the-windows-customer-experience-improvement-program "Manage Privacy: Windows Customer Experience Improvement Program and Resulting Internet Communication | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231215185442/https://www.cisecurity.org/-/jssmedia/Project/cisecurity/cisecurity/data/media/files/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v220.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | cisecurity.org"
children:
-
name: Disable Customer Experience Improvement Program data collection
recommend: standard
docs: |-
This script disables the Windows Customer Experience Improvement Program (CEIP) [1].
CEIP collects details on users' hardware setups and software usage to analyze trends [2].
Disabling CEIP through this script means all users on the computer are opted out [1] [2].
This enhances privacy by ensuring that data is neither stored locally nor shared with Microsoft.
Additionally, turning off CEIP improves system performance by reducing background data collection.
Security frameworks such as the CIS (Center for Internet Security) recommend this action to enhance your security [3].
This change is applied by modifying registry keys:
- `HKLM\Software\Policies\Microsoft\SQMClient\Windows!CEIPEnable` [1] [2] [3]
- `HKLM\Software\Microsoft\SQMClient\Windows!CEIPEnable` [1]
Without this script, CEIP may remain active [2].
[1]: https://web.archive.org/web/20230922164714/https://learn.microsoft.com/en-us/windows/win32/devnotes/ceipenable "CEIPEnable - Win32 apps | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230922164711/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-icm#ceipenable "ADMX_ICM Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231215185442/https://www.cisecurity.org/-/jssmedia/Project/cisecurity/cisecurity/data/media/files/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v220.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | cisecurity.org"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\SQMClient\Windows
valueName: CEIPEnable
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\SQMClient\Windows
valueName: CEIPEnable
dataType: REG_DWORD
data: '0'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 21H1) | `1` on Windows 11 Pro (≥ 22H2)
-
name: Disable Customer Experience Improvement Program data uploads
recommend: standard
docs: |-
This script disables the upload of data to Microsoft's Customer Experience Improvement Program (CEIP).
By stopping this data upload, you gain greater control over your personal information and ensure that your usage habits remain private.
Additionally, this action can boost system performance by reducing unnecessary data transmission.
This script modifies the Windows Registry key `HKLM\Software\Microsoft\SQMClient!UploadDisableFlag` [1].
This change effectively prevents user data from being transmitted to Microsoft [1].
[1]: https://web.archive.org/web/20240101180142/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/customize/uwfexclusions "Common write filter exclusions | Microsoft Learn | learn.microsoft.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\SQMClient
valueName: UploadDisableFlag
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
category: Disable background customer experience data collection
docs: |-
This category includes scripts that disable scheduled tasks from the Windows Customer Experience Improvement Program (CEIP).
The CEIP, designed by Microsoft, collects background data on user interactions with its products [1].
This data collection is executed through multiple background tasks that transmit usage data to Microsoft [1].
Scripts in this category stop these tasks, thereby reducing data transmission to Microsoft, enhancing privacy,
and improving system performance.
Use the following PowerShell command to list all scheduled tasks associated with the CEIP:
```powershell
@('\Microsoft\Windows\Autochk\*', '\Microsoft\Windows\Customer Experience Improvement Program\*', '\Microsoft\Windows\DiskDiagnostic\*', '\Microsoft\Windows\Customer Experience Improvement Program\Server\*') `
| ForEach-Object { Get-ScheduledTask -TaskName '*' -TaskPath $_ -ErrorAction SilentlyContinue } `
| ForEach-Object { Write-Host "$($_.TaskPath)$($_.TaskName)" }
```
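The following read-only check is an added example, not part of privacy.sexy or its generated scripts. It reports whether the scheduled tasks disabled by the scripts in this category, and the CEIP registry values written by the preceding category, are in the state this file sets. Treating a missing task as acceptable is an assumption of the example.

```powershell
# Added example, not part of privacy.sexy: read-only audit of the CEIP settings
# documented in this file. It changes nothing on the system.

# Scheduled tasks that the scripts in this category disable (paths and names as listed in this file).
$ceipTasks = @(
    @{ Path = '\Microsoft\Windows\Autochk\'; Name = 'Proxy' }
    @{ Path = '\Microsoft\Windows\Customer Experience Improvement Program\'; Name = 'KernelCeipTask' }
    @{ Path = '\Microsoft\Windows\Customer Experience Improvement Program\'; Name = 'BthSQM' }
    @{ Path = '\Microsoft\Windows\DiskDiagnostic\'; Name = 'Microsoft-Windows-DiskDiagnosticDataCollector' }
    @{ Path = '\Microsoft\Windows\DiskDiagnostic\'; Name = 'Microsoft-Windows-DiskDiagnosticResolver' }
)

# Registry values the CEIP scripts write, with the data this file sets for each.
$ceipValues = @(
    @{ Key = 'HKLM:\Software\Policies\Microsoft\SQMClient\Windows'; Name = 'CEIPEnable'; Expected = 0 }
    @{ Key = 'HKLM:\Software\Microsoft\SQMClient\Windows'; Name = 'CEIPEnable'; Expected = 0 }
    @{ Key = 'HKLM:\Software\Microsoft\SQMClient'; Name = 'UploadDisableFlag'; Expected = 0 }
)

$taskReport = foreach ($t in $ceipTasks) {
    $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
    $state = if ($task) { [string]$task.State } else { 'Missing' }
    [pscustomobject]@{
        Item       = "$($t.Path)$($t.Name)"
        Found      = $state
        # Assumption of this example: a task that does not exist cannot run, so it counts as OK.
        AsScripted = $state -in @('Disabled', 'Missing')
    }
}

$valueReport = foreach ($v in $ceipValues) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    $found = if ($null -ne $item) { $item.($v.Name) } else { $null }
    [pscustomobject]@{
        Item       = "$($v.Key)!$($v.Name)"
        Found      = if ($null -eq $found) { 'Not set' } else { $found }
        # A value that is absent has not been written by the script, so it is reported as not matching.
        AsScripted = ($null -ne $found) -and ($found -eq $v.Expected)
    }
}

@($taskReport) + @($valueReport) | Format-Table -AutoSize -Wrap
```

Rows where `AsScripted` is `False` after the scripts have run point to a task that was re-enabled or a value that was reset, for example by a feature update.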
[1]: https://web.archive.org/web/20240718151636/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj651022(v=ws.11) "What's New in Telemetry | Microsoft Learn | learn.microsoft.com"
children:
-
name: Disable automatic Software Quality Metrics (SQM) data transmission
recommend: standard
docs: |-
This script disables the "Proxy" scheduled task.
This task sends Software Quality Metrics (SQM) data to Microsoft [1].
SQM stands for "Software Quality Metrics" [2] [3], also known as "Software Quality Management" [4] [5].
It is part of Microsoft's telemetry framework, gathering and sending usage and performance data to Microsoft [2] [3] [5].
This task specifically collects and sends `autochk` SQM data [1].
`autochk` is a Windows tool that checks file system integrity before Windows starts [6].
This task enables features of the Customer Experience Improvement Program for participating users [7].
It sends data when a user opts into the Microsoft Customer Experience Improvement Program [1].
### Why disable it?
- **Privacy**:
Disabling this task reduces data sent to Microsoft [1], enhancing your privacy.
- **Performance and Reliability:**
Microsoft suggests this task isn't required [7].
Turning it off can boost performance [1] [8] and system reliability [1] [7].
- **Security**:
Enabling this background data collection task increases vulnerabilities.
Authorities, such as the Polish government [9], advise disabling this task for enhanced security.
### Overview of default task statuses
`\Microsoft\Windows\Autochk\Proxy`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#scheduled-tasks "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231011231116/https://learn.microsoft.com/en-us/skype-sdk/ucwa/policies_ref "Policies reference | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231011230658/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sqmcs/10c34967-5fd7-4791-b336-30a2ffc14b8c "[MS-SQMCS]: Overview | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231011231057/https://support.microsoft.com/en-us/topic/update-is-available-that-prevents-sqm-data-collection-in-windows-rt-8-1-windows-8-1-and-windows-server-2012-r2-87b3f330-7894-e25b-3693-51b58da399fc "Update is available that prevents SQM data-collection in Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 - Microsoft Support | support.microsoft.com"
[5]: https://web.archive.org/web/20231011230649/https://learn.microsoft.com/en-us/archive/msdn-magazine/2015/january/azure-sdk-2-5-hadoop-made-easier-for-microsoft-developers "Azure SDK 2.5 - Hadoop Made Easier for Microsoft Developers | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20231011230640/https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/autochk "autochk | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20231002104948/https://learn.microsoft.com/en-us/services-hub/health/other/work-with-results/assessmentplanreport_windowsclientassessmentplus.xlsx "Windows Client Assessment Recommendations Report generated on: 06/13/2019 | learn.microsoft.com"
[8]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs | docs.microsoft.com"
[9]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP | plid.obywatel.gov.pl"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Autochk\' -TaskName 'Proxy'
taskPathPattern: \Microsoft\Windows\Autochk\
taskNamePattern: Proxy
-
name: Disable kernel-level customer experience data collection
recommend: standard
docs: |-
This script disables the "KernelCeipTask" scheduled task.
This task is part of the Windows Customer Experience Improvement Program (CEIP) [1] [2] [3].
Its primary role is to collect and send user usage data to Microsoft when a user consents to participate in CEIP [1].
Disabling this task:
- Improves system reliability and performance [1]
- Reduces data collection by Microsoft, enhancing privacy [2]
Governments such as Poland [4] and Argentina [5] recommend disabling this task.
Microsoft suggests:
- Turning off this task can improve system reliability and reduce performance issues [1].
- This task is not necessary for core operating system functionality [1].
- Its deactivation can optimize system performance [1] [2] [6] and reduce data collection [2].
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231002104948/https://learn.microsoft.com/en-us/services-hub/health/other/work-with-results/assessmentplanreport_windowsclientassessmentplus.xlsx "Windows Client Assessment Recommendations Report generated on: 06/13/2019 | learn.microsoft.com"
[2]: https://web.archive.org/web/20231017194013/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations#task-scheduler "Recommended configuration for VDI desktops | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231017193840/https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-virtual-desktops/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html "Disable the Windows Customer Experience Improvement Program | docs.vmware.com"
[4]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP | plid.obywatel.gov.pl"
[5]: https://archive.ph/2023.10.17-193954/http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml "A complete task sequence for deploying a client operating system | Government of Argentina | argentinacompra.gov.ar"
[6]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs | docs.microsoft.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'KernelCeipTask'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
taskNamePattern: KernelCeipTask
-
name: Disable Bluetooth usage data collection
recommend: standard
docs: |-
This script disables the "BthSQM" scheduled task.
This task is part of the Bluetooth Customer Experience Improvement Program (CEIP) [1].
The BthSQM task collects and sends data about your Bluetooth usage to Microsoft [1].
This data transmission compromises your privacy.
Microsoft has suggested disabling this task as an optimization measure for Windows [2].
Disabling this task stops the transmission of your Bluetooth usage data to Microsoft, enhancing your privacy.
It may also improve system performance by reducing background tasks.
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\BthSQM`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231215183514/http://windows.fyicenter.com/4373_BthSQM_Scheduled_Task_on_Windows_8.html '"BthSQM" Scheduled Task on Windows 8 | windows.fyicenter.com'
[2]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs | docs.microsoft.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'BthSQM'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
taskNamePattern: BthSQM
-
name: Disable disk diagnostic data collection
recommend: standard
docs: |-
This script disables the "Microsoft-Windows-DiskDiagnosticDataCollector" scheduled task.
This task collects and sends disk and system data to Microsoft [1].
It primarily affects users in the Customer Experience Program [1].
When this task runs, it:
- Uses the **Windows Diagnostic Infrastructure (WDI) Resolution host** feature [2].
This feature fixes specific computer problems identified by the **Diagnostic Policy Service (DPS)** [2].
- Launches the **Windows Disk Diagnostic User Resolver Wizard** (`dfdwiz.exe`) when a hard drive problem is detected [2].
This task has been present in Windows since Windows Vista [2].
Disabling this task:
- Enhances user privacy by preventing data transmission to Microsoft [1].
- Improves system performance [1] [3].
Microsoft [1] [3] and the Polish government [4] recommend disabling this task for
enhanced privacy and improved system performance.
### Overview of default task statuses
`\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 21H2 | 🟢 Ready |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#scheduled-tasks "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231017191924/https://support.microsoft.com/en-us/topic/description-of-the-scheduled-tasks-in-windows-vista-21f93b44-7260-a612-5ec3-fb2a7be5563c "Description of the scheduled tasks in Windows Vista - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs | docs.microsoft.com"
[4]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP | plid.obywatel.gov.pl"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskDiagnostic\' -TaskName 'Microsoft-Windows-DiskDiagnosticDataCollector'
taskPathPattern: \Microsoft\Windows\DiskDiagnostic\
taskNamePattern: Microsoft-Windows-DiskDiagnosticDataCollector
-
name: Disable disk diagnostic user notifications
recommend: strict # It may prevent users from seeing disk errors
docs: |-
This script disables the "Microsoft-Windows-DiskDiagnosticResolver" scheduled task.
This task warns users about faults reported by hard disks that support
S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology) [1].
This task is disabled by default.
However, it is automatically enabled by the **Diagnostic Policy Service**
when a S.M.A.R.T. fault is detected [1].
It runs `%SYSTEMROOT%\Windows\System32\DFDWiz.exe` [1] [2].
This executable is known as "Windows Disk Diagnostic User Resolver" [1] [2].
Disabling this task enhances privacy by preventing the collection and display of
information about your hard disk's health and performance.
This data, though primarily technical, may reveal insights into your disk usage patterns.
Disabling this task may improve system performance by reducing background activities.
Citrix recommends disabling this service for system optimization [3].
> **Caution**: Disabling these notifications may prevent users from being aware of potential
> disk issues.
### Overview of default task statuses
`\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 21H2 | 🔴 Disabled |
| Windows 10 22H2 | 🔴 Disabled |
| Windows 11 22H2 | 🔴 Disabled |
| Windows 11 22H3 | 🔴 Disabled |
[1]: https://web.archive.org/web/20231215183637/http://windows.fyicenter.com/4258_Microsoft-Windows-DiskDiagnosticResolver_Scheduled_Task_on_Windows_7.html '"Microsoft-Windows-DiskDiagnosticResolver" Scheduled Task on Windows 7 | windows.fyicenter.com'
[2]: https://web.archive.org/web/20231215183645/https://www.shouldiblockit.com/dfdwiz.exe-7565.aspx "dfdwiz.exe - Should I Block It? (Windows Disk Diagnostic User Resolver) | www.shouldiblockit.com"
[3]: https://web.archive.org/web/20231215184007/https://jans.cloud/wp-content/uploads/2017/12/Analyze_History.html "Citrix Optimizer Report | jans.cloud"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskDiagnostic\' -TaskName 'Microsoft-Windows-DiskDiagnosticResolver'
taskPathPattern: \Microsoft\Windows\DiskDiagnostic\
taskNamePattern: Microsoft-Windows-DiskDiagnosticResolver
disableOnRevert: 'true' # Disabled by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
name: Disable USB data collection
recommend: standard
docs: |-
This script disables the "UsbCeip" scheduled task.
This task is part of the Windows Customer Experience Improvement Program [1] [2] [3].
The task collects data about USB devices connected to your computer [4].
This data is then sent to Microsoft's engineering team [4].
While the aim is to improve USB functionality in Windows [4], it raises privacy concerns.
If a user opts out of the Windows Customer Experience Improvement Program (CEIP), this task remains inactive [1] [4].
This script disables the task to ensure it remains inactive.
Disabling this task reduces data collection, enhancing your privacy.
Microsoft recommends disabling this task to reduce data collection [5].
The Argentine government suggests disabling this task for enhanced privacy [7].
The Polish government recommends deleting this task for additional privacy [8].
Additionally, disabling this task can improve your system performance.
Both Microsoft [1] [5] [6] and VMware [2] recommend disabling this task for better performance.
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231002104948/https://learn.microsoft.com/en-us/services-hub/health/other/work-with-results/assessmentplanreport_windowsclientassessmentplus.xlsx "Windows Client Assessment Recommendations Report generated on: 06/13/2019 | learn.microsoft.com"
[2]: https://web.archive.org/web/20231017193840/https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-virtual-desktops/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html "Disable the Windows Customer Experience Improvement Program | docs.vmware.com"
[3]: https://web.archive.org/web/20231017194013/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations#task-scheduler "Recommended configuration for VDI desktops | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231017193828/http://windows.fyicenter.com/4254_UsbCeip_Scheduled_Task_on_Windows_7.html '"UsbCeip" Scheduled Task on Windows 7 | windows.fyicenter.com'
[5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs | docs.microsoft.com"
[7]: https://archive.ph/2023.10.17-193954/http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml "A complete task sequence for deploying a client operating system | Government of Argentina | argentinacompra.gov.ar"
[8]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP | plid.obywatel.gov.pl"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'UsbCeip'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
taskNamePattern: UsbCeip
-
name: Disable customer experience data consolidation
recommend: standard
docs: |-
This script disables the "Consolidator" scheduled task.
The "Consolidator" task is a part of the Windows Customer Experience Improvement Program (CEIP) [1] [2] [3] [4].
When enabled, this task collects and sends usage data to Microsoft [1] [2] [4] [5] [6] [7] [8] [9].
Introduced in Windows Vista [1], this task is present in later Windows versions [5].
Disabling this task offers several benefits:
- Enhances privacy.
Microsoft states that disabling this task stops Windows data collection [5] [6].
The governments of Poland [10] and Argentina [11] recommend disabling it for privacy.
- Improves system performance.
Microsoft acknowledges that the task can degrade performance and impact other users and services [2] [5] [6].
Microsoft also recommends disabling the task to optimize system performance [2] [5] [6].
- Increases your security.
In the past, malicious software has exploited this task [12].
Disabling it reduces the attack surface by eliminating a potential exploitation vector.
It is safe to disable this task according to Microsoft:
- This task is not essential for core operating system functions [2] [5] [6].
- It is not needed in all environments [2].
- It should be disabled when deemed unnecessary [2] [3] [5] [6].
## Technical Details
The task uses a program named `wsqmcons.exe` [1].
The name `wsqmcons` stands for "Windows SQM Consolidator" [13] or "Windows Software Quality Management Consolidator" [14].
This program runs daily if the user is part of CEIP [1].
When it runs, it collects and transmits usage data to Microsoft [1] [9].
The process resides in the `%SYSTEMROOT%\System32` folder [1].
CEIP data collection includes two tasks [7] [8]:
1. `Consolidator`: Gathers and compresses CEIP data [7] [8].
2. `Uploader`: Sends the data to Microsoft [7] [8].
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\Consolidator`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231017191924/https://support.microsoft.com/en-us/topic/description-of-the-scheduled-tasks-in-windows-vista-21f93b44-7260-a612-5ec3-fb2a7be5563c "Description of the scheduled tasks in Windows Vista - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20231002104948/https://learn.microsoft.com/en-us/services-hub/health/other/work-with-results/assessmentplanreport_windowsclientassessmentplus.xlsx "Windows Client Assessment Recommendations Report generated on: 06/13/2019 | learn.microsoft.com"
[3]: https://web.archive.org/web/20231017194013/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations#task-scheduler "Recommended configuration for VDI desktops | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231021011849/http://windows.fyicenter.com/4252_Consolidator_Scheduled_Task_on_Windows_7.html '"Consolidator" Scheduled Task on Windows 7 | windows.fyicenter.com'
[5]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#scheduled-tasks "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs | docs.microsoft.com"
[7]: https://web.archive.org/web/20231021125929/https://cloudblogs.microsoft.com/windowsserver/2012/05/17/improved-server-manageability-through-customer-feedback-how-the-customer-experience-improvement-program-makes-windows-server-2012-a-better-product-for-it-professionals/ "Improved Server Manageability through Customer Feedback: How the Customer Experience Improvement Program makes Windows Server 2012 a better product for IT Professionals - Microsoft Windows Server Blog | cloudblogs.microsoft.com"
[8]: https://web.archive.org/web/20231021011254/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj651022%28v=ws.11%29 "What's New in Telemetry | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20231021011342/https://windowsreport.com/wsqmcons-exe/ "Wsqmcons.exe: What Is It & Should You Disable It? | windowsreport.com"
[10]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP | plid.obywatel.gov.pl"
[11]: https://archive.ph/2023.10.17-193954/http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml "A complete task sequence for deploying a client operating system | Government of Argentina | argentinacompra.gov.ar"
[12]: https://web.archive.org/web/20231021011706/https://attackevals.mitre-engenuity.org/results/enterprise?vendor=crowdstrike&evaluation=turla&scenario=1 "ATT&CK® Evaluations | attackevals.mitre-engenuity.org"
[13]: https://web.archive.org/web/20231021011602/https://strontic.github.io/xcyclopedia/library/wsqmcons.exe-3198C8F020BC60931404167EEC51E2BF.html "wsqmcons.exe | Windows SQM Consolidator | STRONTIC | strontic.github.io"
[14]: https://web.archive.org/web/20231021011855/https://www.file.net/process/wsqmcons.exe.html "wsqmcons.exe Windows process - What is it? < file.net"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'Consolidator'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
taskNamePattern: Consolidator
-
name: Disable customer experience data uploads
recommend: standard
docs: |-
This script disables the "Uploader" scheduled task.
This task is part of the Windows Customer Experience Improvement Program (CEIP) [1] [2].
The Uploader task transfers CEIP data to Microsoft [1] [2] [3] [4].
The data is sent every 19 [3] to 24 hours [1] [2].
Disabling this task prevents automatic sharing of your usage data with Microsoft, enhancing your privacy.
The Government of Vietnam recommends disabling this task to reduce data collection [5].
Disabling the task may also improve system performance by reducing background processes.
The task is located at `\Microsoft\Windows\Customer Experience Improvement Program\Uploader` [3] [4] [5].
Disabling the task is safe and has no negative effects on other parts of the operating system [3].
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\Uploader`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231021125929/https://cloudblogs.microsoft.com/windowsserver/2012/05/17/improved-server-manageability-through-customer-feedback-how-the-customer-experience-improvement-program-makes-windows-server-2012-a-better-product-for-it-professionals/ "Improved Server Manageability through Customer Feedback: How the Customer Experience Improvement Program makes Windows Server 2012 a better product for IT Professionals - Microsoft Windows Server Blog | cloudblogs.microsoft.com"
[2]: https://web.archive.org/web/20231021011254/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj651022%28v=ws.11%29 "What's New in Telemetry | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240726132037/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc774625(v%3Dws.10) "Event ID 1008 — CEIP Upload | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240726131536/http://windows.fyicenter.com/4376_Uploader_Scheduled_Task_on_Windows_8.html "\"Uploader\" Scheduled Task on Windows 8 | windows.fyicenter.com"
[5]: https://web.archive.org/web/20240726131546/https://antoanthongtin.gov.vn/giai-phap-khac/cau-hinh-nang-cao-hieu-nang-va-an-toan-cho-windows-10-104713 "Cấu hình nâng cao hiệu năng và an toàn cho Windows 10 - Tạp chí An toàn thông tin | antoanthongtin.gov.vn"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\' -TaskName 'Uploader'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\
taskNamePattern: Uploader
-
category: Disable server-specific customer experience data collection
docs: |-
This category includes scripts that disable specific scheduled tasks related to
the Windows Server Customer Experience Improvement Program (CEIP).
CEIP is a voluntary program that collects information about how people use Windows Server [1].
It gathers data on:
- Configuration settings [1]
- Hardware configurations [1]
- Usage patterns
- Performance metrics
Disabling these tasks prevents the system from automatically sending usage and performance data
to Microsoft, enhancing user privacy.
It may also improve system performance by reducing background activities.
These tasks are typically present in server versions of the Windows operating system.
These tasks may not be present in consumer editions of Windows.
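Because these tasks, like the client CEIP tasks documented above, can be missing, enabled or already disabled depending on the Windows edition, it helps to audit them before and after running the scripts. The following read-only PowerShell audit is an added example, not part of privacy.sexy's own scripts: it reports each task's state and flags a task whose action does not point at the executable named in these docs. The function name `Get-CeipTaskAudit` and the output columns are assumptions.

```powershell
# Added example (not part of privacy.sexy): read-only audit of CEIP scheduled tasks.
# Task paths, task names and executables are taken from the docs in this file.
# The function name and the output columns are illustrative assumptions.
# Needs the ScheduledTasks module (the same one behind the "Check:" comments).

$ceipPath   = '\Microsoft\Windows\Customer Experience Improvement Program\'
$serverPath = $ceipPath + 'Server\'

# Exe is the program these docs name for the task; $null where none is named.
$tasks = @(
    @{ Path = $ceipPath;   Name = 'UsbCeip';                  Exe = $null }
    @{ Path = $ceipPath;   Name = 'Consolidator';             Exe = 'wsqmcons.exe' }
    @{ Path = $ceipPath;   Name = 'Uploader';                 Exe = $null }
    @{ Path = $serverPath; Name = 'ServerCeipAssistant';      Exe = 'ceipdata.exe' }
    @{ Path = $serverPath; Name = 'ServerRoleCollector';      Exe = 'ceiprole.exe' }
    @{ Path = $serverPath; Name = 'ServerRoleUsageCollector'; Exe = 'ceipdata.exe' }
)

function Get-CeipTaskAudit {
    param([hashtable[]] $ExpectedTasks = $tasks)

    $system32 = Join-Path $env:SystemRoot 'System32'

    foreach ($expected in $ExpectedTasks) {
        $fullName = $expected.Path + $expected.Name
        $task = Get-ScheduledTask -TaskPath $expected.Path -TaskName $expected.Name `
            -ErrorAction SilentlyContinue

        if (-not $task) {
            # Corresponds to the "N/A (missing)" rows in the status tables:
            # the task does not exist, so there is nothing to disable.
            [pscustomobject]@{
                Task     = $fullName
                State    = 'Missing'
                Inactive = $true
                Executes = ''
                Finding  = ''
            }
            continue
        }

        # Only exec actions carry an Execute property; COM handler actions do not.
        $commands = @(
            foreach ($action in $task.Actions) {
                if ($action.PSObject.Properties['Execute'] -and $action.Execute) {
                    [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
                }
            }
        )

        # Flag a task whose action differs from the System32 binary named in the docs.
        # The comparison is case-insensitive, as Windows paths are.
        $finding = ''
        if ($expected.Exe) {
            $wanted = Join-Path $system32 $expected.Exe
            $unexpected = @($commands | Where-Object { $_ -ne $wanted })
            if ($commands.Count -eq 0 -or $unexpected.Count -gt 0) {
                $finding = "Action is not $wanted; review the task definition"
            }
        }

        [pscustomobject]@{
            Task     = $fullName
            State    = [string]$task.State
            Inactive = ($task.State -eq 'Disabled')
            Executes = $commands -join '; '
            Finding  = $finding
        }
    }
}

Get-CeipTaskAudit | Format-Table -AutoSize -Wrap
```

A row with `Inactive` set to `False` means the task can still run; a non-empty `Finding` means the task definition should be inspected before it is simply disabled.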
[1]: https://web.archive.org/web/20240726125134/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj618322(v=ws.11) "Manage Privacy: Windows Customer Experience Improvement Program and Resulting Internet Communication | Microsoft Learn | learn.microsoft.com"
children:
-
name: Disable server customer experience data assistant
recommend: standard
docs: |-
This script disables the "ServerCeipAssistant" scheduled task.
This task is part of the "Windows Server Customer Experience Improvement Program" [1] [2] [3].
The main function of this task is to collect and send usage and performance data to Microsoft.
It runs without requiring user consent to participate in the CEIP [4].
This task poses a significant privacy concern as it can share sensitive information without explicit user approval.
Disabling this task prevents data transmission, aligning with best practices for privacy protection.
It may also improve system performance.
The Citrix optimization guide recommends disabling this task to enhance operating system performance [5].
The task is located at `\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant` [1] [2] [3] [4] [6] [7].
It runs `%WINDIR%\System32\ceipdata.exe` [3] [6] [7].
This task was originally introduced in Windows Server 2008 [2] [8].
Tests show this task is absent in modern Windows versions.
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows Server 2022 21H2 | 🟡 N/A (missing) |
| Windows 10 Pro 21H2 | 🟡 N/A (missing) |
| Windows 11 Pro 22H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231021140611/https://wutils.com/wmi/root/microsoft/windows/taskscheduler/msft_scheduledtask/instances.html "MSFT_ScheduledTask, ROOT\Microsoft\Windows\TaskScheduler - Instances | wutils.com"
[2]: https://web.archive.org/web/20231021140830/https://novikov.ua/windows-%D0%BD%D0%B5%D0%BA%D0%BE%D1%82%D0%BE%D1%80%D1%8B%D0%B5-tasks-%D0%B7%D0%B0%D0%B4%D0%B0%D1%87%D0%B8-%D0%BF%D0%BE-%D1%83%D0%BC%D0%BE%D0%BB%D1%87%D0%B0%D0%BD%D0%B8%D1%8E-%D0%BA%D0%BE%D1%82/ "Windows: некоторые tasks (задачи) по-умолчанию, которые желательно выключить - RUSLAN NOVIKOV - Full Stack Developer /Chief Technology Officer (CTO) | novikov.ua"
[3]: https://web.archive.org/web/20231021140923/https://www.shouldiblockit.com/ceipdata.exe-1228.aspx "ceipdata.exe - Should I Block It? (Windows Server Customer Experience Improvement Program) | www.shouldiblockit.com"
[4]: https://web.archive.org/web/20231021140845/https://www.mcbsys.com/blog/2016/08/serverceipassistant-task-incorrectly-formatted-xml/ "ServerCeipAssistant Task Incorrectly Formatted XML | MCB Systems | mcbsys.com"
[5]: https://web.archive.org/web/20231021141013/https://static.spiceworks.com/attachments/post/0016/8802/XA_-_Windows_2008_R2_Optimization_Guide.pdf "Windows 2008 R2 Optimization Guide - For Desktop Virtualization with XenApp 6 / 6.5 | Citrix | spiceworks.com"
[6]: https://web.archive.org/web/20231021140624/https://raw.githubusercontent.com/montri789/Warroom-bot/master/Script/tasks.csv "Warroom-bot/Script/tasks.csv at master · montri789/Warroom-bot | github.com"
[7]: https://web.archive.org/web/20231021141045/https://services4.lowercolumbia.edu/demo/projectlid/lccInvestigateRecords/lccIR-demoRecords5.xtm "lccIR Demo Records 5: Task Schedulers | Lower Columbia College | lowercolumbia.edu"
[8]: https://archive.org/details/windowsserver2000000sosi/page/172/mode/2up?q=ServerCeipAssistant "Windows server 2008 : implementation and administration | Sosinsky, Barrie A | archive.org"
[9]: https://web.archive.org/web/20231021140905/https://strontic.github.io/xcyclopedia/library/ceipdata.exe-938465C81CB9D2026CE8F4B97D30AF26.html "ceipdata.exe | Windows Server Customer Experience Improvement Program | STRONTIC | strontic.github.io"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\Server\' -TaskName 'ServerCeipAssistant'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\Server\
taskNamePattern: ServerCeipAssistant
-
name: Disable server role telemetry collection
recommend: standard
docs: |-
This script disables the "ServerRoleCollector" scheduled task.
This task collects telemetry data about server roles [1].
**Server roles** are specific functions a server performs for users and other computers within
a network, such as providing web services or handling emails [2].
This task is part of the "Windows Server Customer Experience Improvement Program" [3] [4].
Disabling this task enhances privacy by preventing CEIP data collection.
Additionally, it may improve system performance.
The Citrix optimization guide recommends disabling this task to boost system performance [5].
The task is located at `\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector` [3] [4] [6] [7].
It executes `%WINDIR%\System32\ceiprole.exe` [3] [6] [7].
This process is named "Windows Server Role Collector" [6] [8].
This task was originally introduced in Windows Server 2008 [4] [9].
The functionality of the Role Collector (`ceiprole.exe`) and its associated API
were removed in Windows Server 2012 [1] [10] [11].
Since then, Server Manager has taken over these responsibilities [1].
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows Server 2022 21H2 | 🟡 N/A (missing) |
| Windows 10 Pro 21H2 | 🟡 N/A (missing) |
| Windows 11 Pro | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231021142502/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831568%28v=ws.11%29 "Features Removed or Deprecated in Windows Server 2012 | Microsoft Learn"
[2]: https://web.archive.org/web/20231021142524/https://www.oreilly.com/library/view/windows-server-2008/9780735624382/ch07.html "7. Configuring Roles, Role Services, and Features - Windows Server® 2008 Inside Out [Book] | oreilly.com"
[3]: https://web.archive.org/web/20231021140624/https://raw.githubusercontent.com/montri789/Warroom-bot/master/Script/tasks.csv "Warroom-bot/Script/tasks.csv at master · montri789/Warroom-bot | github.com"
[4]: https://web.archive.org/web/20231021140830/https://novikov.ua/windows-%D0%BD%D0%B5%D0%BA%D0%BE%D1%82%D0%BE%D1%80%D1%8B%D0%B5-tasks-%D0%B7%D0%B0%D0%B4%D0%B0%D1%87%D0%B8-%D0%BF%D0%BE-%D1%83%D0%BC%D0%BE%D0%BB%D1%87%D0%B0%D0%BD%D0%B8%D1%8E-%D0%BA%D0%BE%D1%82/ "Windows: некоторые tasks (задачи) по-умолчанию, которые желательно выключить - RUSLAN NOVIKOV - Full Stack Developer /Chief Technology Officer (CTO) | novikov.ua"
[5]: https://web.archive.org/web/20231021141013/https://static.spiceworks.com/attachments/post/0016/8802/XA_-_Windows_2008_R2_Optimization_Guide.pdf "Windows 2008 R2 Optimization Guide - For Desktop Virtualization with XenApp 6 / 6.5 | Citrix | spiceworks.com"
[6]: https://web.archive.org/web/20231021142340/https://www.shouldiblockit.com/ceiprole.exe-b8fa0f5b617e82d41241c7a2c3a89c26.aspx "ceiprole.exe - Should I Block It? (MD5 b8fa0f5b617e82d41241c7a2c3a89c26) | shouldiblockit.com"
[7]: https://web.archive.org/web/20231021141045/https://services4.lowercolumbia.edu/demo/projectlid/lccInvestigateRecords/lccIR-demoRecords5.xtm "lccIR Demo Records 5: Task Schedulers | Lower Columbia College | lowercolumbia.edu"
[8]: https://web.archive.org/web/20231021142324/https://systemexplorer.net/file-database/file/ceiprole-exe "What is ceiprole.exe ? | System Explorer | systemexplorer.net"
[9]: https://archive.org/details/windowsserver2000000unse_t2j3/page/596/mode/2up?q=ServerRoleCollector "Windows Server 2008 : unleashed | Indianapolis, Ind. : Sams | archive.org"
[10]: https://web.archive.org/web/20231021142351/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn303411%28v=ws.11%29 "Features Removed or Deprecated in Windows Server 2012 R2 | Microsoft Learn | learn.microsoft.com"
[11]: https://web.archive.org/web/20231021142446/https://catalogimages.wiley.com/images/db/pdf/9781118859919.excerpt.pdf "Exam 70-410: Installing and Configuring Windows Server 2012 R2 | wiley.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\Server\' -TaskName 'ServerRoleCollector'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\Server\
taskNamePattern: ServerRoleCollector
-
name: Disable server role usage data collection
recommend: standard
docs: |-
This script disables the "ServerRoleUsageCollector" scheduled task.
The task tracks the types and frequency of server role usage.
A **server role** is a combination of software components that allow the server to perform specific
functions for users and other computers on a network [1].
This task is located at `\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector` [2] [3] [4].
The task runs `%WINDIR%\System32\ceipdata.exe -roleusage` [2] [3].
Microsoft describes `ceipdata.exe` as part of the "Windows Server Customer Experience Improvement Program" [3] [4] [5].
Disabling this task protects your privacy by stopping a CEIP data collection process.
It also improves system performance.
The Citrix optimization guide recommends disabling this task to enhance system performance [6].
Originally introduced in Windows Server 2008 [4], this task is absent in desktop Windows versions.
### Overview of default task statuses
`\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows Server 2022 21H2 | 🟡 N/A (missing) |
| Windows 10 Pro 21H2 | 🟡 N/A (missing) |
| Windows 11 Pro 22H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231021142524/https://www.oreilly.com/library/view/windows-server-2008/9780735624382/ch07.html "7. Configuring Roles, Role Services, and Features - Windows Server® 2008 Inside Out [Book] | oreilly.com"
[2]: https://web.archive.org/web/20231021141045/https://services4.lowercolumbia.edu/demo/projectlid/lccInvestigateRecords/lccIR-demoRecords5.xtm "lccIR Demo Records 5: Task Schedulers | Lower Columbia College | lowercolumbia.edu"
[3]: https://web.archive.org/web/20231021140624/https://raw.githubusercontent.com/montri789/Warroom-bot/master/Script/tasks.csv "Warroom-bot/Script/tasks.csv at master · montri789/Warroom-bot | github.com"
[4]: https://web.archive.org/web/20231021140830/https://novikov.ua/windows-%D0%BD%D0%B5%D0%BA%D0%BE%D1%82%D0%BE%D1%80%D1%8B%D0%B5-tasks-%D0%B7%D0%B0%D0%B4%D0%B0%D1%87%D0%B8-%D0%BF%D0%BE-%D1%83%D0%BC%D0%BE%D0%BB%D1%87%D0%B0%D0%BD%D0%B8%D1%8E-%D0%BA%D0%BE%D1%82/ "Windows: некоторые tasks (задачи) по-умолчанию, которые желательно выключить - RUSLAN NOVIKOV - Full Stack Developer /Chief Technology Officer (CTO) | novikov.ua"
[5]: https://web.archive.org/web/20231021140905/https://strontic.github.io/xcyclopedia/library/ceipdata.exe-938465C81CB9D2026CE8F4B97D30AF26.html "ceipdata.exe | Windows Server Customer Experience Improvement Program | STRONTIC | strontic.github.io"
[6]: https://web.archive.org/web/20231021141013/https://static.spiceworks.com/attachments/post/0016/8802/XA_-_Windows_2008_R2_Optimization_Guide.pdf "Windows 2008 R2 Optimization Guide - For Desktop Virtualization with XenApp 6 / 6.5 | Citrix | spiceworks.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Customer Experience Improvement Program\Server\' -TaskName 'ServerRoleUsageCollector'
taskPathPattern: \Microsoft\Windows\Customer Experience Improvement Program\Server\
taskNamePattern: ServerRoleUsageCollector
-
category: Disable Application Experience data collection
docs: |-
Application Experience comprises services and tasks that help applications, including older ones, run smoothly.
These components collect and send telemetry data to Microsoft, potentially impacting user privacy [1] [2] [3] [4].
Scripts under this category aim to enhance user privacy and data protection, and to protect the system from potential
vulnerabilities [5]. They also optimize system performance [1] [2] by removing non-essential operating system components.
However, disabling Application Experience could influence the performance or compatibility of specific applications
or services on your system [3] [5].
[1]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage "High network bandwidth usage - Configuration Manager | Microsoft Learn"
[2]: https://web.archive.org/web/20230929124644/https://geeksadvice.com/fix-microsoft-compatibility-telemetry-high-cpu-usage/ "Fix Microsoft Compatibility Telemetry High CPU Usage (CompatTelRunner.exe) | Geek's Advice"
[3]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
[4]: https://web.archive.org/web/20230928142052/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health "Monitor connection health - Configuration Manager | Microsoft Learn"
[5]: https://web.archive.org/web/20230929124720/https://nvd.nist.gov/vuln/detail/CVE-2019-1267 "NVD - CVE-2019-1267 | nist.gov"
children:
# Excluding:
# - "Application Experience" service (`AeLookupSvc`) as it has not existed since Windows 10 21H1 and Windows 11 22H2
-
category: Disable automatic system compatibility checks (Microsoft Compatibility Appraiser)
docs: |-
This category covers disabling of the Microsoft Compatibility Appraiser.
This tool checks your computer's software and hardware compatibility with the latest Windows updates,
including major upgrades such as Windows 11 [1].
It scans your system, collecting detailed information about your apps and devices to ensure everything will work
smoothly with potential updates [2] [3].
This process helps Microsoft improve Windows and keep your system running efficiently with the latest features.
However, it sends substantial system usage data to Microsoft, raising privacy concerns for some users.
This script optimizes your computer by managing how it prepares for Windows updates.
The Microsoft Compatibility Appraiser, designed to check system readiness for new updates, routinely discards saved
update data [2].
Consequently, your computer must redownload this data during subsequent update checks, consuming significant
internet bandwidth [2] and CPU resources [3].
By preventing this redundancy, the script reduces internet usage and improves computer performance.
The Microsoft Compatibility Appraiser contributes to Desktop Analytics [2] (formerly Windows Analytics [4]), a system
that collects and sends Windows diagnostics and app usage data to Microsoft servers [4].
This service is unavailable in high-privacy settings such as GCC High or the US Department of Defense [4],
highlighting its potential privacy implications.
These organizations, known for stringent privacy and security standards, do not utilize Desktop Analytics, suggesting
the service's inherent data collection practices may not align with high-privacy protocols.
Despite its utility, Microsoft Compatibility Appraiser can introduce additional vulnerabilities to your system. A known
elevation of privilege vulnerability in the appraiser, the "Microsoft Compatibility Appraiser Elevation of Privilege
Vulnerability" (CVE-2019-1267), leaves a configuration file susceptible to symbolic link and hard link attacks [5].
By disabling the Microsoft Compatibility Appraiser, this category contributes to enhancing your system's privacy by reducing
unnecessary data transmission to Microsoft servers, mitigating potential vulnerabilities, and conserving network bandwidth
and CPU usage.
[1]: https://web.archive.org/web/20230929124550/https://support.microsoft.com/en-us/windows/how-to-check-if-your-device-meets-windows-11-system-requirements-after-changing-device-hardware-f3bc0aeb-6884-41a1-ab57-88258df6812b "How to check if your device meets Windows 11 system requirements after changing device hardware - Microsoft Support"
[2]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage "High network bandwidth usage - Configuration Manager | Microsoft Learn"
[3]: https://web.archive.org/web/20230929124644/https://geeksadvice.com/fix-microsoft-compatibility-telemetry-high-cpu-usage/ "Fix Microsoft Compatibility Telemetry High CPU Usage (CompatTelRunner.exe) | Geek's Advice"
[4]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
[5]: https://web.archive.org/web/20230929124720/https://nvd.nist.gov/vuln/detail/CVE-2019-1267 "NVD - CVE-2019-1267 | nist.gov"
children:
-
name: Disable daily compatibility data collection ("Microsoft Compatibility Appraiser" task)
recommend: standard
docs: |-
This script disables the "Microsoft Compatibility Appraiser" scheduled task.
The "Microsoft Compatibility Appraiser" is a default scheduled task in Windows [1] [2].
It collects program telemetry information for participants in the Microsoft Customer Experience Improvement Program [2],
and it maintains this data collection across computer reboots [2].
Running at least daily [3], this task assesses your system's eligibility for Windows 11 upgrades [4].
By disabling this task, the script helps in optimizing computer performance as recommended by Microsoft [1] [2].
This action prevents the task from collecting and sending your computer's data to Microsoft, enhancing your privacy and conserving
system resources.
It also stops the task from checking Windows 11 eligibility, which can be beneficial for systems that do not plan to upgrade.
> **Caution:** While this script increases privacy, it may limit the system's ability to automatically resolve compatibility
> issues or provide upgrade recommendations.
### Overview of default task statuses
`\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser` [3] [4]:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20230929130253/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803#scheduled-tasks "Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
[2]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#scheduled-tasks "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn"
[3]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage#mitigation "High network bandwidth usage - Configuration Manager | Microsoft Learn"
[4]: https://web.archive.org/web/20230929124550/https://support.microsoft.com/en-us/windows/how-to-check-if-your-device-meets-windows-11-system-requirements-after-changing-device-hardware-f3bc0aeb-6884-41a1-ab57-88258df6812b "How to check if your device meets Windows 11 system requirements after changing device hardware - Microsoft Support"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'Microsoft Compatibility Appraiser'
taskPathPattern: \Microsoft\Windows\Application Experience\
taskNamePattern: Microsoft Compatibility Appraiser
-
name: Disable telemetry collector and sender process (`CompatTelRunner.exe`)
recommend: standard
docs: |-
This script disables `CompatTelRunner.exe`, associated with the Microsoft Compatibility Appraiser [1] [2].
This process runs at least daily [2] from Windows 7 onwards [3] [4].
It collects extensive data, including information about devices, apps, drivers, hardware configurations,
and other user engagement details [1] [6].
This data, formerly known as Windows Customer Data [7], is then sent to Microsoft servers [1].
`CompatTelRunner.exe` is known for high CPU [8], disk [8], and network usage [2], affecting system performance.
Disabling it can therefore lead to better computer efficiency and enhanced privacy by reducing data transmission to Microsoft.
The `CompatTelRunner.exe` is located in the directory: `%WINDIR%\System32\CompatTelRunner.exe` [1].
This script specifically targets and disables it at this location.
[1]: https://web.archive.org/web/20230928142052/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health "Monitor connection health - Configuration Manager | Microsoft Learn"
[2]: https://web.archive.org/web/20230929124611/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/high-network-bandwidth-usage "High network bandwidth usage - Configuration Manager | Microsoft Learn"
[3]: https://web.archive.org/web/20230929132723/https://support.microsoft.com/en-us/topic/compatibility-update-for-keeping-windows-up-to-date-in-windows-7-5fe4a218-adf1-9074-9522-bea956cf149b "Compatibility update for keeping Windows up-to-date in Windows 7 - Microsoft Support"
[4]: https://web.archive.org/web/20230929132734/https://support.microsoft.com/en-us/topic/compatibility-update-for-keeping-windows-up-to-date-in-windows-8-1-34c1fdff-bb94-32ef-4a8b-0d71e11c4af0 "Compatibility update for keeping Windows up-to-date in Windows 8.1 - Microsoft Support"
[5]: https://web.archive.org/web/20230929132806/https://support.microsoft.com/en-us/topic/update-rollup-2-for-system-center-configuration-manager-current-branch-version-1810-fb956f05-ef39-03b4-ab73-e66dd5e96a9a "Update Rollup 2 for System Center Configuration Manager current branch, version 1810 - Microsoft Support"
[6]: https://web.archive.org/web/20230929132837/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/appraiser-diagnostic-data-events-and-fields#windows-customer-data-opt-in "Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields | Microsoft Learn"
[7]: https://web.archive.org/web/20230929132845/https://support.microsoft.com/en-us/topic/compatibility-update-for-keeping-windows-up-to-date-in-windows-server-2012-r2-and-windows-server-2008-r2-sp1-c62197fb-d711-f7d3-f135-172844b9f322 "Compatibility update for keeping Windows up-to-date in Windows Server 2012 R2 and Windows Server 2008 R2 SP1 - Microsoft Support"
[8]: https://web.archive.org/web/20230929124644/https://geeksadvice.com/fix-microsoft-compatibility-telemetry-high-cpu-usage/ "Fix Microsoft Compatibility Telemetry High CPU Usage (CompatTelRunner.exe) | Geek's Advice"
call:
-
function: TerminateAndBlockExecution
parameters:
executableNameWithExtension: CompatTelRunner.exe
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\CompatTelRunner.exe'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
category: Disable background application compatibility checks (Application Experience scheduled tasks)
docs: |-
This category focuses on disabling scheduled tasks related to Application Experience.
These tasks aim to improve user experience by identifying compatibility issues with older software and boosting application performance.
However, they also collect and transmit telemetry data to Microsoft.
Disabling them can optimize system performance, reduce unwanted data collection, and lower security risks.
To view all the scheduled tasks related to Application Experience, you can use the following PowerShell command:
```powershell
@('\Microsoft\Windows\Application Experience\*') `
| ForEach-Object { Get-ScheduledTask -TaskName '*' -TaskPath $_ -ErrorAction SilentlyContinue } `
| ForEach-Object { Write-Host "$($_.TaskPath)$($_.TaskName)" }
```
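To go from listing the tasks to auditing them, the following added example (not part of privacy.sexy) reports the state of every task that the scripts in this category target and also surfaces any other task found in the same folder.
The function name `Get-AppExperienceTaskAudit` and its parameters are illustrative; the task names are the ones documented in this category.

```powershell
# Added example (not privacy.sexy code). Function and parameter names are illustrative.
function Get-AppExperienceTaskAudit {
    [CmdletBinding()]
    param(
        [string] $TaskPath = '\Microsoft\Windows\Application Experience\',
        # Task names taken from the scripts documented in this category.
        [string[]] $CoveredTaskNames = @(
            'Microsoft Compatibility Appraiser', 'ProgramDataUpdater', 'AitAgent',
            'StartupAppTask', 'PcaPatchDbTask', 'SdbinstMergeDbTask', 'MareBackup'
        )
    )

    # A folder without matching tasks raises an error; treat it as an empty result.
    $present = @(Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue)
    $byName = @{}
    foreach ($task in $present) { $byName[$task.TaskName] = $task }

    # Tasks in the same folder that no script covers are reported as well,
    # so that tasks introduced by other Windows builds do not go unnoticed.
    $unlisted = @($present |
        Where-Object { $_.TaskName -notin $CoveredTaskNames } |
        ForEach-Object { $_.TaskName })

    foreach ($name in @($CoveredTaskNames) + $unlisted) {
        $task = $byName[$name]
        [pscustomobject]@{
            TaskName = $name
            Covered  = $name -in $CoveredTaskNames
            # "Missing" corresponds to the "N/A (missing)" rows in the status tables.
            State    = if ($task) { [string] $task.State } else { 'Missing' }
            # Exec actions expose Execute; COM handler actions leave it empty.
            Executes = if ($task) {
                @($task.Actions | ForEach-Object { $_.Execute } | Where-Object { $_ }) -join '; '
            } else { '' }
        }
    }
}

Get-AppExperienceTaskAudit | Sort-Object Covered, TaskName | Format-Table -AutoSize
```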
children:
-
name: Disable program data collection and reporting (`ProgramDataUpdater`)
recommend: standard
docs: |-
This script disables the "ProgramDataUpdater" scheduled task.
This component collects and transmits Application Telemetry information for participants in
the Microsoft Customer Experience Improvement Program [1].
Running this script improves privacy and security by limiting data transmission, making it suitable for high-security environments.
Recommendations to disable or delete this task have been voiced by both the Polish [2] and Argentine [3] governments.
Microsoft acknowledges this task as non-essential, explaining that its deactivation improves system reliability and
performance by preventing possible degradation [1] [4].
It highlights that the task's deactivation will not adversely affect other users and services,
reinforcing its non-critical nature [1].
Running this script prioritizes privacy by reducing telemetry data sent to Microsoft.
This choice comes without any notable drawbacks [1], thereby ensuring enhanced privacy and security.
### Overview of default task statuses
`\Microsoft\Windows\Application Experience\ProgramDataUpdater`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231002104948/https://learn.microsoft.com/en-us/services-hub/health/other/work-with-results/assessmentplanreport_windowsclientassessmentplus.xlsx "Windows Client Assessment Recommendations Report generated on: 06/13/2019 | microsoft.com"
[2]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP | plid.obywatel.gov.pl"
[3]: https://archive.ph/2023.10.17-193954/http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml "A complete task sequence for deploying a client operating system (snapshot from http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml) | Government of Argentina"
[4]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'ProgramDataUpdater'
taskPathPattern: \Microsoft\Windows\Application Experience\
taskNamePattern: ProgramDataUpdater
-
name: Disable application usage tracking (`AitAgent`)
recommend: standard
docs: |-
This script disables the "AitAgent" scheduled task.
`AitAgent` is a task that is part of the Microsoft Customer Experience Improvement Program [3] [4], which aggregates and uploads
Application Telemetry information if the user has opted in [3].
This task is part of Application Experience as per its registry location
(`Microsoft\Windows\Application Experience\AitAgent` [1] [3])
and VMware's documentation [4].
Governments of various countries, including Argentina [1] and the United States (via VMware) [2], recommend disabling this
task to improve system privacy by reducing data collection. Microsoft recommends disabling it to optimize the speed of your computer [5].
By disabling this task, you minimize background activities on your system, contributing positively to your privacy.
### Overview of default task statuses
`\Microsoft\Windows\Application Experience\AitAgent`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟡 N/A (missing) |
[1]: https://archive.ph/2023.10.17-193954/http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml "A complete task sequence for deploying a client operating system (snapshot from http://onc-ftp1.argentinacompra.gov.ar/0091/000/020000042017001000/CNV-000736230001.xml) | Government of Argentina"
[2]: https://web.archive.org/web/20231123073336/https://www.mspb.gov/foia/files/VMWareHealthCheckReport.pdf "VMware Desktop Virtualization Health Check Services Health Check Report | www.mspb.gov"
[3]: https://web.archive.org/web/20231130072051/http://windows.fyicenter.com/4363_AitAgent_Scheduled_Task_on_Windows_8.html '"AitAgent" Scheduled Task on Windows 8'
[4]: https://web.archive.org/web/20231017193840/https://docs.vmware.com/en/VMware-Horizon-7/7.13/horizon-virtual-desktops/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html "Disable the Windows Customer Experience Improvement Program | docs.vmware.com"
[5]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'AitAgent'
taskPathPattern: \Microsoft\Windows\Application Experience\
taskNamePattern: AitAgent
-
name: Disable startup application data tracking (`StartupAppTask`)
recommend: strict
docs: |-
This script disables the "StartupAppTask" scheduled task.
This task checks auto-start programs at boot-up and alerts the user if there are too many of them [1].
By disabling this task, you can speed up your computer's startup time and reduce unnecessary data collection [1].
Microsoft itself suggests turning it off to optimize system performance and reduce data collection [1] [2].
### Overview of default task statuses
`\Microsoft\Windows\Application Experience\StartupAppTask`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#scheduled-tasks "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn"
[2]: https://web.archive.org/web/20220120073244/https://docs.microsoft.com/en-us/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe "Hot off the presses, get it now, the Windows 8 VDI optimization script, courtesy of PFE! | Microsoft Docs"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'StartupAppTask'
taskPathPattern: \Microsoft\Windows\Application Experience\
taskNamePattern: StartupAppTask
-
name: Disable software compatibility updates (`PcaPatchDbTask`)
recommend: strict
docs: |-
This script disables the "PcaPatchDbTask" scheduled task.
"PcaPatchDbTask" is responsible for periodically updating a specific database that tracks software known to have compatibility issues [1].
When users run a program listed in this database, Windows' Program Compatibility Assistant (PCA) will notify them and suggest a solution
to address the compatibility problem the next time the program is started [2] [3]. By keeping this database updated, the PCA can consistently
recognize and remedy compatibility conflicts, ensuring that even software designed for older Windows versions runs correctly on newer ones.
This database is named the System Application Compatibility Database [3]. Its primary function is to support users in seamlessly operating older
software on modern Windows versions by auto-applying compatibility settings when necessary.
Besides compatibility features, 'PcaPatchDbTask' supports Windows' Dynamic Update process, performing tasks like [4]:
- Retrieving the latest Windows updates and integrating them into the existing system [4]. This action can occasionally trigger antivirus alerts, labeling
the process as "Riskware.Injector.Generic" [5].
- Acquiring drivers that may be missing from the installation media [4].
- Keeping the aforementioned compatibility database up-to-date [1] [4].
"PcaPatchDbTask" was initially rolled out in Windows 10 [4] and has been present by default since Windows 10 21H1 and Windows 11 22H2.
Disabling this task might enhance user privacy by preventing automated compatibility checks and updates. However, users might miss out on helpful
compatibility solutions for older software.
### Overview of default task statuses
`\Microsoft\Windows\Application Experience\PcaPatchDbTask`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231004190322/https://raw.githubusercontent.com/Azure/Azure-Sentinel/daa1d3717a3c6240cf15f7f06041905b73208720/Sample%20Data/ASIM/Microsoft_Windows_AuditEvent_WindowsEvent_IngestedLogs_.csv "(Line 48 shows task scheduler description for PcaPatchDbTask) Azure-Sentinel/Sample Data/ASIM/Microsoft_Windows_AuditEvent_WindowsEvent_IngestedLogs_.csv at daa1d3717a3c6240cf15f7f06041905b73208720 · Azure/Azure-Sentinel | github.com"
[2]: https://web.archive.org/web/20231004182336/https://techcommunity.microsoft.com/t5/ask-the-performance-team/the-program-compatibility-assistant-part-one/ba-p/372538 "The Program Compatibility Assistant - Part One - Microsoft Community Hub | techcommunity.microsoft.com"
[3]: https://web.archive.org/web/20231004182349/https://techcommunity.microsoft.com/t5/ask-the-performance-team/the-program-compatibility-assistant-part-two/ba-p/372543 "The Program Compatibility Assistant - Part Two - Microsoft Community Hub | techcommunity.microsoft.com"
[4]: https://web.archive.org/web/20231004182253/https://slideplayer.com/slide/12553555/ "Enhance Windows 10 deployment: What's new with Windows 10 deployment | Microsoft (from Microsoft Ignite 2016)"
[5]: https://web.archive.org/web/20231004182325/https://forums.malwarebytes.com/topic/274456-recurring-detection-infection-or-part-of-a-windows-update/ "Recurring Detection - infection or part of a Windows update? - File Detections - Malwarebytes Forums"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'PcaPatchDbTask'
taskPathPattern: \Microsoft\Windows\Application Experience\
taskNamePattern: PcaPatchDbTask
-
name: Disable compatibility adjustment data sharing (`SdbinstMergeDbTask`)
recommend: strict
docs: |-
This script disables the "SdbinstMergeDbTask" scheduled task.
The 'SdbinstMergeDbTask' task merges pending shim application compatibility databases, as described in
Task Scheduler (Windows 11 22H2), facilitating the running of older software on newer Windows versions.
According to Task Scheduler (Windows 11 22H2), the task utilizes the `sdbinst.exe` tool [1] [2] [3].
This tool is known as the "Application Compatibility Database Installer" [4].
It is part of the Application Compatibility Toolkit (ACT) [4] [5].
It allows the deployment of SDB files (Windows Shim Database [6] [7]) to the computer [4] [5].
Before any compatibility fixes or messages are applied [5], this tool is used to make sure applications run correctly, a process called application shimming [8].
This task is associated with the collection of telemetry data [1] [2] [3].
Telemetry data is information that software providers, such as Microsoft, gather about software usage.
By disabling this task, the amount of telemetry data that Microsoft collects is reduced, which boosts user privacy.
Additionally, there have been instances where malicious actors exploited this Windows feature to covertly gain
unauthorized access and execute code within genuine Windows processes [2] [9] [10] [11].
Disabling this task provides an added layer of security against such threats.
Standard administrator rights are insufficient to turn off this task [12].
Attempts to do so result in an `ERROR: Access is denied` message.
To overcome this, the script escalates its privileges to ensure the task is correctly disabled.
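As a defender-side complement to the shim abuse mentioned above, the following added example (not part of privacy.sexy) inventories the custom shim databases currently registered on a machine so they can be reviewed.
The `AppCompatFlags` registry locations, the `DatabaseInstallTimeStamp` format and the `%WINDIR%\AppPatch` location check are assumptions about standard `sdbinst.exe` behavior, and the function name is illustrative.

```powershell
# Added example (not privacy.sexy code). Function and parameter names are illustrative.
function Get-InstalledShimDatabase {
    [CmdletBinding()]
    param(
        # Assumption: standard key under which sdbinst.exe registers custom databases.
        [string] $AppCompatFlagsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags',
        # Assumption: databases installed by sdbinst.exe are copied below this folder.
        [string] $ExpectedRoot = (Join-Path $env:WINDIR 'AppPatch')
    )
    $installedKey = "$AppCompatFlagsKey\InstalledSDB"
    $customKey = "$AppCompatFlagsKey\Custom"
    $root = $ExpectedRoot.TrimEnd('\') + '\'

    # Custom\<executable> holds one value per database, named "{GUID}.sdb".
    # Build a map from database GUID to the executables it applies to.
    $targetsByGuid = @{}
    if (Test-Path -LiteralPath $customKey) {
        foreach ($exeKey in Get-ChildItem -LiteralPath $customKey) {
            foreach ($valueName in $exeKey.GetValueNames()) {
                $guid = $valueName -replace '\.sdb$', ''
                if (-not $targetsByGuid.ContainsKey($guid)) { $targetsByGuid[$guid] = @() }
                $targetsByGuid[$guid] += $exeKey.PSChildName
            }
        }
    }

    # No InstalledSDB key means no custom database is registered.
    if (-not (Test-Path -LiteralPath $installedKey)) { return }

    foreach ($dbKey in Get-ChildItem -LiteralPath $installedKey) {
        $guid = $dbKey.PSChildName
        $path = [string] $dbKey.GetValue('DatabasePath')
        # Assumption: the install time is a FILETIME stored as REG_QWORD.
        $stamp = $dbKey.GetValue('DatabaseInstallTimeStamp')
        $exists = [bool] $path -and (Test-Path -LiteralPath $path -PathType Leaf)

        [pscustomobject]@{
            Guid         = $guid
            Description  = [string] $dbKey.GetValue('DatabaseDescription')
            DatabasePath = $path
            InstalledUtc = if ($stamp) { [DateTime]::FromFileTimeUtc([long] $stamp) } else { $null }
            Targets      = @($targetsByGuid[$guid]) -join ', '
            FileExists   = $exists
            # Triage hints only: a registration pointing outside the expected
            # folder, or to a file that no longer exists, is worth reviewing.
            OutsideRoot  = -not $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
            Sha256       = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        }
    }
}

Get-InstalledShimDatabase |
    Sort-Object -Property OutsideRoot, InstalledUtc -Descending |
    Format-List
```

An empty result means no custom shim database is registered; entries that exist should be traceable to software that was installed on purpose.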
### Overview of default task statuses
`\Microsoft\Windows\Application Experience\SdbinstMergeDbTask`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231005111407/https://github.com/elastic/detection-rules/issues/2354 "[Rule Tuning] Potential Application Shimming via Sdbinst (Windows) · Issue #2354 · elastic/detection-rules | github.com"
[2]: https://web.archive.org/web/20231005111515/https://www.elastic.co/guide/en/security/current/potential-application-shimming-via-sdbinst.html "Potential Application Shimming via Sdbinst | Elastic Security Solution [8.10] | Elastic"
[3]: https://web.archive.org/web/20231005111850/https://www.bleepingcomputer.com/forums/t/785832/farbar-loghijackthis-log/ "FarBar log/HijackThis log - Virus, Trojan, Spyware, and Malware Removal Help | bleepingcomputer.com"
[4]: https://web.archive.org/web/20231005111905/https://download.microsoft.com/download/4/a/2/4a28d2bb-2916-43a6-9c88-a819d3bfa70f/05_CHAPTER_3_Planning_and_Testing_for_Application_Deployment.doc "Planning and Testing for Application Deployment (Word Document) | microsoft.com"
[5]: https://web.archive.org/web/20231005111314/https://learn.microsoft.com/en-us/windows/deployment/planning/using-the-sdbinstexe-command-line-tool "Using the Sdbinst.exe Command-Line Tool (Windows 10) - Windows Deployment | Microsoft Learn"
[6]: https://web.archive.org/web/20231005111428/https://www.microfocus.com/documentation/idol/IDOL_23_2/KeyviewViewingSDK_23.2_Documentation/Guides/html/Content/kv_formats/_KV_FMT__AllDetected.htm "Supported Formats | microfocus.com"
[7]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com"
[8]: https://web.archive.org/web/20231005111828/https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ "Process Injection and Persistence using Application Shimming | Andrea Fortuna | andreafortuna.org"
[9]: https://web.archive.org/web/20231005112020/https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sdbinst_shim_persistence/ "Potential Shim Database Persistence via Sdbinst.EXE | Detection.FYI"
[10]: https://web.archive.org/web/20231005112110/https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sdbinst_susp_extension/ "Suspicious Shim Database Installation via Sdbinst.EXE | Detection.FYI"
[11]: https://web.archive.org/web/20231005112255/https://jpcertcc.github.io/ToolAnalysisResultSheet/details/SDB-UAC-Bypass.htm "SDB UAC Bypass | jpcertcc.github.io"
[12]: https://web.archive.org/web/20231005111150/https://discuss.techlore.tech/t/will-windows-11-force-me-to-sign-in-to-a-microsoft-account/1869/9 "Will Windows 11 force me to sign in to a Microsoft Account? - Privacy and Security / Get Advice - Techlore Discussions | discuss.techlore.tech"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'SdbinstMergeDbTask'
taskPathPattern: \Microsoft\Windows\Application Experience\
taskNamePattern: SdbinstMergeDbTask
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 23H2]
-
name: Disable application backup data gathering (`MareBackup`)
recommend: strict
docs: |-
This script disables the "MareBackup" scheduled task.
According to the Task Scheduler, this task gathers Win32 application data for backups.
It executes `%WINDIR%\System32\CompatTelRunner.exe`.
Although this task is intended for backup and system reliability, some users may prefer limiting the amount of data
collected by Windows, thus enhancing their privacy.
> **Caution**: Designed for application data backup, this task supports data recovery processes.
### Overview of default task statuses
`\Microsoft\Windows\Application Experience\MareBackup`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' -TaskName 'MareBackup'
taskPathPattern: \Microsoft\Windows\Application Experience\
taskNamePattern: MareBackup
-
category: Disable Application Compatibility Framework
docs: |-
This category disables the Application Compatibility (AppCompat) framework on Windows.
The Application Compatibility (AppCompat) framework is a feature in Windows that collects data about application compatibility.
This includes gathering information about application crashes, issues, and other operational details to help improve the
compatibility of applications on Windows [1].
It is controlled by a set of policies within the Microsoft Windows operating system aimed at enabling applications designed
for older versions of Windows to function properly on newer versions [1].
However, the Application Compatibility framework involves various forms of data collection that may be considered invasive from
a privacy standpoint [1]. It can potentially be exploited to reveal more data about your application usage or to inject
malware into your computer [2] [3] [4].
By disabling the AppCompat framework, this script contributes to enhancing users' privacy by limiting potential data collection
and exposure to malware exploitation.
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson"
[3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com"
[4]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com"
children:
-
name: Disable Application Impact Telemetry (AIT)
recommend: standard
docs: |-
This script disables Application Impact Telemetry (AIT).
Application Impact Telemetry (AIT) is a function that tracks the usage of certain Windows system components by
various applications [1]. Turning this feature off stops the collection of usage data [1], enhancing your privacy
by ensuring that your usage patterns and behaviors are not sent to external servers.
Disabling telemetry will take effect on any newly launched applications [1]. To ensure that telemetry collection has
stopped for all applications, please reboot your machine [1].
Note that if the Customer Experience Improvement Program (CEIP) is turned off, Application Telemetry will be disabled
regardless of this setting [1].
This script performs its function by modifying a specific registry key:
`HKLM\Software\Policies\Microsoft\Windows\AppCompat!AITEnable`. This is the switch that controls the AIT setting
within the operating system [1].
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffapplicationimpacttelemetry "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat
valueName: AITEnable
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
name: Disable Application Compatibility Engine
recommend: standard
docs: |-
This script disables the Application Compatibility Engine on Windows systems.
The Application Compatibility Engine examines a compatibility database every time an application starts [1]. If it finds a match
for the application, it either applies compatibility fixes or displays a help message for known problems with the application [1].
This process may inadvertently reveal data about the applications you run on your system, especially if the query functions are
intercepted [2]. Moreover, this database can be utilized by malware creators to modify an application and make it perform unintended
actions [3].
Disabling the Application Compatibility Engine leads to enhanced system performance [1]. However, this might compromise the compatibility
of many older, popular applications and permit the installation of known incompatible applications [1]. Additionally, certain Windows
features like Windows Resource Protection and User Account Control use this engine to resolve application issues [1]. Without the engine,
these solutions won't be applied, and applications may not install or run correctly [1].
This option is suitable for users seeking faster performance who are knowledgeable about the compatibility of the applications they use [1].
Keep in mind that any changes to this setting require a system reboot to take effect as many system processes cache this setting's value for
performance reasons [1].
The script achieves its goal by altering a specific registry key: `HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine` [1].
By disabling this engine, which malware is known to exploit [4], the script reduces the potential attack surface on the system,
enhancing overall security.
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffengine "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230927174559/https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf "Malicious Application Compatibility Shims | blackhat.com"
[3]: https://web.archive.org/web/20230927174609/https://tzworks.com/prototype_page.php?proto_id=33 "Windows Shim Database (SDB) Parser | tzworks.com"
[4]: https://web.archive.org/web/20230927174707/https://docplayer.net/15700963-The-active-use-and-exploitation-of-microsoft-s-application-compatibility-framework-jon-erickson.html "'The active use and exploitation of Microsoft's Application Compatibility Framework' by Jon Erickson"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat
valueName: DisableEngine
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
name: Remove "Program Compatibility" tab from file properties (context menu)
recommend: strict
docs: |-
This script removes the "Program Compatibility" tab from the file properties context menu. This tab is visible on the property context menu
of any program shortcut or executable file, and displays options that can be applied to the application to solve common issues affecting
older applications [1].
When enabled, this script prevents the compatibility property page from appearing in the context menus, though it does not impact any prior
compatibility settings applied to applications through this interface [1].
This script achieves its functionality by modifying a specific registry key:
`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage` [1].
This setting is often used in organizational environments to prevent end-users from modifying the compatibility settings of applications.
It ensures that applications operate with the settings considered most suitable by the system administrator or IT department. This restriction
aids in upholding system stability and security by ensuring users cannot run applications in modes recognized to be insecure or unstable.
This script assists in upholding a more secure and stable environment by barring unauthorized changes to application compatibility settings.
The security benefits include:
- **Restricting User Actions**: By limiting the actions that a user can perform, administrators can prevent unintended security vulnerabilities.
Users may inadvertently (or intentionally) choose settings that could expose the system to risks, and this script helps in preventing
such scenarios.
- **Maintaining Known Configurations**: By ensuring that applications can only run in certain compatibility modes, administrators can more
effectively manage and secure their environments. They can thoroughly test and verify the security of the allowed configurations, leading to
a more robust security posture.
- **Preventing Exploitation of Vulnerabilities**: Some compatibility settings might make applications run in a less secure mode to maintain
compatibility with older software or systems. Preventing users from enabling such settings can help in avoiding potential vulnerabilities
associated with these modes.
By preventing users from changing compatibility settings, you could prevent them from selecting settings that send additional data to
software vendors (for example, certain compatibility modes might enable additional telemetry or error reporting). Though primarily aimed at
control and stability, this restriction indirectly contributes to privacy protection by reducing potential unwanted data transmission.
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatremoveprogramcompatproppage "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat
valueName: DisablePropPage
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
name: Disable Steps Recorder (collects screenshots, mouse/keyboard input and UI data)
recommend: standard
docs: |-
This script disables Steps Recorder on your device.
Steps Recorder, formerly known as Problem Steps Recorder [1] [2], is a tool that records the actions taken on a computer, including keyboard and mouse inputs,
user interface interactions, and screenshots with every click [2] [3]. This tool is used to diagnose and troubleshoot problems by capturing the exact steps
taken when an issue occurs [1]. The data collected by Steps Recorder can be sent to Microsoft or third-party developers [3] [4], potentially revealing sensitive
user information.
By running this script, the Steps Recorder functionality will be turned off by altering a specific registry key:
`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableUAR` [3]. This prevents the automatic recording and sharing of user action data, enhancing the
privacy and security of the user's device.
Not running this script leaves the Steps Recorder enabled by default on Windows [3], allowing it to record and potentially share user actions and information.
Using this script enhances user privacy by ensuring that personal actions taken on a computer are not automatically recorded and shared without the
user's knowledge or consent. It's a straightforward measure to increase your control over your own device and data. Additionally, disabling Steps Recorder
is recommended by The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [5].
While enhancing privacy, this script may complicate the troubleshooting process as Steps Recorder will not be available to easily record and share encountered
issues.
[1]: https://web.archive.org/web/20230927120359/https://support.microsoft.com/en-us/windows/record-steps-to-reproduce-a-problem-46582a9b-620f-2e36-00c9-04e25d784e47 "Record steps to reproduce a problem - Microsoft Support"
[2]: https://web.archive.org/web/20230927120405/https://cloudblogs.microsoft.com/dynamics365/no-audience/2016/03/08/capturing-repro-scenarios-using-windows-steps-recorder/ "Capturing Repro Scenarios Using Windows Steps Recorder - Microsoft Dynamics 365 Blog"
[3]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffuseractionrecord "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[4]: https://web.archive.org/web/20230927120745/https://learn.microsoft.com/en-us/windows/win32/win7appqual/windows-error-reporting-problem-steps-recorder "Windows Error Reporting Problem Steps Recorder - Win32 apps | Microsoft Learn"
[5]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\AppCompat
valueName: DisableUAR
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
name: Disable "Inventory Collector" task
recommend: standard
docs: |-
This script disables the "Inventory Collector" task on your computer.
The Inventory Collector is a feature in Windows that gathers data about the applications, files, devices, and drivers on your system and sends
this information to Microsoft [1]. This process is used to help solve compatibility problems, ensuring that your software and hardware work
together without issues [1].
Running this script will turn off the Inventory Collector, ensuring no data is sent to Microsoft [1]. It also stops the collection of installation
data through the Program Compatibility Assistant [1]. By disabling these features, you prevent potentially sensitive information from being shared
and avoid uncontrolled updates to your system [2] [3]. If not disabled, the Inventory Collector remains active, continuing to send data [1].
If the Customer Experience Improvement Program is turned off, the Inventory Collector will already be inactive, and running this script will have no
effect [1].
Disabling Inventory Collector is advised by several organizations and authorities for enhanced security:
- The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) [4]
- The Department of Defense (DoD) information systems in the USA [2]
- Microsoft, as part of Windows security baseline for Azure [3]
- National Institute of Standards and Technology (NIST) in the USA [5]
This advice is based on the principle of limiting the amount of data shared, contributing to better privacy and security.
When you run this script, it modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory`) to turn off the
Inventory Collector [1].
> **Caution:** Disabling the Inventory Collector may lead to challenges in identifying and resolving compatibility issues
> between your software and hardware.
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprograminventory "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230927174739/https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63663 "The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft | stigviewer.com"
[3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#windows-components "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20210729125842/https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-microsoft-windows-10-version-1909-workstations "Hardening Microsoft Windows 10 version 1909 Workstations | Cyber.gov.au"
[5]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat
valueName: DisableInventory
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
category: Disable Program Compatibility Assistant (PCA)
docs: |-
This category covers disabling the Program Compatibility Assistant (PCA) in Windows.
The PCA is designed to help users run desktop applications created for earlier versions of Windows by tracking and identifying known compatibility
issues [1]. When an issue is detected, PCA offers the user a recommended fix to help the app run better on Windows [1].
**Privacy Implications:**
1. **Tracking and Monitoring of Application Activities:** PCA tracks the activities and behaviors of applications to identify symptoms of compatibility
issues [1]. Continuous monitoring could inadvertently collect user data, depending on the nature of the applications being monitored and the specifics
of the compatibility issues. This persistent oversight could be seen as an invasion of privacy as users' application usage is consistently observed.
2. **Application and System Data Access:** PCA accesses data about the application and system to determine appropriate compatibility modes and fixes [1].
Access to application and system data might inadvertently lead to access to sensitive or personal information. The extent of PCA's access to such information
is not clear from the official documentation, presenting a potential privacy concern.
3. **Automatic Modifications and Permissions:** PCA automatically applies certain compatibility modes to resolve issues, such as giving applications
administrative privileges or preventing an app from freeing a DLL from memory [1]. Automatic changes in application permissions or behavior could potentially
introduce security risks, as apps might gain access to resources or data they would not normally have access to. Users may not be fully aware of the extent of
the changes applied, leading to unintentional security or privacy vulnerabilities.
4. **User Notification and Consent:** While PCA does notify users and often requires their input to apply recommended settings, some fixes are applied silently [1].
Users might not be aware of all the changes PCA makes to application settings and system configurations, limiting their control over their own system and potential
impacts on their privacy.
5. **User Feedback and Data Sharing with Microsoft**: At the end of each scenario, after the app is run with recommended compatibility settings, the Program Compatibility
Assistant (PCA) will ask the user a simple question to gather feedback on whether the app worked or failed with the compatibility setting [1]. This data is sent to
Microsoft [1]. Users may have concerns about sending any kind of data to Microsoft. Some users might be wary of potential data mishandling or misuse. It's crucial
to ensure that the data collected is securely stored and processed, and that users are adequately informed about what data is being collected and how it will be used.
6. **Detection and Mitigation Measures by PCA**: The PCA automatically detects issues with applications and applies various mitigation measures [1]. The automatic
detection and mitigation by PCA imply that the system is continuously monitoring application behavior, which might be seen as invasive by some users. There could be
concerns regarding what kind of data is accessed by PCA during this monitoring and whether any sensitive data could potentially be exposed.
7. **Downloading Missing Components for Apps:** PCA provides a recommendation to download missing components and install them after the app terminates [1].
This could involve downloading software from the internet, which may introduce security and privacy risks [1]. Users might inadvertently download malicious software or
software with privacy-invasive features if not adequately guided [1].
8. **Handling of Administrative Privileges:** PCA handles various scenarios involving administrative privileges and User Account Control (UAC) dialogs, including applying
the `RUNASADMIN` compatibility mode to certain installers and applets [1]. This handling of administrative privileges could potentially be exploited by malicious software
to gain elevated privileges without adequate user knowledge or consent. It is important to ensure that the mechanisms for handling administrative privileges are secure and
not prone to exploitation.
9. **Using the Compatibility Troubleshooter**: The Compatibility Troubleshooter allows users to apply recommended fixes to get apps working properly [1]. Use of the
Compatibility Troubleshooter involves sharing more data regarding app behavior and issues with Microsoft, raising similar concerns as mentioned above regarding data sharing.
By disabling PCA, these potential privacy and security concerns can be mitigated, giving users more control over their data and application behavior, and reducing the risk
of unintentional data collection and sharing.
[1]: https://web.archive.org/web/20230928141226/https://learn.microsoft.com/en-us/windows/compatibility/pca-scenarios-for-windows-8 "Program Compatibility Assistant scenarios - Compatibility Cookbook | Microsoft Learn"
children:
-
name: Disable "Program Compatibility Assistant (PCA)" feature
recommend: standard
docs: |-
This script disables the Program Compatibility Assistant (PCA) feature in Windows [1].
The purposes include:
- Enhances privacy by stopping the continuous monitoring and data collection by PCA. The PCA monitors applications run by the user [1].
- Users gain more control over their system by manually managing application compatibility issues. When a potential compatibility issue with an
application is detected, the PCA will prompt the user with recommended solutions [1].
- Potentially avoids the automatic changes made by PCA that might introduce security risks.
- Increases system performance. Microsoft states that turning off the PCA can be useful for those who require better performance and are
already aware of application compatibility issues [1].
This script modifies a specific registry key (`HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA`) to turn off the PCA [1].
As a result, users will not receive automatic solutions to known compatibility issues when running applications [1], ensuring that they have
control over the solutions they apply.
By default, if you do not run this script or disable PCA manually, the PCA will be turned on [1].
Once this script is executed and PCA is turned off, the user won't be presented with solutions to known compatibility issues when running applications [1].
[1]: https://web.archive.org/web/20230924112733/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-appcompat#appcompatturnoffprogramcompatibilityassistant_2 "ADMX_AppCompat Policy CSP - Windows Client Management | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat
valueName: DisablePCA
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
name: Disable "Program Compatibility Assistant Service" (`PcaSvc`)
recommend: standard
docs: |-
This script disables the "Program Compatibility Assistant Service" (`PcaSvc`) in Windows [1].
The `PcaSvc` assists the Program Compatibility Assistant (PCA) in monitoring programs installed and run by the user [1], detecting known compatibility problems [1],
and aiding in Windows appraiser data collection [2]. By disabling this service, the script prevents PCA from functioning [1], thereby halting application monitoring
and data collection, leading to enhanced user privacy.
This script turns off the `PcaSvc` which is, by default, automatically started in Windows [1].
Microsoft has clarified that disabling this service does not have a negative impact on the system's functionality, affirming that it's safe to execute this action [1].
By running this script, you prevent the continuous surveillance and data gathering activities conducted by PCA.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🟢 Running | Automatic |
| Windows 11 (≥ 22H2) | 🟢 Running | Automatic |
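
Added example, not part of privacy.sexy: a read-only PowerShell audit of the five `AppCompat` policy values set by the scripts above and of the `PcaSvc` start type. The function name `Get-PolicyValueState` is hypothetical, and treating `Disabled` as the expected start type is an assumption about what `DisableService` leaves behind.

```powershell
# Added example: read-only audit, not generated by privacy.sexy.
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$expected = [ordered]@{          # value names and data as listed on this page
    DisableEngine    = 1
    DisablePropPage  = 1
    DisableUAR       = 1
    DisableInventory = 1
    DisablePCA       = 1
}

function Get-PolicyValueState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [int]    $ExpectedData
    )
    # Open the 64-bit view explicitly so a 32-bit host reads the same key.
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $view = [Microsoft.Win32.RegistryView]::Registry64
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    try {
        $key = $hklm.OpenSubKey($SubKey)    # read-only; $null when the key is absent
        if ($null -eq $key) { return 'KeyMissing' }
        try {
            # A missing value is the Windows default, i.e. the policy is not applied.
            if (@($key.GetValueNames()) -notcontains $ValueName) { return 'ValueMissing' }
            # A value of the wrong type (for example REG_SZ "1") is reported separately.
            $kind = $key.GetValueKind($ValueName)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "WrongType($kind)" }
            $data = $key.GetValue($ValueName)
            if ($data -eq $ExpectedData) { return 'Set' }
            return "Mismatch($data)"
        }
        finally { $key.Close() }
    }
    finally { $hklm.Close() }
}

$results = @(
    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Item     = "HKLM\${policyKey}!${name}"
            Expected = "REG_DWORD $($expected[$name])"
            State    = Get-PolicyValueState -SubKey $policyKey -ValueName $name -ExpectedData $expected[$name]
        }
    }
)

# Service check, using the same property as the "Check:" comment in the YAML.
$svc = Get-Service -Name 'PcaSvc' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $svcState = 'ServiceMissing'
}
elseif ($svc.StartType -eq 'Disabled') {   # assumed post-script start type
    $svcState = "Set (Status=$($svc.Status))"
}
else {
    $svcState = "Mismatch(StartType=$($svc.StartType), Status=$($svc.Status))"
}
$results += [pscustomobject]@{
    Item     = 'Service PcaSvc'
    Expected = 'StartType Disabled'
    State    = $svcState
}

$results | Format-Table -AutoSize
$open = @($results | Where-Object { $_.State -notlike 'Set*' })
Write-Output "$($open.Count) of $($results.Count) items differ from the expected state."
```

The audit reports configured policy only; as the `DisableEngine` documentation notes, a reboot is needed before that change takes effect.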
[1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#program-compatibility-assistant-service "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[2]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#appraiser-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
call:
function: DisableService
parameters:
serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
category: Disable Windows telemetry and data collection
children:
-
category: Disable diagnostics telemetry services
children:
-
name: Disable "Connected User Experiences and Telemetry" (`DiagTrack`) service # Connected User Experiences and Telemetry
recommend: standard
docs: |-
Details: [Connected User Experiences and Telemetry - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314062548/https://batcmd.com/windows/10/services/diagtrack/)
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🟢 Running | Automatic |
| Windows 11 (≥ 22H2) | 🟢 Running | Automatic |
call:
function: DisableService
parameters:
serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable WAP push notification routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service
recommend: standard
docs: |-
Details: [Device Management Wireless Application Protocol (WAP) Push message Routing Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314090537/http://batcmd.com/windows/10/services/dmwappushservice/)
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
call:
function: DisableService
parameters:
serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Diagnostics Hub Standard Collector" service
docs: |-
Details: [Microsoft (R) Diagnostics Hub Standard Collector Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314090703/https://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/)
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
call:
function: DisableService
parameters:
serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Diagnostic Execution Service" (`diagsvc`)
docs: |-
Details: [Diagnostic Execution Service - Windows 10 Service - batcmd.com](https://web.archive.org/web/20240314091013/https://batcmd.com/windows/10/services/diagsvc/)
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
call:
function: DisableService
parameters:
serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Disable census data collection
docs: |-
This category focuses on disabling Windows Census.
Windows Census is a component that collects device configuration data [1].
This configuration data includes your operating system, region, language, and hardware architecture [2].
Microsoft uses this data to determine which updates are appropriate for your system [3].
Disabling Census enhances privacy by preventing the collection and transmission of device data to Microsoft [1] [2] [3].
However, this may affect Windows' ability to provide tailored updates.
[1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
[2]: https://web.archive.org/web/20231017234118/https://answers.microsoft.com/en-us/windows/forum/all/what-is-device-census/6f0b9f58-86b6-4e36-8fc8-4701218b49b6 "What is Device Census? - Microsoft Community"
[3]: https://web.archive.org/web/20231017234127/https://support.microsoft.com/en-us/topic/update-to-windows-10-version-1703-version-1607-version-1511-and-version-1507-for-update-applicability-march-15-2018-3aad1c66-2b88-c012-4623-dee1410891ad "Update to Windows 10 Version 1703, Version 1607, Version 1511, and Version 1507 for update applicability: March 15, 2018 - Microsoft Support"
children:
-
name: Disable "Device" task
recommend: standard
docs: |-
This script disables the "Device" scheduled task.
According to the Task Scheduler, this task triggers the execution of the
`%WINDIR%\System32\devicecensus.exe SystemCxt` command in Windows 10 and 11.
This component collects device and configuration data, which is then sent to Microsoft [1].
By disabling this task, users can prevent this specific data collection process, enhancing their privacy.
### Overview of default task statuses
`\Microsoft\Windows\Device Information\Device`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Device Information\' -TaskName 'Device'
taskPathPattern: \Microsoft\Windows\Device Information\
taskNamePattern: Device
-
name: Disable "Device User" task
recommend: standard
docs: |-
This script disables the "Device User" scheduled task.
According to the Task Scheduler, this task triggers the execution of the
`%WINDIR%\System32\devicecensus.exe UserCxt` command in Windows 10 and 11.
This component collects device and configuration data, which is then sent to Microsoft [1].
By disabling this task, users can prevent this specific data collection process, enhancing their privacy.
### Overview of default task statuses
`\Microsoft\Windows\Device Information\Device User`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Device Information\' -TaskName 'Device User'
taskPathPattern: \Microsoft\Windows\Device Information\
taskNamePattern: Device User
-
name: Disable device and configuration data collection tool
recommend: standard
docs: |-
This script prevents the execution of `devicecensus.exe`, also known as the "device and configuration data collection tool" [1].
This tool is located at `%WINDIR%\System32\DeviceCensus.exe` [1] [2] and is responsible for gathering data used for compatibility updates [3].
Disabling this tool helps keep the device's data private and prevents its use for diagnostic collections or determining update
applicability [1] [2] [3].
[1]: https://web.archive.org/web/20231017234102/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/monitor-connection-health#census-data-collection "Monitor connection health - Configuration Manager | Microsoft Learn"
[2]: https://web.archive.org/web/20231017234628/https://strontic.github.io/xcyclopedia/library/DeviceCensus.exe-594993E23161BB37E365D8784DE020EA.html "DeviceCensus.exe | Device Census | STRONTIC | strontic.github.io"
[3]: https://web.archive.org/web/20231017234127/https://support.microsoft.com/en-us/topic/update-to-windows-10-version-1703-version-1607-version-1511-and-version-1507-for-update-applicability-march-15-2018-3aad1c66-2b88-c012-4623-dee1410891ad "Update to Windows 10 Version 1703, Version 1607, Version 1511, and Version 1507 for update applicability: March 15, 2018 - Microsoft Support"
call:
function: TerminateAndBlockExecution
parameters:
executableNameWithExtension: DeviceCensus.exe
-
category: Disable enterprise/business focused data collection
docs: |-
This category contains scripts to disable data collection capabilities focused on enterprise/business uses.
The scripts target various Windows features like Desktop Analytics, Windows Update for Business, and Azure services.
These capabilities are meant to provide insights for IT administrators but collect and transmit data from end user devices.
By disabling these enterprise/business focused data collection features, you can increase privacy and reduce data sharing
from your personal device. However, note that some functionality expected by business IT administrators may be reduced.
These scripts can help limit enterprise/Microsoft visibility into your device, but may limit management capabilities on
managed business devices.
children:
-
category: Disable Desktop Analytics telemetry
docs: |-
Desktop Analytics is a cloud-based service that provides insights about Windows devices in an organization.
The service provides insight and intelligence from user data [1].
Desktop Analytics collects diagnostic data from enrolled Windows devices and sends it to Microsoft cloud services [1].
It creates an inventory of apps running in an organization. This data provides insights about application compatibility
and pilot identification to help IT administrators in organizations evaluate the readiness and compatibility of devices
for Windows feature updates [1].
To enable data collection, Desktop Analytics configures settings on the device registry and group policies related
to commercial ID, telemetry levels, and data sharing [2].
While this data sharing raises potential privacy concerns, Microsoft states that privacy controls allow organizations
to limit data collection [1].
Desktop Analytics has been retired since November 30, 2022, in favor of Microsoft Intune and Configuration Manager [3].
[1]: https://web.archive.org/web/20230528031527/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
[2]: https://web.archive.org/web/20230531234446/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn"
[3]: https://web.archive.org/web/20230601065209/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/whats-new "What's new in Desktop Analytics - Configuration Manager | Microsoft Learn"
children:
-
name: Disable processing of Desktop Analytics
recommend: strict
docs: |-
This script ensures that Microsoft does not process Windows diagnostic data from your device [1].
When activated, it modifies a setting known as the Group Policy object on your device. This object is a set of policies that determine how your system operates.
The script disables a policy related to Microsoft's Desktop Analytics service. This service is designed to provide insights into the health and usage of your
devices but may involve processing diagnostic data [2].
By disabling this policy, the script helps to enhance the privacy of your device by preventing the processing of its diagnostic data by Microsoft. This means
that information about the usage and performance of your device will not be sent to Microsoft's Desktop Analytics service [1][2].
[1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowdesktopanalyticsprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs"
[2]: https://web.archive.org/web/20211127031547/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDesktopAnalyticsProcessing "Allow Desktop Analytics Processing | admx.help"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: AllowDesktopAnalyticsProcessing
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable sending device name in Windows diagnostic data
recommend: strict
docs: |-
This script enhances privacy by ensuring that the name of your device is anonymized in any diagnostic data collected by Microsoft Desktop Analytics [1].
In other words, instead of your actual device name, "Unknown" will appear in the data [1].
Since the release of Windows 10, version 1803, the device name is not included in the diagnostic data by default [1].
This script guarantees that this privacy-enhancing measure remains in place [1].
When implemented, it changes a specific registry setting, `AllowDeviceNameInTelemetry`, which controls whether the device name is included
in Windows diagnostic data [2]. The script sets this value to `0`, thus disabling the inclusion of the device name in the data [2].
[1]: https://web.archive.org/web/20220903043346/https://docs.microsoft.com/en-US/mem/configmgr/desktop-analytics/enroll-devices#device-name "Enroll devices in Desktop Analytics - Configuration Manager | Microsoft Docs"
[2]: https://web.archive.org/web/20210228151919/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowDeviceNameInDiagnosticData "Allow device name to be sent in Windows diagnostic data"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: AllowDeviceNameInTelemetry
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable collection of Edge browsing data for Desktop Analytics
recommend: strict
docs: |-
This script configures Microsoft Edge to prevent it from sending your browsing history data to Desktop Analytics [1].
This browsing data can include information from either your intranet or internet history, or both [1].
When you use Microsoft Edge for browsing, it can collect and send your browsing history to Desktop Analytics, a Microsoft
service that helps enterprises to analyze and improve their IT environment. If this setting is disabled, Microsoft Edge
does not send any browsing history data, thereby enhancing your privacy.
The script achieves this by modifying a specific value in the Windows Registry. The specific value that the script modifies
is `MicrosoftEdgeDataOptIn` located at `HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection`. The script sets this value
to `0`, which indicates to Microsoft Edge that it should not send browsing history data to Desktop Analytics [1].
While enhancing privacy, this could limit the functionality of Desktop Analytics for enterprises that rely on this service
for IT insights. However, for individual users, this script can help prevent unwanted data collection and transmission,
contributing to an overall safer browsing experience [1].
[1]: https://web.archive.org/web/20220524020212/https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.MicrosoftEdge::ConfigureTelemetryForMicrosoft365Analytics "Configure collection of browsing data for Desktop Analytics"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: MicrosoftEdgeDataOptIn # MDM name: ConfigureTelemetryForMicrosoft365Analytics
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable diagnostics data processing for Business cloud
recommend: strict
docs: |-
This script controls whether diagnostic data from your device is processed by Windows Update for Business cloud [1] [2].
If enabled, the script can enhance privacy by ensuring that diagnostic data from your device is not processed by the
Windows Update for Business cloud (WufB) [1], an update management service provided by Microsoft [3]. This service
typically helps businesses manage updates on their devices efficiently. But if privacy is a concern, you can opt
to disable it [3].
The policy is applicable to devices joined to Azure Active Directory [1]. Azure Active Directory is a Microsoft cloud
service that provides identity and access capabilities.
Disabling this policy means that some features of the Windows Update for Business deployment service might not be
available. However, your device will gain an added layer of privacy as diagnostic data will not be processed by the
business cloud [1].
[1]: https://web.archive.org/web/20220903042236/https://docs.microsoft.com/en-US/windows/client-management/mdm/policy-csp-system#system-allowwufbcloudprocessing "Policy CSP - System - Windows Client Management | Microsoft Docs"
[2]: https://web.archive.org/web/20210307173837/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowWUfBCloudProcessing "Allow WUfB Cloud Processing"
[3]: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-management-for-windows-on-a-windows-365-cloud-pc/ba-p/3452703
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: AllowWUfBCloudProcessing
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Update Compliance processing of diagnostics data
recommend: standard
docs: |-
Update Compliance is a service provided by Microsoft hosted in Azure, which uses Windows diagnostic data [1].
This service doesn't meet the US Government community compliance (GCC) requirements [1], and is utilized by
both Desktop Analytics and Azure Update Management [1].
This script is designed to disable the Update Compliance processing of diagnostic data on your device. When
this script is run, it modifies the system registry to prevent diagnostic data from your device being processed
by Update Compliance. This change in settings increases the privacy of your device by limiting the diagnostic data
that can be accessed and analyzed by Microsoft's services.
Diagnostic data, in this context, includes information about device health, system events, and usage metrics. By
disabling the processing of this data, the script helps protect the privacy of your activities on your device [1].
This script can be reversed at any time by using the provided `revertCode` if you decide to re-enable the processing
of diagnostic data by Update Compliance.
In technical terms, the script sets the `AllowUpdateComplianceProcessing` value in the
`HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection` registry path to 0, which disables the processing of
diagnostic data by Update Compliance [2].
[1]: https://web.archive.org/web/20220703201221/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started "Get started with Update Compliance - Windows Deployment | Microsoft Docs"
[2]: https://web.archive.org/web/20220610123725/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowUpdateComplianceProcessing "Allow Update Compliance Processing"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: AllowUpdateComplianceProcessing
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable commercial usage of collected data
recommend: standard
docs: |-
This protects your privacy by placing a limit on the commercial usage of your data. It manages
how Windows diagnostic data is handled by controlling whether Microsoft is a processor or controller
for Windows diagnostic data collected from your device [1] [2].
In the default setting, Microsoft operates as the controller of this diagnostic data, thus enabling it to use the data
for commercial purposes. This script alters that setting to limit the commercial usage of your data [1] [2].
This script does not affect the operation of optional analytics processor services like Desktop Analytics and
Windows Update for Business reports. Moreover, it doesn't change whether diagnostic data is collected or the ability
of the user to change the level.
[1]: https://web.archive.org/web/20230803142206/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline "System Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230330140620/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::AllowCommercialDataPipeline "Allow commercial data pipeline"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: AllowCommercialDataPipeline
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable diagnostic and usage telemetry
recommend: standard
docs: |-
This script improves your privacy by blocking the transmission of diagnostic and usage telemetry data
from your Windows device [1]. This includes data about your device's usage, app compatibility, and
system performance, which can be sensitive in nature. By stopping this data from being sent, you reduce
the amount of personal information that could potentially be accessed by third parties.
The script works by configuring the Group Policy Object (GPO) and Local Policy preferences, which
essentially govern your device's data sharing policies [2]. These modifications restrict the data that Windows
and its built-in apps can collect and send.
Upon executing this script, Desktop Analytics will be disabled, as it relies on basic diagnostic data to
function [2]. Desktop Analytics is a cloud-based service provided by Microsoft [4]. It provides insights
and intelligence for IT administrators [4]. Desktop Analytics is deprecated and was retired on November 30, 2022.
Once this script is executed, even if the policy permits a telemetry setting of Security or Basic, users
will not have the capability to opt for a higher data sharing level [3]. This restriction is limited to the
operating system and apps included with Windows, and does not pertain to third-party apps installed on your
device [3].
[1]: https://web.archive.org/web/20230731225232/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#allowtelemetry "System Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230731225319/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/group-policy-settings "Group policy settings - Configuration Manager | Microsoft Learn"
[3]: https://web.archive.org/web/20211129155126/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection%3A%3AAllowTelemetry "Allow Telemetry"
[4]: https://web.archive.org/web/20230731225544/https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview "Desktop Analytics - Configuration Manager | Microsoft Learn"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection
valueName: AllowTelemetry
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 22H3)
-
function: SetRegistryValue # Using Group policy object (GPO)
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: AllowTelemetry
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable automatic cloud configuration downloads
recommend: strict
docs: |-
This script turns off the OneSettings service, a feature from Microsoft that downloads configuration settings [1].
This action can enhance the privacy and security of your Windows desktop environment by managing a feature called
the Services Configuration [1].
Services Configuration is a mechanism that various Windows components and apps use to update their settings dynamically [2] [3].
By default, Windows periodically tries to connect with the OneSettings service to download configuration settings [1].
This script turns off that function, reducing the chance of data being shared with third-party vendors [1].
This script is recommended by CIS Microsoft Windows Desktop Benchmarks [1]. Please be aware that turning off this service might
affect how certain apps that rely on this service work [3].
The script changes a registry setting to disable OneSettings downloads [3] [1]. It also provides a revert code to undo this change,
if needed, which returns the system to its previous state.
If you want to limit how much data is sent to Microsoft, turning off the OneSettings service can help enhance your privacy [1].
For more information about the impact of OneSettings on privacy, visit
[learn.microsoft.com](https://web.archive.org/web/20230803025857/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809).
This script lets you manage your privacy by restricting the automatic configuration updates of Windows components and apps,
including telemetry services, from the cloud [3] [1].
By using this script, Windows will not connect to OneSettings to fetch any configuration settings [1].
This reduces the amount of data sent to third-party vendors, which can help alleviate potential security concerns [1].
However, please be aware that while this setting can enhance privacy, turning off this service could lead to some applications
not working properly. These applications may depend on dynamic configuration updates that will be stopped when the service is
disabled [3] [1].
[1]: https://web.archive.org/web/20230803030428/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_Bitlocker_v1.12.0.audit:b3aec171f406cbe87f37e57bc9dd1411 "18.9.17.3 Ensure 'Disable OneSettings Downloads' is set to 'En... | Tenable"
[2]: https://web.archive.org/web/20230803024926/https://learn.microsoft.com/en-us/windows/win32/services/service-configuration "Service Configuration - Win32 apps | Microsoft Learn"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\DataCollection
valueName: DisableOneSettingsDownloads
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable license telemetry
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform
valueName: NoGenTicket
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable error reporting
recommend: standard
docs: |-
This script disables the Windows Error Reporting (WER) feature.
Windows Error Reporting collects and sends error logs from your computer to Microsoft [1], which can be a potential privacy concern for users.
By disabling it, this script ensures that your system errors remain local to your machine and are not sent to external servers.
Here's a breakdown of what the script does:
1. **Registry Changes**: The script modifies specific registry entries to disable the WER functionality and its related settings.
2. **Scheduled Tasks**: The script disables scheduled tasks related to error details updates and queue reporting.
3. **Services**: The script disables the services related to error reporting.
### Registry changes
- `HKLM\Software\Microsoft\Windows\Windows Error Reporting!DefaultConsent` [2]
- `HKLM\Software\Microsoft\Windows\Windows Error Reporting!DefaultOverrideBehavior` [2]
- `HKLM\Software\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData` [2]
- `HKLM\Software\Microsoft\Windows\Windows Error Reporting!LoggingDisabled` [2]
- `HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting!Disabled` [2]
- `HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting` [3]
### Overview of default service statuses
Windows Error Reporting Service (`wersvc`) [4]:
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
Problem Reports Control Panel Support (`wercplsupport`) [5]:
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
### Overview of default task statuses
`\Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
`\Microsoft\Windows\Windows Error Reporting\QueueReporting`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231018135854/https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/windows-error-reporting-diagnostics-enablement-guidance "Windows Error Reporting and Windows diagnostics enablement guidance - Windows Client | Microsoft Learn"
[2]: https://web.archive.org/web/20231018135903/https://learn.microsoft.com/en-us/windows/win32/wer/wer-settings "WER Settings - Win32 apps | Microsoft Learn"
[3]: https://web.archive.org/web/20231018135918/https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493 "The system must be configured to allow a local or DOD-wide collector to request additional error reporting diagnostic data to be sent. | stigviewer.com"
[4]: https://web.archive.org/web/20231018135930/https://batcmd.com/windows/10/services/wersvc/ "Windows Error Reporting Service - Windows 10 Service - batcmd.com"
[5]: https://web.archive.org/web/20231019222221/https://batcmd.com/windows/10/services/wercplsupport/ "Problem Reports Control Panel Support - Windows 10 Service - batcmd.com"
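The following read-only audit covers the three steps above (registry, scheduled tasks, services). It is an added example, not part of privacy.sexy; the function names are illustrative, the expected registry data is copied from this entry's `call:` list, and it assumes `DisableService` leaves the start type at `Disabled`.

```powershell
# Added example (not privacy.sexy code): read-only audit of the WER settings in this entry.
# Run from an elevated PowerShell 5.1+ session; nothing is modified.

$werKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$werPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

# Expected registry data, taken from the entry's SetRegistryValue calls.
$expectedValues = @(
    @{ Path = $werPolicy;        Name = 'Disabled';                Data = 1 }
    @{ Path = $werKey;           Name = 'Disabled';                Data = 1 }
    @{ Path = "$werKey\Consent"; Name = 'DefaultConsent';          Data = 1 }
    @{ Path = "$werKey\Consent"; Name = 'DefaultOverrideBehavior'; Data = 1 }
    @{ Path = $werKey;           Name = 'DontSendAdditionalData';  Data = 1 }
    @{ Path = $werKey;           Name = 'LoggingDisabled';         Data = 1 }
)

# Tasks named in the entry's DisableScheduledTask calls.
$expectedTasks = @(
    @{ TaskPath = '\Microsoft\Windows\ErrorDetails\';            TaskName = 'EnableErrorDetailsUpdate' }
    @{ TaskPath = '\Microsoft\Windows\Windows Error Reporting\'; TaskName = 'QueueReporting' }
)

function New-AuditResult {
    param($Kind, $Target, $Expected, $Actual, [bool]$Compliant)
    [pscustomobject]@{
        Kind = $Kind; Target = $Target; Expected = $Expected; Actual = $Actual; Compliant = $Compliant
    }
}

function Test-WerRegistryValue {
    param([string]$Path, [string]$Name, [int]$Data)
    $target = "${Path}!${Name}"
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    # A missing key or value means the setting was never applied (or was reverted).
    if ($null -eq $key -or $key.GetValueNames() -notcontains $Name) {
        return New-AuditResult 'Registry' $target $Data '(missing)' $false
    }
    $actual = $key.GetValue($Name)
    $kind   = $key.GetValueKind($Name)
    # The entry writes REG_DWORD; a value of another type is reported as non-compliant.
    $ok = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($actual -eq $Data)
    New-AuditResult 'Registry' $target $Data "$actual ($kind)" $ok
}

function Test-WerTask {
    param([string]$TaskPath, [string]$TaskName)
    $target = "${TaskPath}${TaskName}"
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($null -eq $task) {
        # A task that does not exist cannot run; the tables above list
        # EnableErrorDetailsUpdate as missing by default on 22H2.
        return New-AuditResult 'Task' $target 'Disabled' '(missing)' $true
    }
    New-AuditResult 'Task' $target 'Disabled' ([string]$task.State) ($task.State -eq 'Disabled')
}

function Test-WerService {
    param([string]$Name)
    $service = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $service) {
        # Treated like a missing task: nothing to start.
        return New-AuditResult 'Service' $Name 'Disabled' '(missing)' $true
    }
    New-AuditResult 'Service' $Name 'Disabled' ([string]$service.StartType) ($service.StartType -eq 'Disabled')
}

$results = @(
    foreach ($v in $expectedValues) { Test-WerRegistryValue @v }
    foreach ($t in $expectedTasks)  { Test-WerTask @t }
    foreach ($s in 'wersvc', 'wercplsupport') { Test-WerService -Name $s }
)

$results | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a scheduled compliance job flag drift.
if ($results.Compliant -contains $false) { exit 1 }
```

A `(missing)` registry row after a Windows feature update indicates the setting has been reset and the script needs to be re-applied.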
call:
-
function: Comment
parameters:
codeComment: Disable Windows Error Reporting (WER)
revertCodeComment: Revert Windows Error Reporting (WER)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting
valueName: Disabled
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting
valueName: Disabled
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: Comment
parameters:
codeComment: Disable Windows Error Reporting (WER) consent
revertCodeComment: Revert Windows Error Reporting (WER) consent
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent
valueName: DefaultConsent
dataType: REG_DWORD
data: '1'
dataOnRevert: '4' # Default value: `4` on Windows 10 Pro (≥ 22H2) | `4` on Windows 11 Pro (≥ 22H3)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent
valueName: DefaultOverrideBehavior
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: Comment
parameters:
codeComment: Disable WER sending second-level data
revertCodeComment: Revert WER sending second-level data
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting
valueName: DontSendAdditionalData
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\Windows Error Reporting
valueName: LoggingDisabled
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ErrorDetails\' -TaskName 'EnableErrorDetailsUpdate'
taskPathPattern: \Microsoft\Windows\ErrorDetails\
taskNamePattern: EnableErrorDetailsUpdate
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Error Reporting\' -TaskName 'QueueReporting'
taskPathPattern: \Microsoft\Windows\Windows Error Reporting\
taskNamePattern: QueueReporting
- # Windows Error Reporting Service
function: DisableService
parameters:
serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- # Problem Reports Control Panel Support
function: DisableService
parameters:
serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Disable connectivity checks
docs: |- # refactor-with-variables: Same • NCSI caution
This category contains scripts that disable various connectivity checks performed by Windows.
Connectivity checks allow Windows to assess network status and quality.
These checks involve communication with Microsoft servers, which may raise privacy concerns.
Disabling these checks reduces data sent to Microsoft, potentially enhancing your privacy.
Connectivity checks are considered **noise** because they constantly generate small amounts of network traffic.
**Noise** in networking refers to excessive data that doesn't help data transmission.
This has both security and performance implications.
Connectivity checks can contribute to **fingerprinting**, as they regularly communicate with specific servers.
**Fingerprinting** in network terms is a way to identify or track a device based on its unique characteristics or behavior.
These regular checks can potentially be used to identify or track your device on a network.
Connectivity checks can be seen as a form of **homecalling** because they involve your device regularly communicating with Microsoft servers.
**Homecalling** is when software automatically sends data back to its creator or a third party, often without the user's explicit knowledge or consent.
While the primary purpose of these checks is to ensure network functionality, they also provide Microsoft with information about your
device's online status and potentially your location [1].
Disabling these checks stops the automatic 'calls home,' enhancing privacy but potentially affecting system functions.
Disabling these checks may enhance privacy by:
- Reducing data transmission to Microsoft servers
- Limiting the collection of your IP address and location information [1]
- Decreasing the attack surface for potential vulnerabilities
However, disabling these checks may also lead to several side effects, including:
- Inaccurate reporting of network status (e.g., showing "no internet" when connected) [2] [3]
- Issues with captive portal detection (hotspot) common in public Wi-Fi networks [4] [5] [6]
- Functionality problems in some Microsoft and third-party applications [1] [2] [7] [8]
- Reduced ability to automatically adapt to different network environments
Consider your privacy needs and the potential impact on system functionality before applying these scripts.
Some users may find the privacy benefits outweigh the inconveniences, while others might prefer to keep
these checks enabled for smoother network interactions.
> **Caution**: This may lead to:
> - Lack of immediate feedback on network status.
> - Potential functionality issues in the system and applications that rely on NCSI for network information.
> - Reduced ability of Windows and other components to determine internet connectivity.
> - Windows and other software may incorrectly report that you're offline.
> - Issues with automatically opening the sign-in page when a captive portal (hotspot) is detected.
[1]: https://web.archive.org/web/20220510033228/https://www.techrepublic.com/article/what-do-microsoft-and-ncsi-have-in-common/ "What do Microsoft and NCSI have in common? | TechRepublic | www.techrepublic.com"
[2]: https://web.archive.org/web/20240525013542/https://superuser.com/questions/1400187/get-rid-of-false-no-internet-network-message "networking - Get rid of false \"no Internet\" network message - Super User | superuser.com"
[3]: https://web.archive.org/web/20240620134357/https://github.com/undergroundwires/privacy.sexy/issues/216 "[BUG]: The network icon shows as unavailable even though it is available · Issue #216 · undergroundwires/privacy.sexy | github.com"
[4]: https://web.archive.org/web/20240114123718/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-overview "Network Connectivity Status Indicator overview for Windows | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240114123854/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions "Network Connectivity Status Indicator FAQ for Windows | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240809202657/https://learn.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals "Captive Portals - Windows drivers | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240809202709/https://learn.microsoft.com/en-us/azure/backup/install-mars-agent "Install the Microsoft Azure Recovery Services (MARS) agent - Azure Backup | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240809202750/https://learn.microsoft.com/en-us/azure/backup/backup-support-matrix-mabs-dpm "MABS & System Center DPM support matrix - Azure Backup | Microsoft Learn | learn.microsoft.com"
children:
-
name: >-
Disable active connectivity tests
(breaks internet connection status, captive portals)
docs: |- # refactor-with-variables: Same • NCSI caution
This script prevents Network Connectivity Status Indicator (NCSI) from performing active connectivity checks.
### Active Probing Overview
NCSI checks internet connectivity by requesting and downloading specific web pages [1] [2] [3] [4] [5] [6].
This process is also known as *active probing* [3] [4] [5] [6] [7] [8] [9] [10] [11] or *active tests* [1] [2] [4] [7] [11] [12].
Active probing checks internet connection by accessing certain URLs:
- `http://www.msftconnecttest.com/connecttest.txt` [5] [6] [7] [10] [12] [13] [14].
- `http://www.msftconnecttest.com/redirect` [7].
- `http://www.msftncsi.com/ncsi.txt` (on earlier versions) [4] [7] [12] [13] [15].
- `dns.msftncsi.com` [3] [4] [6] [7] [15].
Windows conducts these tests by default [1] [2] [3].
They ensure accurate reporting of internet connectivity across the system [1] [2] [3].
Active probes are triggered in the following situations:
- General interface or network condition changes [6].
E.g., when a wireless connection is established [6].
- Proxy detection or changes [6].
- Hotspot detection or changes [6].
### Impacts of Disabling Active Probing
Microsoft recommends keeping these tests enabled due to their crucial role in detecting network status [4] [7].
Disabling active connectivity tests may lead to:
- Windows indicating no internet access despite an active connection [4] [9] [16].
- The no internet symbol appearing even though there is internet connectivity [8] [11] [13] [17].
- Malfunctions in applications and system services that rely on NCSI's status reports [1] [2].
For instance, Microsoft Outlook might fail to connect to its server, or Windows updates could fail despite an active internet connection [7].
- Disruption of the automatic detection of captive portals [4] [5] [6] [17].
This feature is common in public Wi-Fi networks, and its absence may inconvenience frequent users of these networks.
Without this feature, connecting to these networks may require manual intervention as no popup will appear automatically.
Disabling these tests improves your privacy, by preventing:
- The operating system from automatically checking connectivity by communicating with Microsoft servers [7] [14].
- Microsoft from collecting your IP addresses and location information through these tests [15].
Disabling these tests can also enhance security:
- These tests carry a security risk by allowing attackers to hijack DNS and gain access to your computer [14], potentially spreading malware [10].
- Active probes can interfere with security and privacy software such as VPN [4] [6] and firewalls [4], potentially disrupting their functionality.
> **Caution**: This may lead to:
> - Lack of immediate feedback on network status.
> - Potential functionality issues in the system and applications that rely on NCSI for network information.
> - Reduced ability of Windows and other components to determine internet connectivity.
> - Windows and other software may incorrectly report that you're offline.
> - Issues with automatically opening the sign-in page when a captive portal (hotspot) is detected.
### Technical Details
This script modifies the following registry settings:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!NoActiveProbe` [1] [2] [7] [9] [12].
This setting affects components like `ncsi.dll` [18].
It requires a computer restart to take effect [12].
- `HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet!EnableActiveProbing` [3] [4] [7] [9] [11] [13].
This setting affects components like `ncsi.dll` [18] and `WebRuntimeManager.dll` [19].
Some sources may suggest modifying the `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!EnableActiveProbing` registry key.
However, this key is undocumented and this script does not modify this undocumented setting.
[1]: https://web.archive.org/web/20240117111510/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::NoActiveProbe "Turn off Windows Network Connectivity Status Indicator active tests | admx.help"
[2]: https://web.archive.org/web/20240511203932/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-connectivity#disallownetworkconnectivityactivetests "Connectivity Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240722112607/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-ncsi-guidance "Network Connection Status Indicator (NCSI) troubleshooting guidance - Windows Server | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20121226172641/http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx "The Network Connection Status Icon - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com"
[5]: https://web.archive.org/web/20240114123718/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-overview "Network Connectivity Status Indicator overview for Windows | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240114123854/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions "Network Connectivity Status Indicator FAQ for Windows | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240609083747/https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network "An Internet Explorer or Edge window opens when your computer connects to a corporate network or a public network - Windows Client | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240722112723/https://learn.microsoft.com/en-us/answers/questions/474998/internet-probe-icon-ncsi "Internet probe Icon - NCSI - Microsoft Q&A | learn.microsoft.com"
[9]: https://web.archive.org/web/20230606033610/https://learn.microsoft.com/en-us/office/troubleshoot/activation/issue-when-activate-office-365-proplus "We are unable to connect right now when try to activate Microsoft 365 Apps for enterprise - Microsoft 365 Apps | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240405095920/https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-to-spread-malicious-covid-19-apps/ "Hackers Hijack Routers DNS to Spread Malicious COVID-19 Apps | www.bleepingcomputer.com"
[11]: https://web.archive.org/web/20240722112804/https://superuser.com/questions/688049/windows-shows-limited-connection-when-it-isnt "networking - Windows shows \"Limited Connection\" when it isn't - Super User | superuser.com"
[12]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#14-network-connection-status-indicator "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[13]: https://web.archive.org/web/20240525013542/https://superuser.com/questions/1400187/get-rid-of-false-no-internet-network-message "networking - Get rid of false \"no Internet\" network message - Super User | superuser.com"
[14]: https://web.archive.org/web/20201013020905/https://github.com/Disassembler0/Win10-Initial-Setup-Script/pull/111 "Add \"DisableNetConnectionTest\" and \"SetMozillaForNetConnTest\" by antipatico · Pull Request #111 · Disassembler0/Win10-Initial-Setup-Script | github.com"
[15]: https://web.archive.org/web/20220510033228/https://www.techrepublic.com/article/what-do-microsoft-and-ncsi-have-in-common/ "What do Microsoft and NCSI have in common? | TechRepublic | www.techrepublic.com"
[16]: https://web.archive.org/web/20240620134420/https://github.com/undergroundwires/privacy.sexy/issues/189 "[BUG]: Dropbox Client no longer works with the script to disable Automatic Update Services applied · Issue #189 · undergroundwires/privacy.sexy | github.com"
[17]: https://web.archive.org/web/20240620134357/https://github.com/undergroundwires/privacy.sexy/issues/216 "[BUG]: The network icon shows as unavailable even though it is available · Issue #216 · undergroundwires/privacy.sexy | github.com"
[18]: https://web.archive.org/web/20240810075215/https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/System32/ncsi.dll.strings "10_0_22623_1020/C/Windows/System32/ncsi.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com"
[19]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/WebRuntimeManager.dll.strings#L7625 "10_0_22622_601/C/Windows/System32/WebRuntimeManager.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator
valueName: NoActiveProbe
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
valueName: EnableActiveProbing
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 22H2)
-
function: ShowComputerRestartSuggestion
-
name: >-
Disable passive connectivity tests
(breaks internet connection status)
docs: |- # refactor-with-variables: Same • NCSI caution
This script stops passive connectivity checks on your Windows device.
Passive connectivity tests are also known as *Network Connectivity Status Indicator (NCSI)* [1]
or *passive polling* [1] [2] [3] [4].
It tracks the network activity of applications on your computer [1] [3].
This feature is turned on by default [1].
These tests run every 15 seconds by default [5] [6].
They use information from received data, such as recently sent or received packets and
their Time To Live (TTL) values, to determine network status [7].
When NCSI fails to check internet connectivity, it opens the MSN Portal in your default browser [1].
This involves making an HTTP connection to `http://www.msftconnecttest.com/redirect` and then to the MSN Portal [1].
This method may expose your activities to Microsoft, bypass local network rules, and leak network configuration details,
posing privacy and security risks.
It may also inadvertently load external content or scripts from the MSN Portal, introducing vulnerabilities or tracking mechanisms.
Malicious actors may exploit this behavior to detect active internet connections or trigger specific network activities,
compromising your privacy and security.
Disabling passive polling enhances privacy by reducing continuous network monitoring.
It may also improve system performance by decreasing background network activity.
Disabling passive connectivity tests prevents Windows from automatically connecting to Microsoft servers
and opening external web pages [1].
This reduces the risk of data leakage, tracking, and potential exploitation of this automated network activity.
It can also improve security because passive probes sometimes conflict with VPN software [7] [8] and firewalls [7] [9].
Disabling them may improve system functionality when using such security or privacy software [8] [9].
However, this change has significant drawbacks.
It may cause the system to incorrectly report no internet connection, even when one exists [2] [10] [11].
This can affect functionality of system components and applications that rely on NCSI for network information [1].
For example, it can interfere with Windows' ability to download updates [1].
Microsoft does not recommend disabling the NCSI probes [1] [7].
> **Caution**: This may lead to:
> - Lack of immediate feedback on network status.
> - Potential functionality issues in the system and applications that rely on NCSI for network information.
> - Reduced ability of Windows and other components to determine internet connectivity.
> - False reporting of no internet connection even though there is internet connectivity.
### Technical Details
This script configures:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!DisablePassivePolling` [1] [2] [3].
This group policy controls passive polling [1] [2] [3].
It's used by system components such as `ncsi.dll` [4].
- `HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet!PassivePollPeriod` [5] [6].
It's used by system components such as `ncsi.dll` [4].
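The PowerShell audit below is an added example, not part of privacy.sexy's own code. It reads the four registry values that the active and passive connectivity test scripts write and reports whether each is absent, at its default, or at the value these scripts set. The helper name `Get-NcsiProbeSetting` is hypothetical; key paths, value names, data and defaults are taken from the `call:` entries of those two scripts.

```powershell
# Added example, not privacy.sexy code. Key paths, value names, data and defaults are
# copied from the `call:` entries of the active and passive connectivity test scripts.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
$nlaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

# Default = $null: the value is missing by default (Windows 10 Pro 22H2+, Windows 11 Pro 23H2+).
$ncsiChecks = @(
    [pscustomobject]@{ Probe = 'Active';  Path = $policyKey; Name = 'NoActiveProbe';         Disabled = 1; Default = $null }
    [pscustomobject]@{ Probe = 'Active';  Path = $nlaKey;    Name = 'EnableActiveProbing';   Disabled = 0; Default = 1 }
    [pscustomobject]@{ Probe = 'Passive'; Path = $policyKey; Name = 'DisablePassivePolling'; Disabled = 1; Default = $null }
    [pscustomobject]@{ Probe = 'Passive'; Path = $nlaKey;    Name = 'PassivePollPeriod';     Disabled = 0; Default = 15 }
)

# Hypothetical helper: classifies each value as absent, default, disabled by the scripts, or other.
function Get-NcsiProbeSetting {
    param([Parameter(Mandatory)] [object[]] $Checks)

    foreach ($check in $Checks) {
        # A missing key or value yields no object here instead of an error.
        $item = Get-ItemProperty -LiteralPath $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($check.Name) } else { $null }

        $state = if ($null -eq $current) {
            if ($null -eq $check.Default) { 'Absent (default)' } else { 'Absent' }
        } elseif ($current -eq $check.Disabled) {
            'Probe disabled'
        } elseif ($current -eq $check.Default) {
            'Default'
        } else {
            'Other'
        }

        [pscustomobject]@{
            Probe   = $check.Probe
            Value   = '{0}!{1}' -f $check.Path, $check.Name
            Current = $current
            State   = $state
        }
    }
}

Get-NcsiProbeSetting -Checks $ncsiChecks | Format-Table -AutoSize
```

Reading these `HKLM` values does not require elevation, so the check can run before and after applying or reverting the scripts.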
[1]: https://web.archive.org/web/20240620094739/https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network "An Internet Explorer or Edge window opens when your computer connects to a corporate network or a public network - Windows Client | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240722112723/https://learn.microsoft.com/en-us/answers/questions/474998/internet-probe-icon-ncsi "Internet probe Icon - NCSI - Microsoft Q&A | learn.microsoft.com"
[3]: https://web.archive.org/web/20240729100358/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.NCSI::NCSI_PassivePolling "Specify passive polling | admx.help"
[4]: https://web.archive.org/web/20240810075215/https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/System32/ncsi.dll.strings "10_0_22623_1020/C/Windows/System32/ncsi.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com"
[5]: https://web.archive.org/web/20240114123854/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions "Network Connectivity Status Indicator FAQ for Windows | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240722112607/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-ncsi-guidance "Network Connection Status Indicator (NCSI) troubleshooting guidance - Windows Server | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20121226172641/http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx "The Network Connection Status Icon - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com"
[8]: https://web.archive.org/web/20240729100350/https://forums.openvpn.net/viewtopic.php?t=27321 "Openvpn breaks NLA and NCSI services for Windows / Office 365 - OpenVPN Support Forum | forums.openvpn.net"
[9]: https://web.archive.org/web/20240729100551/https://github.com/henrypp/simplewall/issues/709 "no internet / sometimes simplewall automatically denies internet · Issue #709 · henrypp/simplewall | github.com"
[10]: https://web.archive.org/web/20240525013542/https://superuser.com/questions/1400187/get-rid-of-false-no-internet-network-message "networking - Get rid of false \"no Internet\" network message - Super User | superuser.com"
[11]: https://web.archive.org/web/20240729100329/https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool/issues/136 "Servers Reporting No Internet After Restart · Issue #136 · The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool | github.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator
valueName: DisablePassivePolling
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
valueName: PassivePollPeriod
dataType: REG_DWORD
data: "0"
dataOnRevert: '15' # Default value: 15 on Windows 10 Pro (≥ 22H2) | 15 on Windows 11 Pro (≥ 23H2)
-
name: >-
Remove "Network Connectivity Status Indicator (NCSI)" app
(breaks internet connection status icon)
recommend: strict
docs: |- # refactor-with-variables: Same • NCSI caution
This script removes the "NcsiUwpApp" system app.
It is also known as the "Network Connectivity Status Indicator Universal Windows Platform App".
It is primarily responsible for indicating network connectivity status.
The NCSI feature provides the functionality that allows Windows to offer visual feedback on network
connection status, usually seen at the bottom-right of the taskbar [1].
It is used not only by the Windows operating system but also by third-party applications for determining
network configurations [1].
NCSI employs both active and passive probes to assess network connectivity [1].
Active probes involve HTTP requests to Microsoft-managed servers [1], hosted by Akamai [1], with connectivity tests
directed to `www.msftconnecttest.com` [2].
Passive probes assess connectivity by examining network traffic [1].
The app's configuration, located in `%WINDIR%\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\AppxManifest.xml`, indicates
that it operates without a visible user interface and is not listed in the start menu or app list.
Its primary function is to manage the maintenance of the NCSI component and communicate over the internet.
This absence of a user interface can be confirmed by running `explorer.exe shell:appsFolder\NcsiUwpApp_8wekyb3d8bbwe!App`.
Removing this app improves privacy by reducing data transmission to external servers for connectivity checks.
It also increases security by diminishing the operating system's vulnerability surface through the removal of
unnecessary software and provides greater control over the visibility of device network status.
This app comes pre-installed on certain versions of Windows [3].
> **Caution**: This may lead to:
> - Lack of immediate feedback on network status.
> - Potential functionality issues in the system and applications that rely on NCSI for network information.
### Overview of default preinstallation
| OS | Version | Existence |
| -- | ------- | --------- |
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20240114123718/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-overview "Network Connectivity Status Indicator overview for Windows | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240114123854/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions "Network Connectivity Status Indicator FAQ for Windows | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230610014325/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn | learn.microsoft.com"
call:
function: UninstallNonRemovableStoreApp
parameters:
packageName: NcsiUwpApp # Get-AppxPackage NcsiUwpApp
publisherId: 8wekyb3d8bbwe
-
name: >-
Block Microsoft connectivity check hosts
(breaks internet connection status, captive portals)
docs: |- # refactor-with-variables: Same • NCSI caution
This script prevents Windows from connecting to Microsoft connectivity check URLs.
This script enhances your privacy by blocking specific hosts that Microsoft uses to collect your IP address [1].
The blocked hosts are:
- `msftncsi.com` [2] [3] [4]
- `www.msftncsi.com` [2] [5] [6] [7] [8]
- `dns.msftncsi.com` [2] [3] [5] [7] [8] [9] [10]
- `ipv6.msftncsi.com` [2] [8]
- `msftconnecttest.com` [2] [3] [4] [9] [11]
- `www.msftconnecttest.com` [2] [3] [7] [9] [10] [12]
- `ipv6.msftconnecttest.com` [8] [10] [11]
However, this script may cause several side effects:
- It disrupts captive portal (hotspot) detection [5] [6] [13].
- It impairs functionality of Microsoft software like Azure Backup MARS agent [14] and on-premises data gateway [15].
- A 'no internet' symbol may appear even when you are connected to the internet [2].
Carefully weigh the privacy benefits against potential functionality issues before applying this script.
> **Caution**: This may lead to:
> - Lack of immediate feedback on network status.
> - Potential functionality issues in the system and applications that rely on NCSI for network information.
> - Reduced ability of Windows and other components to determine internet connectivity.
> - Windows and other software may incorrectly report that you're offline.
> - Issues with automatically opening the sign-in page when a captive portal (hotspot) is detected.
[1]: https://web.archive.org/web/20220510033228/https://www.techrepublic.com/article/what-do-microsoft-and-ncsi-have-in-common/ "What do Microsoft and NCSI have in common? | TechRepublic | www.techrepublic.com"
[2]: https://web.archive.org/web/20240525013542/https://superuser.com/questions/1400187/get-rid-of-false-no-internet-network-message "networking - Get rid of false \"no Internet\" network message - Super User | superuser.com"
[3]: https://web.archive.org/web/20240620094739/https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network "An Internet Explorer or Edge window opens when your computer connects to a corporate network or a public network - Windows Client | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240809202709/https://devblogs.microsoft.com/oldnewthing/20221115-00/?p=107399 "How does Windows decide whether your computer has limited or full Internet access? - The Old New Thing | devblogs.microsoft.com"
[5]: https://web.archive.org/web/20121226172641/http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx "The Network Connection Status Icon - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com"
[6]: https://web.archive.org/web/20240809202657/https://learn.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals "Captive Portals - Windows drivers | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240114123854/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions "Network Connectivity Status Indicator FAQ for Windows | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240722112607/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-ncsi-guidance "Network Connection Status Indicator (NCSI) troubleshooting guidance - Windows Server | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240620094739/https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network#workaround "An Internet Explorer or Edge window opens when your computer connects to a corporate network or a public network - Windows Client | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240809202640/https://learn.microsoft.com/en-us/microsoftteams/troubleshoot/teams-rooms-and-devices/monitored-offline-status-unhealthy "The Monitored or Offline status of a Teams Rooms device is Unhealthy - Microsoft Teams | Microsoft Learn | learn.microsoft.com"
[11]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[12]: https://web.archive.org/web/20240809202624/https://learn.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/provisioning-windows-using-a-website "Provisioning Windows Using a Website - Windows drivers | Microsoft Learn | learn.microsoft.com"
[13]: https://web.archive.org/web/20240114123718/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-overview "Network Connectivity Status Indicator overview for Windows | Microsoft Learn | learn.microsoft.com"
[14]: https://web.archive.org/web/20240809202709/https://learn.microsoft.com/en-us/azure/backup/install-mars-agent "Install the Microsoft Azure Recovery Services (MARS) agent - Azure Backup | Microsoft Learn | learn.microsoft.com"
[15]: https://web.archive.org/web/20240809202750/https://learn.microsoft.com/en-us/azure/backup/backup-support-matrix-mabs-dpm "MABS & System Center DPM support matrix - Azure Backup | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: msftncsi.com
-
function: BlockViaHostsFile
parameters:
domain: dns.msftncsi.com
-
function: BlockViaHostsFile
parameters:
domain: ipv6.msftncsi.com
-
function: BlockViaHostsFile
parameters:
domain: msftconnecttest.com
-
function: BlockViaHostsFile
parameters:
domain: www.msftconnecttest.com
-
function: BlockViaHostsFile
parameters:
domain: ipv6.msftconnecttest.com
-
name: >-
Disable "Network Location Awareness (NLA)" service
(breaks auto-reconnect, connectivity status, network identification)
docs: |- # refactor-with-variables: Same • NCSI caution
This script disables the Network Location Awareness (NLA) service.
NLA collects and stores network configuration information and notifies programs of changes [1] [2] [3] [4] [5] [6].
This data collection can pose privacy concerns.
It determines network connectivity type and properties, helping Windows manage connections [7] [8].
NLA uses the Network Connectivity Status Indicator (NCSI) to assess internet connectivity [7] [9].
NCSI is responsible for detecting Internet connectivity status [9].
Key functions of NLA:
- Generates unique identifiers (GUIDs) for each network interface [6] [10]
- Interacts with Windows Firewall to apply appropriate rules based on network profiles [10]
- Provides connectivity status for various applications such as Microsoft Teams and Windows Update [8]
Benefits of disabling NLA:
- Enhances privacy by stopping communication with Microsoft servers for connectivity detection (NCSI) [7] [8] [9] [11]
- Increases security by reducing potential vulnerabilities [12] [13]
- Reduces background processes, potentially optimizing system performance [4] [15]
Microsoft considers this service 'OK to disable' to reduce data collection and optimize system performance [4].
Disabling NLA does not impact the essential operations of the operating system [14].
Citrix recommends disabling it on VDI/RDS machines [15].
Side effects of disabling NLA:
- Lack of network configuration information [1] [2] [3] [4] [5] [11]
- Failure of related services on Windows 10 such as `Dhcp`, `nsi`, `RpcSs`, `Tcpip`,
`EventLog` and `netprofm` [2] [3]
- Issues with network identification (such as "Home", "Work", "Public") and firewall profile determination [10]
- Broken internet connectivity status detection and network status alerts [7] [9]
- Problems with captive portal (hotspot) detection [11]
- Difficulties with the auto-reconnect functionality of different apps [6] [14] [16]
> **Caution**: This may lead to:
> - Lack of immediate feedback on network status.
> - Potential functionality issues in the system and applications that rely on NCSI for network information.
> - Reduced ability of Windows and other components to determine internet connectivity.
> - Windows and other software may incorrectly report that you're offline.
> - Issues with automatically opening the sign-in page when a captive portal (hotspot) is detected.
### Overview of default service statuses
This service runs and starts by default on Windows 10 [2] [3] but not on Windows 11 [1].
NLA service is available on both Windows 10 [2] [3] and Windows 11 [1],
but its NCSI functionality applies to Windows 10 and Windows Server 2019 and earlier versions [11].
Its functionality has been replaced by Network List Service (NLS) on Windows 11 and Windows Server 2022 and later [8] [11].
This script does not disable this service on Windows 11 as it no longer manages NCSI and offers no clear privacy benefit.
This script targets Windows 10, where disabling NLA enhances privacy by preventing NCSI functionality.
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20240810075341/https://batcmd.com/windows/11/services/nlasvc/ "Network Location Awareness - Windows 11 Service - batcmd.com | batcmd.com"
[2]: https://web.archive.org/web/20240520132332/https://batcmd.com/windows/10/services/nlasvc/ "Network Location Awareness - Windows 10 Service - batcmd.com | batcmd.com"
[3]: https://web.archive.org/web/20240113010240/https://revertservice.com/10/nlasvc/ "Network Location Awareness (NlaSvc) Service Defaults in Windows 10 | revertservice.com"
[4]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[5]: https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#network-location-awareness "Security guidelines for system services in Windows Server 2016 | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240809205224/https://learn.microsoft.com/en-us/windows/win32/winsock/the-role-of-nla-2 "The Role of NLA - Win32 apps | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240620094739/https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/internet-explorer-edge-open-connect-corporate-public-network "An Internet Explorer or Edge window opens when your computer connects to a corporate network or a public network - Windows Client | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240722112607/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-ncsi-guidance "Network Connection Status Indicator (NCSI) troubleshooting guidance - Windows Server | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20121226172641/http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx "The Network Connection Status Icon - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com"
[10]: https://web.archive.org/web/20121103135524/http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx "Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com"
[11]: https://web.archive.org/web/20240114123854/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions "Network Connectivity Status Indicator FAQ for Windows | Microsoft Learn | learn.microsoft.com"
[12]: https://web.archive.org/web/20240809205000/https://nvd.nist.gov/vuln/detail/CVE-2020-1437 "NVD - CVE-2020-1437 | nvd.nist.gov"
[13]: https://web.archive.org/web/20240809205115/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0006 "CVE - CVE-2015-0006 | cve.mitre.org"
[14]: https://web.archive.org/web/20240809205040/https://security.stackexchange.com/questions/15466/how-do-these-windows-services-affect-the-security-of-windows-firewall "How do these Windows services affect the security of Windows Firewall? - Information Security Stack Exchange | security.stackexchange.com"
[15]: https://web.archive.org/web/20240809205236/https://jans.cloud/wp-content/uploads/2017/12/Execute_History.html "Citrix Optimizer Report | jans.cloud"
[16]: https://web.archive.org/web/20240809205207/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/mpc/checking-availability-before-attempting-use "Checking Availability Before Attempting Use | Microsoft Learn | learn.microsoft.com"
call:
function: DisableService
parameters:
serviceName: NlaSvc # Check: (Get-Service -Name NlaSvc).StartType
defaultStartupMode: Automatic # Set "Automatic" as this script is Windows 10 only. Default: Automatic on Windows 10 | Manual on Windows 11
maximumWindowsVersion: Windows10-MostRecent # Windows 10 only - The service does not provide NCSI functionality in Windows 11
-
name: >-
Disable "Network List Service (NLS)" service
(breaks connectivity status, network identification, network connection icon, connectivity with some Microsoft apps)
docs: |-
This script disables the "Network List Service (NLS)" service.
This service is technically identified as `netprofm` [1] [2] [3] [4] [5] [6].
NLS collects and stores properties for connected networks and notifies applications of changes [1] [2] [4] [5] [6] [7] [8].
It manages network-related information similarly to how a computer caches domain name IP addresses [7].
Benefits of disabling NLS:
- Enhancing your privacy.
Disabling this service halts communication with Microsoft servers for connectivity detection [1] [3].
- Improving your security by reducing the attack surface.
Any service or application is a potential point of attack [1].
It's a security best practice to disable or remove any unneeded services [1].
NLS has had vulnerabilities in the past [9].
- Optimizing system performance.
This service is associated with high CPU usage [10].
However, disabling NLS may cause several issues:
- Windows Firewall may default to the Public profile [11].
- The **Network Sharing Center** may not display profile types or connection status [11].
- The network connection icon may not appear on the Windows taskbar [11].
- **Microsoft 365** and **Office** apps may have activation [12] and network connection issues [13].
- **SQL Server** and **SQL Server Agent** services may fail to start [14].
- Network properties may not change or be managed efficiently [7].
- Other Windows services may fail:
- On Windows 10:
Network Location Awareness (`NlaSvc`) [4] [6], Remote Procedure Call (RPC) (`RpcSs`) [4] [6],
HomeGroup Provider (`HomeGroupProvider`) [4] [6], Microsoft App-V Client (`AppVClient`) [4] [6],
Network Connected Devices Auto-Setup (`NcdAutoSetup`) [4] [6].
- On Windows 11:
Network Store Interface Service (`nsi`) [5], Remote Procedure Call (RPC) (`RpcSs`) [5],
TCP/IP Protocol Driver (`tcpip`) [5], Microsoft App-V Client (`AppVClient`) [5],
Network Connected Devices Auto-Setup (`NcdAutoSetup`) [5].
NLS is responsible for NCSI functionality only on Windows 11 and Windows Server 2022 or later [3] [15].
Earlier versions like Windows Server 2019 and Windows 10 use Network Location Awareness (NLA) for NCSI [15].
Microsoft states that disabling NLS only affects network information display and does not impact system behavior [11].
Broadcom confirms that it is safe to disable this service [16].
The Center for Internet Security (CIS) recommends disabling this service [1].
Citrix recommends disabling this service on VDI/RDS machines [17].
However, Microsoft has not provided clear guidance on whether this service should be disabled [2] [8].
It states that the effects of disabling this service are not fully evaluated [2].
Despite recommendations from authorities, this script does not disable NLS on Windows 11.
Disabling NLS on Windows 11 causes your `explorer.exe` to crash and relaunch repeatedly [18].
These issues were last confirmed in tests on Windows 11 Pro 23H2.
The `explorer.exe` process repeatedly crashes, causing the screen to flash continuously and preventing the taskbar from loading.
> **Caution**: This may lead to:
> - Lack of immediate feedback on network status.
> - Potential functionality issues in the system and applications that rely on NCSI for network information.
> - Reduced ability of Windows and other components to determine internet connectivity.
> - Windows and other software may incorrectly report that you're offline.
> - Issues with automatically opening the sign-in page when a captive portal (hotspot) is detected.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Manual |
| Windows 11 (≥ 23H2) | 🟢 Running | Manual |
[1]: https://web.archive.org/web/20240714183805/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_Server_2008_R2_v2_0_0.pdf "CIS Microsoft Windows Server 2008 R2 | v2.0.0 - 10-04-2013 | paper.bobylive.com"
[2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[3]: https://web.archive.org/web/20240722112607/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/troubleshoot-ncsi-guidance "Network Connection Status Indicator (NCSI) troubleshooting guidance - Windows Server | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240809205708/https://batcmd.com/windows/10/services/netprofm/ "Network List Service - Windows 10 Service - batcmd.com | batcmd.com"
[5]: https://web.archive.org/web/20240809205829/https://batcmd.com/windows/11/services/netprofm/ "Network List Service - Windows 11 Service - batcmd.com | batcmd.com"
[6]: https://web.archive.org/web/20240809205813/https://revertservice.com/10/netprofm/ "Network List Service (netprofm) Defaults in Windows 10 | revertservice.com"
[7]: https://web.archive.org/web/20240809205040/https://security.stackexchange.com/questions/15466/how-do-these-windows-services-affect-the-security-of-windows-firewall "How do these Windows services affect the security of Windows Firewall? - Information Security Stack Exchange | security.stackexchange.com"
[8]: https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#network-list-service "Security guidelines for system services in Windows Server 2016 | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240809210027/https://nvd.nist.gov/vuln/detail/CVE-2020-1209 "NVD - CVE-2020-1209 | nvd.nist.gov"
[10]: https://archive.ph/2024.08.09-210032/https://www.reddit.com/r/Windows10/comments/ix4n5h/what_is_network_list_service_why_is_it_using_up/ "What is network list service? Why is it using up all my cpu? : r/Windows10 | www.reddit.com"
[11]: https://web.archive.org/web/20240809205533/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/windows-fireware-rule-block-udp-communication "UDP communication is blocked by the Windows Firewall rule in WSFC - Windows Server | Microsoft Learn"
[12]: https://web.archive.org/web/20240809205558/https://learn.microsoft.com/en-us/office/troubleshoot/activation/network-connection-issues "Microsoft 365 Apps activation network connection issues - Microsoft 365 Apps | Microsoft Learn | learn.microsoft.com"
[13]: https://web.archive.org/web/20240809205739/https://learn.microsoft.com/en-us/office/troubleshoot/office-suite-issues/files-fail-to-open "Office files in SharePoint fail to open from an Office 2016 client - Microsoft 365 Apps | Microsoft Learn | learn.microsoft.com"
[14]: https://web.archive.org/web/20240809205639/https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/startup-shutdown/agent-service-fails-start-stand-alone-server "Agent Service fails to start on standalone server - SQL Server | Microsoft Learn | learn.microsoft.com"
[15]: https://web.archive.org/web/20240114123854/https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions "Network Connectivity Status Indicator FAQ for Windows | Microsoft Learn | learn.microsoft.com"
[16]: http://archive.ph/2024.08.10-101158/https://ftpdocs.broadcom.com/cadocs/0/CA%20Network%20Flow%20Analysis%209%201%203-ENU/Bookshelf_Files/HTML/NFA_Upgrade_Guide_en_US/1975755.html "Disable Unneeded Services on Windows Server 2008 R2 | ftpdocs.broadcom.com"
[17]: https://web.archive.org/web/20240809205236/https://jans.cloud/wp-content/uploads/2017/12/Execute_History.html "Citrix Optimizer Report | jans.cloud"
[18]: https://web.archive.org/web/20230307114810/https://www.elevenforum.com/t/services-in-22h2.11916/ "Services in 22H2 | Windows 11 Forum | www.elevenforum.com"
call:
function: DisableService
parameters:
serviceName: netprofm # Check: (Get-Service -Name netprofm).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
maximumWindowsVersion: Windows10-MostRecent # Disabling breaks `explorer.exe` (last tested Windows 11 Pro 23H2)
-
category: Disable Windows Update data collection
children:
-
category: Disable automatic driver updates by Windows Update
children:
-
name: Disable device metadata retrieval (breaks auto updates)
recommend: strict
docs:
- https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964
- https://web.archive.org/web/20240314125819/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#preventdevicemetadatafromnetwork
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata
valueName: PreventDeviceMetadataFromNetwork
dataType: REG_DWORD
data: '1'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 22H3)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
valueName: PreventDeviceMetadataFromNetwork
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable inclusion of drivers with Windows updates
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate
recommend: strict
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: ExcludeWUDriversInQualityUpdate
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Windows Update device driver search
docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965
recommend: strict
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching
valueName: SearchOrderConfig
dataType: REG_DWORD
data: '1'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 22H3)
-
category: Disable obtaining updates from other PCs on the Internet (delivery optimization)
docs: |-
Windows Delivery Optimization is a feature introduced by Microsoft to facilitate a more efficient downloading process for Windows
updates, upgrades, and applications [1] [2]. Instead of exclusively relying on Microsoft's servers, this feature identifies other
PCs on a user's local network or even across the internet that already possess the desired updates or applications [2]. By breaking
the download into smaller segments and fetching each from the fastest and most reliable source, which can include other PCs, the
system ensures more efficient downloads [2]. To support this process, Delivery Optimization uses a local cache to temporarily store
downloaded files [2].
While Delivery Optimization is designed for speed and reliability, its operation raises privacy concerns. Specifically, when enabled,
it can distribute updates and applications from one user's PC to others [2], sharing users' data such as their IP addresses [3].
Benefits of disabling Delivery Optimization for privacy:
- **Minimizing Data Sharing**: By turning off Delivery Optimization, users ensure that updates and apps are neither downloaded from nor sent
to other devices [2]. This guarantees that all data remains strictly on the user's device [2] and the user IP is not shared [3].
- **Storage Conservation**: Users can save storage space by eliminating the local cache utilized by Delivery Optimization.
- **Guaranteed Source Authenticity**: Although Microsoft ensures the authenticity of updates and apps shared via Delivery Optimization [2],
disabling the feature guarantees that all updates and apps come directly from Microsoft's servers, eliminating potential intermediaries.
- **Bandwidth Conservation**: With the feature off, updates are restricted to direct downloads from Microsoft [1]. This is beneficial
for users on metered or capped internet connections, as it allows for more effective bandwidth monitoring [2].
- **Enhanced Security**: Devices using Delivery Optimization open port 7680 to accept peer requests [4]. Disabling the feature avoids this,
ensuring users are not exposed to unwanted inbound traffic and enhancing security [5].
- **VPN Protection**: Although Delivery Optimization attempts to detect VPNs and halts uploads when a VPN connection is detected [4], disabling
it removes any risk of unintended data sharing over a VPN.
Notably, the USA government [5] and the Department of Defense (DoD) in the USA [6] recommend disabling this feature.
[1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization? - Windows Deployment | Microsoft Learn"
[2]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support"
[3]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn"
[4]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn"
[5]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
[6]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com"
children:
-
name: Disable peering download method for Windows Updates
recommend: standard
docs: |-
This script modifies Delivery Optimization's download method for Windows Updates [1] to disable peering. When this script is run, it sets the
download method to `0`, which means "HTTP only, no peering" [1] [2]. As a result, Windows Updates are downloaded solely from the internet and
not from other computers on the network (referred to as "peer-to-peer") [3].
Peer-to-peer is a method where multiple computers share data amongst themselves. For Windows Updates, the default setting is for computers
within a network to share updates (called LAN mode, represented by the value `1`) [1] [2].
Changing the setting to "HTTP only" reduces potential vulnerabilities [3]. When updates are fetched only from official servers, there's
less chance of unwanted or malicious data entering the system. This is why the Department of Defense (DoD) in the USA [4] and the USA government [3]
recommend this setting. They assert that leaving it in its default configuration could expose the system to additional risks [3].
[1]: https://web.archive.org/web/20230914171524/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization "DeliveryOptimization Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230914171842/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference "Delivery Optimization reference - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
[4]: https://web.archive.org/web/20230914171410/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-65681 "Windows Update must not obtain updates from other PCs on the Internet | stigviewer.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
valueName: DODownloadMode
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
name: Disable "Delivery Optimization" service (breaks Microsoft Store downloads)
recommend: strict
docs: |-
Delivery Optimization is a Windows feature that delivers Windows updates through peer-to-peer sharing [1]. In simple terms, instead of solely
relying on Microsoft's servers for updates, your computer can also fetch them from other devices that already possess the necessary files.
The "Delivery Optimization" service manages these content delivery tasks [2] [3]. It orchestrates the retrieval of updates from other Windows users [3].
In doing so, it connects to various Microsoft service points to collect data, such as policies, content details, device specifications, and information about
other Windows users [3]. This data sharing raises privacy concerns.
This service also logs IP addresses [4] of peers, which can be considered personal data. It listens on port 7680 for TCP/UDP traffic [5], which may expose the user
to unwanted inbound traffic; disabling the service avoids this, enhancing security [6].
By default, the "Delivery Optimization" service is set to start automatically when Windows boots up [2]. This script alters that behavior, ensuring
it doesn't run unless explicitly started by the user.
Taking control of this service prevents Microsoft from activating peer-to-peer sharing, enhancing user privacy. It ensures your device doesn't share update data
or fetch it from arbitrary peers.
> **Caution:** Disabling this service affects the functionality of Windows Store. It plays a role not just in Windows Updates but also in Microsoft Store app
downloads, especially since Windows 11 [7]. There have been reported issues with some app downloads on Windows 10 [8].
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🟢 Running | Automatic |
| Windows 11 (≥ 22H2) | 🟢 Running | Automatic |
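To check the result on a machine, the following audit function is an added example (not part of privacy.sexy's generated scripts). It reads the `DODownloadMode` policy and the `DoSvc` start type from the registry and looks for listeners on port 7680. The function names are hypothetical, and it assumes a disabled service is recorded as `Start` = `4` under the standard `Services` key.

```powershell
# Added audit example (not privacy.sexy code): reports whether the Delivery
# Optimization changes described in these docs are in effect on this machine.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DeliveryOptimizationHardening {
    $findings = @()

    # 1. Policy value: 0 = "HTTP only, no peering"; 1 = LAN peering (the default mode).
    $mode = Get-RegistryDword `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' `
        -Name 'DODownloadMode'
    $findings += [pscustomobject]@{
        Check  = 'DODownloadMode policy'
        Actual = if ($null -eq $mode) { 'missing (Windows default applies)' } else { $mode }
        Pass   = ($mode -eq 0)
    }

    # 2. Service start type as stored in the registry: 2 = Automatic, 3 = Manual, 4 = Disabled.
    $start = Get-RegistryDword `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DoSvc' `
        -Name 'Start'
    $findings += [pscustomobject]@{
        Check  = 'DoSvc start type'
        Actual = if ($null -eq $start) { 'service key missing' } else { $start }
        Pass   = ($start -eq 4)
    }

    # 3. Port 7680: any TCP listener or UDP endpoint means peers can still reach the host.
    $tcp = @(Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue)
    $udp = @(Get-NetUDPEndpoint -LocalPort 7680 -ErrorAction SilentlyContinue)
    $findings += [pscustomobject]@{
        Check  = 'Listeners on port 7680'
        Actual = "TCP: $($tcp.Count), UDP: $($udp.Count)"
        Pass   = (($tcp.Count + $udp.Count) -eq 0)
    }

    return $findings
}

Test-DeliveryOptimizationHardening | Format-Table -AutoSize
```

A service that was already running stays up until it is stopped or the system restarts, so the port check can fail even when the start type check passes.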
[1]: https://web.archive.org/web/20230914164204/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization "What is Delivery Optimization? - Windows Deployment | Microsoft Learn"
[2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#delivery-optimization "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[3]: https://web.archive.org/web/20230914172129/https://learn.microsoft.com/en-us/windows/deployment/do/delivery-optimization-workflow "Delivery Optimization client-service communication explained - Windows Deployment | Microsoft Learn"
[4]: https://web.archive.org/web/20230914164646/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-monitor "Monitor Delivery Optimization - Windows Deployment | Microsoft Learn"
[5]: https://web.archive.org/web/20230914172319/https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-deployment "Deploying a privileged access solution | Microsoft Learn"
[6]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
[7]: https://web.archive.org/web/20230914164355/https://support.microsoft.com/en-us/windows/windows-update-delivery-optimization-and-privacy-bf86a244-8f26-a3c7-a137-a43bfbe688e8 "Windows Update Delivery Optimization and privacy - Microsoft Support"
[8]: https://github.com/undergroundwires/privacy.sexy/issues/173 "[BUG] Error 0x80004002 on Microsoft Store when attempting to download an app · Issue #173 · undergroundwires/privacy.sexy"
call:
function: DisableServiceInRegistry
# Using the registry because other options such as "sc config" or
# "Set-Service" return "Access is denied" since Windows 10 1809.
parameters:
serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable cloud-based speech recognition
recommend: standard
docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-priv-speech
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy
valueName: HasAccepted
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
name: Opt out of Windows privacy consent
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Personalization\Settings
valueName: AcceptedPrivacyPolicy
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 22H2)
-
name: Disable Windows feedback collection
recommend: standard
docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-priv-feedback
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Siuf\Rules
valueName: NumberOfSIUFInPeriod
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
function: DeleteRegistryValue
parameters:
keyPath: 'HKCU\SOFTWARE\Microsoft\Siuf\Rules'
valueName: PeriodInNanoSeconds
# Default values:
# Check : Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Siuf\Rules' -Name 'PeriodInNanoSeconds'
# Windows 10 (≥ 22H2) : Missing
# Windows 11 (≥ 23H2) : Missing
deleteOnRevert: 'true'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection
valueName: DoNotShowFeedbackNotifications
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection
valueName: DoNotShowFeedbackNotifications
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable text and handwriting data collection
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization
valueName: RestrictImplicitInkCollection
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization
valueName: RestrictImplicitTextCollection
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports
valueName: PreventHandwritingErrorReports
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC
valueName: PreventHandwritingDataSharing
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization
valueName: AllowInputPersonalization
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore
valueName: HarvestContacts
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 23H2)
-
category: Disable location access
children:
-
name: Disable Windows Location Provider
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
valueName: DisableWindowsLocationProvider
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable location scripting
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
valueName: DisableLocationScripting
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable location
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
valueName: DisableLocation
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}
valueName: Value
dataType: REG_SZ
data: "Deny"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}
valueName: SensorPermissionState
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable device sensors
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors
valueName: DisableSensors
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Windows search data collection
docs: |-
This category is dedicated to minimizing the personal data collected and utilized by Windows Search and Cortana.
It encompasses a range of scripts designed to curtail data sharing and bolster user privacy.
These scripts are crucial for preventing the search function from transmitting sensitive information such as
search history, account details, and location data to Microsoft's servers.
The Windows search functionality, often integrated with Cortana [1], is a key feature that allows for data collection
through various means. This includes gathering user searches, contacts, location data, voice inputs, browsing history,
and details from emails, calendars, and communication history [2].
The voice data thus collected aids in refining language understanding and machine learning models [2]. Furthermore,
Cortana's use of location data provides contextually relevant answers and suggestions, often estimating the user's
location via their IP address [2]. This feature extends to web browsing as well, where Cortana utilizes Microsoft Edge
browsing history for personalized suggestions [2].
Contacts, calendar details, and email information are also accessed by Cortana to track and offer tailored suggestions [2].
Additionally, when signed in, chat history with Cortana is retained, and typed searches are transmitted to Bing for
enhanced recommendation quality, even when Cortana is not actively in use [2].
By using the scripts in this category, users can significantly enhance their privacy and security.
These scripts enable users to control the extent of their personal data used by Windows, thereby ensuring a more secure
and private search experience.
[1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20240121010852/https://support.microsoft.com/en-us/windows/cortana-and-privacy-47e5856e-3680-d930-22e1-71ec6cdde231 "Cortana and privacy - Microsoft Support | support.microsoft.com"
children:
# Excluding:
# Disable Bing adult content filter
# - `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!SafeSearchMode`
# - `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchSafeSearch`
# It doesn't really add to privacy or security.
# Remove Search Button on Taskbar:
# `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!SearchboxTaskbarMode`
# It doesn't really add to privacy or security.
-
category: Disable Cortana data collection
docs: |-
This category targets the reduction of Cortana's data collection practices.
Cortana, Microsoft's digital assistant, integrates deeply with Windows Search to provide personalized
assistance based on user data.
By disabling Cortana's data collection features, this category aims to enhance user privacy by preventing the
sharing of sensitive information with Microsoft.
The scripts within this category provide users with the tools to limit Cortana's reach into their personal data,
thereby fostering a more private and secure digital environment.
children:
-
name: Disable Cortana during search
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana
- https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-cortana
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: AllowCortana
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable Cortana experience
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana
valueName: value
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable Cortana's access to cloud services such as OneDrive and SharePoint
recommend: standard
docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowcloudsearch
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: AllowCloudSearch
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable Cortana speech interaction while the system is locked
recommend: standard
docs: https://web.archive.org/web/20240314125714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: AllowCortanaAboveLock
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable participation in Cortana data collection
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Search
valueName: CortanaConsent
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable enabling of Cortana
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Search
valueName: CanCortanaBeEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Cortana in start menu
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: CortanaEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: CortanaEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
category: Disable Cortana activity history
docs: |-
This category focuses on preventing Cortana from storing and displaying user interaction history.
When enabled, Cortana collects data on user activities, such as interactions with the assistant and search queries,
to personalize the user experience.
This collection can be a privacy concern as it involves the retention and potential analysis of personal behavior patterns.
By disabling this feature, users can prevent their activity history from being used for customization or other purposes,
thereby enhancing their privacy and potentially improving system performance by reducing background data processing tasks.
children:
-
name: Disable Cortana's history display
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: HistoryViewEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Cortana's device history usage
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: DeviceHistoryEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Remove "Cortana" icon from taskbar
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
valueName: ShowCortanaButton
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Key exists with value `0` since Windows 10 22H2, missing key since Windows 11 23H2
-
function: ShowExplorerRestartSuggestion
-
name: Disable Cortana in ambient mode
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: CortanaInAmbientMode
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
category: Disable Cortana voice listening
docs: |-
This category is designed to stop Cortana from listening for voice commands.
By default, Cortana can actively listen for voice input, which may include capturing and processing speech patterns and
potentially sensitive spoken content.
This capability raises privacy issues as voice data is often processed and stored remotely.
Disabling Cortana's voice listening features ensures that conversations or background noises are not inadvertently
recorded or analyzed, providing users with a greater level of privacy in their personal or work environments.
children:
-
name: Disable "Hey Cortana" voice activation
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences
valueName: VoiceActivationOn
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Speech_OneCore\Preferences
valueName: VoiceActivationDefaultOn
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Cortana keyboard shortcut (**Windows logo key** + **C**)
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: VoiceShortcut
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable Cortana on locked device
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences
valueName: VoiceActivationEnableAboveLockscreen
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable automatic update of speech data
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Speech_OneCore\Preferences
valueName: ModelDownloadAllowed
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Cortana voice support during Windows setup
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
valueName: DisableVoice
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable privacy-invasive indexing
docs: |-
This category is dedicated to preventing privacy-invasive indexing features within Windows.
Indexing can include details from emails, documents, and other files that may contain sensitive information.
Scripts in this category limit the exposure of personal data through search functionalities.
By controlling what and how information is indexed, these scripts help in protecting user privacy against
potential data breaches or unauthorized access.
children:
# There are other missing indexing settings such as:
# EnableIndexingDelegateMailboxes, DisableRemovableDriveIndexing, PreventIndexingEmailAttachments
# PreventIndexingLowDiskSpaceMB, PreventIndexingOfflineFiles, PreventIndexingOutlook, PreventIndexingPublicFolders,
# PreventIndexingUncachedExchangeFolders, PreventIndexOnBattery, AutoIndexSharedFolders
-
name: Disable indexing of encrypted items
recommend: standard
docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowindexingencryptedstoresoritems
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: AllowIndexingEncryptedStoresOrItems
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable automatic language detection when indexing
recommend: standard
docs: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#alwaysuseautolangdetection
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: AlwaysUseAutoLangDetection
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable remote access to search index
recommend: standard
docs: |-
This disables remote access to the search index of your computer [1] [2] [3] [4].
By executing this script, other computers will no longer be able to query your computer's search index remotely [1] [2] [4].
This means that when others are browsing network shares on your computer, they cannot use its index for searching [1] [2] [4].
By default, without this script, client computers can search using the host's index [1] [2] [3] [4], which might pose a privacy concern.
Implementing this change is crucial for maintaining both the privacy and security of your search data.
Not restricting this access is recognized as a security vulnerability [5].
The script targets the following registry key to implement the change:
`HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventRemoteQueries` [1] [2] [4] [5].
[1]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#preventremotequeries "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240120200959/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::PreventRemoteQueries "Prevent clients from querying the index remotely | admx.help"
[3]: https://web.archive.org/web/20240120200946/https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#search "Device restriction settings for Windows 10/11 in Microsoft Intune | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240120200943/https://www.windows-security.org/bcf256ddaff391fa2a294d42ffecbd90/prevent-clients-from-querying-the-index-remotely "Prevent clients from querying the index remotely | Windows security encyclopedia | www.windows-security.org"
[5]: https://web.archive.org/web/20240120200943/https://www.scaprepo.com/control.jsp?command=relation&relationId=CCE-93119-6&search=CCE-93119-6 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: PreventRemoteQueries
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable iFilters and protocol handlers
recommend: standard
docs: |-
This script enhances the security of Windows Desktop Search by restricting the use of iFilters and protocol handlers [1].
These components enhance Windows search capabilities by enabling the indexing of specific file types and the processing
of various file protocols [2] [3].
By default, Windows Desktop Search can use any installed iFilters and protocol handlers [1], which might
pose a security risk if untrusted components are used.
The script configures the system to only use iFilters and protocol handlers that are explicitly listed in an 'allow list' [1].
It does not prevent the installation of new iFilters or protocol handlers, nor does it restrict their use by other applications [1].
This measure is particularly useful for preventing unauthorized or potentially harmful search-related add-ins from being used by
Windows Desktop Search, thereby enhancing the overall security of the system.
[1]: https://web.archive.org/web/20240121002144/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::PreventUnwantedAddins "Prevent unwanted iFilters and protocol handlers | admx.help"
[2]: https://web.archive.org/web/20240121002129/https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-conceptual "Developing Filter Handlers for Windows Search - Win32 apps | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240121002136/https://learn.microsoft.com/en-us/windows/win32/search/-search-ifilter-registering-filters "Registering Filter Handlers - Win32 apps | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: PreventUnwantedAddIns
dataType: REG_SZ
data: " "
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable search's access to location
recommend: standard
docs: |-
This script blocks both the Windows search function and Cortana, Microsoft's virtual assistant, from
accessing your device's location data [1].
By default, Microsoft processes location data, impacting user privacy [2].
The U.S. Internal Revenue Service advises restricting access to this data to improve security, given the
sensitivity of location information [3].
Once this script is applied, search and Cortana will no longer be able to provide results based on the user's
location [1], thus enhancing privacy.
The script accomplishes this by modifying the following registry keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowSearchToUseLocation` [1] [2]
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!AllowSearchToUseLocation` [4]
[1]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowsearchtouselocation "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[3]: https://web.archive.org/web/20230914171139/https://www.irs.gov/pub/irs-utl/win10.xlsx "Internal Revenue Service Office of Safeguards - Windows 10 | irs.gov"
[4]: https://web.archive.org/web/20240120230024/https://www.neowin.net/news/the-windows-10-spring-update-no-longer-lets-you-disable-web-search-in-start/ "The Windows 10 spring update no longer lets you disable web search in Start - workaround - Neowin | www.neowin.net"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: AllowSearchToUseLocation
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: AllowSearchToUseLocation
dataType: REG_DWORD
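data: "0" # `0` blocks search from using location; `1` would allow it and contradict the HKLM policy value set above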
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
category: Disable search suggestions
docs: |-
This category focuses on enhancing privacy by disabling various search suggestions in
Windows, commonly associated with Cortana [1].
Cortana is a digital assistant integrated into Windows Search, capable of collecting extensive
personal data to provide its services [2].
This includes your search queries, contact information, location, voice inputs, browsing history,
and details from emails, calendars, and communication history [2].
These scripts are designed to limit the amount of personal data shared with Microsoft, preventing your
typed searches from being sent to Bing for search recommendations, even when Cortana is inactive [2].
[1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#2-cortana-and-search "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20240121010852/https://support.microsoft.com/en-us/windows/cortana-and-privacy-47e5856e-3680-d930-22e1-71ec6cdde231 "Cortana and privacy - Microsoft Support | support.microsoft.com"
children:
-
name: Disable Bing search and recent search suggestions (breaks search history)
recommend: standard
docs: |-
This script improves privacy by disabling Bing search in the Start menu and recent search suggestions in File Explorer [1] [2] [3] [4] [5].
By default, Windows 10's Search Box includes suggestions from the Internet, alongside local search results [4] [5] [6] [7].
This script limits the search results to your local machine, improving privacy by not sending data to Microsoft servers [2].
The script:
- Stops Bing web search integration in the Start menu [1] [2] [3] [4] [5].
- Disables recent search suggestions in File Explorer [5] [6] [7].
- Prevents search entries from being stored in the registry for future use [5] [6] [7].
> **Caution:** Running this script will remove Bing web search [1] [2] [3] [4] [5] and recent query suggestions
> from the search box [5] [6] [7], breaking the functionality of File Explorer pop-up suggestions based on past entries [6] [7].
This script modifies:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer!DisableSearchBoxSuggestions` [2] [3] [4].
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!DisableSearchBoxSuggestions` [8] [9].
These keys replace the older `BingSearchEnabled` registry value [2] [3].
They apply to Windows 10 versions after 1909, including Windows 10 v2004 (20H1) and higher [5] [9].
[1]: https://web.archive.org/web/20240120193801/https://github.com/undergroundwires/privacy.sexy/pull/117 'Added "Disable Bing search suggestions in Start Menu" by Permanently · Pull Request #117 · undergroundwires/privacy.sexy | github.com'
[2]: https://web.archive.org/web/20240120182931/https://www.windowslatest.com/2020/10/04/disable-bing-in-windows-search/ "How to disable Bing search in the Windows 10 Start menu | www.windowslatest.com"
[3]: https://web.archive.org/web/20240120182853/https://borncity.com/win/2020/10/05/windows-10-disable-bing-in-the-search/ "Windows 10: Disable Bing in the search | Born's Tech and Windows World | borncity.com"
[4]: https://web.archive.org/web/20240120182943/https://www.techbout.com/disable-web-results-in-windows-search-44034/ "How to Disable Web Search Results in Windows 10 - Techbout | www.techbout.com"
[5]: https://web.archive.org/web/20240120135454/https://www.winhelponline.com/blog/disable-web-results-windows-10-start-menu/ "How to Disable Web Search in Windows 10 Start menu | Winhelponline | www.winhelponline.com"
[6]: https://web.archive.org/web/20240120194244/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::DisableSearchBoxSuggestions "Turn off display of recent search entries in the File Explorer search box | admx.help"
[7]: https://web.archive.org/web/20240120194340/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-windowsexplorer#disablesearchboxsuggestions "ADMX_WindowsExplorer Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[8]: https://archive.ph/2024.07.19-094152/https://www.pcastuces.com/pratique/astuces/6080-print.htm "PC Astuces - Désactiver les recommandations dans la recherche - Windows 10 | www.pcastuces.com"
[9]: https://web.archive.org/web/20240120194547/https://www.deskmodder.de/phpBB3/viewtopic.php?t=23243 "Websuche in der Windows 10 Taskleiste deaktivieren - Deskmodder.de | www.deskmodder.de"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer
valueName: DisableSearchBoxSuggestions
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
valueName: DisableSearchBoxSuggestions
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable Bing search in start menu # Obsolete since Windows 10 20H2, replaced by `DisableSearchBoxSuggestions`
recommend: standard
docs: |-
This script disables the Bing search integration in the Windows Start menu search function [1] [2] [3].
In Windows, typing in the Start menu search box displays results from the web via Bing, in addition
to local search results [2] [3].
By preventing the search function from sending queries to Microsoft servers, this script enhances user privacy
and optimizes system performance by reducing the search workload.
Running this script prevents such web searches by modifying the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search!BingSearchEnabled`
registry key [1] [2] [3]. It is applicable to Windows version 1909 and older [1] [2] [4].
[1]: https://web.archive.org/web/20240120182931/https://www.windowslatest.com/2020/10/04/disable-bing-in-windows-search/ "How to disable Bing search in the Windows 10 Start menu | www.windowslatest.com"
[2]: https://web.archive.org/web/20240120135454/https://www.winhelponline.com/blog/disable-web-results-windows-10-start-menu/ "How to Disable Web Search in Windows 10 Start menu | Winhelponline | www.winhelponline.com"
[3]: https://web.archive.org/web/20240120182943/https://www.techbout.com/disable-web-results-in-windows-search-44034/ "How to Disable Web Search Results in Windows 10 - Techbout | www.techbout.com"
[4]: https://web.archive.org/web/20240120182853/https://borncity.com/win/2020/10/05/windows-10-disable-bing-in-the-search/ "Windows 10: Disable Bing in the search | Born's Tech and Windows World | borncity.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search # HKCU key is needed, not HKLM
valueName: BingSearchEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable web search in search bar # Obsolete since Windows 10 1803
recommend: standard
docs: |-
This script disables the ability to perform web searches directly from the Windows Desktop Search [1] [2] [3].
By executing this script, searches made from the desktop will be restricted to local content, omitting
results from the web [1] [2] [3].
Without this script, Windows Desktop Search includes web results by default, utilizing the user's default
web browser and search engine [1].
This script configures the `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableWebSearch` registry key [1] [2] [3].
`DisableWebSearch` has not been respected since Windows 10, version 1803 [1] [2].
[1]: https://web.archive.org/web/20240120163752/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch "Do not allow web search | admx.help"
[2]: https://web.archive.org/web/20240120143549/https://community.spiceworks.com/topic/2145330-psa-gp-to-disable-web-connected-search-no-longer-works-in-1803-workaround "PSA: GP to disable web-connected search no longer works in 1803 - workaround - Windows 10 | community.spiceworks.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: DisableWebSearch
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable web results in Windows Search
recommend: standard
docs: |-
This script improves your privacy by disabling the display of web results in the Windows Search function [1] [2].
This prevents your search terms from being sent to Microsoft servers [3].
By default, the Windows Start menu Search box shows results from your computer, the Windows Store, and Bing's web search results [4].
This default behavior [2] means your queries are shared with Microsoft, which could impact your privacy [3].
Running this script stops the Start menu search from performing web searches and displaying web results [1] [2],
both generally and over metered connections [5], ensuring your searches remain local to your device [3] [5].
When executed, this script modifies the following registry keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWeb` [1] [3] [4].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWebOverMeteredConnections` [5].
[1]: https://web.archive.org/web/20240120135419/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DoNotUseWebResults "Don't search the web or display web results in Search"
[2]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#donotusewebresults "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[4]: https://web.archive.org/web/20240120135454/https://www.winhelponline.com/blog/disable-web-results-windows-10-start-menu/ "How to Disable Web Search in Windows 10 Start menu | Winhelponline | www.winhelponline.com"
[5]: https://web.archive.org/web/20240120135331/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DoNotUseWebResultsOnMeteredConnections "Don't search the web or display web results in Search over metered connections | admx.help"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: ConnectedSearchUseWeb
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: ConnectedSearchUseWebOverMeteredConnections
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable Windows search highlights
recommend: standard
docs: |-
This script disables the search highlights feature in the taskbar search box.
By default [1] [2], search highlights present content like holidays, anniversaries, and other special events,
both globally and regionally [1]. This feature, available since Windows 10 and 11 version 2004 [1] [3] [4],
periodically updates with content, including illustrations and text in the search box [1].
However, using search highlights can impact your privacy.
This feature is even considered a security vulnerability [2].
It reduces privacy by communicating personalized content including updates from
your organization, suggested people, files, and more [3]. Acknowledging this privacy concern, Windows provides
settings in the "Privacy & security" section to manage it [3].
This script adjusts the following registry keys to turn off this feature:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableDynamicContentInWSB` [4] [2] [5]
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!IsDynamicSearchBoxEnabled` [6] [7] [8]
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!ShowDynamicContent` [7]
[1]: https://web.archive.org/web/20240120213614/https://techcommunity.microsoft.com/t5/windows-it-pro-blog/group-configuration-search-highlights-in-windows/ba-p/3263989 "Group configuration: search highlights in Windows - Microsoft Community Hub | techcommunity.microsoft.com"
[2]: https://web.archive.org/web/20240120214205/https://www.scaprepo.com/view.jsp?id=CCE-99848-4 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com"
[3]: https://web.archive.org/web/20240120214019/https://blogs.windows.com/windows-insider/2022/03/09/announcing-windows-11-insider-preview-build-22572/ "Announcing Windows 11 Insider Preview Build 22572 | Windows Insider Blog | blogs.windows.com"
[4]: https://web.archive.org/web/20240120214147/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowSearchHighlights "Allow search highlights | admx.help"
[5]: https://web.archive.org/web/20240120140023/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#allowsearchhighlights "Search Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240121145807/https://www.thewindowsclub.com/how-to-disable-search-highlights-in-windows "How to disable Search Highlights in Windows 11/10 | www.thewindowsclub.com"
[7]: https://web.archive.org/web/20240120214424/https://www.tenforums.com/tutorials/194711-enable-disable-search-highlights-windows-10-a.html "Enable or Disable Search Highlights in Windows 10 | Tutorials | www.tenforums.com"
[8]: https://web.archive.org/web/20240120214331/https://www.howtogeek.com/895945/how-to-turn-off-search-highlights-on-windows-11/ "How to Turn Off Search Highlights on Windows 11 | www.howtogeek.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: EnableDynamicContentInWSB
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings
valueName: IsDynamicSearchBoxEnabled
dataType: REG_DWORD
data: "0" # `0` turns search highlights off for the current user; `1` would leave them on
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable local search history (breaks recent suggestions)
recommend: strict
docs: |-
This disables the storage and display of search history in Windows [1] [2].
When executed, the script prevents the operating system from storing search queries in the registry [1] [2].
Consequently, suggestions based on previous searches will no longer appear in the search pane [1] [2].
However, suggestions based on local content from apps or Windows itself will remain available [1] [2].
The National Security Agency (NSA) in the USA recommends this setting for enhanced privacy and security [3].
By default, Windows provides search suggestions based on previous searches [1] [2] [4].
Running this script disables this feature, thereby enhancing privacy.
The script configures the following registry keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer!DisableSearchHistory` [1] [2].
- `HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings!IsDeviceSearchHistoryEnabled` [5].
[1]: https://web.archive.org/web/20240120195206/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableSearchHistory "Turn off storage and display of search history | admx.help"
[2]: https://web.archive.org/web/20240120195237/https://www.windows-security.org/97ff7103a68191c257fcf3a98d3dd87f/turn-off-storage-and-display-of-search-history "Turn off storage and display of search history | Windows security encyclopedia | www.windows-security.org"
[3]: https://archive.ph/2024.01.20-195609/https://github.com/nsacyber/Windows-Secure-Host-Baseline/blob/a0bdd660753327addc3bf4c0500d03c2770a4740/Windows/Group%20Policy%20Templates/Search.admx%23L456 "Windows-Secure-Host-Baseline/Windows/Group Policy Templates/Search.admx · nsacyber/Windows-Secure-Host-Baseline | github.com"
[4]: https://web.archive.org/web/20240120211224/https://support.microsoft.com/en-us/windows/windows-search-and-privacy-99fb8251-7260-1cd6-1bbb-15c2370eb168 "Windows Search and privacy - Microsoft Support | support.microsoft.com"
[5]: https://web.archive.org/web/20240120211424/https://www.tenforums.com/tutorials/133365-how-turn-off-device-search-history-windows-10-a.html "How to Turn On or Off Device Search History in Windows 10 | Tutorials | www.tenforums.com"
[6]: https://web.archive.org/web/20240120211431/https://technoresult.com/how-to-disable-windows-search-history-feature-in-windows-10/ "How to Disable Windows Search History Feature in Windows 10? - Technoresult | technoresult.com"
[7]: https://web.archive.org/web/20240120211444/https://www.thewindowsclub.com/clear-windows-10-search-history-and-remove-recent-activities "How to clear Windows Search History and remove Recent Activities | www.thewindowsclub.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\Explorer
valueName: DisableSearchHistory
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings
valueName: IsDeviceSearchHistoryEnabled
dataType: REG_DWORD
data: "0" # `0` turns device search history off for the current user; `1` would leave it on
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable sharing personal search data with Microsoft
recommend: standard
docs: |-
This script enhances privacy by limiting what search information is shared with Bing [1] [2] [3] [4] [5].
By default, Search in Windows shares user information, including search history, Microsoft account details, and location data,
to personalize search results and other Microsoft services [1] [2].
Executing this script ensures that search history, account details, or specific location data are not sent to Microsoft [1] [2].
Applicable to Windows 8.1 and later [1] [2] [3] [5], this script is a key privacy measure.
It is recommended by the US Department of Defense (DoD) and is considered a standard security practice [3].
Sharing this information is recognized as a security vulnerability [4].
The Center for Internet Security (CIS) also recommends this setting in its security framework [5].
The script modifies the following registry key to enforce this privacy setting:
`HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchPrivacy` [1] [2] [3] [4] [5].
[1]: https://web.archive.org/web/20240120203041/https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::SearchPrivacy "Set what information is shared in Search | admx.help"
[2]: https://web.archive.org/web/20240120203121/https://www.windows-security.org/c3a6b16451db61009c33a3be38dd1594/set-what-information-is-shared-in-search "Set what information is shared in Search | Windows security encyclopedia | www.windows-security.org"
[3]: https://web.archive.org/web/20240120202937/https://www.stigviewer.com/stig/windows_8_8.1/2015-06-16/finding/V-43242 "Information shared with Bing in Search must be configured to the most restrictive setting. (Windows 8.1) | www.stigviewer.com"
[4]: https://web.archive.org/web/20240120203138/https://www.scaprepo.com/control.jsp?command=relation&relationId=oval:org.secpod.oval:def:27705&search=oval:org.secpod.oval:def:27705 "SecPod SCAP Repo, a repository of SCAP Content (CVE, CCE, CPE, CWE, OVAL and XCCDF) | www.scaprepo.com"
[5]: https://web.archive.org/web/20240120203149/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2_1_0.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark v2.1.0 | bobylive.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search
valueName: ConnectedSearchPrivacy
dataType: REG_DWORD
data: "3"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable personal cloud content search in taskbar
recommend: standard
docs: |-
This script disables the integration of personal cloud content in the taskbar search box [1] [2] [3].
By default [2], Windows Search can access and display results from various Microsoft cloud services,
including OneDrive, Outlook, Bing, SharePoint [2] [3] [4] for both personal Microsoft accounts and
work or school accounts [1] [2] [3] [4].
This means your personal and work-related files stored on Microsoft's cloud platforms can be searched
through the Windows Search interface. While this feature increases convenience, it also poses privacy
concerns. For instance, someone with access to your computer can potentially view your personal search
results or data from your cloud storage. Additionally, your search queries are shared with Microsoft,
further impacting your privacy.
By disabling this feature, you ensure that Windows Search only returns results from your local device,
safeguarding your personal and professional information stored in cloud services. This action enhances
privacy by keeping your cloud-stored data separate from local search operations.
The script modifies two registry keys to disable cloud content search for different account types:
- For personal Microsoft accounts:
`HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!IsMSACloudSearchEnabled` [1] [2] [3]
- For work or school accounts:
`HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings!IsAADCloudSearchEnabled` [1] [2] [3]
[1]: https://web.archive.org/web/20240121002929/https://r-pufky.github.io/docs/operating-systems/windows/10/20H2/settings/search/permissions-and-history.html "8.1. Permissions & History — Generic service & computer documentation. documentation | r-pufky.github.io"
[2]: https://web.archive.org/web/20240121002902/https://www.clasesordenador.com/como-activar-y-desactivar-la-busqueda-de-contenido-en-la-nube-en-windows-11/ "Cómo activar y desactivar la búsqueda de contenido en la nube en Windows 11 | www.clasesordenador.com"
[3]: https://web.archive.org/web/20240121002826/https://www.thewindowsclub.com/disable-cloud-content-search-in-taskbar-search-box "Disable Cloud Content Search in Taskbar search box in Windows 11/10 | www.thewindowsclub.com"
[4]: https://web.archive.org/web/20240121010645/https://support.microsoft.com/en-us/windows/windows-search-and-privacy-99fb8251-7260-1cd6-1bbb-15c2370eb168 "Windows Search and privacy - Microsoft Support | support.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
valueName: IsMSACloudSearchEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
valueName: IsAADCloudSearchEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
category: Disable targeted advertisements and marketing
children:
-
name: Disable ad customization with Advertising ID
recommend: standard
docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo
valueName: Enabled
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo
valueName: DisabledByGroupPolicy
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable cloud-based advertising and tips
children:
-
name: Disable Windows Tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent
valueName: DisableSoftLanding
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Windows Spotlight (shows random wallpapers on lock screen)
recommend: strict
docs: |-
The script disables the Windows Spotlight feature. Windows Spotlight is a feature in Windows 10 and Windows 11 [1] that automatically downloads
and displays random wallpapers on the lock screen [1] [2]. These images are sourced from the internet [1] [2] [3]. At times, it might also promote
various Microsoft products, services [1] [2], or even third-party apps and content [4].
When the lock screen fetches images from the internet, there's a silent data exchange happening. This can inadvertently reveal details about the
user's device or their preferences.
To mitigate this potential privacy risk, the script sets a registry value (`DisableWindowsSpotlightFeatures`) in the Windows operating system [3].
By default, Windows Spotlight is turned on unless the user turns it off [2].
By applying this script, users can be sure their lock screen remains private and doesn't retrieve wallpapers from the internet, eliminating potential
data leaks.
[1]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support"
[2]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[4]: https://web.archive.org/web/20230911110921/https://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/Windows10andWindowsServer2016PolicySettings.xlsx "Group Policy Settings Reference - Microsoft"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\CloudContent
valueName: DisableWindowsSpotlightFeatures
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
name: Disable Microsoft Consumer Experiences
recommend: standard
docs:
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures
- https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\CloudContent
valueName: DisableWindowsConsumerFeatures
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable suggested content in Settings app
recommend: standard
docs:
- https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004
- https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
valueName: SubscribedContent-338393Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
valueName: SubscribedContent-353694Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager
valueName: SubscribedContent-353696Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable biometrics (breaks fingerprinting/facial login)
children:
-
name: Disable use of biometrics
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Biometrics
valueName: Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
name: Disable biometric logon
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider
valueName: Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
name: Disable "Windows Biometric Service"
recommend: strict
docs: |-
Details:
- [Security guidelines for system services in Windows Server 2016 | Microsoft Learn | learn.microsoft.com](https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service)
- [Windows Biometric Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314062512/https://batcmd.com/windows/10/services/wbiosrvc/)
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
call:
function: DisableService
parameters:
serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Wi-Fi Sense
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting
valueName: value
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots
valueName: Enabled
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `1` on Windows 11 Pro (≥ 22H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config
valueName: AutoConnectAllowedOEM
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 22H2)
-
name: Disable app launch tracking (hides most-used apps)
recommend: strict
docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
valueName: Start_TrackProgs
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable Website Access of Language List
recommend: standard
docs: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Control Panel\International\User Profile
valueName: HttpAcceptLanguageOptOut
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable automatic map downloads
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps
valueName: AllowUntriggeredNetworkTrafficOnSettingsPage
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps
valueName: AutoDownloadAndUpdateMapData
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable game screen recording
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\System\GameConfigStore
valueName: GameDVR_Enabled
dataType: REG_DWORD
data: '0'
dataOnRevert: '0' # Default value: `1` on Windows 10 Pro (≥ 21H2) | `0` on Windows 11 Pro (≥ 22H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR
valueName: AllowGameDVR
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable internet access for Windows DRM
recommend: standard
docs: https://web.archive.org/web/20231206191323/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WMDRM
valueName: DisableOnline
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable typing feedback (sends typing data)
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Input\TIPC
valueName: Enabled
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Input\TIPC
valueName: Enabled
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable Activity Feed feature
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: EnableActivityFeed
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Windows Insider Program
children:
-
name: Disable "Windows Insider Service"
docs: |-
Details:
- [Security guidelines for system services in Windows Server 2016 | Microsoft Learn | learn.microsoft.com](https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service)
- [Windows Insider Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314062528/https://batcmd.com/windows/10/services/wisvc/)
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
recommend: standard
call:
function: DisableService
parameters:
serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Microsoft feature trials
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds
valueName: EnableExperimentation
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds
valueName: EnableConfigFlighting
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation
valueName: value
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable receipt of Windows preview builds
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds
valueName: AllowBuildPreview
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Remove "Windows Insider Program" from Settings
docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility
valueName: HideInsiderPage
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable cloud sync
docs: https://web.archive.org/web/20240314101013/https://support.microsoft.com/en-us/windows/about-windows-backup-and-sync-settings-deebcba2-5bc0-4e63-279a-329926955708
children:
-
name: Disable all settings synchronization
recommend: standard
# This script is a master switch that disables all other types of setting synchronizations in this category.
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableSyncOnPaidNetwork
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: SyncPolicy
dataType: REG_DWORD
data: "5"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Application" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableApplicationSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableApplicationSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "App Sync" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableAppSyncSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableAppSyncSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Credentials" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableCredentialsSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableCredentialsSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials
valueName: Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Desktop Theme" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableDesktopThemeSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableDesktopThemeSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Personalization" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisablePersonalizationSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisablePersonalizationSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Start Layout" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableStartLayoutSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableStartLayoutSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
-
name: Disable "Web Browser" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableWebBrowserSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableWebBrowserSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
-
name: Disable "Windows" setting synchronization
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableWindowsSettingSync
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync
valueName: DisableWindowsSettingSyncUserOverride
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Language" setting synchronization
recommend: standard
docs:
- https://winaero.com/turn-on-off-sync-settings-windows-10/
- https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor
- https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language
valueName: Enabled
dataType: REG_DWORD
data: "0" # `0` turns the sync group off, as for the Credentials group above; `1` would turn it on
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Configure programs
children:
-
category: Disable Visual Studio data collection
docs: |-
These scripts disable future local and cloud data collection by Visual Studio about you and your behavior.
These do not clean existing data collected about you locally or on cloud servers.
children:
-
name: Disable participation in Visual Studio Customer Experience Improvement Program (VSCEIP)
recommend: standard
docs: |-
This script disables participation in the Visual Studio Customer Experience Improvement Program (VSCEIP),
enhancing your privacy and system performance.
Previously, VSCEIP was known as `PerfWatson` in Visual Studio [1].
It collects information about errors, hardware specifications, and usage patterns in Visual Studio [1] [2].
This data includes crashes, memory dumps, errors, stack traces, CPU and memory usage, interaction telemetry,
and other diagnostic data [2].
The collected information is sent to Microsoft servers for analysis [1] [2].
By default, VSCEIP data collection is enabled when Visual Studio is installed.
This means unless you actively opt out, Microsoft will collect and analyze your usage data.
By disabling VSCEIP, this script enhances your privacy by preventing Visual Studio from sending your usage
data to Microsoft.
It also improves system performance by reducing background data collection and transmission.
## Technical Details
The script modifies registry keys for Visual Studio versions from 2015 to 2022 [3]:
| Version | Product |
|:-------:|--------------------|
| 14.0 | Visual Studio 2015 |
| 15.0 | Visual Studio 2017 |
| 16.0 | Visual Studio 2019 |
| 17.0 | Visual Studio 2022 |
It sets the `OptIn` value to `0` in the following registry paths:
- `HKLM\SOFTWARE[\Wow6432Node]\Microsoft\VSCommon\<Version>\SQM` [2]
- `HKLM\Software\Policies\Microsoft\VisualStudio\SQM` (for Group Policy enabled users) [2]
The script modifies both 32-bit and 64-bit paths, except for Visual Studio 2022, which is 64-bit only [4].
By default, Visual Studio 2022 (last tested on version 17.10.5 on Windows 11 23H2) sets the `OptIn` value to `1`,
meaning the user is opted in to the program.
This script changes that value to `0`, opting the user out [2].
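To confirm the result on a given machine, the following read-only PowerShell audit reports the `OptIn` state for each path listed above. It is an added example, not part of the script generated by privacy.sexy. The helper name `Get-VsceipOptInState` is hypothetical; explicit registry views are used so the result is the same from 32-bit and 64-bit PowerShell hosts.

```powershell
# Added example: read-only audit of the VSCEIP `OptIn` values described above.
# Get-VsceipOptInState is a hypothetical helper name, not part of privacy.sexy.
$versions = [ordered]@{
    '14.0' = 'Visual Studio 2015'
    '15.0' = 'Visual Studio 2017'
    '16.0' = 'Visual Studio 2019'
    '17.0' = 'Visual Studio 2022'
}

function Get-VsceipOptInState {
    param(
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View,
        [Parameter(Mandatory)] [string] $SubKey
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $hklm.OpenSubKey($SubKey)   # opens read-only; $null if the key is absent
        if ($null -eq $key) { return 'key missing' }
        try {
            $optIn = $key.GetValue('OptIn', $null)
            if ($null -eq $optIn) { return 'value missing' }
            if ($optIn -eq 0)     { return 'opted out (0)' }
            return "opted in ($optIn)"
        } finally { $key.Dispose() }
    } finally { $hklm.Dispose() }
}

# On 64-bit Windows the 32-bit view is what the paths above spell as `Wow6432Node`.
# Opening each view explicitly avoids WOW64 redirection depending on the host process.
$is64 = [Environment]::Is64BitOperatingSystem
$views = if ($is64) {
    [ordered]@{ Registry64 = 'SOFTWARE'; Registry32 = 'SOFTWARE\Wow6432Node' }
} else {
    [ordered]@{ Default = 'SOFTWARE' }
}
$nativeView = if ($is64) { 'Registry64' } else { 'Default' }

$report = @(foreach ($viewName in $views.Keys) {
    foreach ($version in $versions.Keys) {
        [pscustomobject]@{
            Product = $versions[$version]
            Path    = 'HKLM\{0}\Microsoft\VSCommon\{1}\SQM' -f $views[$viewName], $version
            State   = Get-VsceipOptInState -View $viewName -SubKey "SOFTWARE\Microsoft\VSCommon\$version\SQM"
        }
    }
})

# Group Policy location, read through the native view.
$policySubKey = 'Software\Policies\Microsoft\VisualStudio\SQM'
$report += [pscustomobject]@{
    Product = 'Group Policy'
    Path    = "HKLM\$policySubKey"
    State   = Get-VsceipOptInState -View $nativeView -SubKey $policySubKey
}

$report | Format-Table -AutoSize -Wrap
```

A `key missing` row means that Visual Studio version is not installed for that registry view; `value missing` means the key exists but `OptIn` was never written.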
[1]: https://web.archive.org/web/20240808194752/https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog"
[2]: https://web.archive.org/web/20240314092010/https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program?view=vs-2022 "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240808200605/https://en.wikipedia.org/wiki/Visual_Studio#History "Visual Studio - Wikipedia | en.wikipedia.org"
[4]: https://web.archive.org/web/20240808195819/https://devblogs.microsoft.com/visualstudio/visual-studio-2022/ "Visual Studio 2022 - Visual Studio Blog | devblogs.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\VisualStudio\SQM # Group Policy
valueName: OptIn
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default on Windows 11 Pro 23H2 running Visual Studio 2022 17.10.5
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM # Visual Studio 2015 on x86 (32-bit) Windows
valueName: OptIn
dataType: REG_DWORD
data: '0'
dataOnRevert: '1'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM # Visual Studio 2015 on x64 (64-bit) Windows
valueName: OptIn
dataType: REG_DWORD
data: '0'
dataOnRevert: '1'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM # Visual Studio 2017 on x86 (32-bit) Windows
valueName: OptIn
dataType: REG_DWORD
data: '0'
dataOnRevert: '1'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM # Visual Studio 2017 on x64 (64-bit) Windows
valueName: OptIn
dataType: REG_DWORD
data: '0'
dataOnRevert: '1'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM # Visual Studio 2019 on x86 (32-bit) Windows
valueName: OptIn
dataType: REG_DWORD
data: '0'
dataOnRevert: '1'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM # Visual Studio 2019 on x64 (64-bit) Windows
valueName: OptIn
dataType: REG_DWORD
data: '0'
dataOnRevert: '1'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM # Visual Studio 2022 on x64 (64-bit) Windows
valueName: OptIn
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Last tested on Windows 11 Pro 23H2 running Visual Studio 2022 17.10.5
-
name: Disable Visual Studio telemetry
docs: |-
This key was first seen to be used in Visual Studio 15 (2017) [1] [2].
By default (after clean installation) the registry key set by this script does not exist
since Visual Studio 2022.
[1]: https://developercommunity.visualstudio.com/t/bad-crashes-when-visualstudiotelemetryturnoffswitc/208693 "Bad crashes when VisualStudio\Telemetry\TurnOffSwitch is set to 0 | Visual Studio Feedback"
[2]: https://web.archive.org/web/20231206212728/https://social.msdn.microsoft.com/Forums/vstudio/en-US/7796f0c5-ec9a-4fc8-9f62-584a663f9016/vs2015-pro-upd-3-quotthe-application-cannot-startquot-exception-in-obtainoptinstatus?forum=vssetup 'VS2015 (pro + upd 3): "Forum post showing logs for TurnOffSwitch key | MSDN Forums'
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\VisualStudio\Telemetry
valueName: TurnOffSwitch
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
-
name: Disable Visual Studio feedback
recommend: standard
docs: |-
The feedback tool in Visual Studio allows users to report a problem from either Visual Studio or its installer.
It collects rich diagnostic information along with personally identifiable information [1]. This information includes large log files,
crash information, screenshots, repro recording, and other artifacts [1].
This script disables the feedback dialog, as well as the screenshot capture and email input that are prompted for as part of the feedback.
By default (after a clean installation), these registry values are not set since Visual Studio 2022. When these settings are
not set, feedback is enabled.
[1]: https://web.archive.org/web/20240314101616/https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio?view=vs-2022 "Report a problem with Visual Studio - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback
valueName: DisableFeedbackDialog
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback
valueName: DisableEmailInput
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback
valueName: DisableScreenshotCapture
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
-
name: Disable "Visual Studio Standard Collector Service"
recommend: standard
docs: |-
Visual Studio Standard Collector Service is a service that is part of
[Microsoft Visual Studio and .NET Log Collection Tool](https://web.archive.org/web/20231207105404/https://www.microsoft.com/en-us/download/details.aspx?id=12493) [1].
This service collects logs for Diagnostics Hub just like Diagnostic Hub Standard Collector [2].
It has been known to be vulnerable to privilege elevation [3] [4].
Disabling this service is recommended because otherwise it would:
- Increase the attack surface of your computer, making it open to potential future vulnerabilities.
- Use computer resources in favor of collecting more data about you and your behavior.
### Overview of default service statuses
`VSStandardCollectorService150` (tested on Microsoft Visual Studio Community 2022):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 11 (≥ 21H2) | 🟡 Missing | N/A |
[1]: https://web.archive.org/web/20240314123619/https://learn.microsoft.com/en-us/answers/questions/891356/i-cant-start-vsstandardcollectorservice150#answer-929168 "I can't start VSStandardCollectorService150 | Microsoft Q&A | learn.microsoft.com"
[2]: https://web.archive.org/web/20240413105955/https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service "CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service | Atredis Partners"
[3]: https://web.archive.org/web/20240413105849/https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability"
[4]: https://web.archive.org/web/20240413105849/https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "CVE-2024-20656 - Local Privilege Escalation in the VSStandardCollectorService150 Service - MDSec | www.mdsec.co.uk"
call:
function: DisableService
parameters:
serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType
defaultStartupMode: Manual # Manual since Visual Studio 2022, allowed values: Automatic | Manual
-
name: Disable Diagnostics Hub log collection
recommend: standard # Improves privacy, security and performance with low risk of system disruption
docs: |-
This script disables log collection by the Diagnostics Hub in Visual Studio.
The Diagnostics Hub is a feature that allows running multiple performance analysis
tools simultaneously [1].
This feature collects extensive data including CPU usage, user interface responsiveness,
and energy consumption [1].
It presents data from multiple tools on a shared timeline, showing relationships between
different performance metrics [1].
The Diagnostics Hub collects additional logs [2] [3].
Microsoft recommends stopping this collection after necessary logs are collected [2] [3] [4] [5] [6].
It logs to a specified directory when enabled [2] [4] [5] [6].
Disabling this log collection improves privacy by reducing the amount of data collected
about your system and activities.
It also enhances security by limiting data accessible to attackers and reducing the attack
surface, given past vulnerabilities in this logging [7].
Additionally, it can improve system performance, as Microsoft warns that this logging is
resource-intensive [2].
This script deletes the `LogLevel` registry key at
`HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub` [2] [3] [4] [5] [6] [8].
Removing the `LogLevel` key effectively disables the Diagnostics Hub logging functionality [3] [4] [5] [6] [8].
In Visual Studio 2022 and later versions, these registry keys are not set by default after installation.
> **Caution:**
> Disabling this feature may impact the use of certain performance analysis tools in Visual Studio.
> Enable logging only when necessary if you need these tools for development.
[1]: https://web.archive.org/web/20240803142436/https://devblogs.microsoft.com/devops/combining-tools-in-the-performance-and-diagnostics-hub-in-visual-studio-2013/ "Combining Tools in the Performance and Diagnostics Hub in Visual Studio 2013 - Azure DevOps Blog | devblogs.microsoft.com"
[2]: https://web.archive.org/web/20240314093647/https://stackoverflow.com/questions/39308334/visual-studio-2015-diagnostic-tools-no-longer-working/39380284#39380284 "c# - Visual Studio 2015 diagnostic tools no longer working | Stack Overflow"
[3]: https://web.archive.org/web/20240803133649/https://learn.microsoft.com/en-us/visualstudio/profiling/troubleshoot-profiler-errors?view=vs-2022#error-could-not-create-a-manifest-file-for-this-diagsession-or-error-could-not-create-manifest-file-for-diagsession-visual-studio-will-not-able-to-reopen-this-session "Troubleshoot profiling errors - Visual Studio (Windows) | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240803141453/https://developercommunity.visualstudio.com/t/diagnostic-tool-no-registered-class/1099781#T-N1106849 "diagnostic tool No registered class | Visual Studio Feedback"
[5]: https://web.archive.org/web/20240803141131/https://developercommunity.visualstudio.com/t/collectionstartfailedhubexception-on-profiler-laun/414212#T-N447791 "CollectionStartFailedHubException on profiler launch | Visual Studio Feedback"
[6]: https://web.archive.org/web/20240803141105/https://developercommunity.visualstudio.com/t/diagnostics-tools-failed-unexpectedly-unable-to-st/437117#T-N447777 "Diagnostics tools failed unexpectedly--unable to start standard collector | Visual Studio Feedback"
[7]: https://web.archive.org/web/20240803141911/https://nvd.nist.gov/vuln/detail/CVE-2018-0952 "NVD - CVE-2018-0952 | nvd.nist.gov"
[8]: https://web.archive.org/web/20240803141609/https://developercommunity.visualstudio.com/t/cant-disable-diagnostics-hub-in-visual-stuido/1449322#T-N1449680 "Can't disable Diagnostics hub in visual stuido | Visual Studio Feedback"
call:
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub'
valueName: LogLevel
deleteOnRevert: 'true' # This key does not exist by default on Visual Studio 2022 and higher
-
name: Disable participation in IntelliCode data collection
recommend: standard
docs: |-
This script prevents IntelliCode in Visual Studio from collecting data.
IntelliCode uses AI to suggest code improvements by analyzing usage and error reports [1].
In scenarios like team model training, user code is shared with Microsoft [2] [3] [4].
Opting out does not affect IntelliCode's local suggestion capabilities [3] [4].
By relying on local data models [3] [4], this script improves privacy, reducing the amount of data shared with Microsoft.
The script works by modifying registry keys to disable the feature that sends data to Microsoft for remote analysis [3].
By default, Visual Studio 2022 and newer versions do not contain these registry keys.
The backend servers for IntelliCode model training are discontinued, making the data collection feature outdated [5].
Thus, this script provides peace of mind for users of older Visual Studio 2022 versions, even though the feature is outdated.
[1]: https://web.archive.org/web/20231112024816/https://learn.microsoft.com/en-us/visualstudio/ide/intellicode-visual-studio?view=vs-2022 "IntelliCode for Visual Studio | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231112024456/https://learn.microsoft.com/en-us/visualstudio/ide/intellicode-privacy?view=vs-2022 "IntelliCode privacy - Visual Studio IntelliCode | Microsoft Learn | docs.microsoft.com"
[3]: https://web.archive.org/web/20231112024639/https://raw.githubusercontent.com/MicrosoftDocs/intellicode/50ea60c91a7175e749ed5e094403568a583a292e/docs/intellicode-privacy.md "intellicode/docs/intellicode-privacy.md at 50ea60c91a7175e749ed5e094403568a583a292e · MicrosoftDocs/intellicode | github.com"
[4]: https://web.archive.org/web/20231122105835/https://raw.githubusercontent.com/microsoft/vscode-docs/main/docs/csharp/intellicode.md "vscode-docs/docs/csharp/intellicode.md at main · microsoft/vscode-docs | github.com"
[5]: https://web.archive.org/web/20240409110051/https://github.com/MicrosoftDocs/intellicode/issues/510#issuecomment-1982513204 "Is `DisableRemoteAnalysis` no longer supported? · Issue #510 · MicrosoftDocs/intellicode · GitHub | github.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode # Global policy
valueName: DisableRemoteAnalysis
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode # Local policy
valueName: DisableRemoteAnalysis
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode # Local policy
valueName: DisableRemoteAnalysis
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key is not set by the default installation since Visual Studio 2022
-
name: Disable .NET Core CLI telemetry
recommend: standard
code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1
revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0
-
name: Disable PowerShell telemetry
recommend: standard
docs: https://web.archive.org/web/20221011165907/https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry?view=powershell-7.2
code: setx POWERSHELL_TELEMETRY_OPTOUT 1
revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0
-
category: Disable Nvidia telemetry
docs:
- https://github.com/privacysexy-forks/nVidia-modded-Inf
- https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry
- https://web.archive.org/web/20231206190157/https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20
children:
-
name: Remove Nvidia telemetry packages
recommend: standard
code: |-
if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" (
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry
)
-
name: Remove Nvidia telemetry components
recommend: standard
call:
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES(X86)%\NVIDIA Corporation\NvTelemetry\*'
recurse: 'true'
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES%\NVIDIA Corporation\NvTelemetry\*'
recurse: 'true'
-
name: Disable Nvidia telemetry drivers
recommend: standard
call:
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\DriverStore\FileRepository\NvTelemetry*.dll'
recurse: 'true'
-
name: Disable participation in Nvidia telemetry
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client
valueName: OptInOrOutPreference
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS
valueName: EnableRID44231
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS
valueName: EnableRID64640
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS
valueName: EnableRID66610
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup
valueName: SendTelemetryData
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true'
-
name: Disable "Nvidia Telemetry Container" service
docs: |-
[Disable Nvidia Telemetry tracking on Windows - gHacks Tech News](https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/)
### Overview of default service statuses
`NvTelemetryContainer` (tested on driver version 497.09 on Windows 11 23H2):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 11 (≥ 21H2) | 🟡 Missing | N/A |
call:
function: DisableService
parameters:
serviceName: NvTelemetryContainer # (Get-Service -Name NvTelemetryContainer).StartType
# Display name: "NVIDIA Telemetry Container"
# Description: "Container service for NVIDIA Telemetry"
defaultStartupMode: Automatic
-
category: Disable Nvidia telemetry scheduled tasks
docs: |-
This category contains scripts that disable Nvidia telemetry tasks. Telemetry tasks are programmed to transmit data, which
may encompass system performance details or error reports [1] [2]. By disabling these tasks, you can improve your privacy by ensuring
your system's data remains confidential and is not shared with external sources.
[1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net"
[2]: https://web.archive.org/web/20231019222243/https://www.file.net/process/nvtmmon.exe.html "NvTmMon.exe Windows process - What is it? | file.net"
children:
-
name: Disable "NVIDIA Telemetry Report" task
recommend: standard
docs: |-
This script disables the "NVIDIA Telemetry Report" scheduled task, which is related to the `NvTmRep` process.
This process is called "NVIDIA crash and telemetry reporter" [1].
Disabling it stops the `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe` [2] program from executing and reporting data [1].
### Overview of default task statuses
`\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net"
[2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}'
taskPathPattern: \
taskNamePattern: NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
-
name: Disable "NVIDIA Telemetry Report on Logon" task
recommend: standard
docs: |-
This script disables the "NVIDIA Telemetry Report on Logon" scheduled task, associated with the `NvTmRep` process.
This process is also known as "NVIDIA crash and telemetry reporter" [1].
When enabled, this task executes the `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe --logon` [2]
program during user logon, sending telemetry data [1].
### Overview of default task statuses
`\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231019222235/https://www.file.net/process/nvtmrep.exe.html "NvTmRep.exe Windows process - What is it? | file.net"
[2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}'
taskPathPattern: \
taskNamePattern: NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
-
name: Disable "NVIDIA telemetry monitor" task
docs: |-
This script disables the "NVIDIA telemetry monitor" scheduled task related to the `NvTmMon` process.
The telemetry monitor collects and sends data to NVIDIA [1].
Turning off this task prevents `C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe` [2] from running and transmitting data [1].
### Overview of default task statuses
`\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231019222243/https://www.file.net/process/nvtmmon.exe.html "NvTmMon.exe Windows process - What is it? | file.net"
[2]: https://web.archive.org/web/20231019222346/https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/ "Disable Nvidia Telemetry tracking on Windows - gHacks Tech News"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}'
taskPathPattern: \
taskNamePattern: NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
-
category: Disable Visual Studio Code data collection
docs: |-
- [Visual Studio Code July 2018 | code.visualstudio.com](https://web.archive.org/web/20221029170840/https://code.visualstudio.com/updates/v1_26#_offline-mode)
- [Visual Studio Code User and Workspace Settings | code.visualstudio.com](https://web.archive.org/web/20231206190826/https://code.visualstudio.com/docs/getstarted/settings)
children:
-
name: Disable Visual Studio Code telemetry
docs: https://web.archive.org/web/20221029171138/https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableTelemetry
powerShellValue: $false
-
name: Disable Visual Studio Code crash reporting
docs: https://web.archive.org/web/20221029171138/https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableCrashReporter
powerShellValue: $false
-
name: Disable online experiments by Microsoft in Visual Studio Code
docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: workbench.enableExperiments
powerShellValue: $false
-
name: Disable Visual Studio Code automatic updates in favor of manual updates
call:
function: SetVsCodeSetting
parameters:
setting: update.mode
powerShellValue: "'manual'" # The double quotes around 'manual' are important for PowerShell to correctly interpret the value.
-
name: Disable fetching release notes from Microsoft servers after an update
call:
function: SetVsCodeSetting
parameters:
setting: update.showReleaseNotes
powerShellValue: $false
-
name: Disable automatic checks for extension updates from Microsoft online service
call:
function: SetVsCodeSetting
parameters:
setting: extensions.autoCheckUpdates
powerShellValue: $false
-
name: Fetch recommendations from Microsoft only on demand
call:
function: SetVsCodeSetting
parameters:
setting: extensions.showRecommendationsOnlyOnDemand
powerShellValue: $true
-
name: Disable automatic fetching of remote repositories in Visual Studio Code
call:
function: SetVsCodeSetting
parameters:
setting: git.autofetch
powerShellValue: $false
-
name: Disable fetching package information from NPM and Bower in Visual Studio Code
call:
function: SetVsCodeSetting
parameters:
setting: npm.fetchOnlinePackageInfo
powerShellValue: $false
-
category: Disable Microsoft Office telemetry
docs: |-
This category includes scripts that disable various telemetry and data collection features in Microsoft Office applications.
Microsoft Office collects telemetry data to improve user experience and product functionality [1].
However, this data collection raises privacy concerns.
The scripts in this category aim to enhance user privacy by limiting or disabling the transmission of usage data,
diagnostic information, and other potentially sensitive details to Microsoft.
Disabling Office telemetry will:
- Enhance privacy by preventing the collection and transmission of user data.
- Potentially improve system performance by reducing background processes related to data collection.
- Reduce network usage associated with sending telemetry data.
Disabling telemetry may impact Microsoft's ability to provide personalized experiences, troubleshoot issues, or deliver certain updates.
However, for users prioritizing privacy, the benefits often outweigh these potential drawbacks.
[1]: https://web.archive.org/web/20240314130549/https://learn.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office "Manage the privacy of data monitored by Office Telemetry Dashboard - Deploy Office | Microsoft Learn"
children:
-
name: Disable Microsoft Office logging
recommend: standard
docs: |-
This script disables logging and data collection features in Microsoft Office applications.
It improves your privacy by preventing Office from recording and potentially sharing
information about your usage patterns and document activities.
This data may include details about the files you open, edit, or create.
The script may also improve system performance by reducing background processes
related to logging and data collection.
### Technical Details
This script affects Office versions from 2013 to 2021 [1]:
| Version Number | Product Name |
| -------------- | ------------ |
| 15.0 | Office 2013 |
| 16.0 | Office 2016 |
| 16.0 | Office 2019 |
| 16.0 | Office 2021 |
The script modifies registry settings to disable:
- Mail logging in Outlook: `HKCU\SOFTWARE\Microsoft\Office\<Version>\Outlook\Options\Mail!EnableLogging`
- Calendar logging in Outlook: `HKCU\SOFTWARE\Microsoft\Office\<Version>\Outlook\Options\Calendar!EnableCalendarLogging`
- Logging in Word: `HKCU\SOFTWARE\Microsoft\Office\<Version>\Word\Options!EnableLogging`
- Office Software Management (OSM) logging: `HKCU\SOFTWARE\Policies\Microsoft\Office\<Version>\OSM!EnableLogging`
- Office Software Management (OSM) data upload: `HKCU\SOFTWARE\Policies\Microsoft\Office\<Version>\OSM!EnableUpload`
Tests on Office versions 2013, 2016, 2019, and 2021 confirm that these registry values are not present in a default installation.
[1]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org"
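Added example (not part of privacy.sexy's own code): a read-only PowerShell audit that expands the `Key!Value` entries listed above for Office 15.0 and 16.0 and reports whether each value is applied (`0`), missing (the default and reverted state), or set to something else. The function name `Get-OfficeLoggingState` is hypothetical.

```powershell
# Added example: read-only audit, makes no registry changes.
# Get-OfficeLoggingState is a hypothetical helper name, not a privacy.sexy function.
function Get-OfficeLoggingState {
    param(
        [string[]] $Versions = @('15.0', '16.0'),  # 15.0 = Office 2013, 16.0 = Office 2016/2019/2021
        [int] $ExpectedData = 0                    # Data this script writes for every value
    )
    # Entries in the "KeyPath!ValueName" notation used in the documentation above
    $templates = @(
        'HKCU\SOFTWARE\Microsoft\Office\<Version>\Outlook\Options\Mail!EnableLogging'
        'HKCU\SOFTWARE\Microsoft\Office\<Version>\Outlook\Options\Calendar!EnableCalendarLogging'
        'HKCU\SOFTWARE\Microsoft\Office\<Version>\Word\Options!EnableLogging'
        'HKCU\SOFTWARE\Policies\Microsoft\Office\<Version>\OSM!EnableLogging'
        'HKCU\SOFTWARE\Policies\Microsoft\Office\<Version>\OSM!EnableUpload'
    )
    foreach ($version in $Versions) {
        foreach ($template in $templates) {
            # Split the notation into key path and value name
            $keyPath, $valueName = $template.Replace('<Version>', $version) -split '!', 2
            # Translate the HKCU abbreviation into a registry provider path
            $providerPath = 'Registry::' + ($keyPath -replace '^HKCU\\', 'HKEY_CURRENT_USER\')
            $key = Get-Item -LiteralPath $providerPath -ErrorAction SilentlyContinue
            if ($null -eq $key -or $key.GetValueNames() -notcontains $valueName) {
                # Same state as a default installation and as after a revert (deleteOnRevert)
                $state = 'Missing (default or reverted)'
            } elseif ($key.GetValueKind($valueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state = 'Unexpected type: ' + $key.GetValueKind($valueName)
            } elseif ($key.GetValue($valueName) -eq $ExpectedData) {
                $state = 'Applied'
            } else {
                $state = 'Not applied (data = {0})' -f $key.GetValue($valueName)
            }
            [pscustomobject]@{ KeyPath = $keyPath; ValueName = $valueName; State = $state }
        }
    }
}

Get-OfficeLoggingState | Format-Table -AutoSize -Wrap
```

Run it as the user whose profile was configured, because every path is under `HKCU`.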
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail
valueName: EnableLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail
valueName: EnableLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar
valueName: EnableCalendarLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar
valueName: EnableCalendarLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options
valueName: EnableLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options
valueName: EnableLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM
valueName: EnableLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM
valueName: EnableLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM
valueName: EnableUpload
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM
valueName: EnableUpload
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
name: Disable Microsoft Office client telemetry
recommend: standard
docs: |-
This script disables telemetry data collection in Microsoft Office applications.
It improves your privacy by preventing Office from sending usage data and diagnostic
information to Microsoft.
This data may include details about your Office usage patterns, document content,
and system information.
The script may also improve system performance by reducing background processes
related to data collection and transmission.
### Technical Details
The script modifies registry settings for multiple Office versions (Common, 15.0, and 16.0).
This includes, but is not limited to, the following products [1]:
| Version Number | Product Name |
| -------------- | ------------ |
| 15.0 | Office 2013 |
| 16.0 | Office 2016 |
| 16.0 | Office 2019 |
| 16.0 | Office 2021 |
The script modifies registry settings to disable:
- Telemetry: `HKCU\SOFTWARE\Microsoft\Office[\<Version>]\Common\ClientTelemetry!DisableTelemetry`
- Verbose logging: `HKCU\SOFTWARE\Microsoft\Office[\<Version>]\Common\ClientTelemetry!VerboseLogging`
Tests on Office versions 2013, 2016, 2019, and 2021 confirm that these registry values are not present in a default installation.
[1]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry
valueName: DisableTelemetry
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\ClientTelemetry
valueName: DisableTelemetry
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry
valueName: DisableTelemetry
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry
valueName: VerboseLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\ClientTelemetry
valueName: VerboseLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry
valueName: VerboseLogging
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
name: Disable user participation in Office Customer Experience Improvement Program (CEIP)
recommend: standard
docs: |-
This script disables user participation in the Microsoft Office Customer Experience Improvement Program (CEIP) [1].
The CEIP allows Microsoft Office users to send usage information to Microsoft [1].
When users join this program, Office applications transmit data to Microsoft about the user's interaction with the software [1].
Part of this data includes identifying details, such as the user's IP address used during the data transfer [1].
By default, when running Microsoft Office for the first time, users are given the choice to join the CEIP [1].
If they accept, their Office applications will periodically send usage statistics to Microsoft [1].
Implementing this script ensures:
- Users will not have the choice to participate in the CEIP [1].
- Office applications won't send any CEIP usage data to Microsoft [1].
Prioritizing privacy, the US Department of Defense (DoD) suggests this configuration to enhance the security and privacy of the operating system [2].
### Technical Details
This modifies the `HKCU\Software\Policies\Microsoft\Office\<Version>\Common!QMEnable` policy setting [1] [2] [3].
If this policy is not configured, it acts as if the policy is set to `Enabled` [1].
This means that users are offered the choice to join the CEIP during their initial use of Office [1] [2].
This script sets this value to `0`, which disables the Customer Experience Improvement Program [1] [2] [3].
This script affects Office versions from 2013 to 2021 [4]:
| Version Number | Product Name |
| -------------- | ------------ |
| 15.0 | Office 2013 |
| 16.0 | Office 2016 |
| 16.0 | Office 2019 |
| 16.0 | Office 2021 |
Tests on Office versions 2013, 2016, 2019, and 2021 confirm that these registry values are not present in a default installation.
[1]: https://web.archive.org/web/20230922125001/https://download.microsoft.com/download/c/3/f/c3f8bd05-1743-4d7d-849c-c352b0f61835/office2010grouppolicyandoctsettings_reference.xls "ADMX, ADML, and ADM Settings - Download Center | microsoft.com"
[2]: https://web.archive.org/web/20230922125003/https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612 "The Customer Experience Improvement Program for Office must be disabled. | stigviewer.com"
[3]: https://web.archive.org/web/20221205201409/https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_EnableCustomerExperienceImprovementProgram "Enable Customer Experience Improvement Program | admx.help"
[4]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\Office\15.0\Common
valueName: QMEnable
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\Office\16.0\Common
valueName: QMEnable
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
name: Disable Microsoft Office feedback
recommend: standard
docs: |-
This script disables feedback collection in Microsoft Office applications.
It enhances your privacy by blocking Office from collecting and sending your usage data to Microsoft.
This limits the personal information Microsoft receives about how you use Office.
It may also slightly boost system performance by removing background processes that collect feedback.
### Technical Details
This script configures the `HKCU\SOFTWARE\Microsoft\Office\<Version>\Common\Feedback!Enabled` registry value.
It affects Office versions from 2013 to 2021 [1]:
| Version Number | Product Name |
| -------------- | ------------ |
| 15.0 | Office 2013 |
| 16.0 | Office 2016 |
| 16.0 | Office 2019 |
| 16.0 | Office 2021 |
Tests on Office versions 2013, 2016, 2019, and 2021 confirm that this registry value is not present in a default installation.
[1]: https://web.archive.org/web/20240809090857/https://en.wikipedia.org/wiki/History_of_Microsoft_Office#Summary "History of Microsoft Office - Wikipedia | en.wikipedia.org"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback
valueName: Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback
valueName: Enabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default for Office 2013/2016/2019/2021 (all tested on Windows 11 Pro 23H2)
-
name: Disable Microsoft Office telemetry agent
recommend: standard
docs: |-
This script disables the scheduled tasks associated with the Office telemetry agent.
The Office Telemetry Agent, introduced in Office 2013, collects and uploads a variety of data for monitoring purposes [1].
This data includes runtime logs, properties of Office documents, and other insights from Office applications [1] [2].
Notably, it can upload file names, paths, and document titles in their original format [1].
The data is stored locally before being uploaded to a shared folder (at `%LOCALAPPDATA%\Microsoft\Office\16.0\Telemetry`) [3].
This poses privacy risks as it may contain personal or confidential information.
The `OfficeTelemetryAgentLogOn` scheduled task collects data for the Office Telemetry Dashboard [1]. This task activates upon
user login to an Office client and continues to scan and collect data during the session [1]. The types of data collected encompass
file names of recently accessed Office documents [2] [3], names of add-ins and solutions interacting with Office [3], and system information
including user and computer names [2].
Disabling these tasks is recommended for enhancing privacy. The script effectively prevents privacy risks associated with telemetry
data collection by disabling the related scheduled tasks. It prevents the collection and upload of potentially sensitive information,
thereby protecting users from exposure of personal or internal process-related details.
### Overview of default task statuses
`\Microsoft\Office\OfficeTelemetryAgentFallBack` (tested on Office version 2208):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
`\Microsoft\Office\OfficeTelemetryAgentFallBack2016` (tested on Office version 2208):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
`\Microsoft\Office\OfficeTelemetryAgentLogOn` (tested on Office version 2208):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
`\Microsoft\Office\OfficeTelemetryAgentLogOn2016` (tested on Office version 2208):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231022114220/https://learn.microsoft.com/en-us/deployoffice/compat/deploy-telemetry-dashboard "Deploy Office Telemetry Dashboard - Deploy Office | Microsoft Learn"
[2]: https://web.archive.org/web/20231022114227/https://learn.microsoft.com/en-us/deployoffice/compat/data-that-the-telemetry-agent-collects-in-office "Data collected by the agent for Office Telemetry Dashboard - Deploy Office | Microsoft Learn"
[3]: https://web.archive.org/web/20240314130549/https://learn.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office "Manage the privacy of data monitored by Office Telemetry Dashboard - Deploy Office | Microsoft Learn"
call:
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentFallBack'
taskPathPattern: \Microsoft\Office\
taskNamePattern: OfficeTelemetryAgentFallBack
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentFallBack2016'
taskPathPattern: \Microsoft\Office\
taskNamePattern: OfficeTelemetryAgentFallBack2016
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentLogOn'
taskPathPattern: \Microsoft\Office\
taskNamePattern: OfficeTelemetryAgentLogOn
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentLogOn2016'
taskPathPattern: \Microsoft\Office\
taskNamePattern: OfficeTelemetryAgentLogOn2016
# - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b)
# name: Disable ClickToRun Service Monitor
# docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx
# call:
# -
# function: DisableScheduledTask
# parameters:
# # Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'Office ClickToRun Service Monitor'
# taskPathPattern: \Microsoft\Office\
# taskNamePattern: Office ClickToRun Service Monitor
# -
# function: DisableService
# parameters:
# serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType
# defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable "Microsoft Office Subscription Heartbeat" task
docs: |-
This script disables the "Microsoft Office Subscription Heartbeat" scheduled task.
The primary function of the Office Subscription Heartbeat task is to periodically check the subscription status of Microsoft Office products [1] [2],
verifying their licenses are active and valid [1]. This task actively communicates with Microsoft servers, transmitting Microsoft account data [3] for
license verification.
Disabling this task improves privacy as it prevents these regular communications and data transmissions, though it may lead to complications
regarding license compliance over time.
The task creates and utilizes cache files located at `%SYSTEMDRIVE%\Program Files\Microsoft Office 15\root\vfs\Common AppData\microsoft\office\Heartbeat` [1]
and `%PROGRAMDATA%\Microsoft\Office\Heartbeat\HeartbeatCache` [3] [4], in `HeartbeatCache.xml` file [1] [4]. It executes the `OLicenseHeartbeat.exe` process
daily [2], also known as "Office Subscription Licensing Heartbeat" [2].
`\Microsoft\Office\Office 15 Subscription Heartbeat` (tested since Office version 2208):
| OS Version | Default Status |
| ---------------- | -------------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
> **Caution:** Consider that while disabling this task may lead to increased privacy, it could also impact license compliance and the overall functionality
of Microsoft Office products in the long run.
[1]: https://web.archive.org/web/20231024130456/https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/licensing/subscription-automatic-license-renew-fails "Microsoft 365 subscription automatic license renewal fails when heartbeatcache in wrong location - Microsoft 365 | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231024130510/https://www.shouldiblockit.com/olicenseheartbeat.exe-9886.aspx "OLicenseHeartbeat.exe - Should I Block It? (Office Subscription Licensing Heartbeat) | shouldiblockit.com"
[3]: https://web.archive.org/web/20231024130503/https://support.microsoft.com/en-us/office/-product-key-is-not-valid-error-when-activating-office-4f89be39-26eb-404f-b485-8e2014bd3790#ID0EBBD=Microsoft_365_subscription '"Product key is not valid" error when activating Office - Microsoft Support | support.microsoft.com'
[4]: https://web.archive.org/web/20231024130510/https://support.microsoft.com/en-us/office/about-the-microsoft-support-and-recovery-assistant-e90bb691-c2a7-4697-a94f-88836856c72f#ID0ED6=Office "About the Microsoft Support and Recovery Assistant - Microsoft Support | support.microsoft.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'Office 15 Subscription Heartbeat'
taskPathPattern: \Microsoft\Office\
taskNamePattern: Office 15 Subscription Heartbeat
# "Office 16 Subscription Heartbeat":
# For Office 16, there isn't a separate and verified task named "Office 16 Subscription Heartbeat".
# Instead, it appears to utilize the "Office 15 Subscription Heartbeat" task,
# but runs the `OLicenseHeartbeat.exe` process from the Office16 folder.
-
category: Configure browsers
docs: |-
This category includes scripts that enhance privacy by adjusting browsers to prevent tracking,
minimize data leaks, and restrict personalized ads.
These changes help protect user privacy across different web browsers and optimize system performance
by reducing privacy-invasive processing.
children:
-
category: Configure Edge
docs: |- # Similar to "Configure Chrome"
This category contains scripts that adjust Microsoft Edge settings to enhance privacy, security,
and potentially improve system performance.
This category is designed for Chromium-based Edge only, not for legacy Edge.
Edge (Chromium) is the current version of Microsoft Edge, replacing Edge (Legacy) [1] [2].
It comes pre-installed on all Windows versions starting from Windows 10 20H2 [2].
Older versions are automatically upgraded to Edge (Chromium) through Windows updates [1].
Edge collects personal data, including browsing history, favorite sites, usage data, web content, and device
information [3].
This data is used for personal identification, targeted advertising, and product improvement, raising privacy concerns [3].
The scripts in this category are designed to enhance your privacy by offering options to disable data collection
and improve security while using Microsoft Edge.
These scripts enable you to configure Microsoft Edge to limit these data collection practices,
enhancing your online privacy, security, and system performance.
[1]: https://web.archive.org/web/20240517223534/https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-microsoft-edge-to-replace-microsoft-edge-legacy-with-april-s/ba-p/2114224 "New Microsoft Edge to replace Microsoft Edge Legacy with April's Windows 10 Update Tuesday release - Microsoft Community Hub | techcommunity.microsoft.com"
[2]: https://web.archive.org/web/20240517225921/https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/ "What's next for Windows 10 updates | Windows Experience Blog | blogs.windows.com"
[3]: https://web.archive.org/web/20240623170024/https://support.microsoft.com/en-us/microsoft-edge/microsoft-edge-browsing-activity-for-personalized-advertising-and-experiences-37aa831e-6372-238e-f33f-7cd3f0e53679 "Microsoft Edge browsing activity for personalized advertising and experiences - Microsoft Support | support.microsoft.com"
children:
-
category: Disable Edge telemetry
docs: |-
This category includes scripts that enhance privacy by disabling Microsoft Edge telemetry.
Telemetry is the automatic collection and sharing of data about you and how you use software.
These scripts prevent the automatic transmission of diagnostic and usage data to Microsoft, optimize system
performance by reducing background data transmission, and safeguard personal data by limiting third-party sharing.
children:
-
name: Disable Edge diagnostic data sending
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution • "Disabling this telemetry.."
This script disables the sending of diagnostic data in Edge.
This script blocks all diagnostic data related to your browser usage, including websites
visited, feature usage, and browser configuration [1] [2].
Disabling this telemetry reduces potential privacy risks by preventing data sharing with third parties.
This may also improve system performance by reducing processing workload.
This script configures the `DiagnosticData` policy [1] [2].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#diagnosticdata "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624083056/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::DiagnosticData "Send required and optional diagnostic data about browser usage | admx.help"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: DiagnosticData # Edge ≥ 122
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable outdated Edge metrics data sending
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution • "Disabling this telemetry.."
This script stops Edge from reporting metrics data.
This script stops the reporting of usage and crash-related data [1] [2].
This data includes information about how the browser operates and the causes of any failures [1] [2].
Disabling this telemetry reduces potential privacy risks by preventing data sharing with third parties.
This may also improve system performance by reducing processing workload.
This script applies to Edge versions between 77 and 89 [1] [2].
It does not affect newer versions of Edge as this setting is deprecated [1] [2].
This script configures the `MetricsReportingEnabled` policy [1] [2].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#metricsreportingenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624083344/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled "Enable usage and crash-related data reporting (deprecated) | admx.help"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: MetricsReportingEnabled # Edge ≥ 77 and Edge ≤ 89
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable outdated Edge site information sending
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution • "Disabling this telemetry.."
This script prevents Edge from sending site-related information.
This prevents the browser from sending site information used to improve Microsoft services [1] [2].
This may include URLs and page interaction data [1] [2].
Disabling this telemetry reduces potential privacy risks by preventing data sharing with third parties.
This may also improve system performance by reducing processing workload.
This script configures the `SendSiteInfoToImproveServices` policy [1] [2].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#sendsiteinfotoimproveservices "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624083104/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices "Send site information to improve Microsoft services (deprecated) | admx.help"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: SendSiteInfoToImproveServices # Edge ≥ 77 and Edge ≤ 89
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge Feedback
recommend: standard # DISA recommended
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the Edge Feedback feature in Microsoft Edge, enhancing user privacy by preventing feedback and data
from being sent to Microsoft.
The feature is enabled by default and cannot be disabled through standard browser settings [1] [2].
When signed into Microsoft Edge with a work or school account, feedback is linked to the user's account and organization,
potentially exposing sensitive information [1].
Disabling this feature addresses privacy concerns by ensuring that feedback does not inadvertently share usage data or
personal information with external servers.
This may also improve system performance by reducing processing workload.
Authorities like The Defense Information Systems Agency (DISA) [2] and The Center for Internet Security (CIS) [3]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
Once applied, this script prevents the Edge Feedback feature from being used [1] [2].
This script configures the `UserFeedbackAllowed` Edge policy [1] [2].
The change takes effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#userfeedbackallowed "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624221221/https://www.stigviewer.com/stig/microsoft_edge/2021-06-23/finding/V-235769 "User feedback must be disabled. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: UserFeedbackAllowed # Edge ≥ 77
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
category: Disable Edge and WebView2 automatic updates
docs: |- # refactor-with-variable: Same • Edge Update Caution
This category encompasses scripts that disable automatic updates for Microsoft Edge and its WebView2 component.
Disabling updates for Edge and WebView2 prevents automatic download and installation of new versions and patches.
Both Edge and WebView2 share the same mechanisms for updates [1] [2].
This mechanism is a way Microsoft collects user data [1].
WebView2 uses Edge technologies to render web content within applications [3].
It's widely integrated across various software products.
This widespread integration exposes users to significant privacy risks associated with web browsing and data
collection [4].
Both Edge and WebView2 collect extensive user data, including browsing and download history [5] [6].
Disabling updates blocks tracking features from being introduced, thus significantly enhancing your control
over personal data privacy.
Disabling updates increases privacy by reducing data shared with update servers.
However, this could leave your system vulnerable to security risks if attackers exploit unpatched vulnerabilities in
older versions.
Disabling updates is beneficial if you do not rely on Edge or WebView2 daily, as it reduces unnecessary data
transmission and unwanted system changes.
> **Caution:** Disabling updates may reduce security if you use Edge and its components (WebView2).
[1]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
[2]: https://web.archive.org/web/20240621150615/https://joji.me/en-us/blog/understanding-the-edge-and-edge-webview2-update-logs/ "Understanding the Edge and Edge WebView2 Update Logs | joji.me"
[3]: https://web.archive.org/web/20240623112820/https://learn.microsoft.com/en-us/microsoft-edge/webview2/ "Introduction to Microsoft Edge WebView2 - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
[4]: https://archive.today/2022.12.15-232158/https://learn.microsoft.com/en-us/microsoft-edge/webview2/concepts/distribution%23evergreen-distribution-mode "Distribute your app and the WebView2 Runtime - Microsoft Edge Development | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240623112758/https://learn.microsoft.com/en-us/microsoft-edge/webview2/concepts/data-privacy?tabs=dotnetcsharp "Data and privacy in WebView2 - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240623112809/https://support.microsoft.com/en-us/windows/microsoft-edge-browsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd "Microsoft Edge, browsing data, and privacy - Microsoft Support | support.microsoft.com"
children:
-
name: Disable Edge automatic update services
recommend: standard # Safe-to-disable as they're stopped by default
docs: |- # refactor-with-variable: Same • Edge Update Caution
This script disables services responsible for automatically updating Microsoft Edge.
It disables the `edgeupdate` [1] [2] [3] and `edgeupdatem` [1] [2] [4] services.
These services keep your Microsoft software up to date [1] [3] [4].
Disabling these services:
- Enhances privacy by stopping automatic data transmission, preventing background data collection.
- Improves system performance by reducing background processes.
- Allows more control over which updates are installed.
Keep in mind:
- Security vulnerabilities and issues in Edge won't be fixed if updates are disabled [1] [3] [4].
- Manual updates are still possible as these services start automatically for manual updates.
### Overview of default service statuses
Microsoft Edge Update Service (`edgeupdate`) (tested on version Edge 126.0.2592.68):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Automatic |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic |
Microsoft Edge Update Service (`edgeupdatem`) (tested on version Edge 126.0.2592.68):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
> **Caution:** Disabling updates may reduce security if you use Edge and its components (WebView2).
[1]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[2]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
[3]: https://web.archive.org/web/20240621143823/https://revertservice.com/10/edgeupdate/ "Microsoft Edge Update Service (edgeupdate) Defaults in Windows 10 | revertservice.com"
[4]: https://web.archive.org/web/20240621143835/https://revertservice.com/10/edgeupdatem/ "Microsoft Edge Update Service (edgeupdatem) Defaults in Windows 10 | revertservice.com"
call:
-
function: DisableService
parameters:
serviceName: edgeupdate # Check: (Get-Service -Name edgeupdate).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: edgeupdatem # Check: (Get-Service -Name edgeupdatem).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Edge automatic update scheduled tasks
recommend: strict
docs: |- # refactor-with-variable: Same • Edge Update Caution
This script stops Microsoft Edge from updating automatically by disabling specific scheduled tasks.
Specifically, it targets two tasks:
- `MicrosoftEdgeUpdateTaskMachineCore` [1] [2] [3]
- `MicrosoftEdgeUpdateTaskMachineUA` [3]
These tasks:
- Start Edge at logon [1]
- Run updates at least every hour [3]
- Update Edge and its WebView2 components [3]
Disabling these tasks:
- Enhances privacy by preventing automatic data transmission for updates.
- Improves system performance by reducing background tasks.
- Reduces your attack surface, as these tasks can be targeted by malware [4].
However, remember that disabling updates means security vulnerabilities in Edge won't be fixed automatically;
manual updates will be necessary.
> **Caution:** Disabling updates may lead to decreased security if you rely on Edge and its components (WebView2).
### Overview of default task statuses
`\MicrosoftEdgeUpdateTaskMachineCore{RandomString}` (tested since Edge version 126):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
`\MicrosoftEdgeUpdateTaskMachineUA{RandomString}` (tested since Edge version 126):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20220112180622/https://techcommunity.microsoft.com/t5/discussions/edge-97-starting-automatically-at-logon/m-p/3057166 "Edge 97 starting automatically at logon - Microsoft Community Hub | techcommunity.microsoft.com"
[2]: https://web.archive.org/web/20240621141001/https://www.file.net/process/microsoftedgeupdate.exe.html "MicrosoftEdgeUpdate.exe Windows process - What is it? | www.file.net"
[3]: https://web.archive.org/web/20240621150615/https://joji.me/en-us/blog/understanding-the-edge-and-edge-webview2-update-logs/ "Understanding the Edge and Edge WebView2 Update Logs | joji.me"
[4]: https://archive.today/2024.06.21-151340/https://vms.drweb.com/virus/?i=25158791 "Trojan.Siggen17.58258 — Dr.Web Malware description library | vms.drweb.com"
call:
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'MicrosoftEdgeUpdateTaskMachineCore{*}'
taskPathPattern: \
taskNamePattern: MicrosoftEdgeUpdateTaskMachineCore{*}
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{*}'
taskPathPattern: \
taskNamePattern: MicrosoftEdgeUpdateTaskMachineUA{*}
-
name: Disable Edge update executable
recommend: strict
docs: |- # refactor-with-variable: Same • Edge Update Caution
This script disables the Microsoft Edge Update executable to enhance your privacy and control over system updates.
`MicrosoftEdgeUpdate.exe` is responsible for updating Microsoft Edge as part of the Microsoft Edge Update system [1] [2] [3].
It's also responsible for updating Edge WebView2 [3].
Blocking this executable:
- Enhances privacy by preventing communication with the update server [4] [5].
- Increases security by giving you control over software installations.
- Boosts system performance by reducing background processes.
- May decrease security if you rely on Edge or WebView2, as missing updates can lead to security vulnerabilities.
Executable locations:
- `%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\<version>\MicrosoftEdgeUpdate.exe` [4]
- `%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe` [1] [2] [4] [5] [6].
> **Caution:** Disabling updates may reduce security if you use Edge and its components (WebView2).
[1]: https://web.archive.org/web/20240621140833/https://learn.microsoft.com/en-us/deployedge/deploy-edge-with-windows-10-updates "Deploy Microsoft Edge with Windows 10 updates | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240621141001/https://www.file.net/process/microsoftedgeupdate.exe.html "MicrosoftEdgeUpdate.exe Windows process - What is it? | www.file.net"
[3]: https://web.archive.org/web/20240621150615/https://joji.me/en-us/blog/understanding-the-edge-and-edge-webview2-update-logs/ "Understanding the Edge and Edge WebView2 Update Logs | joji.me"
[4]: https://web.archive.org/web/20240621141128/https://support.microsoft.com/en-us/microsoft-edge/troubleshooting-tips-for-installing-and-updating-microsoft-edge-a5eceb94-c2b1-dfab-6569-e79d0250317b "Troubleshooting tips for installing and updating Microsoft Edge - Microsoft Support | support.microsoft.com"
[5]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
[6]: https://web.archive.org/web/20240621141031/https://strontic.github.io/xcyclopedia/library/MicrosoftEdgeUpdate.exe-0F11E6717C1FE6DD20AE2D12F63AF3F7.html "MicrosoftEdgeUpdate.exe | Microsoft Edge Update | STRONTIC | strontic.github.io"
call:
-
function: TerminateAndBlockExecution
parameters:
executableNameWithExtension: MicrosoftEdgeUpdate.exe
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES(x86)%\Microsoft\EdgeUpdate\*\MicrosoftEdgeUpdate.exe'
# Version specific e.g. C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdate.exe
-
name: Disable Edge automatic updates across all channels
recommend: strict
docs: |- # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution • Active Directory only • Edge Channels
This script prevents Microsoft Edge from automatically updating across all channels.
Microsoft Edge offers four update channels—Stable, Beta, Dev, and Canary—each designed with different stability
levels and update frequencies [1].
This script disables updates for all of these channels.
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [2] [3].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
Disabling automatic updates enhances privacy by controlling data sharing during updates and improves
system performance by reducing background activities.
If you use Edge, manually check for and distribute updates after using this script to maintain security [2] [3] [4].
This script configures update policies for different Edge channels:
- `UpdateDefault` to configure all channels [3].
- `56EB18F8-B008-4CBD-B6D2-8C97FE7E9062` for Edge (Stable) [2] [4] [5].
- `2CD8A007-E189-409D-A2C8-9AF4EF3C72AA` for Edge (Beta) [2] [4] [6].
- `65C35B14-6C1D-4122-AC46-7148CC9D6497` for Edge (Canary) [2] [4] [7].
- `0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10` for Edge (Dev) [2] [4] [8].
- `F3C4FE00-EFD5-403B-9569-398A20F1BA4A` to Edge Insider [9].
> **Caution:**
> - Disabling updates may reduce security if you use Edge and its components (WebView2).
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240624181311/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-channels "Microsoft Edge channel overview | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#update "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#updatedefault "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240623111327/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_DefaultUpdatePolicy "Update policy override default | admx.help"
[5]: https://web.archive.org/web/20240623111917/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdge "Update policy override | admx.help"
[6]: https://web.archive.org/web/20240623111334/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeBeta "Update policy override | admx.help"
[7]: https://web.archive.org/web/20240623111327/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeCanary "Update policy override | admx.help"
[8]: https://web.archive.org/web/20240623111849/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeDev "Update policy override | admx.help"
[9]: https://web.archive.org/web/20240623111904/https://www.bleepingcomputer.com/news/microsoft/what-we-know-about-microsoft-s-chromium-based-edge-browser/ "What We Know About Microsoft's Chromium-Based Edge Browser | bleepingcomputer.com"
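An added example, not part of privacy.sexy's own code: a Python check that reads saved `reg query` output for the Edge Update policy key and reports which of the channels listed above still have updates enabled, so the result of this script can be verified offline on collected evidence. The key path `HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate`, the function names and the sample output are assumptions (the sample is constructed); the fallback from a missing per-channel value to `UpdateDefault` follows Microsoft's Edge Update policy documentation.

```python
import re

# Value names this script sets to 0, with the channel the docs above give for each.
EXPECTED = {
    "UpdateDefault": "all channels (default)",
    "Update{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}": "Edge (Stable)",
    "Update{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA}": "Edge (Beta)",
    "Update{65C35B14-6C1D-4122-AC46-7148CC9D6497}": "Edge (Canary)",
    "Update{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10}": "Edge (Dev)",
    "Update{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}": "Edge Insider",
}

# A value line in `reg query` output: four spaces, name, type, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$"
)

# Constructed sample of `reg query` output for the assumed EdgeUpdate policy key:
# Beta is overridden to 1, Canary has the wrong type,
# Dev and Insider have no value of their own.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EdgeUpdate
    UpdateDefault    REG_DWORD    0x0
    Update{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}    REG_DWORD    0x0
    update{2cd8a007-e189-409d-a2c8-9af4ef3c72aa}    REG_DWORD    0x1
    Update{65C35B14-6C1D-4122-AC46-7148CC9D6497}    REG_SZ    0
"""


def parse_reg_query(text):
    """Return {lowercased value name: (type, data)} for one key's output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line.rstrip())
        if match:
            # Registry value names are case-insensitive, so normalise them.
            values[match["name"].lower()] = (match["type"], match["data"].strip())
    return values


def audit(reg_query_output):
    """Return {expected value name: status string} for every policy value."""
    found = parse_reg_query(reg_query_output)
    report = {}
    for name in EXPECTED:
        entry = found.get(name.lower())
        if entry is None:
            report[name] = "missing"
            continue
        reg_type, data = entry
        if reg_type != "REG_DWORD":
            # A string "0" is not the DWORD the policy expects.
            report[name] = f"wrong type {reg_type}"
            continue
        try:
            number = int(data, 16)  # reg.exe prints DWORDs as 0x...
        except ValueError:
            report[name] = "unparseable"
            continue
        report[name] = "disabled" if number == 0 else f"not disabled (value {number})"
    return report


def channels_still_updating(reg_query_output):
    """List channels whose effective policy is not 'updates disabled' (0)."""
    report = audit(reg_query_output)
    default_off = report["UpdateDefault"] == "disabled"
    gaps = []
    for name, channel in EXPECTED.items():
        if name == "UpdateDefault":
            continue
        status = report[name]
        # A channel without its own value falls back to UpdateDefault.
        inherits_default = status == "missing" and default_off
        if status != "disabled" and not inherits_default:
            gaps.append(channel)
    return gaps


if __name__ == "__main__":
    for value_name, status in audit(SAMPLE).items():
        print(f"{EXPECTED[value_name]:24} {status}")
    print("Still updating:", channels_still_updating(SAMPLE))
```

A per-channel value of 1 wins over `UpdateDefault` set to 0, which is why the constructed Beta entry is reported even though the default is disabled.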
call:
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: UpdateDefault # Microsoft Edge Update ≥ 1.2.145.5
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Update{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} # Microsoft Edge Update ≥ 1.2.145.5
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Update{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA} # Microsoft Edge Update ≥ 1.2.145.5
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Update{65C35B14-6C1D-4122-AC46-7148CC9D6497} # Microsoft Edge Update ≥ 1.2.145.5
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Update{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10} # Microsoft Edge Update ≥ 1.2.145.5
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Update{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}
dwordData: '0'
-
name: Disable Edge WebView and WebView2 updates
recommend: strict
docs: |- # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution
This script disables automatic updates for Microsoft Edge WebView components.
Microsoft Edge WebView and WebView2 Runtime are components that enable applications to display web content [1] [2].
By default, these components receive updates automatically [1] [2].
Running this script will prevent automatic downloading and application of updates for both older WebView [1] and newer WebView2 [2].
This action might lead to compatibility issues with applications relying on the latest features of WebView [1] [2].
This script configures `Update{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}` Edge Policy [1] [2].
> **Caution:**
> - Disabling updates may reduce security if you use Edge and its components (WebView2).
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240622124745/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdatePolicyMicrosoftEdgeWebView "Update policy override | admx.help"
[2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#update-webview "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Update{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} # Microsoft Edge Update ≥ 1.3.127.1
dwordData: '0'
-
name: Disable Edge automatic update checks
recommend: strict
docs: |- # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution
This script stops the Microsoft Edge Update agent from automatically checking for updates.
This script prevents the Microsoft Edge Update agent from performing any automatic update checks [1].
This includes updates for all Edge applications [2], including WebView2.
Disabling these updates enhances privacy by eliminating the regular network activity initiated
by Microsoft Edge Update [2]. It can also improve performance due to the reduction of background
network operations.
If you choose not to run this script, Microsoft Edge will continue to check for updates every 10 hours [1].
Although disabling updates can enhance privacy, it may compromise security, particularly if you rely
on Edge and its components like WebView2.
Automatic updates help ensure that the browser and its components receive stability and security updates promptly [1].
This script configures `AutoUpdateCheckPeriodMinutes` [1] [2] Edge policy.
Setting to `0` disables all periodic network traffic by Microsoft Edge Update [1] [2].
> **Caution:**
> - Disabling updates may reduce security if you use Edge and its components (WebView2).
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240622121922/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_AutoUpdateCheckPeriod "Auto-update check period override | admx.help"
[2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#autoupdatecheckperiodminutes "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: AutoUpdateCheckPeriodMinutes # Microsoft Edge Update ≥ 1.2.145.5
dwordData: '0'
-
name: Maximize Edge update suppression duration
recommend: strict
docs: |- # refactor-with-variable: Same • Edge Update Caution • Chromium Policy Caution
This script suppresses automatic updates for Microsoft Edge for the longest possible duration.
If you do not run this script, Microsoft Edge checks for updates periodically throughout the day by default [1] [2].
This script limits update checks to the least frequent interval permitted by policy settings.
This reduces network traffic and decreases system load, thereby enhancing both privacy and performance.
However, this delay in updates can expose you to security risks, especially if you depend on Edge for critical tasks.
Keep in mind, automatic updates play a crucial role in protecting your system against emerging security threats.
The script configures the `UpdatesSuppressedDurationMin`, `UpdatesSuppressedStartHour`, and `UpdatesSuppressedStartMin`
Edge policies [1] [2].
> **Caution:**
> - Disabling updates may reduce security if you use Edge and its components (WebView2).
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#updatessuppressed "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240622123413/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Update::Pol_UpdateCheckSuppressedPeriod "Time period in each day to suppress auto-update check | admx.help"
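
To see which of the update-related values described in this category are in force on a machine, the following PowerShell audit evaluates a policy snapshot; it is an added example, not part of privacy.sexy. It assumes the values live under `HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate`, the key Microsoft documents for Edge Update policies; the function names and the sample snapshot are constructed for illustration.

```powershell
# Added example, not part of privacy.sexy: flag Edge Update policy values that stop updates.
# Assumption: SetEdgeUpdatePolicyViaRegistry (defined elsewhere in this file) writes DWORDs
# to the machine policy key that Microsoft documents for Edge Update policies.
$EdgeUpdatePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'

# App GUID labels as given in this collection file.
$EdgeAppNames = @{
    '{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}' = 'Edge (Stable)'
    '{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA}' = 'Edge (Beta)'
    '{65C35B14-6C1D-4122-AC46-7148CC9D6497}' = 'Edge (Canary)'
    '{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10}' = 'Edge (Dev)'
    '{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}' = 'WebView / WebView2'
}

function Get-RegistrySnapshot {
    # Returns every value under a registry key as a hashtable (empty if the key is absent).
    param([string]$KeyPath)
    $snapshot = @{}
    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        foreach ($name in $key.GetValueNames()) { $snapshot[$name] = $key.GetValue($name) }
    }
    return $snapshot
}

function Test-EdgeUpdatePolicy {
    # Turns a policy snapshot (value name -> data) into findings a reviewer can triage.
    param([hashtable]$Policy = @{})

    foreach ($name in ($Policy.Keys | Sort-Object)) {
        $value = $Policy[$name]
        $finding = $null
        if ($name -eq 'UpdateDefault' -and $value -eq 0) {
            $finding = 'Updates disabled for every app that has no override of its own'
        }
        elseif ($name -match '^Update(\{[0-9A-Fa-f-]{36}\})$' -and $value -eq 0) {
            # Per-app override: resolve the GUID to a label where this file provides one.
            $guid = $Matches[1].ToUpperInvariant()
            $app = if ($EdgeAppNames.ContainsKey($guid)) { $EdgeAppNames[$guid] } else { "app $guid (not labelled here)" }
            $finding = "Updates disabled for $app"
        }
        elseif ($name -eq 'AutoUpdateCheckPeriodMinutes' -and $value -eq 0) {
            $finding = 'Periodic update checks disabled'
        }
        if ($finding) {
            [pscustomobject]@{ Policy = $name; Value = $value; Finding = $finding }
        }
    }

    # The suppression window is spread over three values, so report it as one finding.
    if ($Policy.ContainsKey('UpdatesSuppressedDurationMin')) {
        $duration = [int]$Policy['UpdatesSuppressedDurationMin']
        $start = '{0:D2}:{1:D2}' -f [int]$Policy['UpdatesSuppressedStartHour'], [int]$Policy['UpdatesSuppressedStartMin']
        [pscustomobject]@{
            Policy  = 'UpdatesSuppressed*'
            Value   = $duration
            Finding = "Update checks suppressed for $duration min each day, starting at $start"
        }
    }
}

# Constructed sample: values this collection writes when its update scripts are applied.
$sample = @{
    'UpdateDefault'                                = 0
    'Update{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}' = 0
    'Update{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}' = 0
    'Update{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}' = 0
    'AutoUpdateCheckPeriodMinutes'                 = 0
    'UpdatesSuppressedDurationMin'                 = 1440
    'UpdatesSuppressedStartHour'                   = 0
    'UpdatesSuppressedStartMin'                    = 0
}
Test-EdgeUpdatePolicy -Policy $sample | Format-Table -AutoSize

# On a Windows host, audit the live policy key the same way.
Test-EdgeUpdatePolicy -Policy (Get-RegistrySnapshot $EdgeUpdatePolicyKey) | Format-Table -AutoSize
```

An empty result for the live key means none of these update-blocking values are set on that machine.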
call:
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: UpdatesSuppressedDurationMin # Microsoft Edge Update ≥ 1.3.33.5
dwordData: '1440' # Total number of minutes in a day = 24×60 minutes = 1440 minutes.
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: UpdatesSuppressedStartHour # Microsoft Edge Update ≥ 1.3.33.5
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: UpdatesSuppressedStartMin # Microsoft Edge Update ≥ 1.3.33.5
dwordData: '0'
-
category: Disable automatic installation of Edge and WebView
docs: |-
This category contains scripts that prevent the automatic installation of Microsoft Edge, allowing users
to maintain control over software installations on their systems.
These scripts help ensure that Edge and its components like WebView and WebView2 are only installed when explicitly
approved by the user, which can significantly enhance privacy and security.
Automatic installations can potentially introduce unwanted features or security vulnerabilities, and by preventing
these installations, users can manage their system's exposure to such risks.
Overall, these scripts help to:
- Prevent unsolicited installations of Microsoft Edge.
- Enable users to decide when and if Edge WebView should be installed, aligning with best practices for security and privacy.
- Provide users with tools to manage software deployment in a controlled manner.
children:
-
name: Disable automatic installation of Edge
recommend: standard # Preventing automatic installation helps control unwanted software without impacting system stability or security
docs: |-
This script prevents the automatic installation of Edge (Chromium) via Windows Update.
Microsoft Edge (Chromium), designed to replace Edge (Legacy), is automatically distributed
to devices running Windows 10 version 1803 or newer [1] [2] [3].
This script does not impact Windows 10, version 20H2 and later [3].
Windows 10 version 20H2 and later already include Edge (Chromium) by default [4].
This script only blocks the automatic installation of Edge (Chromium) through Windows Update,
without affecting other installation methods [2] [3] or system updates [2].
As Microsoft has ceased support for Edge (Legacy), including security updates [1], this script
enables you to manage the installation timing and method for Edge (Chromium),
aligning the updates with your preferences.
This script modifies the `HKLM\SOFTWARE\Microsoft\EdgeUpdate!DoNotUpdateToEdgeWithChromium` [2] [3] registry
key to configure this setting.
[1]: https://web.archive.org/web/20240517223534/https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-microsoft-edge-to-replace-microsoft-edge-legacy-with-april-s/ba-p/2114224 "New Microsoft Edge to replace Microsoft Edge Legacy with April's Windows 10 Update Tuesday release - Microsoft Community Hub | techcommunity.microsoft.com"
[2]: https://web.archive.org/web/20240517225010/https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate "Do not allow delivery of Microsoft Edge (Chromium-Based) through Automatic Updates | admx.help"
[3]: https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit "Blocker Toolkit to disable automatic delivery of Microsoft Edge | Microsoft Docs | docs.microsoft.com"
[4]: https://web.archive.org/web/20240517225921/https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/ "What's next for Windows 10 updates | Windows Experience Blog | blogs.windows.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\EdgeUpdate
valueName: DoNotUpdateToEdgeWithChromium
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable automatic installation of Edge across all channels
recommend: standard # Preventing automatic installation helps control unwanted software without impacting system stability or security
docs: |- # refactor-with-variables: Same • Active Directory only • Edge Channels • Chromium Policy Caution
This script disables the automatic installation of Microsoft Edge across all update channels, enhancing
user control over their systems and privacy.
Microsoft Edge offers four update channels—Stable, Beta, Dev, and Canary—each designed with different stability
levels and update frequencies [1].
This script blocks automatic installations for all these channels [2] [3].
This allows users to manually manage their updates and potentially reduce exposure to unstable or privacy-intrusive software.
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [2] [3].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures update policies for different Edge channels:
- `InstallDefault` to configure all channels [3].
- `56EB18F8-B008-4CBD-B6D2-8C97FE7E9062` for Edge (Stable) [2].
- `2CD8A007-E189-409D-A2C8-9AF4EF3C72AA` for Edge (Beta) [2].
- `65C35B14-6C1D-4122-AC46-7148CC9D6497` for Edge (Canary) [2].
- `0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10` for Edge (Dev) [2].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240624181311/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-channels "Microsoft Edge channel overview | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#install "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#installdefault "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: InstallDefault # Microsoft Edge Update ≥ 1.2.145.5
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Install{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} # Microsoft Edge Update ≥ 1.3.155.43
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Install{2CD8A007-E189-409D-A2C8-9AF4EF3C72AA} # Microsoft Edge Update ≥ 1.3.155.43
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Install{65C35B14-6C1D-4122-AC46-7148CC9D6497} # Microsoft Edge Update ≥ 1.3.155.43
dwordData: '0'
-
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Install{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10} # Microsoft Edge Update ≥ 1.3.155.43
dwordData: '0'
-
name: Disable automatic installation of WebView and WebView2
recommend: standard # Preventing automatic installation helps control unwanted software without impacting system stability or security
docs: |- # refactor-with-variables: Same • Chromium Policy Caution
This script prevents the automatic installation of Microsoft Edge WebView and WebView2 components.
By default, the WebView2 Runtime is installed automatically through Microsoft Edge Update [1].
After applying this script, automatic installation of the WebView2 Runtime via Microsoft Edge Update is blocked [1].
This improves your privacy and control over installed software on your system.
This script configures the `Install{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}` policy [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies#install-webview "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgeUpdatePolicyViaRegistry
parameters:
valueName: Install{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} # Microsoft Edge Update ≥ 1.3.155.43
dwordData: '0'
-
category: Disable Copilot in Edge
docs: |-
This category contains scripts to disable Copilot features in Microsoft Edge.
Copilot, initially known as *Bing Chat* [1], integrates generative AI into Edge [1] [2].
Despite its capabilities, it raises significant privacy and security concerns:
- **Privacy Concerns**:
Microsoft may retain chat data, which could include sensitive information [2].
It also collects personal data, such as URLs, page titles, user queries, and browsing context [2].
- **Security Risks**:
Language models like those used in Copilot are susceptible to specific attacks and vulnerabilities [3].
Read more: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/).
- **Targeted Advertising**:
Copilot can display targeted ads based on chat interactions, raising further privacy issues [4].
Disabling Copilot capabilities bolsters privacy, reduces security threats, improves browser speed, and provides
a cleaner browsing experience.
[1]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
[2]: https://web.archive.org/web/20240519104435/https://learn.microsoft.com/en-us/copilot/edge "Copilot in Edge | Microsoft Learn | learn.microsoft.com"
[3]: https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com"
[4]: https://web.archive.org/web/20240623220035/https://learn.microsoft.com/en-us/copilot/privacy-and-protections "Copilot Privacy and Protections | Microsoft Learn | learn.microsoft.com"
children:
-
name: Disable Edge Copilot and Hubs Sidebar
docs: |- # refactor-with-variables: Same • Chromium Policy Caution
This script enhances your privacy and system performance by disabling multiple
linked features in Microsoft Edge.
This script primarily disables the **Hubs Sidebar**.
This is a launcher bar on the right side of Microsoft Edge's screen [1].
By default, the Sidebar is visible [1], but running this script will permanently hide it [1].
Disabling the Hubs Sidebar also deactivates the following features:
- **Copilot in Edge**:
This feature was known as *Bing Chat* [2], *Discover in Edge* [3] [4], *Bing Discover* [3],
*Discover app* [5], *Discover experience* [4], or simply *Discover* [3] [4].
It collects personal data including URLs, page titles, user queries, browsing context, and
conversation histories [6] [7].
It enables the discovery of content relevant to the page you are browsing, such as summaries and
source information [4].
Disabling the Hubs Sidebar is the recommended method to also disable Copilot in Edge [4] [8].
Disabling it stops this data collection, improving your privacy.
- **Sidebar apps**:
Disabling the Hubs Sidebar also deactivates all sidebar apps [5].
This script also disables the sidebar in Progressive Web Apps (PWAs) [5].
This script prevents all sidebar apps from being activated [5].
- **Standalone Sidebar**:
Disabling the Hubs Sidebar also turns off any standalone sidebar modes [9].
This mode displays the Sidebar in a fixed position on the desktop, separate from the browser frame [9].
Disabling this reduces background resource usage, thereby optimizing system performance [10].
The script configures the following Edge policies:
| Edge policy | Affected Edge versions |
|-------------------------------------------|------------------------------|
| `HubsSidebarEnabled` [1] [3] [5] [8] [11] | Edge ≥ 99 [1] |
| `StandaloneHubsSidebarEnabled` [9] [10] | Edge ≥ 88 and ≤ 119 [9] |
The new settings will take effect after you restart the browser [5].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#hubssidebarenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
[3]: https://web.archive.org/web/20240328062746/https://techcommunity.microsoft.com/t5/discussions/copilot-or-discover-browser-extension-not-working-as-expected/m-p/4097297 "Copilot or Discover browser extension not working as expected for managed Edge browser - Microsoft Community Hub | techcommunity.microsoft.com"
[4]: https://web.archive.org/web/20240101215939/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-beta-channel "Archived release notes for Microsoft Edge Beta Channel | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240519104338/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-sidebar#allow-or-block-the-sidebar-in-group-policy "Manage the sidebar in Microsoft Edge | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#shopping "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240519104435/https://learn.microsoft.com/en-us/copilot/edge#data-used-by--in-edge "Copilot in Edge | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240519104435/https://learn.microsoft.com/en-us/copilot/edge#manage--in-edge "Copilot in Edge | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#standalonehubssidebarenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240519104546/https://answers.microsoft.com/en-us/microsoftedge/forum/all/microsoft-edge-running-in-the-background/b827d6dc-8853-4258-a2e1-a760e93df561 "Microsoft Edge running in the background - Microsoft Community | answers.microsoft.com"
[11]: https://web.archive.org/web/20240122064120/https://learn.microsoft.com/en-us/windows/client-management/manage-windows-copilot "Manage Copilot in Windows - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: HubsSidebarEnabled # Edge ≥ 99
dwordData: '0'
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: StandaloneHubsSidebarEnabled # Edge ≥ 114
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge Copilot browsing data collection
recommend: strict
docs: |- # refactor-with-variables: Same • Chromium Policy Caution
This script limits data access for Copilot in Microsoft Edge to enhance user privacy.
This script blocks Copilot's access to web pages in the Edge sidebar [1] [2] [3].
This stops Microsoft from collecting page contents, browser history, and user preferences [2] [3].
Otherwise, this data would automatically be sent to Bing [1].
This setting is specific to Microsoft Entra ID profiles [2], previously called AAD profiles [1].
Additionally, this script applies to "Copilot with Commercial Data Protection" [3].
By default, Copilot has access to page contents [1] [2] [3].
This access enables summarizing pages and interacting with text selections [1] [2].
This feature was previously known as **Discover** [1] and is based on Bing Chat [1].
> **Caution**:
> Disabling this feature will disable Copilot's abilities to summarize pages and
> interact with text selections in Edge.
The script configures the following Edge policies:
| Edge policy | Affected Edge versions |
|-------------------------------------|-------------------------------|
| `DiscoverPageContextEnabled` [1] | Edge ≥ 113 and Edge ≤ 127 [1] |
| `CopilotPageContext` [2] | Edge ≥ 124 [2] |
| `CopilotCDPPageContext` [2] | Edge ≥ 124 [2] |
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#discoverpagecontextenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#copilotpagecontext "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#copilotcdppagecontext "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: DiscoverPageContextEnabled # Edge ≥ 113 and Edge ≤ 127
dwordData: '0'
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: CopilotPageContext # Edge ≥ 124
dwordData: '0'
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: CopilotCDPPageContext # Edge ≥ 124
dwordData: '0'
-
name: Disable Edge Copilot access on new tab page
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables Copilot access on the new tab page of Microsoft Edge.
Originally known as Bing Chat, Copilot is a generative AI solution developed by Microsoft, integrated
directly into the Edge browser [2].
By default, the new tab page in Edge features two access points to Copilot: within the search box and in
the Bing Autosuggest drawer upon clicking [1].
Without this script, these Copilot entry-points remain active, offering AI-driven assistance directly
from the new tab page [1].
Running this script removes these, ensuring a simpler, distraction-free new tab page experience
in Microsoft Edge [1].
This script configures the `NewTabPageBingChatEnabled` Edge policy [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpagebingchatenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: NewTabPageBingChatEnabled # Edge ≥ 117
dwordData: '0'
-
name: Disable outdated Edge Discover button
docs: |- # refactor-with-variables: Same • Chromium Policy Caution
This script disables the outdated Discover feature in Microsoft Edge.
Initially called *Bing Chat* [1] [2] or *Bing Discover* [2], this feature has evolved into what is now known as **Copilot** [1] [2].
In recent versions of Edge, the Discover button in the toolbar has been replaced with the new Copilot button [2].
This script is applicable only to versions of Edge between 97 and 105 [3].
It disables the obsolete Discover feature and button on older versions of Edge [3] [4].
When enabled, this feature used to send URLs to Microsoft Bing to search for related content [3].
By default, the Discover feature remains accessible in earlier Edge versions [3].
This script configures the `EdgeDiscoverEnabled` Edge policy [3] [4].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240623213328/https://blogs.bing.com/search/november-2023/our-vision-to-bring-microsoft-copilot-to-everyone-and-more "Our vision to bring Microsoft Copilot to everyone, and more | Bing Search Blog | blogs.bing.com"
[2]: https://archive.today/2024.06.23-222710/https://www.askvg.com/disable-or-remove-bing-chat-button-or-icon-from-microsoft-edge-toolbar/ "How to Disable or Remove Bing Chat Button from Microsoft Edge Toolbar - AskVG | www.askvg.com"
[3]: https://web.archive.org/web/20220930193320/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgediscoverenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240101215939/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-beta-channel "Archived release notes for Microsoft Edge Beta Channel | Microsoft Learn | learn.microsoft.com"
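
Because the Copilot policies in this category apply to different Edge version ranges, a value can be set yet ignored by the installed browser. The following PowerShell check is an added example, not part of privacy.sexy; it assumes the policies are stored under `HKLM\SOFTWARE\Policies\Microsoft\Edge` and that `msedge.exe` is registered under the App Paths key, and its function names and sample baseline are constructed.

```powershell
# Added example, not part of privacy.sexy: which Copilot-related Edge policies are
# honoured by a given Edge major version, and which leave a gap.
# Assumption: SetEdgePolicyViaRegistry writes DWORDs under Microsoft's documented policy key.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Version ranges as stated in this file's docs and comments; $null = no upper bound given.
$PolicyRanges = @(
    @{ Name = 'HubsSidebarEnabled';         Min = 99;  Max = $null }
    @{ Name = 'DiscoverPageContextEnabled'; Min = 113; Max = 127 }
    @{ Name = 'CopilotPageContext';         Min = 124; Max = $null }
    @{ Name = 'CopilotCDPPageContext';      Min = 124; Max = $null }
    @{ Name = 'NewTabPageBingChatEnabled';  Min = 117; Max = $null }
    @{ Name = 'EdgeDiscoverEnabled';        Min = 97;  Max = 105 }
)

function Get-EdgePolicyCoverage {
    # Compares configured values (name -> data) with the version range of each policy.
    param([int]$EdgeMajorVersion, [hashtable]$Configured = @{})

    foreach ($range in $PolicyRanges) {
        $applies = $EdgeMajorVersion -ge $range.Min -and
            ($null -eq $range.Max -or $EdgeMajorVersion -le $range.Max)
        $disabled = $Configured.ContainsKey($range.Name) -and $Configured[$range.Name] -eq 0

        $status = if ($applies -and $disabled) { 'Enforced' }
        elseif ($applies) { 'Gap: applies to this version but is not set to 0' }
        elseif ($disabled) { 'Set, but outside the supported version range' }
        else { 'Not applicable' }

        [pscustomobject]@{ Edge = $EdgeMajorVersion; Policy = $range.Name; Status = $status }
    }
}

function Get-EdgeMajorVersion {
    # Assumption: msedge.exe is registered under the standard App Paths key.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe'
    if (-not (Test-Path -LiteralPath $appPath)) { return $null }
    $exe = (Get-Item -LiteralPath $appPath).GetValue('')   # '' reads the key's default value
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return $null }
    return (Get-Item -LiteralPath $exe).VersionInfo.ProductMajorPart
}

# Constructed sample: an older baseline that only set the two Discover-era policies.
# On Edge 128 neither value is in range any more, so every current policy shows as a gap.
$legacyBaseline = @{ DiscoverPageContextEnabled = 0; EdgeDiscoverEnabled = 0 }
foreach ($version in 105, 126, 128) {
    Get-EdgePolicyCoverage -EdgeMajorVersion $version -Configured $legacyBaseline |
        Format-Table -AutoSize
}

# On a Windows host, evaluate the live policy key against the installed Edge version.
$live = @{}
if (Test-Path -LiteralPath $EdgePolicyKey) {
    $key = Get-Item -LiteralPath $EdgePolicyKey
    foreach ($range in $PolicyRanges) {
        $data = $key.GetValue($range.Name, $null)
        if ($null -ne $data) { $live[$range.Name] = $data }
    }
}
$installed = Get-EdgeMajorVersion
if ($installed) {
    Get-EdgePolicyCoverage -EdgeMajorVersion $installed -Configured $live | Format-Table -AutoSize
}
```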
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: EdgeDiscoverEnabled # Edge ≥ 97 and Edge ≤ 105
dwordData: '0'
-
category: Disable Edge ads
docs: |-
### Overview
This category blocks several types of advertisements in Microsoft Edge,
such as promotional suggestions, notifications, and recommendations.
### Impact
- **User Experience**:
Provides a cleaner, less distracting browsing experience.
- **Privacy**:
Enhances privacy by reducing potential tracking mechanisms.
- **Performance**:
Improves system performance by reducing unnecessary processing.
### Scope
- **Targeted Ad Blocking**:
Disables only those ads that can be suppressed without affecting other features.
- **Feature Integrity**:
Blocks ads selectively, ensuring the functionality of Edge's features is not compromised.
- **External Ads**:
Does not affect advertisements displayed by external websites.
children:
-
name: Disable Edge spotlight recommendations
recommend: standard # Recommended by CIS
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables spotlight recommendations in Microsoft Edge to enhance privacy protection.
By default, Microsoft Edge offers spotlight experiences and recommendations [1] [2] [3].
These include personalized background images, text, suggestions, notifications, and tips based on your browsing activities [1] [2] [3].
These features collect data about you and your interactions with Microsoft services [1].
Disabling these recommendations helps protect your privacy by preventing Microsoft from using your browsing data to personalize and display content [1].
This is especially important because such data could inadvertently be exposed or shared with unauthorized third parties [1].
The Center for Internet Security recommends disabling these features as they consider them a potential security risk [1].
This script configures the `SpotlightExperiencesAndRecommendationsEnabled` [2] [3] Edge policy.
After running this script, users will no longer receive any spotlight experiences or recommendations from Microsoft Edge [1] [2] [3], maintaining
a more generic and less intrusive browsing environment.
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20231129023615/https://www.tenable.com/audits/items/CIS_Microsoft_Edge_v1.1.0_L2.audit:399926c716539508b62eeb5dfec08582 "1.3.2 Ensure 'Choose whether users can receive customized back... | Tenable® | www.tenable.com"
[2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#spotlightexperiencesandrecommendationsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240618225121/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SpotlightExperiencesAndRecommendationsEnabled "Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services | admx.help"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: SpotlightExperiencesAndRecommendationsEnabled # Edge ≥ 86
dwordData: '0'
-
name: Disable Edge feature ads
recommend: standard # Recommended by Microsoft
docs: |- # refactor-with-variables: • Chromium Policy Caution • Microsoft recommends
This script disables promotional notifications and feature recommendations in Microsoft Edge, providing a distraction-free browsing experience.
By default, Microsoft Edge may show notifications encouraging users to explore various features [1] [2],
such as using vertical tabs for improved tab management [1].
These notifications typically appear in situations like having multiple tabs open [1], and can include suggestions
to link Edge with a smartphone [3] or to use Bing as a search engine in Chrome [4].
Running this script stops these notifications [1], ensuring users do not receive prompts even in scenarios where they are
typically triggered [1].
Such recommendations may pose privacy concerns by potentially tracking user interactions and preferences.
By disabling these features, the script helps safeguard user privacy by reducing exposure to tracking mechanisms.
This action is beneficial for those who prefer a less intrusive interface while browsing.
Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [2].
This script configures the `ShowRecommendationsEnabled` [1] [2] Edge policy.
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#allow-feature-recommendations-and-browser-assistance-notifications-from-microsoft-edge "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240618223116/https://www.tenforums.com/browsers-email/204773-microsoft-edge-promotional-messages-homepage.html "Microsoft Edge Promotional Messages On Homepage - Windows 10 Forums | www.tenforums.com"
[4]: https://archive.ph/2024.06.18-223049/https://www.reddit.com/r/windows/comments/15yo389/this_popped_up_on_my_desktop_while_i_was_using/ "This popped up on my desktop while I was using Firefox and I am unreasonably annoyed. I feel like I have less and less control over my OS each year. : r/windows | www.reddit.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: ShowRecommendationsEnabled # Edge ≥ 89
dwordData: '0'
-
name: Disable Edge Bing ads
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script blocks all advertisements on Bing when using Edge,
enhancing the search experience by eliminating interruptions and unwanted content.
By default, `bing.com` displays ads within search results [1].
This intrudes on privacy by tracking user behavior.
This script blocks these ads [1], providing a cleaner and more private search environment.
It also sets the SafeSearch filter to 'Strict' [1].
This limits adult content for safer browsing, particularly in educational settings.
The 'Strict' setting may also limit the accessibility of some legitimate search results,
which can affect search efficiency.
Once applied, these settings cannot be changed by the user [1], which fixes the search environment
configuration in place. To change them again, you will need to run the revert script.
This script applies only on K-12 SKUs identified as educational tenants by Microsoft [1].
It is effective only in educational institutions recognized by Microsoft.
This script configures the `BingAdsSuppression` [1] Edge policy.
The changes will take effect upon the next restart of the Edge browser [1].
> **Caution**:
> - While this script offers an ad-free experience on Bing.com, it also enforces strict content filtering
> which may overly restrict search results.
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#bingadssuppression "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: BingAdsSuppression # Edge ≥ 83
dwordData: '1' # 1 = policy enabled: block Bing ads and enforce strict SafeSearch
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge promotional pages
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables full-tab promotional content in Microsoft Edge.
By default, Microsoft Edge may display full-tab content [1] [2].
These promotions may include product feature highlights, sign-in assistance, default browser selection, or tutorials on new features [1] [2].
This content can include welcome pages and educational material [1] [2].
Running this script modifies the `PromotionalTabsEnabled` policy [1] [2] to prevent Microsoft Edge from showing this
type of promotional content. After executing the script, Edge will no longer display these full-tab promotions [1] [2].
This improves user privacy by reducing exposure to unsolicited promotional material and helps streamline the browsing experience
by eliminating potential distractions. Additionally, it improves system performance by reducing the load times associated with
these promotional tabs.
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#promotionaltabsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240414222217/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge%3A%3APromotionalTabsEnabled "Enable full-tab promotional content | admx.help"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: PromotionalTabsEnabled # Edge ≥ 77
dwordData: '0'
-
name: Disable Edge browsing history collection for ads
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities
This script stops Microsoft from personalizing ads and content using your browsing data across its services,
thereby enhancing your privacy.
Microsoft Edge collects and transmits your browsing history, favorites, usage data, and other web activities to Microsoft [1] [2] [3].
This data is used to personalize advertisements and content to your interests [1] [2] [3] [4].
This information is shared with other Microsoft services, such as Microsoft Edge, Bing, and News [1] [2] [3] [4].
For instance, based on your activity, Microsoft may show you ads for products from stores you frequently visit or
news related to topics you often read about [1] [3].
By executing this script, you prevent Microsoft from utilizing your browsing data to personalize ads and content [1].
This ensures your browsing habits are kept private and not used for advertising purposes.
Authorities like The Defense Information Systems Agency (DISA) [5] and The Center for Internet Security (CIS) [6]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [5].
This setting is applicable only to personal Microsoft accounts and does not apply to child or enterprise accounts [2] [4].
Once applied, the setting cannot be altered by the user, indicating that the browser is being managed [2] [4].
This script configures the `PersonalizationReportingEnabled` [2] [3] [4] [5] [6] Edge policy.
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240623170024/https://support.microsoft.com/en-us/microsoft-edge/microsoft-edge-browsing-activity-for-personalized-advertising-and-experiences-37aa831e-6372-238e-f33f-7cd3f0e53679 "Microsoft Edge browsing activity for personalized advertising and experiences - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#personalizationreportingenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240623151609/https://www.elevenforum.com/t/enable-or-disable-personalize-advertising-and-experiences-in-microsoft-edge.16986/ "Enable or Disable Personalize Advertising and Experiences in Microsoft Edge Tutorial | Windows 11 Forum | www.elevenforum.com"
[4]: https://web.archive.org/web/20240623151615/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::PersonalizationReportingEnabled "Allow personalization of ads, search and news by sending browsing history to Microsoft | admx.help"
[5]: https://web.archive.org/web/20240623151630/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235748 "Personalization of ads, search, and news by sending browsing history to Microsoft must be disabled. | www.stigviewer.com"
[6]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: PersonalizationReportingEnabled # Edge ≥ 80
dwordData: '0'
-
name: Disable Edge Insider ads
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution • Microsoft recommends
This script disables Microsoft Edge Insider promotions to create a cleaner and more streamlined browser experience.
By default, Edge displays content promoting its Insider channels on the "About Microsoft Edge" settings page [1].
Running this script prevents these promotional materials from appearing [1] [2].
Disabling these ads helps maintain a more private and less cluttered browsing interface.
Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [2].
This script configures the `MicrosoftEdgeInsiderPromotionEnabled` Edge policy to stop these promotions [1] [2] [3].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#microsoftedgeinsiderpromotionenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240104223003/https://borncity.com/win/2022/03/10/edge-99-0-1150-36-edge-insider-werbung-endlich-per-gpo-abschaltbar/ "Edge 99.0.1150.36: Edge Insider ads can finally be deactivated via GPO | Born's Tech and Windows World | borncity.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: MicrosoftEdgeInsiderPromotionEnabled # Edge ≥ 98
dwordData: '0'
-
name: Disable Edge Adobe Acrobat subscription ads
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script removes the Adobe Acrobat subscription button from Microsoft Edge's PDF viewer.
In 2023, Microsoft integrated Adobe's PDF viewer into Edge and added a subscription button
for purchasing Acrobat services [1].
This button is visible by default [2] and prompts users to subscribe to Adobe Acrobat,
offering access to premium features [1] [2].
This script conceals the subscription button, thus preventing direct prompts to
purchase Adobe's premium services from the PDF viewer [1].
This action creates a cleaner interface and minimizes commercial distractions.
This script configures the `ShowAcrobatSubscriptionButton` [1] [2] Edge policy
to hide the subscription button.
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240623192157/https://www.ghacks.net/2023/03/19/how-to-remove-the-try-acrobat-advertisement-from-microsoft-edges-new-pdf-viewer/ "How to remove the Try Acrobat advertisement from Microsoft Edge's new PDF Viewer - gHacks Tech News | www.ghacks.net"
[2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#showacrobatsubscriptionbutton "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: ShowAcrobatSubscriptionButton # Edge ≥ 111
dwordData: '0'
-
name: Disable Edge top sites and sponsored links on new tab page
recommend: standard # Remove ads and increase privacy without compromising essential functionality
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the display of default top sites and sponsored links on Microsoft Edge's new tab page, enhancing privacy by
eliminating commercial content and preventing the exposure of your frequently visited sites.
By default, Microsoft Edge displays tiles of frequently visited sites, known as top sites, on the new tab page [1].
These sites, saved from your browsing history, facilitate quick access to frequently visited destinations [2].
The display also includes sponsored links [3], which are advertisements.
Running this script will hide these default top site tiles and remove all sponsored quick links from the new tab page [3].
Removing these links helps minimize tracking from your visits and interactions with ads, promoting a more private browsing environment.
Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [4].
Furthermore, removing these top sites and sponsored links protects sensitive browsing data from exposure to others, including friends,
family, and potential attackers, maintaining your privacy and security.
This script configures the `NewTabPageHideDefaultTopSites` Edge policy [1] [3] [4].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpagehidedefaulttopsites "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625091756/https://www.anoopcnair.com/how-to-add-remove-top-sites-in-edge-browser/ "How To Add Remove Top Sites In Edge Browser HTMD Blog | www.anoopcnair.com"
[3]: https://web.archive.org/web/20240623123512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-stable-channel#feature-updates-4 "Archived release notes for Microsoft Edge Stable Channel | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: NewTabPageHideDefaultTopSites # Edge ≥ 77
dwordData: '1' # 1 = policy enabled: hide default top sites
-
name: Disable Edge Follow feature
recommend: standard # Recommended by CIS
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the Follow feature in Microsoft Edge.
The Follow feature in Edge allows users to receive updates from influencers, websites,
or topics directly in the browser [1].
By default, this feature is enabled [1].
The feature sends the URLs of websites you visit to Microsoft's Bing API, compromising privacy [2] [3].
It risks exposing sensitive information, such as search terms and personal details.
It creates a personalized feed in Edge's Collections by collecting browsing data [4].
To protect privacy, it's advisable not to send browsing data to third parties [4].
Disabling this feature stops Edge from sending visited URLs to Microsoft [2] [3],
and prevents communication with the Follow service [1],
keeping browsing data private and local.
The Center for Internet Security (CIS) advises disabling this feature to bolster security [4].
This script configures the `EdgeFollowEnabled` Edge policy [1] [3] [5].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgefollowenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625101642/https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy "Microsoft Edge is leaking the sites you visit to Bing - The Verge | www.theverge.com"
[3]: https://web.archive.org/web/20240625101605/https://borncity.com/win/2023/04/27/microsoft-edge-feature-follow-creators-sends-nerly-all-visited-website-urls-to-bing-api/ "Microsoft Edge feature \"Follow creators\" sends nerly all visited website URLs to Bing API | Born's Tech and Windows World | borncity.com"
[4]: https://web.archive.org/web/20240625100526/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12814.html "Follow Service Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com"
[5]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L3381-L3416 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: EdgeFollowEnabled # Edge ≥ 98
dwordData: '0'
-
name: Disable Edge Shopping Assistant
recommend: strict # Recommended by DISA
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Microsoft recommends
This script disables Microsoft Edge's shopping features.
Microsoft refers to these features as *shopping assistant* [1] [2] [3] [4], *shopping features* [2] [5], or *Microsoft Shopping* [5].
These features allow users to compare prices, receive coupons, and use autofill during checkout to speed up the process [2].
They also provide notifications for coupons and rebates when shopping online [5].
Disabling these features addresses several privacy concerns:
- **Data Collection and Profiling:**
Microsoft collects extensive data about users' shopping habits and online activities.
This includes users' shopping habits [5], preferences [5], websites visited [4] [5], and search history [4].
This contributes to detailed user profiling.
- **Continuous Network Communication:**
The browser continuously communicates with Microsoft servers.
It receives retailer information [5].
It sends data about visited shopping sites and system details to Microsoft servers [5].
- **Email Scanning:**
Microsoft Edge scans users' email accounts for promotional coupons [5].
The email data sent may include sensitive information.
- **Targeted Advertising and Tracking:**
Collected data can be used to tailor precise ads, enhancing targeted advertising efforts.
Edge modifies URLs for affiliate tracking, which aids persistent online tracking [5].
- **Persistent Cookies:**
Persistent cookies are used for various functions including debugging, fraud detection, and analytics [5], further compromising
user privacy.
- **Data Sharing:**
Data is shared with Bing Rebates and Shopping services [5], potentially exposing sensitive user information to third parties [4].
This aggregation of data could lead to more detailed collection of personal information.
Running this script prevents the automatic activation of features such as price comparison, coupons, and express checkout on retail websites [2].
Authorities like The Center for Internet Security (CIS) [1] [4] recommend this script for enhanced security.
Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [3].
This script configures the `EdgeShoppingAssistantEnabled` Edge policy to disable Edge's shopping features [1] [2] [3].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L4315-L4350 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com"
[2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgeshoppingassistantenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
[4]: https://archive.ph/2024.06.26-144015/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12839.html "Edge Shopping Assistant Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com"
[5]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#shopping "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: EdgeShoppingAssistantEnabled # Edge ≥ 87
dwordData: '0'
-
name: Disable Edge Search bar on desktop
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the **Search bar** feature.
This feature was formerly known as **Edge bar** [1] [2] [3] [4] [5] and **Web Widget** [1] [2] [3] [4] [6] [7].
This feature allows users to perform web searches directly from their desktop or within applications [5] [8].
The search is powered by Bing [6] [7], or the default search engine of Microsoft Edge [6] [7] [8].
It provides search and URL suggestions [6] [7] [8].
It also displays personalized news and content such as headlines, weather, sports, traffic, along with some tools [4] [5].
Users can access the Search bar from the "More tools" menu or jump list in Microsoft Edge [6] [7] [8].
The Search bar is enabled by default across all profiles unless disabled [6] [7] [8].
It does not start at Windows startup by default [1] [2] [9].
This feature raises privacy concerns as it collects data to provide personalized content [4] [5].
Once opened, it remains active even after you close Microsoft Edge [3].
You must explicitly close it using the "Quit" option in the System tray or the 3-dot menu [6] [7].
Running this script will disable:
- The Search bar [6] [7] [8].
- The option to launch the Search bar from the Microsoft Edge "More tools" menu [6] [7] [8].
- The option to launch the Search bar from the Microsoft Edge jump list menu [6] [7] [8].
- Automatic launch of the Search bar at Windows startup [1] [2] [9].
- The option to start the Edge bar at Windows startup in Microsoft Edge settings [1] [2] [9].
The script configures the following Edge policies:
| Edge policy | Affected Edge versions |
|-----------------------------------------|-------------------------------|
| `WebWidgetAllowed` [3] [6] [7] | Edge ≥ 88 and ≤ 119 [6] [7] |
| `WebWidgetIsEnabledOnStartup` [1] [2] | Edge ≥ 88 and ≤ 119 [1] [2] |
| `SearchbarAllowed` [8] | Edge ≥ 117 [8] |
| `SearchbarIsEnabledOnStartup` [9] | Edge ≥ 117 [9] |
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#webwidgetisenabledonstartup "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240517212629/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::WebWidgetIsEnabledOnStartup "Enable the Web widget | admx.help"
[3]: https://web.archive.org/web/20240517212623/https://www.elevenforum.com/t/enable-or-disable-edge-bar-in-microsoft-edge.6001/ "Enable or Disable Edge Bar in Microsoft Edge Tutorial | Windows 11 Forum | elevenforum.com"
[4]: https://web.archive.org/web/20210506115349/https://blogs.msn.com/enus-get-started-with-the-web-widget/ "EN-US - Get started with the Web widget - Microsoft News | blogs.msn.com"
[5]: https://web.archive.org/web/20240517205709/https://ntp.msn.com/web-widget "Edge bar | ntp.msn.com"
[6]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#webwidgetallowed "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240517212639/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::WebWidgetAllowed "Allow the Web widget at Windows startup | admx.help"
[8]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#searchbarallowed "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#searchbarisenabledonstartup "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: WebWidgetAllowed # Edge ≥ 88 and ≤ 119
dwordData: '0'
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: WebWidgetIsEnabledOnStartup # Edge ≥ 88 and ≤ 119
dwordData: '0'
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: SearchbarAllowed # Edge ≥ 117
dwordData: '0'
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: SearchbarIsEnabledOnStartup # Edge ≥ 117
dwordData: '0'
-
name: Disable Edge Microsoft Rewards
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables Microsoft Rewards in Edge.
This feature is enabled by default, activating the Microsoft Rewards experience in Edge [1].
Users participating in search and earn markets will notice this feature within their Microsoft Edge user profile [1] [2].
Microsoft Rewards encourages users to earn points through Bing searches, which can be redeemed for items at the Microsoft Store [1].
However, this feature involves tracking user activities, which may pose privacy risks by potentially sharing sensitive data with third parties [1].
Running this script prevents Microsoft Rewards notifications and features from appearing in Edge [1], enhancing privacy.
The script modifies the `ShowMicrosoftRewards` policy to turn off these features [2] [3].
It's recommended for those who prefer not to have their search activities monitored or used for advertising purposes.
The Center for Internet Security suggests disabling these features, viewing them as a potential security risk [1].
After applying this script, the Microsoft Rewards experience will no longer be visible in the Edge user profile [1].
Changes will take effect after restarting the browser [3].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240618232029/https://www.tenable.com/audits/items/CIS_Microsoft_Edge_v1.1.0_L2.audit:e25958b42c6f13d957a456bfbfd06744 "1.106 Ensure 'Show Microsoft Rewards experiences' is set to 'D... | Tenable® | www.tenable.com"
[2]: https://web.archive.org/web/20240618232113/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::ShowMicrosoftRewards_recommended "Show Microsoft Rewards experiences | admx.help"
[3]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#showmicrosoftrewards "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: ShowMicrosoftRewards # Edge ≥ 88
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge Bing suggestions in address bar
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables suggestions from Microsoft Search in Bing within the address bar.
This enhances privacy by reducing unsolicited data sharing with Bing.
By default, Microsoft Edge may display results powered by Microsoft Search in Bing within the address bar suggestions [1] [2].
This occurs even if Bing is not the default search provider [1].
This feature can raise privacy concerns, as it involves sending query data to Bing.
This script stops the display of Microsoft Search in Bing suggestions in the address bar as users type their search terms [1] [2].
It modifies the `AddressBarMicrosoftSearchInBingProviderEnabled` Edge policy [1] [2].
This script specifically targets Bing suggestions without affecting other search providers [1] [2].
Additionally, the script disables internal search results for users logged in with an Entra ID (Azure AD) within their organization [1] [2].
The changes take effect after restarting the browser [1].
> **Caution**:
> - This will block the display of internal search results within an organization when logged in.
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#addressbarmicrosoftsearchinbingproviderenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240619091742/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AddressBarMicrosoftSearchInBingProviderEnabled "Enable Microsoft Search in Bing suggestions in the address bar | admx.help"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: AddressBarMicrosoftSearchInBingProviderEnabled # Edge ≥ 81
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge "Find on Page" data collection
recommend: standard # Recommended by CIS
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script stops Edge from sending data to Microsoft during 'Find on Page' searches, enhancing privacy.
'Find on Page' allows users to search for text on a webpage, highlighting matches and suggesting related terms [1] [2] [3] [4] [5].
This feature sends data to Microsoft for processing [1] [3] [4].
This data transmission is enabled by default [1] [3].
The data includes the text of the webpage, search terms, and a service token [5].
Sharing browsing and search history may expose data to third parties [3].
After applying this script, the 'Find on Page' feature remains usable, but without sending data to Microsoft [1] [3].
Instead, all related matches are generated on the user's device, significantly enhancing privacy without sacrificing functionality.
Local processing minimizes exposure of sensitive data and aligns with security best practices from the CIS (Center for Internet Security) [3] [6].
This script configures the `RelatedMatchesCloudServiceEnabled` Edge policy [1] [3] [4] [6].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#relatedmatchescloudserviceenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623123237/https://www.microsoft.com/en-us/edge/features/find-on-page?ch=1&form=MA13FJ "Find on Page | Microsoft Edge | www.microsoft.com"
[3]: https://web.archive.org/web/20240623123235/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12793.html "Related Matches Cloud Service Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com"
[4]: https://web.archive.org/web/20240623123512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-archive-stable-channel#feature-updates-4 "Archived release notes for Microsoft Edge Stable Channel | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#find-on-page "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
[6]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/72d878930bc5b31295d50271314e591fa087ee42/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-1.1.0%23RegistrySettings.ps1#L2159-L2193 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-1.1.0#RegistrySettings.ps1 at 72d878930bc5b31295d50271314e591fa087ee42 · privacysexy-forks/Audit-Test-Automation | github.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: RelatedMatchesCloudServiceEnabled # Edge ≥ 99
dwordData: '0'
-
name: Disable Edge sign-in prompt on new tab page
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script removes the sign-in prompt from the new tab page in Microsoft Edge to
minimize distractions and protect your privacy.
By default, Microsoft Edge shows a sign-in prompt on the new tab page, asking users to log in [1].
This prompt, which resembles advertising, can compromise your privacy by encouraging the sharing of
personal information.
After applying this script, the sign-in prompt will no longer appear on the new tab page [1].
This change leads to a cleaner and more private browsing environment.
This script configures the `SignInCtaOnNtpEnabled` Edge policy [1].
This change only takes effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#signinctaonntpenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: SignInCtaOnNtpEnabled # Edge ≥ 99
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
category: Harden Edge privacy # Same name as Linux > "Harden Firefox privacy"
docs: |-
This category contains scripts designed to enhance privacy settings in Microsoft Edge
by reducing tracking mechanisms encountered during web browsing.
These scripts do not block data collection conducted directly by Microsoft through Edge.
Instead, these scripts empower users by providing control over the exposure of their
browsing data to external entities, thereby significantly enhancing privacy.
children:
-
name: Enable Edge tracking prevention
recommend: strict # Recommended by DISA
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities
This script configures Microsoft Edge's tracking prevention to the 'Strict' level,
enhancing user privacy by blocking extensive web tracking.
The tracking prevention feature in Microsoft Edge restricts online trackers from accessing
browser storage and network resources, which helps safeguard user data [1].
By default, the 'Balanced' level is activated [1] [2].
While the 'Balanced' level does not block ads or analytics [1], this script activates the 'Strict'
level to provide a higher degree of privacy by blocking these elements [1].
Although recommended for maximum privacy, the 'Strict' level may disrupt some website functionalities [3] [4].
Authorities like The Defense Information Systems Agency (DISA) [4] and The Center for Internet Security (CIS) [2]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [4].
Once applied, this script prevents users from changing the tracking prevention level themselves [3] [4].
This script configures the `TrackingPrevention` Edge policy [1] [2] [3] [4].
Running this script does not require a browser restart for the changes to take effect [2].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
> - Aggressive tracking prevention may cause some websites to not function properly.
[1]: https://web.archive.org/web/20240623143037/https://learn.microsoft.com/en-us/microsoft-edge/web-platform/tracking-prevention "Tracking prevention in Microsoft Edge - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
[3]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#trackingprevention "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240623143146/https://www.stigviewer.com/stig/microsoft_edge/2023-06-02/finding/V-235766 "Tracking of browsing activity must be disabled. | www.stigviewer.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: TrackingPrevention # Edge ≥ 78
dwordData: '3' # 3: Strict | 2: Balanced | 1: Basic | 0: Off (no tracking prevention)
-
name: Block Edge third party cookies
recommend: strict # refactor-with-variables: • Chromium Policy Caution • Authorities
docs: |-
This script blocks third-party cookies in Microsoft Edge, enhancing your privacy by reducing
tracking across various webpages.
It prevents websites from setting cookies unless they match the domain in the address bar [1].
This action limits potential tracking activities by third-party entities, which could otherwise
track your web activities and gather information about you [2].
Third-party cookies are enabled and not blocked by default on Edge [1].
Disabling third-party cookies may impact the performance of websites like Microsoft 365 or
Salesforce, which depend on these cookies for some of their features [2].
Authorities like The Center for Internet Security (CIS) [1]
recommend this script for enhanced security.
This script configures the `BlockThirdPartyCookies` Edge policy [1] [2].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
> - Some websites may not function properly without third-party cookies.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#blockthirdpartycookies "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: BlockThirdPartyCookies # Edge ≥ 77
dwordData: '1' # 1: Block third-party cookies | 0: Allow third-party cookies
-
name: Enable Do Not Track requests
recommend: standard # refactor-with-variables: • Chromium Policy Caution
docs: |-
This script enables Do Not Track requests in Microsoft Edge.
Do Not Track communicates to websites that you prefer not to have your browsing activity tracked [1].
It enhances privacy by signaling your tracking preferences to websites, though compliance is not guaranteed.
By default, Edge does not send Do Not Track requests [1].
This script ensures these requests are always sent to websites that seek tracking information [1].
Additionally, Microsoft endorses this script as it helps create a cleaner browser interface by reducing
unsolicited suggestions [2] and improves privacy by better controlling data connections [3].
This script configures the `ConfigureDoNotTrack` Edge policy [1] [2].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#configuredonottrack "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
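[2]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"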
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: ConfigureDoNotTrack # Edge ≥ 77
dwordData: '1' # 1: Always send Do Not Track requests | 0: Never send Do Not Track requests
-
name: Disable Edge search and site suggestions
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities
This script disables search suggestions based on typed characters in Microsoft Edge,
enhancing user privacy by preventing typed data collection.
When you type in the address bar, Microsoft Edge sends characters to Microsoft servers to provide search
and site suggestions [1] [2].
This data-sharing feature is enabled by default [1].
Running this script prevents these suggestions from appearing [3].
It ensures your inputs remain private and are not used to generate suggestions or telemetry [1] [2].
Authorities like The Defense Information Systems Agency (DISA) [2] and The Center for Internet Security (CIS) [4]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
Microsoft recommends this script for privacy and managing connections [5].
Impacts of running this script:
- Disables search suggestions and auto-suggest features in the address bar [1] [2].
- Blocks the collection of typed characters and visited URLs for telemetry by Microsoft [1] [2].
- Retains local history and favorites suggestions, without sending this data to Microsoft [1] [2].
- Prevents users from changing this configuration [1] [2].
This script configures the `SearchSuggestEnabled` Edge policy [1] [2] [3] [4] [5].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#searchsuggestenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623154047/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235729 "Search suggestions must be disabled. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240623153945/https://learn.microsoft.com/en-us/microsoftsearch/edge-shortcuts "Customize address bar shortcuts for Microsoft Edge | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
[5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: SearchSuggestEnabled # Edge ≥ 77
dwordData: '0'
-
name: Disable outdated Edge automatic image enhancement
recommend: standard # Removed feature
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the automatic image enhancement feature.
This feature is present in Microsoft Edge versions 97 to 121 [1].
It improves image sharpness, color, lighting, and contrast [1].
This feature uploads viewed images online to Microsoft for processing [2].
Starting with version 122, Microsoft Edge has removed this feature, limiting this
script's use to versions 97 to 121 [1].
This script configures the `EdgeEnhanceImagesEnabled` Edge policy [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgeenhanceimagesenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623171433/https://www.malwarebytes.com/blog/news/2023/06/edge-browser-feature-sends-images-you-view-back-to-microsoft "Edge browser feature sends images you view back to Microsoft | www.malwarebytes.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: EdgeEnhanceImagesEnabled # Edge ≥ 97 and Edge ≤ 121
dwordData: '0'
-
name: Disable Edge quick links on the new tab page
recommend: strict # May reduce productivity / personal preferences
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the display of quick links on the new tab page in Microsoft Edge.
By default, Microsoft Edge displays quick links on the new tab page [1].
This feature provides one-click access to your most frequently visited sites by automatically adding them to this menu [2].
Running this script will hide these quick links and disable the user's ability to modify this setting in the NTP settings flyout [1].
This may reduce convenience as users will need to manually enter website addresses, but it enhances privacy by preventing
the inadvertent exposure of frequently visited sites.
The changes made by this script apply only to Microsoft Edge profiles associated with local user accounts, Microsoft Accounts,
or Active Directory accounts [1]. They do not affect Enterprise new tab pages configured through Azure Active Directory [1].
This script configures the `NewTabPageQuickLinksEnabled` Edge policy [1] [2].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpagequicklinksenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623172131/https://www.thewindowsclub.com/hide-quick-links-on-a-new-tab-page-in-edge "How to hide Quick Links on a New tab page in Edge using Registry Editor | www.thewindowsclub.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: NewTabPageQuickLinksEnabled # Edge ≥ 91
dwordData: '0'
-
name: Disable Edge remote background images on new tab page
recommend: strict # Minor privacy impact
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables background images received from Microsoft servers on the new tab page.
By default, if you do not run this script, all background image types on the new tab page are enabled [1] [2].
This script disables only the daily background image type, so custom images can still be used [1] [2].
Disabling this feature removes unnecessary network traffic with Microsoft servers that may leak data
and your usage behavior. It also optimizes the system by simplifying browser usage and removing unnecessary network traffic.
This script configures the `NewTabPageAllowedBackgroundTypes` Edge policy to value `1` (`DisableImageOfTheDay`) [1] [2].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newtabpageallowedbackgroundtypes "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623173326/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::NewTabPageAllowedBackgroundTypes "Configure the background types allowed for the new tab page layout | admx.help"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: NewTabPageAllowedBackgroundTypes # Edge ≥ 86
dwordData: '1' # DisableImageOfTheDay (1) = Disable daily background image type | DisableCustomImage (2) = Disable custom background image type | DisableAll (3) = Disable all background image types
-
name: Disable Edge Collections feature
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities
This script disables the Collections feature in Microsoft Edge.
By default, if this script is not executed, users can access and use the Collections feature in Microsoft Edge [1].
The Collections feature in Edge compiles and manages web content—articles, images, and videos—for activities like shopping, trip planning, or research [2] [3].
This feature syncs across devices when logged into Microsoft Edge, keeping your collections updated no matter where you access the browser [2].
The Collections feature enables efficient collection, organization, sharing, and exporting of content, with seamless integration into Office [1] [4].
The feature lets users save and categorize web pages, text, images, and videos into groups for specific projects or interests [3].
Additionally, it enhances saved items with thumbnails and metadata, such as price and star ratings [3].
This feature raises several privacy concerns:
- Microsoft analyzes saved web pages to understand item names and primary images [3].
- Data is stored on Microsoft servers once a user signs into Edge [2].
- Microsoft analyzes data from Collections to personalize advertising and user experiences [5].
Authorities like The Defense Information Systems Agency (DISA) [4]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [4].
Running this script prevents access to this feature [1] [6], thereby mitigating associated privacy risks and
adhering to security recommendations.
This script configures the `EdgeCollectionsEnabled` Edge policy [1] [4] [6].
This change only takes effect after restarting the browser [6].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240623183109/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::EdgeCollectionsEnabled "Enable the Collections feature | admx.help"
[2]: https://web.archive.org/web/20240623182734/https://support.microsoft.com/en-us/microsoft-edge/organize-your-ideas-with-collections-in-microsoft-edge-60fd7bba-6cfd-00b9-3787-b197231b507e "Organize your ideas with Collections in Microsoft Edge - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#collections "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240623183057/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235770 "The collections feature must be disabled. | www.stigviewer.com"
[5]: https://web.archive.org/web/20240623170024/https://support.microsoft.com/en-us/microsoft-edge/microsoft-edge-browsing-activity-for-personalized-advertising-and-experiences-37aa831e-6372-238e-f33f-7cd3f0e53679 "Microsoft Edge browsing activity for personalized advertising and experiences - Microsoft Support | support.microsoft.com"
[6]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#edgecollectionsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: EdgeCollectionsEnabled # Edge ≥ 78
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge failed page data collection and suggestions
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities
This script prevents Microsoft Edge from sending data to Microsoft and
suggesting alternatives when URLs fail to load.
By default, Edge contacts a web service to suggest URLs and searches upon
encountering network errors like DNS failures [1] [2] [3].
This feature presents several privacy concerns, including:
- Exposing the websites a user visits [4].
- Redirecting to potentially malicious sites if the service is compromised [4].
Authorities like The Defense Information Systems Agency (DISA) [2]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
Running this script ensures:
- Edge will not request suggestions from the web service but will display
a standard error page instead [1] [2] [3].
- Once applied, users cannot change the setting [1] [2] [3].
This script configures the `AlternateErrorPagesEnabled` Edge policy [1] [2] [3] [4] [5].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#alternateerrorpagesenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240623190006/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235768 "Suggestions of similar web pages in the event of a navigation error must be disabled. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240623185848/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::AlternateErrorPagesEnabled "Suggest similar pages when a webpage can't be found | admx.help"
[4]: https://web.archive.org/web/20240623185753/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12845.html "Alternate Error Pages Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com"
[5]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L4603-L4637 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: AlternateErrorPagesEnabled # Edge ≥ 80
dwordData: '0'
-
name: Disable outdated Edge games menu
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the outdated games menu in older versions of Microsoft Edge.
The games menu in Microsoft Edge offers one-click access to various free-to-play casual and arcade games,
including Microsoft Solitaire, Microsoft Jewel, Microsoft Mahjong, and the Microsoft Edge Surf Game [1].
In modern versions, this menu is integrated into the sidebar [2] [3].
Disabling the games menu leads to a less cluttered browser interface.
Microsoft recommends this script for those favoring a streamlined browser setup without unsolicited suggestions or interruptions [3].
Minimizing unnecessary features enhances security and privacy by reducing data exposure and attack surface.
Moreover, removing these features can improve system performance by reducing resource usage.
This script targets older versions of Edge where games were accessible from the options menu [1].
By default, this menu is enabled and accessible on these versions [2].
It configures the `AllowGamesMenu` Edge policy to prevent access to the games menu [2] [3].
The change takes effect after restarting the browser [2].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240623225633/https://blogs.windows.com/windowsexperience/2022/06/23/welcome-to-the-best-browser-for-gamers/ "Welcome to the best browser for gamers | Windows Experience Blog | blogs.windows.com"
[2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#allowgamesmenu "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240623225719/https://www.microsoft.com/en-us/edge/features/games-menu?ch=1&form=MA13FJ "Games menu | www.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: AllowGamesMenu # Edge ≥ 99
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge in-app support
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Microsoft recommends
This script disables the in-app support feature of Microsoft Edge.
The in-app support allows users to contact Microsoft support directly from the browser [1].
This feature is enabled by default, activating the Microsoft Rewards experience in Edge [1].
It cannot be disabled by users through the standard browser settings [1].
This feature leads to sharing of browser usage data with Microsoft.
Microsoft support agents directly from the browser [1].
Authorities like The Center for Internet Security (CIS) [2]
recommend this script for enhanced security.
Microsoft recommends this script for users who favor a streamlined browser setup without unsolicited suggestions or interruptions [3].
This script configures the `InAppSupportEnabled` Edge policy [1] [2] [3].
The change takes effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#inappsupportenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L4029-L4063 "Audit-Test-Automation/ATAPAuditor/AuditGroups/Microsoft Edge-CIS-2.0.0#RegistrySettings.ps1 at 2ad030524021e94dbd09c7771e6ee4d9794bb4af · fbprogmbh/Audit-Test-Automation | github.com"
[3]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetEdgePolicyViaRegistry
parameters:
valueName: InAppSupportEnabled # Edge ≥ 98
dwordData: '0'
-
function: ShowEdgeRestartSuggestion
-
name: Disable Edge payment data storage and ads
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities
This script disables Microsoft Edge's AutoFill feature for payment data and suppresses payment-related advertisements,
enhancing privacy by preventing the storage and suggestion of unsolicited financial information.
By default, Microsoft Edge allows users to save and autofill payment information, such as credit and debit card details,
for quicker transactions in web forms [1] [2].
This script prevents the browser from storing new payment data [1] [2] and stops suggestions for financial instruments like
'Buy Now, Pay Later' options during checkout [1].
Authorities like The Defense Information Systems Agency (DISA) [2] and The Center for Internet Security (CIS) [3]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
Furthermore, Microsoft recommends the use of this script for a cleaner browser interface free from unsolicited suggestions [4]
and to improve privacy by controlling data connections [5].
This script configures the `AutofillCreditCardEnabled` Edge policy [1] [2] [3] [4] [5].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#autofillcreditcardenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624224149/https://www.stigviewer.com/stig/microsoft_edge/2022-09-09/finding/V-235745 "AutoFill for credit cards must be disabled. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: AutofillCreditCardEnabled # Edge ≥ 77
dwordData: '0'
-
name: Disable Edge address data storage
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities
This script disables the AutoFill feature for addresses in Microsoft Edge, ensuring that address data
is not stored or automatically completed in web forms.
The AutoFill feature, by default, allows users to quickly complete address forms using previously stored information [1] [2].
Running this script results in:
- No new address information being saved [1] [2].
- AutoFill not suggesting or filling in any previously stored address information [1] [2].
- AutoFill remaining inactive for address forms, except in payment and password fields [1].
- Microsoft Edge will not suggest, store, or AutoFill any new address entries [1].
Authorities like The Defense Information Systems Agency (DISA) [2] and The Center for Internet Security (CIS) [3]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
Furthermore, Microsoft supports the use of this script for a cleaner browser interface free from unsolicited suggestions [4]
and to improve privacy by controlling data connections [5].
This script configures the `AutofillAddressEnabled` Edge policy [1] [2] [3] [4] [5].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#autofilladdressenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624224149/https://www.stigviewer.com/stig/microsoft_edge/2022-09-09/finding/V-235745 "Autofill for addresses must be disabled. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240618221222/https://learn.microsoft.com/en-us/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge "Common Education Microsoft Edge configuration | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: AutofillAddressEnabled # Edge ≥ 77
dwordData: '0'
-
name: Disable Edge experimentation and remote configurations
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the Experimentation and Configuration Service in Microsoft Edge, effectively stopping
automatic updates and data exchanges that are typically used for testing new features and optimizing the user
experience.
This service sends payloads to Edge that may contain experimental features and settings recommendations designed
to improve user experience [1].
It may also change the browser's behavior on specific websites, for example, by overriding the User Agent string [1].
By default, the service operates in `FullMode`, downloading both experimental and configuration data [1].
In certain configurations, the service may download only the settings recommendations (`ConfigurationsOnlyMode`) [1].
Disabling this service through this script sets it to `RestrictedMode`, meaning no data will be sent back
to Microsoft [2], and no payloads will be delivered [1].
This setting is recommended by authorities like The Center for Internet Security (CIS) for enhanced security [2]
and by Microsoft to control data connections more securely [3].
This service can potentially compromise privacy because it involves sending data back to Microsoft,
which includes feedback on development features and actions taken on certain domains [2].
It can also deliver a payload that contains a list of actions to take on certain domains [2].
This script configures the `ExperimentationAndConfigurationServiceControl` Edge policy [1].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#experimentationandconfigurationservicecontrol "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#132-microsoft-edge-enterprise
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: ExperimentationAndConfigurationServiceControl # Edge ≥ 77
dwordData: '0' # RestrictedMode (0) = Disable | ConfigurationsOnlyMode (1) = Configurations | FullMode (2) = Configurations + Experiments
-
name: Disable Edge automatic startup
recommend: standard
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the Startup Boost feature in Microsoft Edge.
Startup Boost enables Edge to launch more quickly by allowing certain processes to start at OS sign-in [1].
It keeps running in the background even after all browser windows are closed [1] [2].
While this can decrease the browser's start time [2], it might also pose privacy and security risks.
Disabling this feature prevents Edge from starting automatically with your computer, enhancing privacy
by stopping the background processes that could transmit data without active user interaction.
This also bolsters security by ensuring no residual or malicious scripts continue to operate after the browser is closed [3].
Additionally, it may improve system performance by freeing up resources otherwise used by these background processes.
The Center for Internet Security (CIS) recommends disabling this feature to secure personal data and reduce potential
vulnerabilities [3].
This script configures the `StartupBoostEnabled` Edge policy [1] [4].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#startupboostenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625103236/https://support.microsoft.com/en-us/topic/get-help-with-startup-boost-ebef73ed-5c72-462f-8726-512782c5e442 "Get help with startup boost - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240625103212/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks/syx-1033-12749.html "Startup Boost Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com"
[4]: https://github.com/privacysexy-forks/Audit-Test-Automation/blob/2ad030524021e94dbd09c7771e6ee4d9794bb4af/ATAPAuditor/AuditGroups/Microsoft%20Edge-CIS-2.0.0%23RegistrySettings.ps1#L685-L720
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: StartupBoostEnabled # Edge ≥ 88
dwordData: '0'
-
name: Disable Edge external connectivity checks
recommend: standard # Edge can still rely on native connectivity check APIs
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the automatic use of a web service for resolving navigation errors in Microsoft Edge.
By default, Microsoft Edge contacts a web service to diagnose connectivity issues, especially in public
networks such as those in hotels and airports [1] [2].
This functionality can unintentionally reveal network-related information, potentially including sensitive
personal data [2].
The Center for Internet Security (CIS) recommends deactivating this feature to prevent potential privacy breaches
and security threats from network data leaks [2].
Running this script ensures that Edge relies solely on native APIs to handle network connectivity and navigation errors,
enhancing privacy by not transmitting data to external services [1] [2].
It ensures that all navigational errors are managed locally without external web services, maintaining the resolution
process entirely within the system [1] [2].
This action does not impede Edge's ability to resolve connectivity issues using its native capabilities [1] [2].
This script configures the `ResolveNavigationErrorsUseWebService` Edge policy [1].
Running this script does not require a browser restart for the changes to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#resolvenavigationerrorsusewebservice "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: ResolveNavigationErrorsUseWebService # Edge ≥ 77
dwordData: '0'
-
name: Disable Edge Family Safety settings
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the Family Safety settings in Microsoft Edge.
Microsoft Family Safety collects personal information such as names, email addresses, birth dates, and other
diagnostic data [1].
By default, Edge features a dedicated family settings page and offers a Kids Mode for safer browsing experiences
tailored for children [2].
This script:
- Removes the Family page from the settings menu, which provides information on features associated with Microsoft Family Safety [2].
- Blocks navigation to the `edge://settings/family` URL [2].
- Disables Kids Mode, a child-friendly environment that includes custom themes and restricted browsing, and requires a device password to exit [2].
Disabling these features helps protect privacy by preventing the collection of personal and diagnostic data associated with family settings.
It prevents the unintentional sharing or management of children's browsing data and other sensitive details via Edge's Family Safety protocols.
This script configures the `FamilySafetySettingsEnabled` Edge policy [2].
Running this script does not require a browser restart for the changes to take effect [2].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20231008130529/https://support.microsoft.com/en-us/account-billing/family-safety-data-collection-and-privacy-options-3d01b791-e48a-498f-bfa6-97f0d373cd9c "Family Safety data collection and privacy options - Microsoft Support"
[2]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#familysafetysettingsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: FamilySafetySettingsEnabled # Edge ≥ 83
dwordData: '0'
-
name: Disable Edge site information gathering from Bing
recommend: strict
docs: |- # refactor-with-variables: • Chromium Policy Caution
This script disables the Site Safety Services in Microsoft Edge.
By default, this service displays top site information in the page information dialog [1].
Clicking the lock icon in the address bar causes Edge to retrieve detailed site information from Microsoft Bing [2] [3].
Although intended to enhance security by providing detailed website information [3], this feature also collects data
about your visits, posing privacy risks.
This script stops Edge from displaying this information [1], enhancing your privacy by reducing data transmission to Microsoft.
It prevents Microsoft from automatically querying or storing information about the sites you visit, thereby
maintaining greater control over your personal browsing data.
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#sitesafetyservicesenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625110427/https://www.tenforums.com/browsers-email/148535-latest-microsoft-edge-released-windows-212.html#post2292645 "Latest Microsoft Edge released for Windows - Page 212 - Windows 10 Forums | www.tenforums.com"
[3]: https://web.archive.org/web/20240625111427/https://www.digitalinformationworld.com/2021/09/microsoft-edge-to-soon-have-feature.html "Microsoft Edge to soon have a feature that will allow its users to be able to know more about a site in its information box | www.digitalinformationworld.com"
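One way to verify that the Edge policy values set by this script and the Edge scripts before it are in place, as an added example that is not part of privacy.sexy. It assumes the policies live under `HKLM\SOFTWARE\Policies\Microsoft\Edge`, because this file section does not show which key `SetEdgePolicyViaRegistry` writes to; `Test-EdgePolicy` is a hypothetical helper name.

```powershell
# Added example (not privacy.sexy code): audit the Edge policy values that the
# entries in this section set through SetEdgePolicyViaRegistry.
# Assumption: the values are stored under the machine-wide Edge policy key.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Value names and data copied from the entries in this section (all DWORD 0).
$Expected = [ordered]@{
    AutofillCreditCardEnabled                     = 0
    AutofillAddressEnabled                        = 0
    ExperimentationAndConfigurationServiceControl = 0   # RestrictedMode
    StartupBoostEnabled                           = 0
    ResolveNavigationErrorsUseWebService          = 0
    FamilySafetySettingsEnabled                   = 0
    SiteSafetyServicesEnabled                     = 0
}

function Test-EdgePolicy {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $ExpectedValues
    )

    # $null when the policy key does not exist (no policy has ever been set).
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue

    foreach ($name in $ExpectedValues.Keys) {
        $status = 'Missing'
        $actual = $null
        $kind   = $null

        if ($key -and ($key.GetValueNames() -contains $name)) {
            $actual = $key.GetValue($name)
            $kind   = $key.GetValueKind($name)

            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                # The entries above write DWORD data; any other type is reported separately.
                $status = 'WrongType'
            } elseif ($actual -eq $ExpectedValues[$name]) {
                $status = 'Compliant'
            } else {
                $status = 'Mismatch'
            }
        }

        [pscustomobject]@{
            Policy   = $name
            Expected = $ExpectedValues[$name]
            Actual   = $actual
            Kind     = $kind
            Status   = $status
        }
    }
}

$report = Test-EdgePolicy -KeyPath $EdgePolicyKey -ExpectedValues $Expected
$report | Format-Table -AutoSize

# Non-zero exit code when any policy is missing or differs, for scheduled checks.
if ($report | Where-Object Status -ne 'Compliant') { exit 1 }
```

A `Missing` result means the browser falls back to its default for that policy, which for every value listed here is the enabled state described in the docs.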
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: SiteSafetyServicesEnabled # Edge ≥ 101
dwordData: '0'
-
category: Configure Edge (Legacy)
docs: |-
This category contains scripts for configuring Edge (Legacy).
Edge (Legacy) has been replaced by Edge (Chromium) [1] [2].
It is no longer included on modern Windows versions starting with Windows 10 20H2 [1].
Additionally, it is systematically removed from older Windows versions through updates [2].
[1]: https://web.archive.org/web/20240517225921/https://blogs.windows.com/windowsexperience/2020/06/16/whats-next-for-windows-10-updates/ "What's next for Windows 10 updates | Windows Experience Blog | blogs.windows.com"
[2]: https://web.archive.org/web/20240517223534/https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-microsoft-edge-to-replace-microsoft-edge-legacy-with-april-s/ba-p/2114224 "New Microsoft Edge to replace Microsoft Edge Legacy with April's Windows 10 Update Tuesday release - Microsoft Community Hub | techcommunity.microsoft.com"
children:
-
name: Disable Edge (Legacy) Live Tile data collection
recommend: standard
docs: |- # refactor-with-variables: Same • live tiles • Performance + Privacy • Edge (Legacy) only
This script disables Live Tile data collection in Edge (Legacy).
**Live Tiles**, a feature within UWP apps, automatically collect and display updated information
directly on the Start menu, without opening the app [1].
The Live Tiles feature, once available on Windows 8.1 and 10 [2], has been replaced by the
**Widgets** feature in Windows 11 [3].
By default, pinning a Live Tile to the Start menu allows Microsoft Edge to collect and send metadata to Microsoft [4] [5] [6].
This script prevents Edge from sending this metadata [4] [5] [6].
It also blocks the collection of Live Tile metadata from `ieonline.microsoft.com` when you pin a Live Tile to the Start menu [6].
This limitation may affect the user experience [4] [5] [6].
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
This script configures the `PreventLiveTileDataCollection` policy [4] [5] [6].
This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
[1]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com"
[3]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com"
[4]: https://web.archive.org/web/20240314101034/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/telemetry-management-gp#prevent-microsoft-edge-from-gathering-live-tile-information-when-pinning-a-site-to-start "Microsoft Edge - Telemetry and data collection group policies | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#prevent-microsoft-edge-from-gathering-live-tile-information-when-pinning-a-site-to-start "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240314125209/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection "Browser Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
function: SetLegacyEdgePolicyViaRegistry
parameters:
policySubkey: Main
valueName: PreventLiveTileDataCollection
dwordData: "1"
-
name: Disable Edge (Legacy) search suggestions
recommend: standard
docs: |- # refactor-with-variables: Same • Performance + Privacy • Edge (Legacy) only
This script disables the search suggestions feature in the Address bar of Edge (Legacy).
By default, typing in the Address bar of Edge (Legacy) displays search suggestions [1] [2] [3],
potentially compromising privacy by sending typed data to Microsoft.
This script prevents such data sharing by disabling the search suggestions feature [1] [2] [3].
As a result, users will no longer receive search suggestions when typing in the Address bar,
thereby enhancing privacy [1] [2] [3] [4].
Disabling this feature reduces potential privacy risks by preventing data sharing.
Microsoft recommends this action to reduce its data collection and protect your privacy [4].
This may also improve system performance by reducing processing workload.
This script configures the `ShowSearchSuggestionsGlobal` policy [1] [2] [3] [4].
This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
[1]: https://web.archive.org/web/20240314100851/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/address-bar-settings-gp#configure-search-suggestions-in-address-bar "Microsoft Edge - Address bar group policies | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624135139/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar "Configure search suggestions in Address bar | admx.help"
[3]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/configure-search-suggestions-in-address-bar "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#131-microsoft-edge-group-policies "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
call:
function: SetLegacyEdgePolicyViaRegistry
parameters:
policySubkey: SearchScopes
valueName: ShowSearchSuggestionsGlobal
dwordData: "0"
-
name: Disable Edge (Legacy) Books telemetry
recommend: standard
docs: |- # refactor-with-variables: • Edge (Legacy) only
This script prevents Microsoft Edge (Legacy) from sending additional telemetry data from the Books tab.
By default, Edge collects basic telemetry data based on your device settings [1].
This script ensures that only this basic telemetry is collected, and no extra data is transmitted when accessing
the Books feature.
This script configures the `EnableExtendedBooksTelemetry` Edge policy [1].
This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
[1]: https://web.archive.org/web/20240314125209/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#enableextendedbookstelemetry "Browser Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
function: SetLegacyEdgePolicyViaRegistry
parameters:
policySubkey: BooksLibrary
valueName: EnableExtendedBooksTelemetry
dwordData: "0"
-
category: Configure Internet Explorer
children:
-
name: Disable Internet Explorer geolocation
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation
valueName: PolicyDisableGeolocation
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Internet Explorer InPrivate logging
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE
valueName: DisableLogging
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Internet Explorer Customer Experience Improvement Program (CEIP) participation
recommend: standard
docs: |-
This script disables the Customer Experience Improvement Program (CEIP) in Internet Explorer [1].
The CEIP allows users to send information about their use of the software to Microsoft [2]. However, the CEIP does not
collect users' personal details like names or addresses, only the IP address used to send the data [2].
By applying this script:
- Users will no longer be able to participate in the CEIP [1].
- The option "Customer Feedback Options" will be removed from the "Help" menu [1].
This script achieves its purpose by modifying a policy setting under the
`HKLM\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram` key [1] [2] [3]. Notably,
this specific setting doesn't exist by default [2]. If left unconfigured (i.e., the setting doesn't exist), users have
the option to join the CEIP [1] [2].
Disabling CEIP participation enhances privacy by preventing the sending of usage information and personally identifiable
information such as the IP address.
For added credibility, the US Department of Defense (DoD) also recommends this configuration to improve
security [2] [3].
[1]: https://web.archive.org/web/20230922123717/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#disablecustomerexperienceimprovementprogramparticipation "InternetExplorer Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20230922123807/https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492 "Prevent participation in the Customer Experience Improvement Program is not disabled. | stigviewer.com"
[3]: https://web.archive.org/web/20230922123654/https://csrc.nist.gov/CSRC/media/Projects/National-Checklist-Program/documents/DoD-IE8-Security-Settings_Jan10.xlsx "USAF v3 Master Settings Spreadsheet | nist.gov"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM
valueName: DisableCustomerImprovementProgram
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
name: Disable legacy WCM policy calls
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
valueName: CallLegacyWCMPolicies
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 21H1) and Windows 11 Pro (≥ 22H2)
-
name: Disable SSLv3 fallback
recommend: standard
docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
valueName: EnableSSL3Fallback
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable certificate error ignoring
recommend: standard
docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
valueName: PreventIgnoreCertErrors
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Configure Chrome
docs: |- # Similar to "Configure Edge"
This category contains scripts that adjust Google Chrome settings to enhance privacy, security, and
potentially improve system performance.
Google Chrome collects a variety of data:
- **Browsing Data**: URLs, cached content, and IP addresses from visited pages [1].
- **Personal Information and Passwords**: Data used to autofill forms and sign into sites [1].
- **Cookies and Site Data**: Information from websites you visit [1].
- **Download Records**: Details of your internet downloads [1].
- **Usage Statistics and Crash Reports**: Includes performance stats and crash data [1].
- **Media Licenses and Identifiers**: Locally stored session identifiers and media licenses [1].
- **Location Data**: Estimated location based on Wi-Fi and cell signal data [1].
- **Information for Web Services**: Data sent to Google during the use of web services [1].
- **Search and Navigation Data**: Data typed into the omnibox for search predictions [1].
- **Autofill and Payment Information**: Information about web forms, passwords, and payment methods stored for autofill [1].
- **Sync Data**: Browsing history and other browser settings synced across devices [1].
- **Incognito and Guest Mode Data**: Data not saved when using these browser modes [1].
This data collection raises privacy concerns because it can be used for personal identification,
targeted advertising, and product improvement [1].
Additionally, Google Chrome may share aggregated, non-personally identifiable information with third parties
like publishers and advertisers [1].
These scripts enable you to configure Google Chrome to limit these data collection practices,
enhancing your online privacy, security, and system performance.
[1]: https://web.archive.org/web/20230402091425/https://www.google.com/chrome/privacy/ "Chrome Browser Privacy Policy - Google Chrome | www.google.com"
children:
-
name: Disable outdated Chrome Software Reporter Tool
recommend: standard # Outdated component, removal improves security and privacy
docs: |- # refactor-with-variables: • Performance + Privacy
This script blocks the execution of the Chrome Software Reporter Tool, enhancing your privacy by preventing
unnecessary data transmissions to Google, and boosting system performance through reduced resource consumption.
This tool is also known as the *Software Reporter Tool* [1] [2] [3], *Software Reporter Tool for Chrome Cleanup* [4],
*Chrome Cleanup Tool* [2] [3] and *Software Removal Tool* [2].
It exists in Google Chrome [1] versions prior to v111 [3].
Newer versions of Google Chrome do not include this tool [3].
This tool scans for harmful software that may disrupt Chrome's operations [1] [3] [5] [6].
It automatically removes software that degrades your browsing experience [1] [3] [5] [6].
It can connect to the Internet, monitor applications, record keyboard and mouse inputs, and manipulate other programs [2].
It reports findings to Google [1] [3] [4], which raises privacy concerns due to potential data collection and online reporting.
The Software Reporter Tool may also significantly consume CPU and memory resources [1] [3] [4] [5], potentially leading to performance issues.
By disabling it, you reduce CPU and memory usage, potentially speeding up your computer.
It is located in the `%LOCALAPPDATA%\Google\Chrome\User Data\SwReporter` directory [1] [2] [3] [5].
Its executable name is `software_reporter_tool.exe` [1] [2] [3] [4] [5] [6].
This file reappears with each update of Chrome [3].
Instead of deleting or moving the file, the script blocks its execution to ensure it remains disabled after Chrome updates.
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
Disabling this tool protects your privacy and security by:
- Preventing scan results from being sent to Google [1] [3] [4].
- Blocking malware that disguises itself as `software_reporter_tool.exe` [2].
- Reducing your attack surface, as this outdated component [3] may contain known vulnerabilities.
> **Caution**: Disabling this component may limit Chrome's ability to automatically detect and remove problematic software.
[1]: https://web.archive.org/web/20240528101432/https://www.softwaretestinghelp.com/software-reporter-tool/ "Software Reporter Tool: How To Disable Chrome Cleanup Tool | www.softwaretestinghelp.com"
[2]: https://web.archive.org/web/20240528101420/https://www.file.net/process/software_reporter_tool.exe.html "software_reporter_tool.exe Windows process - What is it? | www.file.net"
[3]: https://web.archive.org/web/20240528101406/https://www.thewindowsclub.com/disable-google-chrome-software-reporter-tool "How to disable Google Chrome Software Reporter Tool | www.thewindowsclub.com"
[4]: https://web.archive.org/web/20240528101617/https://support.google.com/chrome/a/thread/99323901/the-software-reporter-tool-exe-is-malware-admins-need-control-back-over-this-unwanted-software?hl=en "The software_reporter_tool.exe is malware - admins need control back over this unwanted software. - Chrome Enterprise & Education Community | support.google.com"
[5]: https://web.archive.org/web/20240528101401/https://appuals.com/how-to-fix-software-reporter-tool-high-cpu-usage/ "How to Fix Software Reporter Tool High CPU usage | appuals.com"
[6]: https://archive.ph/2018.05.24-082444/https://productforums.google.com/forum/%23!topic/chrome/bFhfVkR-ENo "Clarification from a Google community specialist | What is software_reporter_tool in this version of Chrome? Software Reporter Tool - Google Product Forums | productforums.google.com"
call:
function: TerminateAndBlockExecution
parameters:
executableNameWithExtension: software_reporter_tool.exe
-
category: Configure Chrome cleanup
children:
-
name: Disable sharing scanned software data with Google
recommend: standard # DISA recommends
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Performance + Privacy • Active Directory only
This script stops the Chrome Cleanup Tool from sending scan data to Google, enhancing privacy.
By default, when the Chrome Cleanup Tool detects unwanted software, it reports metadata about the scan and the software to Google [1] [2].
The reported data includes file metadata, automatically installed extensions, and registry keys [1] [2].
Users can choose to share cleanup results with Google to enhance future software detection [1] [2].
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
Authorities like The Defense Information Systems Agency (DISA) [2]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1] [2].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `ChromeCleanupReportingEnabled` policy [1] [2].
Changing this policy does not require restarting the browser to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled "Policy List - The Chromium Projects | www.chromium.org"
[2]: https://web.archive.org/web/20240624111317/https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593 "Chrome Cleanup reporting must be disabled. | www.stigviewer.com"
call:
function: SetChromePolicyViaRegistry
parameters:
valueName: ChromeCleanupReportingEnabled # Chrome ≥ 68
dwordData: "0"
-
name: Disable Chrome system cleanup scans
recommend: standard # DISA recommends
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Performance + Privacy • Active Directory only
This script disables Chrome system cleanup scans to enhance user privacy and improve system performance.
By default, Chrome Cleanup Tool periodically scans the system for unwanted software and prompts the user for removal [1] [2].
This feature can also be manually triggered from the `chrome://settings/cleanup` page [1] [2].
Running this script stops the Chrome Cleanup Tool from performing system scans and cleanups [1] [2],
which protects your system's information from being analyzed and shared.
It also disables the manual trigger of this feature from the settings page [1] [2].
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
Authorities like the Defense Information Systems Agency (DISA) [2]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1] [2].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `ChromeCleanupEnabled` policy [1] [2].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled "Policy List - The Chromium Projects | www.chromium.org"
[2]: https://web.archive.org/web/20240624112722/https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591 "Chrome Cleanup must be disabled. | www.stigviewer.com"
call:
-
function: SetChromePolicyViaRegistry
parameters:
valueName: ChromeCleanupEnabled # Chrome ≥ 68
dwordData: "0"
-
function: ShowChromeRestartSuggestion
-
name: Disable Chrome metrics reporting
recommend: standard # DISA recommends
docs: |- # refactor-with-variables: • Chromium Policy Caution • Authorities • Performance + Privacy • Active Directory only
This script disables Chrome's metrics reporting, enhancing user privacy and system performance.
By default, Chrome may send anonymous usage and crash-related data to Google [1] [2].
If no user preference is set, Chrome follows the initial choice made during installation or first run [1] [2].
This script ensures that anonymous reporting of usage and crash-related data is stopped, preventing this data from
being sent to Google [1] [2].
Additionally, it locks this setting, making it immutable by users [1] [2].
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
Authorities like the Defense Information Systems Agency (DISA) [2]
recommend this script for enhanced security.
DISA categorizes the absence of this setting as a medium severity security vulnerability [2].
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1] [2].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `MetricsReportingEnabled` policy [1] [2].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
[1]: https://web.archive.org/web/20200606120247/https://www.chromium.org/administrators/policy-list-3#MetricsReportingEnabled "Policy List - The Chromium Projects | www.chromium.org"
[2]: https://web.archive.org/web/20240624113958/https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780 "Metrics reporting to Google must be disabled | www.stigviewer.com"
call:
-
function: SetChromePolicyViaRegistry
parameters:
valueName: MetricsReportingEnabled # Chrome ≥ 8
dwordData: "0"
-
function: ShowChromeRestartSuggestion
-
category: Configure Firefox
docs: |-
This category provides scripts for enhancing Firefox privacy by limiting data shared with Mozilla.
children:
-
name: Disable Firefox default browser and system data reporting
recommend: standard
docs: |-
This script disables the Firefox *Default Browser Agent*.
The agent collects and sends information about the user's default browser to Mozilla [1].
Disabling it halts the transmission of details such as the currently set default browser, the previous one,
and the operating system's locale and version number [2] [3].
This enhances privacy by preventing browser preferences and usage data from being shared with Mozilla.
The script configures the `HKLM\SOFTWARE\Policies\Mozilla\Firefox!DisableDefaultBrowserAgent` registry value to
prevent the Default Browser Agent from taking any actions [4].
[1]: https://web.archive.org/web/20231201223153/https://firefox-source-docs.mozilla.org/toolkit/mozapps/defaultagent/default-browser-agent/index.html "Default Browser Agent — Firefox Source Docs documentation | firefox-source-docs.mozilla.org"
[2]: https://web.archive.org/web/20240313164703/https://blog.mozilla.org/data/2020/03/16/understanding-default-browser-trends/ "Understanding default browser trends Data@Mozilla | blog.mozilla.org"
[3]: https://web.archive.org/web/20240313164715/https://github.com/mozilla-services/mozilla-pipeline-schemas/pull/495/files#diff-48f14d6bdea5bf803f8b8cff5f018172 "Bug 1602463 - Add a schema for the new default-browser ping · Pull Request #495 · mozilla-services/mozilla-pipeline-schemas · GitHub | github.com/mozilla-services"
[4]: https://web.archive.org/web/20240529061535/https://github.com/privacysexy-forks/policy-templates#disabledefaultbrowseragent "GitHub - privacysexy-forks/policy-templates: Policy Templates for Firefox | github.com/privacysexy-forks"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Mozilla\Firefox
valueName: DisableDefaultBrowserAgent
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2), last tested on Firefox v126
-
name: Disable Firefox background browser checks
recommend: standard
docs: |-
This script stops Firefox from automatically checking its default browser status and reporting to Mozilla every 24 hours [1] [2] by
disabling specific scheduled tasks that initiate Firefox's *Default Browser Agent*.
It protects your privacy by preventing regular data sharing.
### Overview of default task statuses
`\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB` (tested on version 118):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
`\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD` (tested on version 118):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231201223153/https://firefox-source-docs.mozilla.org/toolkit/mozapps/defaultagent/default-browser-agent/index.html "Default Browser Agent — Firefox Source Docs documentation | firefox-source-docs.mozilla.org"
[2]: https://web.archive.org/web/20240313164703/https://blog.mozilla.org/data/2020/03/16/understanding-default-browser-trends/ "Understanding default browser trends Data@Mozilla | blog.mozilla.org"
call:
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Mozilla\' -TaskName 'Firefox Default Browser Agent 308046B0AF4A39CB'
taskPathPattern: \Mozilla\
taskNamePattern: Firefox Default Browser Agent 308046B0AF4A39CB
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Mozilla\' -TaskName 'Firefox Default Browser Agent D2CEEC440E2074BD'
taskPathPattern: \Mozilla\
taskNamePattern: Firefox Default Browser Agent D2CEEC440E2074BD
-
name: Disable Firefox telemetry data collection
recommend: standard
docs: |-
This script disables Firefox's telemetry to prevent the collection and transmission of browser
performance and usage data to Mozilla [1].
Disabling telemetry prevents both the storage and transmission of this data [1], ensuring users'
browsing habits remain private.
Telemetry is disabled by configuring the `HKLM\SOFTWARE\Policies\Mozilla\Firefox!DisableTelemetry` registry value [1].
[1]: https://web.archive.org/web/20240529061535/https://github.com/privacysexy-forks/policy-templates#disabletelemetry "privacysexy-forks/policy-templates: Policy Templates for Firefox | github.com/privacysexy-forks"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Mozilla\Firefox
valueName: DisableTelemetry
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2), last tested on Firefox v126
-
category: Disable Google background automatic updates
docs: |-
This category includes scripts to manage the automatic updates of various Google products in the background.
These products include Google Chrome, Google Earth, along with other applications [1].
This category aims to give users control over the automatic update processes running in the background,
without disabling manual updates or affecting the overall functionality of Google products [1].
Google Chrome checks for, downloads, and installs updates in the background without requiring user interaction [2].
This involves constant background network communication with Google servers, which reveals data about your device
and usage behavior.
By using the scripts provided, users can stop automatic update services and scheduled tasks related to Google software updates.
This empowers users to initiate updates at their discretion, ensuring they have the final say in what gets installed on their systems.
[1]: https://web.archive.org/web/20231026233855/https://github.com/google/omaha "google/omaha: Google Update for Windows | github.com/google"
[2]: https://web.archive.org/web/20110218173854/http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414 "Update Google Chrome : Install or update Google Chrome - Google Chrome Help | google.com/support"
children:
# 💡 Valuable resources of information for this category:
# - https://bugs.chromium.org: Chromium project's bug tracker
# - https://github.com/google/omaha: The open-source version of Google Update
-
name: Disable "Google Update Service" services
recommend: standard # Safe-to-disable as they're stopped by default
docs: |-
This script disables the "Google Update Service" services.
These services are identified as `gupdate` and `gupdatem` [1] [2] [3].
They are responsible for keeping Google software up to date by initiating updates [4].
They are linked to the `GoogleUpdate.exe` executable located in the `%PROGRAMFILES%\Google\Update` directory [5] [6] [7].
The services operate based on a client/service model, where the client requests services to conduct updates [1].
Despite both services being named "Google Update Service" [3] [8] [9], they are associated with different aspects of updating.
The `gupdate` service is linked to regular update checks [2] [5] [7], while `gupdatem` is connected to medium level service updates [2] [5] [6].
According to Google's documentation, these services play a crucial role in maintaining the software's security and functionality [3].
These services will uninstall themselves if no Google software is utilizing them [3].
However, there are privacy and security concerns associated with these services. They continuously run in the background, sending data back to Google [10] [11],
and they write entries to the Event Log [12] [13] [14] [15] [16], which reveal information about the system's state. There have also been vulnerabilities found in these services
in the past, adding a further layer of risk [17].
Disabling these services does not affect manual updates, as these services are started automatically for manual updates [4].
Often administrators choose to delete these services to prevent auto-updates [9], a practice that is acknowledged by the Google team [9].
By disabling these services, this script aims to give users more control over their system and mitigate potential privacy and security risks, albeit at the cost
of not receiving automatic software updates from Google.
### Overview of default service statuses
Google Update Service (`gupdate`) (tested on version Chrome 123.0.6312.106):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Automatic |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic |
Google Update Service (`gupdatem`) (tested on version Chrome 123.0.6312.106):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
[1]: https://archive.ph/2023.10.26-231300/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/goopdate/omaha3_idl.idl%23L178-L186 "omaha/omaha/goopdate/omaha3_idl.idl at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google"
[2]: https://archive.ph/2023.10.26-231313/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/common/omaha_customization_unittest.cc%23L290-L299 "omaha/omaha/common/omaha_customization_unittest.cc at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google"
[3]: https://archive.ph/2023.10.26-224813/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd%23L166-L177 "omaha/omaha/internal/grit/goopdateres.grd at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha · GitHub | github.com/google"
[4]: https://archive.ph/2023.10.26-231136/https://bugs.chromium.org/p/chromium/issues/detail?id=137915%23c138 "Comment 138 | 137915 - Update failed (error:3) | bugs.chromium.org"
[5]: https://archive.ph/2023.10.26-231114/https://bugs.chromium.org/p/chromium/issues/detail?id=114356 "114356 - Loading issue... | bugs.chromium.org"
[6]: https://web.archive.org/web/20231026231058/http://windows.fyicenter.com/4677_Google_Update_Service_gupdatem_-GoogleUpdate_exe_Service_on_Windows_7.html '"Google Update Service (gupdatem) - GoogleUpdate.exe" Service on Windows 7 | windows.fyicenter.com'
[7]: https://web.archive.org/web/20231026231059/http://windows.fyicenter.com/4676_Google_Update_Service_gupdate_-GoogleUpdate_exe_Service_on_Windows_7.html '"Google Update Service (gupdate) - GoogleUpdate.exe" Service on Windows 7 | windows.fyicenter.com'
[8]: https://archive.ph/2023.10.26-231235/https://bugs.chromium.org/p/chromium/issues/detail?id=948427%23c9 "Comment 9 | 948427 - Update disabled not working in Chrome 73.0.3683.86 | bugs.chromium.org"
[9]: https://archive.ph/2023.10.26-231246/https://bugs.chromium.org/p/chromium/issues/detail?id=1096494 "1096494 - google update service should never be deleted | bugs.chromium.org"
[10]: https://web.archive.org/web/20231026231341/https://support.google.com/chrome/thread/207230079/high-ghost-data-usage-by-chrome-on-pc-past-midnight?hl=en "High ghost data usage by Chrome on PC past midnight - Google Chrome Community | support.google.com"
[11]: https://web.archive.org/web/20231026231335/https://support.google.com/chrome/thread/113993958/why-gupdate-uses-all-my-bandwidth-stopping-my-surfing-completely?hl=en 'Why "gupdate" uses all my bandwidth, stopping my surfing completely? - Google Chrome Community | support.google.com'
[12]: https://archive.ph/2023.10.26-231121/https://bugs.chromium.org/p/chromium/issues/detail?id=237227 "237227 - Update service spam to Event Log | bugs.chromium.org"
[13]: https://archive.ph/2023.10.26-231148/https://bugs.chromium.org/p/chromium/issues/detail?id=71377%23c5 'Comment 5 | 71377 - Random but frequent crashes after downloads, "CSRBthFtpShellExt.dll_unloaded" | bugs.chromium.org'
[14]: https://archive.ph/2023.10.26-231155/https://bugs.chromium.org/p/chromium/issues/detail?id=100548%23c2 "Comment 2 | 100548 - Please remove Googe Update from the Google Chrome Enterprise installation | bugs.chromium.org"
[15]: https://archive.ph/2023.10.26-231214/https://bugs.chromium.org/p/chromium/issues/detail?id=309362%23c12 'Comment 12 | 309362 - "Nearly up-to-date! Relaunch Google Chrome to finish updating." message is not going away | bugs.chromium.org'
[16]: https://archive.ph/2023.10.26-231222/https://bugs.chromium.org/p/chromium/issues/detail?id=338776%23c3 "Comment 3 | 338776 - CRITICAL REGRESSION: unable to update to new version - relaunch after update does not finish updating - chromium | bugs.chromium.org"
[17]: https://archive.ph/2023.10.26-231205/https://bugs.chromium.org/p/chromium/issues/detail?id=167737 "167737 - Security: Unquoted search path vulnerability in GoogleUpdate.exe | bugs.chromium.org"
call:
-
function: DisableService
parameters:
serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Google automatic updates scheduled tasks (breaks Google Credential Provider)
recommend: strict
docs: |-
This script disables the scheduled tasks used by Google to automatically update its software on Windows.
The Google Update service creates two main tasks [1]:
- `GoogleUpdateTaskMachineCore`: Initiates automatic updates [2].
- `GoogleUpdateTaskMachineUA`: Corresponds to "Updates app" [3].
In newer versions of the Google Update service, these task names have random suffixes appended to them [4].
Both of these tasks call the executable file `C:\Program Files (x86)\Google\Update\GoogleUpdate.exe` [5] [6].
This process is officially named "Google Installer" [7] or "Constant Shell" [8].
It is responsible for handling updates [9] [10].
Disabling these tasks can impact the functionality of the "Google Credential Provider for Windows" (GCPW) service [11] [12].
GCPW is a tool used to manage devices with Google endpoint management [13].
This tool is typically used to offer access to Google Workspace services on managed computers [13].
It allows users to sign in to a Windows 10 or 11 device using their Google Account for work or school [14].
These tasks are described by Google as follows [15]:
> Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security
> vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
### Overview of default task statuses
`\GoogleUpdateTaskMachineCore{RandomString}` [4] (tested since Chrome version 118):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Running |
| Windows 11 22H2 | 🟢 Running |
`\GoogleUpdateTaskMachineUA{RandomString}` [4] (tested since Chrome version 118):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
`\GoogleUpdateTaskMachineCore` [16] (used by older versions of Chrome):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
`\GoogleUpdateTaskMachineUA` [16] (used by older versions of Chrome):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
[1]: https://archive.ph/2023.10.25-184810/https://bugs.chromium.org/p/chromium/issues/detail?id=114356%23c2 "Comment 2 | 114356 - Google Update Services (gupdate & gupdatem) | bugs.chromium.org"
[2]: https://archive.ph/2023.10.25-184936/https://bugs.chromium.org/p/chromium/issues/detail?id=440549%23c51 "Comment 51 | 440549 - Google Chrome Auto-Update Not working consistently / Google Update GPO policy not honored. | bugs.chromium.org"
[3]: https://archive.ph/2023.10.25-185011/https://bugs.chromium.org/p/chromium/issues/detail?id=440549%23c52 "Comment 52 | 440549 - Google Chrome Auto-Update Not working consistently / Google Update GPO policy not honored. | bugs.chromium.org"
[4]: https://archive.ph/2023.10.25-184839/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/common/scheduled_task_utils_internal.h "omaha/omaha/common/scheduled_task_utils_internal.h at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google"
[5]: https://archive.ph/2023.10.25-185032/https://bugs.chromium.org/p/chromium/issues/detail?id=137915%23c55 "Comment 55 | 137915 - Update failed (error:3) | bugs.chromium.org"
[6]: https://archive.ph/2023.10.25-185051/https://bugs.chromium.org/p/chromium/issues/detail?id=1394589%23c12 "Comment 12 | 1394589 - chrome 108 prematurely stopped checking for updates under Windows 7 - chromium"
[7]: https://web.archive.org/web/20231025184531/https://strontic.github.io/xcyclopedia/library/GoogleUpdate.exe-6BF197B8C7DE4B004C5D6FA415FC7867.html "GoogleUpdate.exe | Google Installer | STRONTIC | strontic.github.io"
[8]: https://archive.ph/2023.10.25-185455/https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/doc/Omaha3Walkthrough.md?plain=1%23L11 "omaha/doc/Omaha3Walkthrough.md at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google"
[9]: https://web.archive.org/web/20231025184546/https://www.shouldiblockit.com/googleupdate.exe-8f0de4fef8201e306f9938b0905ac96a.aspx "GoogleUpdate.exe - Should I Block It? (MD5 8f0de4fef8201e306f9938b0905ac96a) | shouldiblockit.com"
[10]: https://web.archive.org/web/20231025185202/https://raw.githubusercontent.com/google/omaha/8fa5322c5c35d0cede28f4c32454cb0285490b6d/doc/GoogleUpdateOnAScheduleOverview.html "omaha/doc/GoogleUpdateOnAScheduleOverview.html at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha | github.com/google"
[11]: https://web.archive.org/web/20231025184142/https://support.google.com/a/answer/9572621?hl=en#zippy=%2Cyour-administrator-doesnt-allow-you-to-sign-in-with-this-account-try-a-different-account "Troubleshoot GCPW - Google Workspace Admin Help | support.google.com"
[12]: https://web.archive.org/web/20231025184249/https://cloud.google.com/knowledge/kb/error-message-received-when-trying-to-login-000003983 "Error message received when trying to login | Google Cloud | cloud.google.com"
[13]: https://web.archive.org/web/20231025184232/https://support.google.com/a/topic/24642?hl=en "Manage devices for your organization - Google Workspace Admin Help | support.google.com"
[14]: https://web.archive.org/web/20231025184204/https://support.google.com/a/answer/9250996?hl=en "Install Google Credential Provider for Windows - Google Workspace Admin Help | support.google.com"
[15]: https://github.com/google/omaha/blob/8fa5322c5c35d0cede28f4c32454cb0285490b6d/omaha/internal/grit/goopdateres.grd#L166-L177 "omaha/omaha/internal/grit/goopdateres.grd at 8fa5322c5c35d0cede28f4c32454cb0285490b6d · google/omaha · GitHub | github.com/google"
[16]: https://archive.ph/2023.10.25-185536/https://bugs.chromium.org/p/chromium/issues/detail?id=1274960 "1274960 - GoogleUpdateSetup.exe don't check ACL of Schedule task files GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA - chromium | bugs.chromium.org"
call:
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineCore'
taskPathPattern: \
taskNamePattern: GoogleUpdateTaskMachineCore
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineUA'
taskPathPattern: \
taskNamePattern: GoogleUpdateTaskMachineUA
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineCore{*}'
taskPathPattern: \
taskNamePattern: GoogleUpdateTaskMachineCore{*}
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'GoogleUpdateTaskMachineUA{*}'
taskPathPattern: \
taskNamePattern: GoogleUpdateTaskMachineUA{*}
-
category: Disable Adobe background automatic updates
docs: |-
This category includes scripts designed to disable Adobe's background automatic update services and tasks.
These automatic updates run in the background [1], typically starting up with your PC, and work to keep your Adobe software up to date [1].
By disabling them, you optimize your system's performance, reduce unwanted data collection, and minimize your vulnerability surface.
These scripts only disable automatic updates; manual updates are still possible.
[1]: https://web.archive.org/web/20230624030406/https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html "Why do I need the Adobe background processes? | helpx.adobe.com"
children:
-
name: Disable "Adobe Acrobat Update Service" service
recommend: standard
docs: |-
This script disables the `AdobeARMservice` service.
This service is officially named "Adobe Acrobat Update Service" [1].
It starts automatically when your PC boots, runs in the background, and installs updates if found [1] [2].
Its primary function is to keep your Adobe software up to date [1].
Disabling this service can help optimize your system's performance and reduce unwanted data collection.
### Overview of default service statuses
`AdobeARMservice` (tested on Adobe Acrobat version 23.006):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
| Windows 11 (≥ 22H2) | 🟢 Running | Automatic |
[1]: https://web.archive.org/web/20231027145411/https://www.shouldiblockit.com/armsvc.exe-2873.aspx "armsvc.exe - Should I Block It? (Adobe Acrobat Update Service) | shouldiblockit.com"
[2]: https://web.archive.org/web/20231027145343/https://www.file.net/process/armsvc.exe.html "armsvc.exe Windows process - What is it? | file.net"
call:
function: DisableService
parameters:
serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable "Adobe Update Service" service
recommend: standard
docs: |-
This script disables the `adobeupdateservice` service.
This service is responsible for updating Creative Cloud desktop apps [1] [2].
It runs continuously in the background [3].
It manages the privileges required for various actions, such as installing app updates and syncing fonts [3].
This allows Adobe to perform its actions without prompting you for your system password or approval [3].
This service has had vulnerabilities in the past, including an unquoted service path privilege escalation
vulnerability [4], making it a potential security risk.
The service's executable is typically found at
`C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe` [1] [2].
### Overview of default service statuses
`adobeupdateservice` (tested on Adobe Acrobat version 23.006):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🟡 Missing | N/A |
| Windows 11 (≥ 22H2) | 🟡 Missing | N/A |
[1]: https://web.archive.org/web/20231027145409/https://helpx.adobe.com/creative-cloud/kb/all-apps-displayed-aam.html "Not all apps displayed for download | Creative Cloud desktop app"
[2]: https://web.archive.org/web/20231027145700/https://helpx.adobe.com/se/xd/kb/adobe-xd-not-compatible-on-windows-machine.html "Adobe XD appears as not compatible on Creative Cloud desktop app | helpx.adobe.com"
[3]: https://web.archive.org/web/20230624030406/https://helpx.adobe.com/x-productkb/global/adobe-background-processes.html "Why do I need the Adobe background processes? | helpx.adobe.com"
[4]: https://web.archive.org/web/20231027145430/https://www.exploit-db.com/exploits/39954 "AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation - Windows local Exploit | exploit-db.com"
call:
function: DisableService
parameters:
serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
ignoreMissingOnRevert: 'true'
-
name: Disable "Adobe Acrobat Update Task" scheduled task
recommend: standard
docs: |-
This script disables the "Adobe Acrobat Update Task" scheduled task.
It is responsible for keeping your Adobe Reader and Acrobat applications up to date with the latest enhancements and security fixes [1].
By disabling it, you reduce the system's exposure to potential vulnerabilities, though at the cost of not receiving automatic updates
in the background.
### Overview of default task statuses
`\Adobe Acrobat Update Task` [1] (tested on Adobe Acrobat version 23.006):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231027145509/http://windows.fyicenter.com/4324_Adobe_Acrobat_Update_Task_Scheduled_Task_on_Windows_7.html '"Adobe Acrobat Update Task" Scheduled Task on Windows 7 | windows.fyicenter.com'
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'Adobe Acrobat Update Task'
taskPathPattern: \
taskNamePattern: Adobe Acrobat Update Task
-
name: Disable "Razer Game Scanner Service"
recommend: standard
docs: |-
This script disables the `Razer Game Scanner Service`.
The service is part of the **Razer Synapse** software suite [1] [2].
It runs the `GameScannerService.exe` process [3] [4].
This process scans your computer for installed games to optimize Razer device settings
and saves all settings to the cloud [2].
Disabling this service enhances privacy by preventing data transmission to Razer servers.
It also improves system performance by reducing heavy resource usage [1] [2] [3].
Recent versions of the Razer Synapse software no longer include this service (last tested on version 3.9.311).
### Overview of default service statuses
`Razer Game Scanner Service` (tested with Razer Synapse 3.9.311 and Razer Cortex 10.12.6.0):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 21H1) | 🟡 Missing | N/A |
| Windows 11 (≥ 22H2) | 🟡 Missing | N/A |
[1]: https://web.archive.org/web/20240719204604/https://blog.ultimateoutsider.com/2016/02/razers-terrible-game-scanner-service.html "Ultimate Outsider: Razer's Terrible Game Scanner Service | blog.ultimateoutsider.com"
[2]: https://web.archive.org/web/20240719205425/https://www.file.net/process/gamescannerservice.exe.html "GameScannerService.exe Windows process - What is it? | file.net"
[3]: https://web.archive.org/web/20240719205207/https://bugzilla.mozilla.org/show_bug.cgi?id=1326362 "1326362 - Detect and alert for Razer Game Scanner service | bugzilla.mozilla.org"
[4]: https://web.archive.org/web/20240719205527/https://www.shouldiblockit.com/gamescannerservice.exe-3c242c31d44c9ce758ce1f5c1e614c24.aspx "GameScannerService.exe - Should I Block It? (MD5 3c242c31d44c9ce758ce1f5c1e614c24)"
call:
function: DisableService
parameters:
serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
ignoreMissingOnRevert: 'true'
-
name: Disable "Logitech Gaming Registry Service"
recommend: standard
docs: |-
### Overview of default service statuses
`LogiRegistryService` (tested on Logitech Gaming Software version 04.49):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
| Windows 11 (≥ 22H2) | 🟢 Running | Automatic |
call:
function: DisableService
parameters:
serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
category: Disable Dropbox background automatic updates
docs: |-
This category focuses on disabling continuous background processes related to automatic updates of Dropbox. Although these processes are
intended to keep Dropbox up to date, they can be intrusive and use system resources unnecessarily. Disabling them does not prevent updates,
but stops the automatic background processes that are running constantly, contributing to both privacy and system optimization. Users have
to manually update Dropbox to ensure they have the latest version and security features.
children:
-
name: Disable "Dropbox Update Service" services
recommend: standard
docs: |-
Dropbox operates using two Windows services, `dbupdate` and `dbupdatem`, to manage automatic updates [1].
Disabling these services can help enhance privacy and optimize system performance.
### Overview of default service statuses
`dbupdate` (Dropbox Update Service, tested on Dropbox version 184.4):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Automatic |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic |
`dbupdatem` (Dropbox Update Service, tested on Dropbox version 184.4):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Automatic |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Automatic |
[1]: https://web.archive.org/web/20231101153431/https://belkasoft.com/investigating_dropbox_desktop_app "Investigating the Dropbox Desktop App for Windows with Belkasoft X | belkasoft.com"
call:
-
function: DisableService
parameters:
serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Dropbox automatic updates scheduled tasks
recommend: standard
docs: |-
This script disables the scheduled tasks that Dropbox uses to trigger updates.
These tasks, named `DropboxUpdateTaskMachineUA` and `DropboxUpdateTaskMachineCore`,
are referred to as "Dropbox Update tasks" by Dropbox [1].
Disabling these scheduled tasks can further enhance privacy and optimize system performance.
Dropbox disables these tasks for enterprise installations by default [1].
### Overview of default task statuses
`\DropboxUpdateTaskMachineCore` (tested on Dropbox version 184.4):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
`\DropboxUpdateTaskMachineUA` (tested on Dropbox version 184.4):
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://archive.ph/2023.11.01-153622/https://github.com/dropbox/DropboxBusinessScripts/blob/4f4c32ddd488b29e7fd16a40966761e70a758239/QA%20Installer/Dropbox%20Enterprise%20Installer.ps1%23L127-L136 "DropboxBusinessScripts/QA Installer/Dropbox Enterprise Installer.ps1 at 4f4c32ddd488b29e7fd16a40966761e70a758239 · dropbox/DropboxBusinessScripts | github.com/dropbox"
call:
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'DropboxUpdateTaskMachineUA'
taskPathPattern: \
taskNamePattern: DropboxUpdateTaskMachineUA
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'DropboxUpdateTaskMachineCore'
taskPathPattern: \
taskNamePattern: DropboxUpdateTaskMachineCore
-
category: Disable Media Player data collection
children:
-
name: Disable sending Windows Media Player statistics
recommend: standard
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences
valueName: UsageTracking
dataType: REG_DWORD
data: "0"
# Key is missing by default on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2).
# On Windows 10 22H2, the key is created with value `1` when Windows Media Player is installed.
# Windows 11 uses a new Media Player app and lacks this legacy registry key.
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable metadata retrieval
recommend: standard
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer
valueName: PreventCDDVDMetadataRetrieval
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer
valueName: PreventMusicFileMetadataRetrieval
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\WindowsMediaPlayer
valueName: PreventRadioPresetsRetrieval
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WMDRM
valueName: DisableOnline
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Windows Media Player Network Sharing Service" (`WMPNetworkSvc`)
recommend: standard
docs: |-
Details: [Windows Media Player Network Sharing Service - Windows 10 Service - batcmd.com | batcmd.com](https://web.archive.org/web/20240314091022/https://batcmd.com/windows/10/services/wmpnetworksvc/)
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 22H2) | 🔴 Stopped | Manual |
call:
function: DisableService
parameters:
serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable CCleaner data collection
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: Monitoring
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: HelpImproveCCleaner
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: SystemMonitoring
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 22H2 | `1` on Windows 11 23H2 (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: UpdateAuto
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: UpdateCheck
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: UpdateBackground
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 11 23H2 (CCleaner v6.26)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: CheckTrialOffer
dataType: REG_DWORD
data: "0"
dataOnRevert: "0" # Default value: `0` on Windows 10 22H2 | `1` on Windows 11 23H2 (CCleaner v6.26)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: (Cfg)HealthCheck
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: (Cfg)QuickClean
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: (Cfg)QuickCleanIpm
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: (Cfg)GetIpmForTrial
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: (Cfg)SoftwareUpdater
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Piriform\CCleaner
valueName: (Cfg)SoftwareUpdaterIpm
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) (CCleaner v6.23)
-
category: Security improvements
docs: |-
This category encompasses a range of scripts designed to improve the security of your system by enforcing security best practices.
These scripts help protect your system against various types of cyber threats and unauthorized access.
children:
-
category: Improve network security
docs: |-
This category is dedicated to improving network security.
It aims to minimize vulnerabilities by offering various settings that improve the integrity and confidentiality
of data transmitted over the network.
It features a range of measures to protect data transmission from unauthorized access, interception, and other
cyber threats to maintain a secure and private communication environment.
By improving network security, you secure your system and data from attackers, ISPs, VPN companies,
and state actors.
children:
-
category: Enable strong secret key requirements
docs: |- # refactor-with-variables: Same • Key Size Caution
This category contains scripts that enhance system security by implementing stronger encryption key lengths.
Stronger keys help prevent unauthorized data access and potential leaks.
These scripts aim to protect your data when sent over the network (Internet), making sure your security matches up with the
latest guidelines and practices.
> **Caution**:
> - Using bigger keys increases security but may not work with some old or less secure apps.
> - This can make your device slower and drain the battery faster.
children:
-
name: Enable strong Diffie-Hellman key requirement
recommend: standard # Default on modern Windows; smaller sizes are considered insecure
docs: |- # refactor-with-variables: Same • Key Size Caution • handshake
This script improves your security by setting the `Diffie-Hellman` [1] [2] [3] key exchange
to a minimum of 2048 bits.
This is a secure way to exchange keys over public networks.
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
By default, modern Windows versions use a 2048-bit size for Diffie-Hellman key exchanges [1].
Sizes under 1024 bits are considered weak [4] [5].
NIST in the USA [4] and the Federal Office for Information Security (BSI) in Germany [3] disallow the use of sizes
under 2048 bits.
NSA (National Security Agency) recommends at least 3072 bits [6].
This script hardens your system's security by using keys of adequate strength, following best practices.
> **Caution**:
> - Using bigger keys increases security but may not work with some old or less secure apps.
> - This can make your device slower and drain the battery faster.
[1]: https://web.archive.org/web/20240402105325/https://learn.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644 "Microsoft Security Advisory 3174644 | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[5]: https://web.archive.org/web/20240402112905/https://weakdh.org/ "Weak Diffie-Hellman and the Logjam Attack | weakdh.org"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: RequireTLSMinimumKeySize
parameters:
algorithmName: Diffie-Hellman
keySizeInBits: '2048'
-
name: Enable strong RSA key requirement (breaks Hyper-V VMs)
recommend: strict # Microsoft deprecated it and will end support; but breaks Hyper-V VMs, see #363
docs: |- # refactor-with-variables: Same • Key Size Caution • handshake
This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys (`PKCS` [1] [2]).
RSA encryption keys play a crucial role in securing communications over the internet.
The Public-Key Cryptography Standards (PKCS) define how to use RSA keys for secure communication encryption.
Using keys that are too weak can expose your data to unauthorized access.
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
From Windows 10, version 1507, and Windows Server 2016 onwards, the default RSA key size is 1024 bits [2].
However, this script raises the client-side minimum to 2048 bits, aligning with modern security standards.
Server-side RSA key strength relies on the server certificate [2].
Since 2013, internet standards and regulatory bodies have banned 1024-bit RSA keys due to security vulnerabilities [3].
These entities, including the Federal Office for Information Security (BSI) in Germany [2] and the National Institute of Standards
and Technology (NIST) in the USA [4] [5], now recommend the use of keys that are 2048 bits or longer.
RSA key exchanges of 2048 bits or more are widely accepted.
In 2012, Microsoft deprecated 1024-bit RSA keys for their applications [5] [6] and will end support for them in
Windows by March 2024 [3].
While 2048-bit keys balance security with efficiency [7], a shift towards stronger 4096-bit RSA keys is emerging.
Projects like Debian [8], Fedora [9], and CaCert.org [10] use larger keys for long-term tasks.
However, this script disrupts connections to Hyper-V virtual machines, which still require 1024-bit keys [11].
It does not affect other virtual environments such as Docker, WSL, or Windows Sandbox [11].
> **Caution**:
> - The script prevents access to Hyper-V VMs.
> - Using bigger keys increases security but may not work with some old or less secure apps.
> - This can make your device slower and drain the battery faster.
[1]: https://web.archive.org/web/20240403064025/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=rsa "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[5]: https://web.archive.org/web/20240403064107/https://github.com/undergroundwires/privacy.sexy/pull/165 "request by bricedobson | undergroundwires/privacy.sexy | GitHub.com"
[6]: https://web.archive.org/web/20240403064204/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/rsa-keys-under-1024-bits-are-blocked/ba-p/1128997 "RSA keys under 1024 bits are blocked - Microsoft Community Hub | techcommunity.microsoft.com"
[7]: https://web.archive.org/web/20240402113046/https://danielpocock.com/rsa-key-sizes-2048-or-4096-bits/ "RSA Key Sizes: 2048 or 4096 bits? | danielpocock.com"
[8]: https://web.archive.org/web/20240402105239/https://wiki.debian.org/Keysigning#Step_1:_Create_a_RSA_keypair "Keysigning - Debian Wiki | wiki.debian.org"
[9]: https://web.archive.org/web/20240402105244/https://fedoraproject.org/security/ "Fedora keeps you safe | The Fedora Project | fedoraproject.org"
[10]: https://web.archive.org/web/20240402112840/http://www.cacert.org/policy/CertificationPracticeStatement.html#p6.1.5 "Certification Practice Statement (CPS) | cacert.org"
[11]: https://web.archive.org/web/20240519131322/https://github.com/undergroundwires/privacy.sexy/issues/363 "Hyper-V VM connection issues after running \"Standard\" · Issue #363 · undergroundwires/privacy.sexy"
call:
function: RequireTLSMinimumKeySize
parameters:
algorithmName: PKCS
keySizeInBits: '2048'
ignoreServerSide: 'true' # Controlled by the specified server certificate
-
category: Disable insecure connections
docs: |- # refactor-with-variables: Same • Compatibility Caution
This category includes scripts designed to enhance users' security and privacy by disabling outdated or
vulnerable connections across the system.
It safeguards data against interception, unauthorized access, and attacks that exploit outdated technology
vulnerabilities, including man-in-the-middle attacks and data breaches.
By disabling these insecure connections, these scripts follow cybersecurity best practices and recommendations.
Although Windows supports insecure connections for compatibility, these scripts disable them to prioritize security.
> **Caution:** This may cause compatibility issues with older devices or software.
children:
-
category: Disable insecure ciphers
docs: |- # refactor-with-variables: Same • Compatibility Caution
This category improves network security by disabling outdated and less secure cipher suites.
**Cipher suites** are sets of cryptographic algorithms used to secure network connections [1].
They include **ciphers**, known as **bulk encryption algorithms** [1] or simply **bulk ciphers** [2].
Ciphers encrypt messages exchanged between clients and servers [1].
Using outdated cipher suites exposes data to risks of interception and tampering during transmission [2].
Disabling insecure ciphers meets security standards set by NIST [3], CIS [4], IRS [5], OWASP [6]
and Germany's Federal Office for Information Security (BSI) [7].
This enhances data confidentiality and integrity [4].
It also protects against threats such as attackers exploiting cryptographic weaknesses, malicious insiders,
state actors, and cybercriminals [8].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240421101955/https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel "Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240421102018/https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/ "Recommendations for TLS/SSL Cipher Hardening | Acunetix | www.acunetix.com"
[3]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[5]: https://web.archive.org/web/20240404112509/https://www.irs.gov/privacy-disclosure/encryption-requirements-of-publication-1075 "Encryption Requirements of Publication 1075 | Internal Revenue Service | www.irs.gov"
[6]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[7]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[8]: https://web.archive.org/web/20240421102031/https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography "M10: Insufficient Cryptography | OWASP Foundation | owasp.org"
children:
-
name: Disable insecure "RC2" ciphers
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite
This script disables RC2 ciphers.
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Microsoft [1] [2] [3], NIST (FIPS) [4], CIS [5], Federal Office for Information Security
(BSI) [6], OWASP [7], and NSA (National Security Agency) [8]
classify this algorithm as weak and recommend against its use.
By disabling RC2, the script enhances network security and data integrity [5], as these ciphers are
susceptible to cryptographic attacks.
This script disables these cipher algorithms:
- `RC2 40/128` [1] [4] [5] [6] (40-bit RC2 [4])
- Enabled by default [4].
- Disabling it disallows the following cipher suites:
- `SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [1] [4]
- `TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [1] [4]
- `RC2 56/128` [2] [4] [5] [6] (56-bit RC2 [4])
- Enabled by default [4].
- Disabling it disallows the following cipher suites:
- `SSL_RSA_WITH_DES_CBC_SHA` [2]
- `TLS_RSA_WITH_DES_CBC_SHA` [2]
- `RC2 128/128` [3] [4] [6] (128-bit RC2 [4])
- Enabled by default [4].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240421111726/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_40 "RC2 40/128 | admx.help"
[2]: https://web.archive.org/web/20240421111927/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_56 "RC2 56/128 | admx.help"
[3]: https://web.archive.org/web/20240421111841/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC2_128 "RC2 128/128 | admx.help"
[4]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[6]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[7]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
-
function: DisableTLSCipher
parameters:
algorithmName: RC2 40/128
-
function: DisableTLSCipher
parameters:
algorithmName: RC2 56/128
-
function: DisableTLSCipher
parameters:
algorithmName: RC2 128/128
-
name: Disable insecure "RC4" ciphers
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite
This script disables the RC4 ciphers.
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Microsoft [1] [2] [3] [4] [5], NIST (FIPS) [6], CIS [7], Federal Office for Information
Security (BSI) [8], OWASP [9], and NSA (National Security Agency) [10]
classify this algorithm as weak and recommend against its use.
This script disables these cipher algorithms:
- `RC4 128/128` [1] [6] [7] [8] (128-bit RC4 [6]):
- Enabled by default [6] [7].
- Disabling it disallows the following cipher suites:
- `SSL_RSA_WITH_RC4_128_MD5` [1] [6]
- `SSL_RSA_WITH_RC4_128_SHA` [1] [6]
- `TLS_RSA_WITH_RC4_128_MD5` [1] [6]
- `TLS_RSA_WITH_RC4_128_SHA` [1] [6]
- `RC4 64/128` [2] [6] [7] [8] (64-bit RC4 [6]):
- Enabled by default [6].
- Disabling it affects the functionality of the **Microsoft Money** application [6].
- `RC4 56/128` [3] [6] [7] [8] (56-bit RC4 [6]):
- Enabled by default [6].
- Disabling it disallows the following cipher suites:
- `TLS_RSA_EXPORT1024_WITH_RC4_56_SHA` [3] [6]
- `RC4 40/128` [4] [6] [7] [8] (40-bit RC4 [6]):
- Enabled by default [6].
- Disabling this algorithm will disallow the following cipher suites:
- `SSL_RSA_EXPORT_WITH_RC4_40_MD5` [4] [6]
- `TLS_RSA_EXPORT_WITH_RC4_40_MD5` [4] [6]
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240421101752/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_128 "RC4 128/128 | admx.help"
[2]: https://web.archive.org/web/20240421101700/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_64 "RC4 64/128 | admx.help"
[3]: https://web.archive.org/web/20240421101714/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_56 "RC4 56/128 | admx.help"
[4]: https://web.archive.org/web/20240421101730/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::RC4_40 "RC4 40/128 | admx.help"
[5]: https://web.archive.org/web/20150315105026/http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx "Security Advisory 2868725: Recommendation to disable RC4 - Security Research & Defense - Site Home - TechNet Blogs"
[6]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[8]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[9]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[10]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
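
A read-only audit of the Schannel registry values behind the key-size and cipher settings described above, added here as an example; it is not part of this collection or of privacy.sexy. The registry paths and value names (`Ciphers\<name>\Enabled`, `KeyExchangeAlgorithms\<name>\ClientMinKeyBitLength` and `ServerMinKeyBitLength`) follow Microsoft's Schannel documentation; that `DisableTLSCipher` and `RequireTLSMinimumKeySize` write exactly these values is an assumption.

```powershell
# Added example: read-only audit of the Schannel values behind the settings above.
# Registry locations follow Microsoft's Schannel documentation; that this
# collection's functions write exactly these values is an assumption.
$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$RequiredBits = 2048

function Get-SchannelDword {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [string] $ValueName
    )
    # Cipher key names such as 'RC4 128/128' contain '/', which the PowerShell
    # registry provider treats as a path separator. The .NET API only splits on '\'.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubKey")
    if ($null -eq $key) { return $null }          # key absent: nothing configured
    try {
        if ($key.GetValueNames() -notcontains $ValueName) { return $null }
        if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            return $null                          # wrong type: this audit treats it as not set
        }
        # REG_DWORD is returned as Int32, so 0xFFFFFFFF reads as -1; widen to unsigned.
        $bytes = [BitConverter]::GetBytes([int32] $key.GetValue($ValueName))
        return [BitConverter]::ToUInt32($bytes, 0)
    } finally {
        $key.Close()
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# Cipher names from the RC2 and RC4 entries above.
# 'Enforced' is true only when an explicit Enabled = 0 is present.
$ciphers = @(
    'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
    'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
)
foreach ($cipher in $ciphers) {
    $enabled = Get-SchannelDword -SubKey "Ciphers\$cipher" -ValueName 'Enabled'
    $findings.Add([pscustomobject]@{
        Setting  = "Ciphers\$cipher\Enabled"
        Value    = if ($null -eq $enabled) { 'not set' } else { '0x{0:X8}' -f $enabled }
        Enforced = ($null -ne $enabled) -and ($enabled -eq 0)
    })
}

# Minimum key sizes. RSA (PKCS) is checked on the client side only, mirroring
# ignoreServerSide in the RSA entry; checking both sides for Diffie-Hellman is
# an assumption based on that parameter being absent from its entry.
$minimums = @(
    @{ Algorithm = 'Diffie-Hellman'; ValueName = 'ClientMinKeyBitLength' },
    @{ Algorithm = 'Diffie-Hellman'; ValueName = 'ServerMinKeyBitLength' },
    @{ Algorithm = 'PKCS';           ValueName = 'ClientMinKeyBitLength' }
)
foreach ($m in $minimums) {
    $bits = Get-SchannelDword -SubKey "KeyExchangeAlgorithms\$($m.Algorithm)" -ValueName $m.ValueName
    $findings.Add([pscustomobject]@{
        Setting  = "KeyExchangeAlgorithms\$($m.Algorithm)\$($m.ValueName)"
        Value    = if ($null -eq $bits) { 'not set' } else { "$bits bits" }
        Enforced = ($null -ne $bits) -and ($bits -ge $RequiredBits)
    })
}

# A 'not set' row means the OS default applies, which this audit does not evaluate.
$findings | Format-Table -AutoSize
```

Run it before and after applying or reverting the scripts to see which values changed; it reads `HKLM` only and modifies nothing.
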
call:
-
function: DisableTLSCipher
parameters:
algorithmName: RC4 128/128
-
function: DisableTLSCipher
parameters:
algorithmName: RC4 64/128
-
function: DisableTLSCipher
parameters:
algorithmName: RC4 56/128
-
function: DisableTLSCipher
parameters:
algorithmName: RC4 40/128
-
name: Disable insecure "DES" cipher
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite
This script disables the `DES 56/56` [1] [2] [3] [4] cipher, also known as *DES 56* [2] or *56-bit DES* [2].
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Microsoft [1], NIST (FIPS) [2], CIS [3], Federal Office for Information Security (BSI) [4],
OWASP [5], and NSA (National Security Agency) [6]
consider this cipher weak and either discourage or disallow its use.
This algorithm is enabled by default on Windows [2].
Disabling this cipher helps maintain data confidentiality and integrity by preventing the
use of this weak encryption method in network communications [3].
Disabling this algorithm will disallow the following cipher suites:
- `SSL_RSA_WITH_DES_CBC_SHA` [1] [2]
- `TLS_RSA_WITH_DES_CBC_SHA` [1] [2]
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240421101711/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::DES_56 "DES 56/56 | admx.help"
[2]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[5]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSCipher
parameters:
algorithmName: DES 56/56
# Some sources on the Internet mention the existence of a `DES 56` value, but there is no official documentation pointing to it.
-
name: Disable insecure "Triple DES" cipher
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps.
docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite
This script disables the `Triple DES 168` [1] [2] [3] (`Triple DES 168/168` before Windows Vista [2] [4]) cipher,
also known as *3DES* [1] [3] [5] [6], *The Triple Data Encryption Algorithm (TDEA)* [6] [7] and **TDES** [8].
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
Authorities like Apple [5] [9], NIST [5] [7], Federal Office for Information Security (BSI) [4],
NSA (National Security Agency) [8], and Office of the Chief Information Security Officer [6]
classify this cipher as weak and recommend against its use.
This algorithm is enabled by default on Windows [2].
Disabling 3DES secures your communication by mitigating vulnerabilities like Sweet32 Birthday attacks [5],
and the limited amount of data that can be processed under a single key [6].
Disabling this algorithm will disallow the following cipher suites:
- `SSL_CK_DES_192_EDE_CBC_WITH_MD5` [1]
- `SSL_RSA_WITH_3DES_EDE_CBC_SHA` [2]
- `SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA` [2]
- `TLS_RSA_WITH_3DES_EDE_CBC_SHA` [1] [2]
- `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA` [1] [2]
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240421101519/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::3DES "Triple DES 168 | admx.help"
[2]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[5]: https://web.archive.org/web/20240421101545/https://sweet32.info/ "Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN"
[6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[7]: https://web.archive.org/web/20240402105205/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf "NIST Special Publication 800-131A Revision 2 | Transitioning the Use of Cryptographic Algorithms and Key Lengths | nvlpubs.nist.gov"
[8]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[9]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com"
call:
-
function: DisableTLSCipher
parameters:
algorithmName: Triple DES 168 # After Windows Vista
-
function: DisableTLSCipher
parameters:
algorithmName: Triple DES 168/168 # Before Windows Vista
-
name: Disable insecure "NULL" cipher
recommend: standard # Disables encryption, turned off by default.
docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • authorities • cipher suite
This script disables the `NULL` [1] [2] [3] [4] cipher.
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
This algorithm provides no encryption [1] [5], leaving data completely unprotected.
Authorities like Microsoft [2], NIST (FIPS) [1], CIS [3], Federal Office for
Information Security (BSI) [4], and NSA (National Security Agency) [6]
classify this algorithm as weak and recommend against its use.
This cipher is disabled by default [1].
Disabling these ciphers ensures that no data is transmitted in plaintext, which is crucial for
maintaining data confidentiality and integrity [3].
Disabling this algorithm will disallow the following cipher suites:
- `TLS_RSA_WITH_NULL_SHA` [2]
- `TLS_RSA_WITH_NULL_SHA256` [2]
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240421101539/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::NULL "NULL | admx.help"
[3]: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf "CIS Microsoft IIS 8 Benchmark v1.4.0 | paper.bobylive.com"
[4]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[5]: https://web.archive.org/web/20240421101051/https://datatracker.ietf.org/doc/html/rfc2410 "RFC 2410 - The NULL Encryption Algorithm and Its Use With IPsec | datatracker.ietf.org"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSCipher
parameters:
algorithmName: 'NULL'
-
category: Disable insecure hashes
docs: |- # refactor-with-variables: Same • Compatibility Caution • vulnerability
This category includes scripts to disable insecure hash algorithms during cryptographic operations.
Hash algorithms are essential for internet security, electronic banking, and document signing.
Insecure hashes, however, are susceptible to collision attacks [1] [2].
This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks [3] [4].
Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without being detected.
For instance, attackers could exploit this to divert your payments to their accounts, creating significant risks.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240426084410/https://www.win.tue.nl/hashclash/rogue-ca/ "MD5 considered harmful today | win.tue.nl"
[2]: https://web.archive.org/web/20240426084414/https://phys.org/news/2017-02-cwi-google-collision-industry-standard.html "CWI, Google announce first collision for Industry Security Standard SHA-1 | phys.org"
[3]: https://web.archive.org/web/20240426084414/https://learn.microsoft.com/en-us/archive/technet-wiki/32288.windows-enforcement-of-sha1-certificates#microsoft-sha-1-plan "Windows Enforcement of SHA1 Certificates | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240426084436/https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2862973 "Microsoft Security Advisory 2862973 | Microsoft Learn | learn.microsoft.com"
children:
-
name: Disable insecure "MD5" hash
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, incompatible with third-party apps such as MEGA.
docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • vulnerability • authorities • cipher suite
This script disables the use of the `MD5` [1] [2] [3] hash algorithm during the SSL/TLS handshake process.
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
This algorithm is vulnerable to collision attacks [4] [5].
This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks [6].
Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without being detected.
For instance, attackers could exploit this to divert your payments to their accounts, creating significant risks.
Authorities like NIST (FIPS) [2], Federal Office for Information Security (BSI) [3], Microsoft [6],
OWASP [4] [7], Internet Engineering Task Force (IETF) [8], Google [9] [10], Firefox [11] and OpenVPN [12]
classify this algorithm as weak and recommend against its use.
This algorithm is enabled by default on Windows [2].
Disabling this algorithm disallows the following cipher suites:
- `SSL_CK_DES_192_EDE3_CBC_WITH_MD5` [1]
- `SSL_CK_DES_64_CBC_WITH_MD5` [1]
- `SSL_CK_RC4_128_EXPORT40_MD5` [1]
- `SSL_CK_RC4_128_WITH_MD5` [1]
- `SSL_RSA_EXPORT_WITH_RC4_40_MD5` [2]
- `SSL_RSA_WITH_RC4_128_MD5` [2]
- `SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [2]
- `TLS_RSA_EXPORT_WITH_RC4_40_MD5` [1] [2]
- `TLS_RSA_WITH_NULL_MD5` [1]
- `TLS_RSA_WITH_RC4_128_MD5` [1] [2]
- `TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5` [2]
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240426090518/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::MD5 "MD5 | admx.help"
[2]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240426090555/https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection "WSTG - v4.1 | OWASP Foundation | owasp.org"
[5]: https://web.archive.org/web/20240426090632/https://link.springer.com/chapter/10.1007/11426639_2 "How to Break MD5 and Other Hash Functions | SpringerLink | link.springer.com"
[6]: https://web.archive.org/web/20240426084436/https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2014/2862973 "Microsoft Security Advisory 2862973 | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240426090632/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[8]: https://web.archive.org/web/20240426090640/https://www.rfc-editor.org/rfc/rfc9155.html "RFC 9155: Deprecating MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2 | www.rfc-editor.org"
[9]: https://web.archive.org/web/20240426090758/https://security.googleblog.com/2018/10/modernizing-transport-security.html "Google Online Security Blog: Modernizing Transport Security | security.googleblog.com"
[10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
[11]: https://web.archive.org/web/20240426090747/https://wiki.mozilla.org/CA:MD5and1024 "CA:MD5and1024 - MozillaWiki | wiki.mozilla.org"
[12]: https://web.archive.org/web/20240426090919/https://openvpn.net/faq/md5-signature-algorithm-support/ "MD5 Signature Algorithm Support | OpenVPN | openvpn.net"
call:
function: DisableTLSHash
parameters:
algorithmName: MD5
-
name: Disable insecure "SHA-1" hash
recommend: strict # Considered weak and vulnerable by numerous authoritative sources, may be incompatible with third-party apps
docs: |- # refactor-with-variables: Same • Compatibility Caution • handshake • vulnerability • authorities • cipher suite
This script disables the `SHA` [1] [2] [3] hash algorithm, also known as *Secure Hash Algorithm (SHA-1)* [2].
This script only affects the *SSL/TLS handshake* process.
The *SSL/TLS handshake* is a key part of establishing a secure connection over the internet.
By disabling this weak algorithm, the script improves the security of the connection.
This algorithm is vulnerable to collision attacks [4] [5] [6] [7].
This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks [8].
Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without being detected.
For instance, attackers could exploit this to divert your payments to their accounts, creating significant risks.
Authorities like NIST (FIPS) [2], Federal Office for Information Security (BSI) [3], Mozilla [5], Microsoft [8],
Google [4] [9] [10], OWASP [11], Internet Engineering Task Force (IETF) [12], and Apple [13]
classify this algorithm as weak and recommend against its use.
Disabling this algorithm disallows the following cipher suites:
- `SSL_RSA_WITH_RC4_128_SHA` [2]
- `SSL_RSA_WITH_DES_CBC_SHA` [2]
- `SSL_RSA_WITH_3DES_EDE_CBC_SHA` [2]
- `SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA` [2]
- `SSL_RSA_EXPORT1024_WITH_RC4_56_SHA` [2]
- `TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA` [1]
- `TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA` [1]
- `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` [1]
- `TLS_DHE_DSS_WITH_AES_256_CBC_SHA` [1]
- `TLS_DHE_DSS_WITH_DES_CBC_SHA` [1]
- `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256` [1]
- `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384` [1]
- `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521` [1]
- `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256` [1]
- `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384` [1]
- `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521` [1]
- `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256` [1]
- `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384` [1]
- `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521` [1]
- `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256` [1]
- `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384` [1]
- `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521` [1]
- `TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA` [1] [2]
- `TLS_RSA_EXPORT1024_WITH_RC4_56_SHA` [1] [2]
- `TLS_RSA_WITH_3DES_EDE_CBC_SHA` [1] [2]
- `TLS_RSA_WITH_AES_128_CBC_SHA` [1]
- `TLS_RSA_WITH_AES_256_CBC_SHA` [1]
- `TLS_RSA_WITH_DES_CBC_SHA` [1] [2]
- `TLS_RSA_WITH_NULL_SHA` [1]
- `TLS_RSA_WITH_RC4_128_SHA` [1] [2]
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240426091852/https://admx.help/?Category=Schannel&Policy=JMU.Policies.Schannel::SHA "SHA | admx.help"
[2]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240426091847/https://chromestatus.com/feature/4832850040324096 "Deprecate TLS SHA-1 server signatures - Chrome Platform Status | chromestatus.com"
[5]: https://web.archive.org/web/20240426091939/https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/ "The end of SHA-1 on the Public Web - Mozilla Security Blog | blog.mozilla.org"
[6]: https://web.archive.org/web/20240426084414/https://phys.org/news/2017-02-cwi-google-collision-industry-standard.html "CWI, Google announce first collision for Industry Security Standard SHA-1 | phys.org"
[7]: https://web.archive.org/web/20240426092016/https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html "Google Online Security Blog: Announcing the first SHA1 collision | security.googleblog.com"
[8]: https://web.archive.org/web/20240426084414/https://learn.microsoft.com/en-us/archive/technet-wiki/32288.windows-enforcement-of-sha1-certificates#microsoft-sha-1-plan "Windows Enforcement of SHA1 Certificates | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240426091810/https://chromium.googlesource.com/chromium/src/+/main/docs/security/tls-sha1-server-signatures.md "Chromium Docs - TLS SHA-1 Server Signatures | chromium.googlesource.com"
[10]: https://web.archive.org/web/20240426090758/https://security.googleblog.com/2018/10/modernizing-transport-security.html "Google Online Security Blog: Modernizing Transport Security | security.googleblog.com"
[11]: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html "WSTG - v4.2 | OWASP Foundation | owasp.org"
[12]: https://web.archive.org/web/20240426090640/https://www.rfc-editor.org/rfc/rfc9155.html "RFC 9155: Deprecating MD5 and SHA-1 Signature Hashes in TLS 1.2 and DTLS 1.2 | www.rfc-editor.org"
[13]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com"
call:
function: DisableTLSHash
parameters:
algorithmName: SHA
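The cipher and hash scripts above each list the cipher suites they disallow. The following added example (not part of privacy.sexy) parses suite names into the short script labels that would disallow them, so a peer's suite list can be checked for remaining overlap before the scripts are applied. The labels, the function names and the sample peer lists are assumptions constructed for illustration; the matching rules are derived only from the suite names listed on this page.

```python
import re

# Schannel appends the curve to ECDHE suite names, e.g. ..._CBC_SHA_P256.
CURVE_SUFFIX = re.compile(r"^P\d{3}$")
# Trailing hash token -> label of the script on this page that disables it.
HASH_SCRIPTS = {"MD5": "MD5", "SHA": "SHA-1"}
# Short labels (hypothetical) for the scripts in this section.
ALL_SCRIPTS = {"RC4", "DES", "Triple DES", "NULL", "MD5", "SHA-1"}


def classify(suite):
    """Return the labels of the scripts that would disallow `suite`."""
    tokens = suite.upper().split("_")
    if tokens and CURVE_SUFFIX.match(tokens[-1]):
        tokens = tokens[:-1]

    hits = set()
    # 3DES appears as 3DES_EDE or, in SSL 2.0 names, as DES_192_EDE / DES_192_EDE3.
    des_192 = any(a == "DES" and b == "192" for a, b in zip(tokens, tokens[1:]))
    if "3DES" in tokens or des_192:
        hits.add("Triple DES")
    elif "DES" in tokens:
        hits.add("DES")
    if "RC4" in tokens:
        hits.add("RC4")
    if "NULL" in tokens:
        hits.add("NULL")
    # Exact token match: SHA256 and SHA384 are different tokens and stay allowed.
    script = HASH_SCRIPTS.get(tokens[-1] if tokens else "")
    if script:
        hits.add(script)
    return hits


def surviving(offered, applied):
    """Suites from `offered` that remain usable after the `applied` scripts run."""
    applied = set(applied)
    return [s for s in offered if not (classify(s) & applied)]


# Constructed sample data: suites a legacy device and a mixed peer might offer.
LEGACY_PEER = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
MIXED_PEER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for label, peer in (("legacy", LEGACY_PEER), ("mixed", MIXED_PEER)):
        left = surviving(peer, ALL_SCRIPTS)
        print(f"{label}: {len(left)} of {len(peer)} suites remain: {left}")
        for suite in peer:
            print(f"  {suite}: {sorted(classify(suite)) or 'not affected'}")
```

An empty result from `surviving` is the compatibility failure the caution notes describe: the peer has no suite left in common.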
-
name: Disable insecure renegotiation
recommend: strict # Important security improvement, but may limit compatibility with older software.
docs: |- # refactor-with-variables: Same • Compatibility Caution
This script enhances your security by reducing risks associated with secure communications.
By running this script, you proactively enhance your online privacy and secure against
well-known TLS vulnerabilities.
TLS secures internet communications.
It allows parties such as browsers and websites to update their encryption settings through **renegotiation** [2].
Without safeguards, attackers could intercept and compromise these
communications [1] [2] [3] [4] [5] [6].
Insecure renegotiation can let attackers hijack communications from the start, enabling
unauthorized control [1],
data manipulation [3] [6],
DoS attacks [3],
and identity spoofing [4] [5] [6].
To counter these threats, this script implements measures standardized in RFC 5746 [1] [2], effectively
closing the loophole that allowed these vulnerabilities.
This script enhances security by blocking insecure renegotiation attempts and
aims to improve compatibility with older software.
It modifies the following system settings to achieve this:
- `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!AllowInsecureRenegoClients` [1] [3]:
Stops the client from responding to insecure renegotiation attempts [1] [3].
- `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!AllowInsecureRenegoServers` [1] [3]:
Stops the server from responding to insecure renegotiation attempts [1] [3].
- `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!DisableRenegoOnClient` [3] [4]:
Prevents the client from initiating or responding to insecure renegotiation requests [3] [4].
- `HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL!DisableRenegoOnServer` [3] [4]:
Prevents the server from initiating or responding to insecure renegotiation requests [3] [4].
- `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL!UseScsvForTls` [1]:
Enhances compatibility with older software, preventing potential communication issues [1].
This script may impact the functionality of software using outdated and insecure communication methods [3].
Affected software includes older versions of:
- Internet Explorer [3] [4]
- Internet Information Services (IIS) [3] [4]
- Exchange ActiveSync [3] [4]
- Outlook [3]
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240329131258/https://support.microsoft.com/en-us/topic/ms10-049-vulnerabilities-in-schannel-could-allow-remote-code-execution-d4258037-ad3a-c00c-250f-6c67a408bd7c "MS10-049: Vulnerabilities in SChannel could allow remote code execution - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240329131244/https://datatracker.ietf.org/doc/html/rfc5746 "RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication Extension | ietf.org"
[3]: https://web.archive.org/web/20240329131420/https://blogs.iis.net/windowsserver/isa-2006-tmg-2010-disable-client-initiated-ssl-renegotiation-protecting-against-dos-attacks-and-malicious-data-injection "Windows Server team Blog - ISA 2006 / TMG 2010: DISABLE CLIENT-INITIATED SSL RENEGOTIATION, PROTECTING AGAINST DOS ATTACKS AND MALICIOUS DATA INJECTION | blogs.iis.net"
[4]: https://web.archive.org/web/20100213193718/http://support.microsoft.com/kb/977377 "Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing | support.microsoft.com"
[5]: https://web.archive.org/web/20100212053756/http://www.microsoft.com/technet/security/advisory/977377.mspx "Microsoft Security Advisory (977377): Vulnerability in TLS/SSL Could Allow Spoofing | www.microsoft.com"
[6]: https://web.archive.org/web/20240329131308/https://nvd.nist.gov/vuln/detail/cve-2009-3555 "NVD - cve-2009-3555 | nvd.nist.gov"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
valueName: AllowInsecureRenegoClients
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
valueName: AllowInsecureRenegoServers
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
valueName: DisableRenegoOnServer
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
valueName: DisableRenegoOnClient
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
valueName: UseScsvForTls
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing default value since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
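To verify that the five renegotiation values above are in the state this script sets, the following added example (not part of privacy.sexy) audits the text output of `reg query` for the SCHANNEL key. The function names and the sample output are constructed for illustration; the expected data comes from the `SetRegistryValue` calls above.

```python
import re

# Hardened state taken from the SetRegistryValue calls above (all REG_DWORD).
EXPECTED = {
    "AllowInsecureRenegoClients": 0,
    "AllowInsecureRenegoServers": 0,
    "DisableRenegoOnServer": 1,
    "DisableRenegoOnClient": 1,
    "UseScsvForTls": 1,
}

# A value line in `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Map lower-cased value name -> (type, data) for every value line in `text`."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            # Registry value names are case-insensitive, so normalise the key.
            values[match["name"].lower()] = (match["type"], match["data"].strip())
    return values


def audit(text):
    """Return {value name: status}; status is ok, missing, wrong-type, unparsable or mismatch."""
    found = parse_reg_query(text)
    report = {}
    for name, want in EXPECTED.items():
        entry = found.get(name.lower())
        if entry is None:
            # Absent values are the default on recent Windows builds (see the
            # deleteOnRevert comments above), so "missing" means "not applied".
            report[name] = "missing"
            continue
        reg_type, data = entry
        if reg_type != "REG_DWORD":
            report[name] = "wrong-type"
            continue
        try:
            got = int(data, 16)  # reg query prints DWORD data as 0x...
        except ValueError:
            report[name] = "unparsable"
            continue
        report[name] = "ok" if got == want else "mismatch"
    return report


def is_hardened(text):
    """True only when every expected value is present with the expected data."""
    return all(status == "ok" for status in audit(text).values())


# Constructed sample of `reg query` output for a partially configured machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    EventLogging    REG_DWORD    0x1
    allowinsecurerenegoclients    REG_DWORD    0x0
    AllowInsecureRenegoServers    REG_DWORD    0x1
    DisableRenegoOnServer    REG_SZ    1
    UseScsvForTls    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
    print("hardened:", is_hardened(SAMPLE))
```

On a live system, the input would be the output of `reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`.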
-
category: Disable insecure protocols
docs: |- # refactor-with-variables: Same • Compatibility Caution • authorities
This category focuses on enhancing user privacy by disabling legacy and insecure communication
protocols.
It targets protocols that expose users to security vulnerabilities due to their outdated nature.
Retaining obsolete protocols creates a false sense of security because they may seem secure but are
vulnerable to exploitation [1].
Authorities like NIST [1] (FIPS [2]), NSA (National Security Agency) [1],
Office of the Chief Information Security Officer [2], Microsoft [3], Mozilla [4],
PCI Security Standards Council [5], the Center for Internet Security [6],
and IETF [9]
recommend disabling insecure and obsolete protocols.
Most modern operating systems [3] and browsers [4] disable these protocols by default.
However, certain protocols remain active on some Windows systems [3] [7], posing security risks.
It is crucial to disable these protocols to mitigate risks from well-known attacks such as
POODLE [5] and BEAST [5].
This category excludes the following protocols:
- **DTLS 1.1**:
DTLS 1.1 does not exist [8] [9];
its numbering was skipped to align with TLS versioning [8].
- **TLS 1.2** and **DTLS 1.2** (based on TLS 1.2 [8]):
TLS 1.2 and DTLS 1.2 are enabled by default on Windows [7] and are approved by authorities like
NIST [2] and the German Federal Office for Information Security [10].
Disabling them could affect application functionality, and earlier versions are not
widely supported by Windows [7] [10].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[2]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[3]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[5]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
[6]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[7]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240429193737/https://datatracker.ietf.org/doc/html/rfc6347 "RFC 6347 - Datagram Transport Layer Security Version 1.2 | datatracker.ietf.org"
[9]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[10]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
children:
-
name: Disable insecure "SMBv1" protocol
recommend: standard # Recommended by Microsoft, very old, has significant security vulnerabilities
docs: |- # refactor-with-variables: Same • Compatibility Caution
This script improves network security by disabling the outdated SMBv1 protocol.
**SMBv1**, or **Server Message Block version 1**, is an outdated network protocol developed
for file and printer sharing across networks [1] [2].
This protocol is well-known for its vulnerabilities to cyber attacks [1] [2] [3] [4] [5].
Microsoft deprecated SMBv1 in 2014 [6] [7].
Since 2007, newer and more secure versions of this protocol have
replaced SMBv1 in modern versions of Windows [6].
It is still enabled by default in older Windows versions [1].
Microsoft advises disabling this protocol to strengthen security [1] [8].
SMB1 is not necessary for most users, as Microsoft ensures vendor support for at least SMB 2.0 [2].
The primary reasons for disabling SMBv1 include:
- It uses the outdated MD5 hash algorithm, vulnerable to security attacks [3].
- It fails to meet modern security standards set by FIPS [3], CISA (US-CERT) [5],
CIS (Department of Defense) [3], and Microsoft Security Baseline [8].
- It lacks the efficiency and performance improvements present in newer versions of the protocol [2].
- It is vulnerable to various cyber threats [1] [2] [3] [4] [5],
including ransomware and malware [1] [2].
Disabling SMBv1 may lead to compatibility issues with older network devices and software [1] [3] [6] [9].
This may affect file sharing and print services on systems like Windows Server 2003 [3]
and some older Network Attached Storage (NAS) devices [3].
These systems are insecure and are no longer supported.
This script makes the following changes to your system:
- Removal of SMBv1 components:
- `SMB1Protocol` [2] [3] [4] [10] (also known as `FS-SMB1` [2] [11])
- `SMB1Protocol-Client` [10]
- `SMB1Protocol-Server` [10].
- Disabling the `mrxsmb10` (SMB 1.x MiniRedirector [12]) driver,
linked with SMBv1 [1] [4] [13],
and adjusting related settings to keep older systems stable [1] [4] [13].
- Disabling server-side processing of the SMBv1 protocol using the
`HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMBv1` registry value [1] [14] [15].
These changes require a system reboot to take effect [1] [4] [9].
> **Caution:** This may cause compatibility issues with older devices or software.
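The following read-only audit is an added example, not part of privacy.sexy. It checks each change listed above: the three optional features, the `mrxsmb10` start type, the `lanmanworkstation` dependency list, and the `SMBv1` registry value. The function name `Get-Smb1AuditResult` and the pass criteria are assumptions made for this illustration.

```powershell
# Added example (not project code): read-only audit of the SMBv1 changes listed above.
function Get-Smb1AuditResult {
    # Get-WindowsOptionalFeature -Online needs elevation; stop early instead of misreporting.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this audit from an elevated PowerShell session.'
    }

    # 1. Optional features: only a disabled state passes. Any other state,
    #    including a pending one before the required reboot, is reported as a failure.
    foreach ($name in 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server') {
        try {
            $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop
            $state = [string]$feature.State
        } catch {
            $state = 'QueryFailed' # Needs a manual look; never treated as a pass
        }
        [pscustomobject]@{
            Check  = "Feature $name"
            Actual = $state
            Pass   = $state -in 'Disabled', 'DisabledWithPayloadRemoved'
        }
    }

    # 2. mrxsmb10 driver: read the start type from the service key.
    #    A missing key passes, the driver only exists while the SMB1 feature is installed.
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $start = (Get-ItemProperty -Path $driverKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { $driverState = 'Missing' } else { $driverState = $startNames[[int]$start] }
    [pscustomobject]@{
        Check  = 'Driver mrxsmb10 start type'
        Actual = $driverState
        Pass   = $driverState -in 'Missing', 'Disabled'
    }

    # 3. lanmanworkstation must not depend on mrxsmb10 (expected: bowser/mrxsmb20/nsi).
    $workstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $dependencies = (Get-ItemProperty -Path $workstationKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    [pscustomobject]@{
        Check  = 'lanmanworkstation dependencies'
        Actual = $dependencies -join '/'
        Pass   = $dependencies -notcontains 'mrxsmb10'
    }

    # 4. Server-side SMBv1 processing: the script above sets the value to 0,
    #    so only an explicit 0 passes; a missing value is reported as 'Not set'.
    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $serverKey -Name SMBv1 -ErrorAction SilentlyContinue).SMBv1
    if ($null -eq $smb1) { $serverState = 'Not set' } else { $serverState = [string]$smb1 }
    [pscustomobject]@{
        Check  = 'LanmanServer SMBv1 value'
        Actual = $serverState
        Pass   = $smb1 -eq 0
    }
}

Get-Smb1AuditResult | Format-Table -AutoSize
```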
### Overview of default feature statuses
`SMB1Protocol`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol` |
| **Display name** | SMB 1.0/CIFS File Sharing Support |
| **Description** | Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
`SMB1Protocol-Client`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol-Client` |
| **Display name** | SMB 1.0/CIFS Client |
| **Description** | Support for the SMB 1.0/CIFS client for accessing legacy servers. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
`SMB1Protocol-Server`:
| | |
| ---- | --- |
| **Feature name** | `SMB1Protocol-Server` |
| **Display name** | SMB 1.0/CIFS Server |
| **Description** | Support for the SMB 1.0/CIFS file server for sharing data with legacy clients and browsing the network neighborhood. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
### Overview of default service statuses
SMB 1.x MiniRedirector (`mrxsmb10`):
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 11 (≥ 23H2) | 🟡 Missing | N/A |
| Windows 10 (≥ 22H2) | 🟡 Missing | N/A |
[1]: https://web.archive.org/web/20240413122756/https://learn.microsoft.com/en-us/archive/blogs/secguide/disabling-smbv1-through-group-policy "Disabling SMBv1 through Group Policy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com"
[3]: https://web.archive.org/web/20240413124245/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220729 "The Server Message Block (SMB) v1 protocol must be disabled on the system. | www.stigviewer.com"
[4]: https://web.archive.org/web/20240413122807/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server "Server | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240413124050/https://www.cisa.gov/news-events/alerts/2017/01/16/smb-security-best-practices "SMB Security Best Practices | CISA | www.cisa.gov"
[6]: https://web.archive.org/web/20240413122812/https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows "SMBv1 is not installed by default in Windows 10 version 1709, Windows Server version 1709 and later versions | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240413124101/https://learn.microsoft.com/en-us/archive/blogs/josebda/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect "The Deprecation of SMB1 You should be planning to get rid of this old SMB dialect | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240413122800/https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-draft "Security baseline for Windows 10 \"Creators Update\" (v1703) DRAFT | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240413125713/https://learn.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=client "Client | How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240413124113/https://learn.microsoft.com/en-us/powershell/module/smbshare/remove-smbcomponent?view=windowsserver2025-ps&wt.mc_id=ps-gethelp "Remove-SmbComponent (SmbShare) | Microsoft Learn | learn.microsoft.com"
[11]: https://web.archive.org/web/20240413124320/https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73299 "The Server Message Block (SMB) v1 protocol must be uninstalled. | www.stigviewer.com"
[12]: https://web.archive.org/web/20240413124418/https://revertservice.com/10/mrxsmb10/ "SMB 1.x MiniRedirector (mrxsmb10) Service Defaults in Windows 10 | revertservice.com"
[13]: https://web.archive.org/web/20240413124409/https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-73523 "The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. | www.stigviewer.com"
[14]: https://web.archive.org/web/20240413124606/https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0001_SMBv1_Server "Configure SMB v1 server | admx.help"
[15]: https://web.archive.org/web/20240418073214/https://support.microsoft.com/en-us/topic/908332b7-49de-a86c-dba3-401b9fe8116f "Server service configuration and tuning - Microsoft Support | support.microsoft.com"
call:
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol' -Online
disabledByDefault: 'true'
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol-Client # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Client' -Online
disabledByDefault: 'true'
-
function: DisableWindowsFeature
parameters:
featureName: SMB1Protocol-Server # Get-WindowsOptionalFeature -FeatureName 'SMB1Protocol-Server' -Online
disabledByDefault: 'true'
-
function: DisableService
parameters:
serviceName: mrxsmb10 # Check: (Get-Service -Name 'mrxsmb10').StartType
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
ignoreMissingOnRevert: 'true' # This service is only available when SMB1 feature is installed
-
function: RunInlineCode
# This ensures that `lanmanworkstation` does not depend on `mrxsmb10` to avoid potential system issues.
# Its configuration is already the OS default on modern versions of Windows, see: `sc qc lanmanworkstation`.
parameters:
code: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
revertCode: sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
valueName: SMBv1
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing value by default since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: ShowComputerRestartSuggestion
-
name: Disable insecure "NetBios" protocol
recommend: standard
docs: |- # refactor-with-variables: Same • Compatibility Caution
This script enhances your network's security by turning off NetBIOS over TCP/IP for all network interfaces.
NetBIOS is a protocol primarily used for backward compatibility with older Windows systems [1] [2].
NetBIOS and LLMNR are susceptible to hacking techniques like spoofing [1] [2] [3] [4] [5] and man-in-the-middle
attacks [1] [2] [6], putting your credentials at risk and enabling unauthorized network access [2] [5] [6].
NetBIOS was initially created for communication between applications in small networks [1] [3] [5] [7].
Its lack of authentication makes it easy for attackers to redirect traffic or fake network services [1] [2] [3] [4] [5] [6].
Disabling NetBIOS helps protect against these security risks and reduces the exposure of Windows-specific services
to potential attackers.
The script disables NetBIOS by changing a specific registry value
(`HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\{Interface}!NetbiosOptions` [1] [8]) from its default
of `0` (enabled) [5] to `2` (disabled) [5] [8] for each network interface.
> **Caution:** This may cause compatibility issues with older devices or software.
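The following read-only check is an added example, not part of privacy.sexy. It lists the `NetbiosOptions` value of every interface subkey and maps each subkey to its adapter name, so interfaces that still have NetBIOS enabled stand out. The function name `Get-NetbiosInterfaceState` and the `Tcpip_{GUID}` subkey naming are assumptions of this example.

```powershell
# Added example (not project code): report NetbiosOptions per network interface.
function Get-NetbiosInterfaceState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

    # Map interface GUIDs to adapter names so the report is readable.
    $adapterNames = @{}
    Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.InterfaceGuid) { $adapterNames[$_.InterfaceGuid] = $_.Name }
    }

    Get-ChildItem -Path $key | ForEach-Object {
        # Assumption: subkeys are named 'Tcpip_{GUID}'.
        $guid = $_.PSChildName -replace '^Tcpip_', ''
        $option = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($null -eq $option) { $actual = 'Not set' } else { $actual = [string]$option }
        if ($adapterNames.ContainsKey($guid)) { $adapter = $adapterNames[$guid] } else { $adapter = '(no matching adapter)' }
        [pscustomobject]@{
            Interface      = $guid
            Adapter        = $adapter
            NetbiosOptions = $actual
            Disabled       = $option -eq 2   # 2 is the disabled value described above
        }
    }
}

# Show only interfaces where NetBIOS over TCP/IP is not disabled.
Get-NetbiosInterfaceState | Where-Object { -not $_.Disabled } | Format-Table -AutoSize
```

Because the script sets the value on the interface subkeys that exist when it runs, repeat this check after adding a network adapter.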
[1]: https://web.archive.org/web/20240218210552/https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/ "Disable NetBIOS and LLMNR Protocols in Windows Using GPO | bobcares.com"
[5]: https://web.archive.org/web/20240218210635/https://10dsecurity.com/blog-saying-goodbye-netbios.html "Saying Goodbye To NetBIOS | 10-D Security | 10dsecurity.com"
[3]: https://web.archive.org/web/20240218210736/https://4sysops.com/archives/disable-netbios-in-windows-networks/ "Disable NetBIOS in Windows networks 4sysops | 4sysops.com"
[4]: https://web.archive.org/web/20240218211817/https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/ "Local Network Attacks: LLMNR and NBT-NS Poisoning - Stern Security | www.sternsecurity.com"
[2]: https://web.archive.org/web/20240218211748/https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP "NetBIOS over TCP/IP - Wikipedia | en.wikipedia.org"
[6]: https://web.archive.org/web/20240218210724/http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html "Packetstan: NBNS Spoofing on your way to World Domination | www.packetstan.com"
[7]: https://web.archive.org/web/20240218211730/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940063%28v=technet.10%29?redirectedfrom=MSDN "NetBIOS Over TCP/IP | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240218210626/https://learn.microsoft.com/en-us/archive/msdn-technet-forums/c5f3c095-1ad2-4963-b075-787f800b81f2 "Disabling NETBIOS via GP | Microsoft Learn | social.technet.microsoft.com"
call:
function: RunPowerShell
parameters:
code: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
}
revertCode: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose
}
-
name: Disable insecure "SSL 2.0" protocol
recommend: standard # Outdated protocol, removed from Windows
docs: |- # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • previously enabled
This script disables the SSL 2.0 protocol.
This protocol is identified as `SSL 2.0` on Windows [1] [2] [3],
and also known as *SSL2* [4] [5].
Modern Windows systems no longer include SSL 2.0 due to its security flaws [2] [4].
It was previously enabled by default [4],
posing significant security risks from well-known vulnerabilities [5].
Authorities like NIST (FIPS) [6], NSA (National Security Agency) [7],
PCI Security Standards Council [8], IETF [5],
and Federal Office for Information Security (BSI) [3]
recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429203554/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_SSL_2_0 "Secure Sockets Layer (SSL) 2.0 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ssl-20 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240429203545/https://datatracker.ietf.org/doc/html/rfc6176 "RFC 6176 - Prohibiting Secure Sockets Layer (SSL) Version 2.0 | datatracker.ietf.org"
[6]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[7]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[8]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
call:
function: DisableTLSProtocol
parameters:
protocolName: SSL 2.0
-
name: Disable insecure "SSL 3.0" protocol
recommend: standard # Outdated protocol, disabled by default
docs: |- # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • previously enabled
This script disables the SSL 3.0 protocol.
This protocol is identified as `SSL 3.0` on Windows [1] [2] [3],
and also known as *SSL3* [4] or *SSLv3* [5].
Modern Windows systems disable SSL 3.0 by default due to its security flaws [2] [4].
It was previously enabled by default [4],
posing significant security risks from well-known vulnerabilities,
including the POODLE [6] [7] [8] [9] and BEAST [7] attacks.
Authorities like NIST (FIPS) [8] [9], IETF [6], Apple [5], PCI Security Standards Council [7],
Federal Office for Information Security (BSI) [3], Office of the Chief Information Security Officer [8],
NSA (National Security Agency) [10], and The Center for Internet Security (CIS) [9]
recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429205252/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_SSL_3_0 "Secure Sockets Layer (SSL) 3.0 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#ssl-30 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240426092153/https://developer.apple.com/library/archive/releasenotes/MacOSX/WhatsNewInOSX/Articles/OSXv10.html "macOS Sierra 10.12 | developer.apple.com"
[6]: https://web.archive.org/web/20240429205513/https://datatracker.ietf.org/doc/html/rfc7568 "RFC 7568 - Deprecating Secure Sockets Layer Version 3.0 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429194236/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
[8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[9]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[10]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSProtocol
parameters:
protocolName: SSL 3.0
-
name: Disable insecure "TLS 1.0" protocol
recommend: strict # Newly disabled by Microsoft, but may lead to compatibility issues
docs: |- # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • browsers • previously enabled
This script disables the TLS 1.0 [1] [2] [3] protocol.
This protocol is identified as `TLS 1.0` on Windows [1] [2] [3].
Although deprecated and unsupported in newer Windows versions [4],
it remains enabled by default in older versions [5].
This protocol has well-documented security vulnerabilities [6],
including security attacks such as BEAST and Klima [7].
Major browsers, including Safari [8], Firefox [9], Chrome [10] and Edge [11],
now disable this protocol by default.
Authorities like NIST (FIPS) [7], IETF [6] [9], NSA (National Security Agency) [7] [12],
Apple [8], Mozilla [9], Microsoft [4] [11], Google [10], PCI Security Standards Council [13] [14],
Federal Office for Information Security (BSI) in Germany [3],
Office of the Chief Information Security Officer [11],
and The Center for Internet Security (CIS) [14]
recommend disabling this insecure and obsolete protocol.
While disabling TLS 1.0 improves security, it may disrupt certain older applications that
depend on this protocol [4] [7].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429210356/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_TLS_1_0 "Transport Layer Security (TLS) 1.0 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
[9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
[11]: https://web.archive.org/web/20240029210517/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
[12]: https://web.archive.org/web/20240429104097/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[13]: https://web.archive.org/web/20240029194213/https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls "Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS | blog.pcisecuritystandards.org"
[14]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
call:
function: DisableTLSProtocol
parameters:
protocolName: TLS 1.0
-
name: Disable insecure "TLS 1.1" protocol
recommend: strict # Deprecated by Microsoft, but may lead to compatibility issues
docs: |- # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • browsers • previously enabled
This script disables the TLS 1.1 protocol.
This protocol is identified as `TLS 1.1` on Windows [1] [2] [3].
Although deprecated and unsupported in newer Windows versions [4],
it remains enabled by default in older versions [5].
This protocol contains fundamental, well-documented security vulnerabilities [6].
Major browsers [7], including Safari [8], Firefox [9], Chrome [10] and Edge [11],
now disable this protocol by default.
Authorities like NIST (FIPS) [12], IETF [6] [9], NSA (National Security Agency) [12] [13],
Apple [8], Mozilla [9], Microsoft [4] [11], Google [10], PCI Security Standards Council [3],
Federal Office for Information Security (BSI) in Germany [3],
Office of the Chief Information Security Officer [12],
and The Center for Internet Security (CIS) [7]
recommend disabling this insecure and obsolete protocol.
While disabling TLS 1.1 improves security, it may disrupt certain older applications that
depend on this protocol [4] [12].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429211424/https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::PROTO_Enable_TLS_1_1 "Transport Layer Security (TLS) 1.1 | admx.help"
[2]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-11 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[3]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[4]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[7]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[8]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
[9]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[10]: https://archive.ph/2024.04.26-145435/https://chromestatus.com/feature/5759116003770368 "TLS 1.0 and TLS 1.1 - Chrome Platform Status | chromestatus.com"
[11]: https://web.archive.org/web/20240429210548/https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ "Modernizing TLS connections in Microsoft Edge and Internet Explorer 11 - Microsoft Edge Blog | blogs.windows.com"
[12]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[13]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
call:
function: DisableTLSProtocol
parameters:
protocolName: TLS 1.1
-
name: Disable insecure "DTLS 1.0" protocol
docs: |- # refactor-with-variables: Same • Compatibility Caution • identified as • authorities • DTLS explanation
This script disables the DTLS 1.0 protocol.
This protocol is identified as `DTLS 1.0` on Windows [1] [2].
It is enabled by default [2].
DTLS (*Datagram Transport Layer Security*) provides secure communication over the UDP protocol [3].
Based on the TLS protocol, DTLS offers equivalent security measures [3].
Common uses include online gaming, DNS lookups, and VPN services.
It is considered insecure [4] [5] and has been deprecated by Microsoft due to its vulnerabilities [6].
It's based on TLS 1.1 [4], which is also deprecated and insecure [4] [5] [6] [7].
Authorities like NIST (FIPS) [7], IETF [4], Microsoft [6], and NSA (National Security Agency) [5]
recommend disabling this insecure and obsolete protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
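The following read-only check is an added example, not part of privacy.sexy. It reports the Schannel state of the five protocols covered by this and the preceding entries (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, DTLS 1.0). It assumes the standard Schannel registry layout from Microsoft's TLS registry settings documentation (`Protocols\<name>\Client|Server` with `Enabled` and `DisabledByDefault` values); what the project's `DisableTLSProtocol` function writes is not shown in this section, and the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example (not project code): report Schannel protocol state for client and server roles.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'DTLS 1.0')
    )
    # Assumption: standard Schannel protocol settings location.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($name in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            $values = Get-ItemProperty -Path "$base\$name\$role" -ErrorAction SilentlyContinue
            $enabled = $values.Enabled
            $disabledByDefault = $values.DisabledByDefault

            if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                # Nothing configured: the built-in default of this Windows version applies.
                $verdict = 'OS default (not configured)'
            } elseif ($enabled -eq 0) {
                $verdict = 'Disabled'
            } elseif ($disabledByDefault -eq 1) {
                # Not negotiated by default, but an application can still request it.
                $verdict = 'Off by default, opt-in still possible'
            } else {
                $verdict = 'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $name
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Verdict           = $verdict
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Rows reported as `OS default (not configured)` depend on the Windows version, so compare them against the defaults described in each entry.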
[1]: https://web.archive.org/web/20180228160431/https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#dtls-10 "Transport Layer Security (TLS) registry settings | Microsoft Docs | docs.microsoft.com"
[2]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240503122222/https://learn.microsoft.com/en-us/windows-server/security/tls/datagram-transport-layer-security-protocol "Datagram Transport Layer Security protocol | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240429200613/https://datatracker.ietf.org/doc/html/rfc8996/ "RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 | datatracker.ietf.org"
[5]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[6]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
call:
function: DisableTLSProtocol
parameters:
protocolName: DTLS 1.0
-
name: Disable insecure "LM & NTLM" protocols
recommend: standard
docs: |-
This script improves security by setting the LanMan authentication level to send NTLMv2 responses only,
refusing LM and NTLM [1] [2], which are older and less secure methods [1] [3].
While Kerberos v5 is the default authentication protocol for domain accounts, NTLM is still used for compatibility
with older systems and for authenticating logons to standalone computers [1].
The script modifies the `HKLM\System\CurrentControlSet\Control\Lsa!LmCompatibilityLevel` registry value to enforce
this security measure [1] [2].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240510175526/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801 "The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | www.stigviewer.com"
[2]: https://web.archive.org/web/20240315114408/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level "Network security LAN Manager authentication level - Windows 10 | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240510182417/https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73 "Security guidance for NTLMv1 and LM network authentication - Microsoft Support | support.microsoft.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
valueName: LmCompatibilityLevel
dataType: REG_DWORD
data: "5"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable insecure connections from .NET apps
recommend: strict # Default since .NET 4.6 and above, absence considered vulnerability, but can still break legacy apps
docs: |- # refactor-with-variables: Same • authorities • applies to all .NET
This script improves security by enforcing secure network connections across all .NET applications.
By setting the `SchUseStrongCrypto` configuration [1] [2] [3] [4], it prevents the use of outdated
and insecure connections, including:
- Protocols weaker than TLS 1.1 [1] [4] and TLS 1.2 [1] [2] [4].
- Cipher algorithms such as RC4 [4] [5], NULL [6], DES [6], and export suites [6].
- Hash algorithms like MD5 [6].
Authorities like Microsoft [1] and the Department of Defense (DoD) [3]
recommend this configuration as part of their security guidelines.
This script applies to all .NET applications on the system [1].
A ***.NET application*** is any software developed using Microsoft's .NET platform [7].
This includes many third-party and system applications on Windows, like PowerShell [8].
A .NET application can be of various types, ranging from mobile apps to cloud services [7].
This script affects only the client-side (outgoing) connections of an application [1].
It secures outgoing data from the application without changing how incoming data is handled.
You must restart your system after running this script to activate the security improvements [2] [5].
> **Caution:** This script may disrupt applications relying on legacy services that lack support for
> modern cryptographic standards [1].
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240503121339/https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications "Manage SSL/TLS protocols and cipher suites for AD FS | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240503121520/https://www.stigviewer.com/stig/tanium_7.x/2022-08-24/finding/V-253876 "The SchUseStrongCrypto registry value must be set. | www.stigviewer.com"
[4]: https://web.archive.org/web/20240503121100/https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client "How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240503121456/https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358 "Microsoft Security Advisory 2960358 | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240503121605/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server#sch_use_strong_crypto-option-changes "TLS (Schannel SSP) | Microsoft Learn"
[7]: https://web.archive.org/web/20240503121040/https://en.wikipedia.org/wiki/.NET ".NET - Wikipedia | en.wikipedia.org"
[8]: https://web.archive.org/web/20240503103126/https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4 "What is PowerShell? - PowerShell | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetDotNetRegistryKey
parameters:
valueName: SchUseStrongCrypto
valueData: '1'
-
function: ShowComputerRestartSuggestion
-
category: Enable secure connections
docs: |- # refactor-with-variables: Same • Compatibility Caution
This category configures essential security settings to protect network communications.
Newer security standards offer improved protection against vulnerabilities found in older versions [1].
Scripts within this category enhance your privacy and security by enabling these standards to
maintain the integrity of network communications.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
children:
-
name: Enable secure "DTLS 1.2" protocol
recommend: standard # Enabled by default ≥ Windows 10, version 1607, script does not run on older versions
docs: |- # refactor-with-variables: Same • Compatibility Caution • DTLS explanation • minimum version safeguard
This script enables the DTLS 1.2 protocol.
This protocol is identified as `DTLS 1.2` on Windows [1] [2].
DTLS (*Datagram Transport Layer Security*) provides secure communication over the UDP protocol [3].
Based on the TLS protocol, DTLS offers equivalent security measures [3].
Common uses include online gaming, DNS lookups, and VPN services.
Despite being superseded by the more secure DTLS 1.3 [4],
DTLS 1.2 is still approved by authorities like NIST [5], NSA [6],
and the German Federal Office for Information Security [2].
DTLS 1.2 is based on TLS 1.2 [7].
It's supported by Windows since Windows 10 version 1607 and by Windows Server 2016 Standard [8] [9].
privacy.sexy chooses DTLS 1.2 over DTLS 1.3 due to the lack of support for DTLS 1.3 on Windows platforms [8].
This script only works on Windows 10 version 1607 or newer.
This restriction is in place to maintain system stability
by allowing only supported Windows versions to use the protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240503122222/https://learn.microsoft.com/en-us/windows-server/security/tls/datagram-transport-layer-security-protocol "Datagram Transport Layer Security protocol | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240503121839/https://datatracker.ietf.org/doc/html/rfc9147 "RFC 9147 - The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 | datatracker.ietf.org"
[5]: https://web.archive.org/web/20240503122007/https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf "Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program | National Institute of Standards and Technology Canadian Centre for Cyber Security | csrc.nist.gov"
[6]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[7]: https://web.archive.org/web/20240429193737/https://datatracker.ietf.org/doc/html/rfc6347 "RFC 6347 - Datagram Transport Layer Security Version 1.2 | datatracker.ietf.org"
[8]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240503121605/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server#dtls-12 "TLS (Schannel SSP) | Microsoft Learn"
call:
function: EnableTLSProtocol
parameters:
protocolName: DTLS 1.2
minimumWindowsVersion: Windows10-1607
-
name: Enable secure "TLS 1.3" protocol
recommend: standard # Enabled by default ≥ Windows 11, script does not run on older versions
docs: |- # refactor-with-variables: Same • Compatibility Caution • Authorities • minimum version safeguard
This script enables the TLS 1.3 protocol.
This protocol is identified as `TLS 1.3` on Windows [1].
TLS 1.3 is the latest and most secure version of the TLS protocol [2].
It is supported starting with Windows 11 and Windows Server 2022 [3] [4].
On these systems, TLS 1.3 is enabled by default [3].
Authorities like NSA (National Security Agency) [5] [6], Federal Office for Information Security
(BSI) [1], The Center for Internet Security [7], NIST [8], Microsoft [9], Mozilla [10],
and Apple [11]
recommend using this protocol for its enhanced security.
This script only works on Windows 11 or newer.
This restriction is in place to maintain system stability [3] [4]
by allowing only supported Windows versions to use the protocol.
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[2]: https://web.archive.org/web/20240503122214/https://datatracker.ietf.org/doc/html/rfc8446 "RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3 | datatracker.ietf.org"
[3]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240503122422/https://github.com/undergroundwires/privacy.sexy/issues/175 "Add TLS 1.3 support warning · Issue #175 · undergroundwires/privacy.sexy | github.com"
[5]: https://web.archive.org/web/20240429194121/https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF "Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations | National Security Agency | Cybersecurity Information | media.defense.gov"
[6]: https://web.archive.org/web/20240503122227/https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf "NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of Transport | nvlpubs.nist.gov"
[7]: https://web.archive.org/web/20240429201328/https://www.tenable.com/audits/items/CIS_NGINX_v2.0.1_Level_1_Webserver.audit:fc59c7d0c53f27720fcbca1df8f8fcc2 "4.1.4 Ensure only modern TLS protocols are used | Tenable® | www.tenable.com"
[8]: https://web.archive.org/web/20240429201312/https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf "IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69 | www.gsa.gov"
[9]: https://web.archive.org/web/20240429200538/https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-10-11-deprecation-in-windows "TLS 1.0 and TLS 1.1 deprecation in Windows - Win32 apps | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240429202616/https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ "Removing Old Versions of TLS - Mozilla Security Blog | blog.mozilla.org"
[11]: https://web.archive.org/web/20240429210701/https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ "Deprecation of Legacy TLS 1.0 and 1.1 Versions | WebKit | webkit.org"
call:
function: EnableTLSProtocol
parameters:
protocolName: TLS 1.3
minimumWindowsVersion: Windows11-FirstRelease
-
name: Enable secure connections for legacy .NET apps
recommend: strict # Default since .NET 4.6 and above, but can still break legacy apps
docs: |- # refactor-with-variables: Same • Compatibility Caution • applies to all .NET
This script provides secure connections for older .NET Framework applications.
It enables the automatic adoption of newer, more secure protocols as supported by the operating system [1].
If the operating system supports newer TLS versions, applications will automatically use these without
any need for modifications to the application code or .NET Framework settings [1] [2] [3].
For example, this configuration enables .NET Framework 3.5 applications, which do not natively support
TLS 1.2, to adopt TLS 1.2 [2].
This script applies to all .NET applications on the system [1].
A ***.NET application*** is any software developed using Microsoft's .NET platform [4].
This includes many third-party and system applications on Windows, like PowerShell [5].
A .NET application can be of various types, ranging from mobile apps to cloud services [4].
This script modifies the `SystemDefaultTlsVersions` configuration [1] [2] [3] [6] [7].
This setting enables the operating system to automatically select the most secure available protocol for
.NET applications [1].
Thus, applications automatically benefit from future security enhancements and new protocols added to the
operating system, without the need for updates [1].
This maintains ongoing security as new TLS versions emerge and older ones are retired [1].
It may also resolve compatibility issues with older devices or software [7].
However, it may also result in compatibility issues if the system defaults are too restrictive [8].
> **Caution:** This may cause compatibility issues with older devices or software.
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240503120928/https://support.microsoft.com/en-us/topic/cumulative-update-for-windows-10-version-1511-and-windows-server-2016-technical-preview-4-may-10-2016-aaff80d8-b207-2238-fc9c-bf13fea1c566 "Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016 - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240503120718/https://support.microsoft.com/en-us/topic/support-for-tls-system-default-versions-included-in-the-net-framework-3-5-on-windows-8-1-and-windows-server-2012-r2-499ff5ef-a88a-128b-c639-ed038b7d2d5f "Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 - Microsoft Support | support.microsoft.com"
[4]: https://web.archive.org/web/20240503121040/https://en.wikipedia.org/wiki/.NET ".NET - Wikipedia | en.wikipedia.org"
[5]: https://web.archive.org/web/20240503103126/https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4 "What is PowerShell? - PowerShell | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240503121100/https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client "How to enable Transport Layer Security (TLS) 1.2 on clients - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240503121004/https://learn.microsoft.com/en-us/security/engineering/solving-tls1-problem "Solving the TLS 1.0 Problem | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240503121004/https://learn.microsoft.com/en-us/answers/questions/717566/schusestrongcrypto-registry-value-does-windows-neg#answer-719469 "SchUseStrongCrypto registry value: does WIndows negotiation include older TLS versions? - Microsoft Q&A | learn.microsoft.com"
call:
function: SetDotNetRegistryKey
parameters:
valueName: SystemDefaultTlsVersions
valueData: '1'
-
category: Disable insecure remote administration access
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This category improves security by disabling insecure remote administration features.
Organizations use remote administration tools to manage multiple systems from a central location,
performing tasks such as software updates, system checks, and configuration changes.
However, if not properly secured, unauthorized users could exploit these tools to access sensitive data
or control systems.
This category addresses such vulnerabilities by disabling outdated or insecure remote access methods,
thus securing systems against potential cyber threats.
While these measures maintain information confidentiality and integrity, they may restrict some remote
management functionalities.
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
children:
-
name: Disable basic authentication in WinRM
recommend: standard
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This script configures the Windows Remote Management (WinRM) client to disable **basic authentication** [1] [2].
Basic authentication is a security protocol where a user provides a username and password in plain text for verification [3].
Disabling it improves security by preventing the interception and misuse of plain text passwords [1].
The script achieves this by modifying the `HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client!AllowBasic`
registry key [1] [2].
While WinRM clients do not use Basic authentication by default [2], this script ensures that this less
secure method remains disabled.
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
[1]: https://web.archive.org/web/20240510175428/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335 "The Windows Remote Management (WinRM) client must not use Basic authentication. | www.stigviewer.com"
[2]: https://web.archive.org/web/20240510175528/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-remotemanagement#allowbasicauthentication_client "RemoteManagement Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240510223209/https://datatracker.ietf.org/doc/html/rfc7617 "RFC 7617 - The 'Basic' HTTP Authentication Scheme | datatracker.ietf.org"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
valueName: AllowBasic
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable unauthorized user account discovery (anonymous SAM enumeration)
recommend: standard
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This script increases your system's security by preventing unauthorized users from seeing account names in the
Security Accounts Manager (SAM) [1] [2] [3] [4] [5] [6].
The Security Accounts Manager (SAM) is a database in Windows that stores user account information and
is critical for user authentication processes.
When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing
sensitive information [4] [6] [7] [8].
This is a security action recommended by organizations like the Department of Defense [1], NASA [2], IRS [8],
NIST [6], CIS [4], and Microsoft [3].
The change is enacted through the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa!restrictanonymoussam` registry
value [1] [2] [4] [5]. By default, it's enabled [4], and Windows applies the restriction if the registry value does
not exist [3].
While the script protects against these threats, it may also affect compatibility with older systems.
It prevents trust with Windows NT 4.0 domains [4] [5] [7] [9] and causes issues for older systems such as Windows NT 3.51
and Windows 95 when accessing server resources [4] [5] [7].
Typically, anonymous connections are requested by earlier versions of clients (down-level clients) during SMB session setup [7].
The script has no impact on domain controllers since their behavior in this aspect is controlled by different settings [5] [7].
The policy setting does not require a restart to become effective [5], and there is no impact on current systems
where the default behavior already includes this restriction [4].
Despite the potential interoperability issues with older systems, the script maintains a security posture that is
important in modern networks to minimize unauthorized access and protect user privacy.
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
[1]: https://web.archive.org/web/20231105200434/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745 "Anonymous enumeration of SAM accounts must not be allowed. | www.stigviewer.com"
[2]: https://web.archive.org/web/20231105200713/https://asapdata.arc.nasa.gov/share/Paul/CIS_Microsoft_Windows_Server_2016_RTM_Release_1607_Benchmark_v1.1.0.pdf "CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark | nasa.gov"
[3]: https://web.archive.org/web/20231105200918/https://learn.microsoft.com/en-us/azure/governance/policy/samples/guest-configuration-baseline-windows#security-options---network-access "Reference - Azure Policy guest configuration baseline for Windows - Azure Policy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231105201133/https://community.mis.temple.edu/mis5170sec001sec701sp2018/files/2018/02/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.1.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | temple.edu"
[5]: https://web.archive.org/web/20231105201446/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852230%28v=ws.11%29 "Network access: Do not allow anonymous enumeration of SAM accounts | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20230927174843/https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/documentation/USGCB-Windows-Settings.xls "USGCB Windows Settings | nist.gov"
[7]: https://web.archive.org/web/20231105201346/https://support.microsoft.com/en-us/topic/client-service-and-program-issues-can-occur-if-you-change-security-settings-and-user-rights-assignments-0cb6901b-dcbf-d1a9-e9ea-f1b49a56d53a "Client, service, and program issues can occur if you change security settings and user rights assignments - Microsoft Support | support.microsoft.com"
[8]: https://web.archive.org/web/20231105200853/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-server2016.xlsx "IRS Office of Safeguards SCSEM | irs.gov"
[9]: https://web.archive.org/web/20231105201413/https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/trust-between-windows-ad-domain-not-work-correctly "Trust between a Windows NT domain and an Active Directory domain can't be established or it doesn't work as expected - Windows Server | Microsoft Learn | learn.microsoft.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
valueName: restrictanonymoussam
dataType: REG_DWORD
data: '1'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable anonymous access to named pipes and shares
recommend: standard
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This script restricts anonymous access to Named Pipes and Shares [1] [2].
It reduces security risks by preventing unauthorized access [1] [2].
*Named Pipes* allow programs on a computer or network to communicate with each other.
*Anonymous access* lets users connect to services without a username or password, increasing
the risk of unauthorized access.
It configures the `HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters!restrictnullsessaccess` registry
setting [1] [2] to control null session access, which is a common exploit method via shared folders [2].
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
[1]: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759 "Anonymous access to Named Pipes and Shares must be restricted. | www.stigviewer.com"
[2]: https://web.archive.org/web/20240510180133/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares "Network access Restrict anonymous access to Named Pipes and Shares - Windows 10 | Microsoft Learn | learn.microsoft.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
valueName: restrictnullsessaccess
dataType: REG_DWORD
data: '1'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable hidden remote file access via administrative shares (breaks remote system management software)
recommend: strict
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This script improves your privacy and security by disabling Windows administrative shares,
which are typically used for remote access to your computer's file system.
Windows automatically creates hidden administrative shares, such as `C$` and `D$`, that allow system administrators remote access to
every disk volume on your computer [1] [2]. These shares are often targeted as potential attack vectors [3].
Disabling administrative shares is generally a good practice for enhancing security. It is recommended by various security standards
and compliance frameworks, including some government standards [3], PCI-DSS [4], and CIS [2]. It reduces the system's vulnerability
to unauthorized remote access.
These shares are often used by system administrators to perform tasks like software installation and vulnerability scanning
remotely [1]. Disabling them may limit remote management capabilities. This might require setting up network shares manually
for specific folders or drives, which is more secure but requires additional effort.
Some software, such as Microsoft Systems Management Server (SMS) [2], Microsoft Operations Manager [2], Microsoft PsTools [5],
and certain third-party network backup applications [2], rely on administrative shares. Therefore, disabling these shares could
disrupt their functionality.
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
[1]: https://web.archive.org/web/20230831114315/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares "Remove administrative shares - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231206152703/http://www.itref.ir/uploads/editor/1edad0.pdf "CIS Microsoft Windows 8 Benchmark | itref.ir"
[3]: https://web.archive.org/web/20230831124304/https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Business-Partner-System-Security-Manual-BPSSM.pdf "CMS Manual System | Pub 100-17 Medicare Business Partners | Department of Health & Human Services (DHHS) & Centers for Medicare & Medicaid Services (CMS) | cms.gov"
[4]: https://web.archive.org/web/20230831124324/https://www.unifiedcompliance.com/products/search-authority-documents/authority-document/1071/ "Payment Card Organizations > PCI Security Standards Council | Unified Compliance | www.unifiedcompliance.com"
[5]: https://web.archive.org/web/20240510180222/https://github.com/undergroundwires/privacy.sexy/issues/249 "Disabling administrative shares breaks PsTools | undergroundwires/privacy.sexy | github.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
valueName: AutoShareWks
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable anonymous enumeration of shares
recommend: standard
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This script disables the anonymous enumeration of shares to prevent unauthorized users from
listing account names and shared resources, which could serve as a roadmap for attackers [1].
It configures the `HKLM\SYSTEM\CurrentControlSet\Control\LSA!restrictanonymous` registry key to ensure that
such enumeration is blocked, improving system security against potential breaches [1].
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
[1]: https://web.archive.org/web/20240510180528/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749 "Anonymous enumeration of shares must be restricted. | www.stigviewer.com"
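
The registry values documented in this category up to this point (`AllowBasic`, `restrictanonymoussam`, `restrictnullsessaccess`, `AutoShareWks`, `restrictanonymous`) can be audited by comparing `reg query <key>` output against the data each `call:` block writes. The following is an added example, not part of privacy.sexy: the helper names, status labels and sample output are constructed here, and an absent value counts as safe only where the docs above say Windows already behaves that way.

```python
import re

# (key path, value name, hardened DWORD, absent_ok), copied from the call: blocks
# of this category. absent_ok is True only where the docs state that Windows
# already behaves as hardened when the value does not exist.
BASELINE = [
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client", "AllowBasic", 0, True),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymoussam", 1, True),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters",
     "restrictnullsessaccess", 1, False),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareWks", 0, False),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\LSA", "restrictanonymous", 1, False),
]

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM"}

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")


def normalize_key(path):
    """Registry paths are case-insensitive (the collection itself writes both
    `Lsa` and `LSA`), so compare them lower-cased with a short hive name."""
    hive, _, rest = path.partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    return (hive + "\\" + rest).lower()


def parse_reg_query(text):
    """Return {(key, value name): int} for every REG_DWORD in `reg query` output."""
    values, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = normalize_key(line.strip())
            continue
        match = VALUE_LINE.match(line)
        if key and match and match.group("type") == "REG_DWORD":
            values[(key, match.group("name").lower())] = int(match.group("data"), 16)
    return values


def audit(reg_query_text):
    """Classify each baseline value as hardened, weak, default or not-set."""
    found = parse_reg_query(reg_query_text)
    report = []
    for key, name, expected, absent_ok in BASELINE:
        actual = found.get((normalize_key(key), name.lower()))
        if actual is None:
            # Absent: safe only if the docs describe the default as restricted.
            status = "default" if absent_ok else "not-set"
        else:
            status = "hardened" if actual == expected else "weak"
        report.append((name, status))
    return report


# Constructed sample, shaped like concatenated `reg query` output for the three keys.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
    AllowBasic    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5
    restrictanonymous    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    restrictnullsessaccess    REG_DWORD    0x1
    ExampleString    REG_SZ    constructed value
"""

if __name__ == "__main__":
    for value_name, status in audit(SAMPLE_REG_QUERY):
        print(f"{value_name:24} {status}")
```
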
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\LSA
valueName: restrictanonymous
dataType: REG_DWORD
data: '1'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
-
name: Disable "Telnet Client" feature
recommend: standard # Already disabled by default in Windows
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This script disables the **Telnet Client** feature in Windows.
The Telnet Client enables remote server connections [1].
It is inherently insecure because it transmits all data, including sensitive credentials,
in clear text without encryption [2] [3].
This lack of encryption makes it vulnerable to interception and misuse [3].
Due to these security flaws, entities such as NIST [2], Department of Defense [2]
and Microsoft [1] recommend removing or disabling this feature.
Although this feature is disabled by default in newer versions of Windows [1], ensuring
that it remains disabled can prevent accidental or unauthorized use.
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `TelnetClient` |
| **Display name** | Telnet Client |
| **Description** | Allows you to connect to other computers remotely. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
[1]: https://web.archive.org/web/20231207105605/https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx "Windows 10: Enabling Telnet Client - TechNet Articles - United States (English) - TechNet Wiki | social.technet.microsoft.com"
[2]: https://web.archive.org/web/20240413140012/https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220721 "The Telnet Client must not be installed on the system. | stigviewer.com"
[3]: https://web.archive.org/web/20240413140230/https://it.mst.edu/policies/secure-telnet/ "Secure Telnet Information Technology | Missouri S&T | it.mst.edu"
call:
function: DisableWindowsFeature
parameters:
featureName: TelnetClient # Get-WindowsOptionalFeature -FeatureName 'TelnetClient' -Online
disabledByDefault: 'true'
-
name: Remove "RAS Connection Manager Administration Kit (CMAK)" capability
docs: |- # refactor-with-variables: Same • Remote Connectivity Caution
This script removes the "RAS Connection Manager Administration Kit (CMAK)" (`RasCMAK.Client` [1]) capability.
CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks [1].
Though useful for remote connections, this capability might be unnecessary for many users.
Removing it can simplify the system's network configuration and enhance security by reducing potential attack vectors.
This capability is not included in the standard installation of Windows [1].
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
[1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com"
call:
function: UninstallCapability
parameters:
capabilityName: RasCMAK.Client
-
name: Disable Windows Remote Assistance feature
recommend: standard
docs: |-
This script disables the Windows Remote Assistance feature to improve your system's privacy and security.
Windows Remote Assistance allows a third party to remotely access your PC [1].
This capability, known as *Solicited Remote Assistance* [2], enables another user to view or take
control of your computer [2] [3] [4] [5].
Disabling Remote Assistance improves security by:
- Preventing others from remotely viewing or controlling your computer [2].
- Reducing the risk of exploitation from RDP-related vulnerabilities [5].
- Reducing the attack surface by eliminating unnecessary remote access functionalities.
The script modifies the following settings to achieve this:
- It configures `fAllowToGetHelp` to block users from requesting remote assistance [3].
- It configures `fAllowFullControl` to prevent remote users from gaining full control of the system [4].
These changes are applied via:
- The application setting in the Windows registry at `HKLM\System\CurrentControlSet\Control\Remote Assistance` [6].
- The Group Policy setting at `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` [2].
> **Caution:**
> This may lead to reduced functionality or connectivity issues, particularly in enterprise environments where remote
> administration is necessary.
[1]: https://web.archive.org/web/20240510233757/https://support.microsoft.com/en-us/windows/solve-pc-problems-remotely-with-remote-assistance-and-easy-connect-cf384ff4-6269-d86e-bcfe-92d72ed55922 "Solve PC problems remotely with Remote Assistance and Easy Connect - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240510233343/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651 "Solicited Remote Assistance must not be allowed. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240510233528/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowtogethelp "fAllowToGetHelp | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240510233541/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-remoteassistance-exe-fallowfullcontrol "fAllowFullControl | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240510233611/https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-053 "Microsoft Security Bulletin MS12-053 - Critical | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240510233842/https://support.microsoft.com/en-us/topic/an-update-to-disable-the-chat-feature-in-remote-assistance-msra-exe-is-available-for-windows-7-sp1-and-windows-server-2008-r2-sp1-a29674bc-ea7b-d5ab-1314-95cd3b93fcb3 "An update to disable the Chat feature in Remote Assistance (MSRA.exe) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 - Microsoft Support | support.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance
valueName: fAllowToGetHelp
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance
valueName: fAllowFullControl
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
valueName: AllowBasic
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable non-essential network components
docs: |-
This category focuses on disabling or removing specific networking features.
These are generally considered unnecessary or less secure for most users.
Disabling these features contributes to a more secure and privacy-focused environment by
eliminating potential vulnerabilities and reducing the system's attack surface.
These features may utilize outdated protocols or lack robust encryption and
authentication methods, making them vulnerable to cyberattacks.
If these features are not essential for your daily operations, it is
advisable to disable them to enhance your system's security.
The scripts target specific networking tools and protocols, ideal for users who don't need these
features, thus streamlining the system and potentially improving performance.
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations.
children:
-
name: Disable "Net.TCP Port Sharing" feature
recommend: strict
docs: |- # refactor-with-variables: Same • Generic Connectivity Caution
This script disables the "Net.TCP Port Sharing" feature.
This feature is part of Windows Communication Foundation (WCF) [1].
This feature enables multiple WCF applications to share the same TCP port [1].
It manages incoming connections and routes them to the appropriate application based on
the destination address found in the message stream [1].
This increases the system's attack surface [2]:
- When applications share the same port, more applications are exposed to network traffic.
- It runs under a system account with high permissions, making the system vulnerable to extensive
access by attackers if compromised [2].
- Poor application configuration can increase risk of serious damage if an application is compromised [1].
- The security of the system depends significantly on how well each individual application handles security.
It's disabled by default on Windows due to security concerns [1].
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations.
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `WCF-TCP-PortSharing45` |
| **Display name** | TCP Port Sharing |
| **Description** | TCP Port Sharing |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
[1]: https://web.archive.org/web/20240314102452/https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing "Net.TCP Port Sharing - WCF | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240413140234/https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-03-09/finding/V-3487 "Services will be documented and unnecessary services will not be installed or will be disabled. | stigviewer.com"
call:
function: DisableWindowsFeature
parameters:
featureName: WCF-TCP-PortSharing45 # Get-WindowsOptionalFeature -FeatureName 'WCF-TCP-PortSharing45' -Online
-
name: Disable "SMB Direct" feature
recommend: strict
docs: |- # refactor-with-variables: Same • Generic Connectivity Caution
This script disables the "SMB Direct" feature.
SMB Direct improves file transfer speeds across networks by utilizing network adapters that are
Remote Direct Memory Access (RDMA) capable [1].
Although not inherently insecure [2], maintaining unnecessary software can increase the attack surface,
especially if the underlying RDMA hardware has vulnerabilities.
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations.
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `SmbDirect` |
| **Display name** | SMB Direct |
| **Description** | Remote Direct Memory Access (RDMA) support for the SMB 3.x file sharing protocol |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
[1]: https://web.archive.org/web/20240314102437/https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-direct?tabs=disable "Improve performance of a file server with SMB Direct | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240413124106/https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 "Stop using SMB1 - Microsoft Community Hub | techcommunity.microsoft.com"
call:
function: DisableWindowsFeature
parameters:
featureName: SmbDirect # Get-WindowsOptionalFeature -FeatureName 'SmbDirect' -Online
-
name: Disable "TFTP Client" feature
recommend: standard # Disabled by default
docs: |- # refactor-with-variables: Same • Generic Connectivity Caution
This script disables the "TFTP Client" feature.
The TFTP Client supports file transfers using the *Trivial File Transfer Protocol (TFTP)*.
The TFTP protocol is insecure because it lacks authentication and encryption capabilities [1] [2] [3].
This makes data transferred via TFTP vulnerable to eavesdropping and tampering [2] [3].
Although TFTP's simplicity can be advantageous in certain contexts, such as configuring network devices,
its security risks generally outweigh these benefits.
Disabling it helps mitigate the risk of unauthorized data access and simplifies system security management [1] [2].
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations.
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `TFTP` |
| **Display name** | TFTP Client |
| **Description** | Transfer files using the Trivial File Transfer Protocol |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
[1]: https://web.archive.org/web/20240413142327/https://www.stigviewer.com/stig/windows_server_2016/2018-03-07/finding/V-73297 "The TFTP Client must not be installed. | www.stigviewer.com"
[2]: https://web.archive.org/web/20240413142325/https://www.tenable.com/audits/items/Juniper_Hardening_Junos_Devices.audit:0343769f1ea790c8345e961c9a442ec6 "Access Security - Disable insecure or unnecessary access servi... | Tenable® | www.tenable.com"
[3]: https://archive.ph/2024.04.13-142535/https://www.infosecinstitute.com/resources/incident-response-resources/network-traffic-analysis-for-ir-tftp-with-wireshark/ "Network traffic analysis for IR: TFTP with Wireshark | Infosec | www.infosecinstitute.com"
call:
function: DisableWindowsFeature
parameters:
featureName: TFTP # Get-WindowsOptionalFeature -FeatureName 'TFTP' -Online
disabledByDefault: 'true'
-
name: Remove "RIP Listener" capability
docs: |- # refactor-with-variables: *Caution**
This script removes the "RIP Listener" (`RIP.Listener` [1]) capability.
The RIP Listener listens for route updates from routers using the Routing Information Protocol version 1 (RIPv1) [1].
RIPv1 is an older protocol that might be redundant in modern networks, despite its specific utilities.
Removing this feature can contribute to a more secure system by eliminating unnecessary network
listening capabilities.
This capability is not included in the standard installation of Windows [1].
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations.
[1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com"
call:
function: UninstallCapability
parameters:
capabilityName: RIP.Listener
-
name: Remove "Simple Network Management Protocol (SNMP)" capability
docs: |- # refactor-with-variables: Same • Generic Connectivity Caution
This script removes the "Simple Network Management Protocol (SNMP)" (`SNMP.Client` [1]) capability.
SNMP is used for monitoring and managing network devices [1].
While it provides valuable information for network administration, it may not be essential for
all users and can expose the system to additional network traffic and potential vulnerabilities.
This capability is not included in the standard installation of Windows [1].
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations.
[1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com"
call:
function: UninstallCapability
parameters:
capabilityName: SNMP.Client
-
name: Remove "SNMP WMI Provider" capability
docs: |- # refactor-with-variables: Same • Generic Connectivity Caution
This script removes the "SNMP WMI Provider" (`WMI-SNMP-Provider.Client` [1]) capability.
This feature enables Windows Management Instrumentation (WMI) clients to access SNMP information [1].
SNMP is used for monitoring and managing network devices [1].
This capability integrates SNMP data into WMI and may be extraneous for those who do not need SNMP monitoring.
Removing this capability can simplify the system's management interfaces and improve its security posture
by limiting the ways in which network information is accessed and exposed.
This capability is not included in the standard installation of Windows [1].
> **Caution:** Disabling a networking component may cause connectivity issues if required for specific operations.
[1]: https://web.archive.org/web/20240411120309/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#networking-tools "Available features on demand | Microsoft Learn | learn.microsoft.com"
call:
function: UninstallCapability
parameters:
capabilityName: WMI-SNMP-Provider.Client
-
category: Disable clipboard data collection
docs: |-
This category includes scripts that focus on disabling various aspects of clipboard data collection in Windows.
The clipboard is a critical component of the operating system, often containing sensitive data such as usernames, passwords, and other
personal information [1].
However, features such as clipboard history and device synchronization can significantly increase privacy and security risks.
By default, Windows tends to store clipboard data in an unencrypted format [2], making it easily accessible to malicious applications or scripts.
Additionally, data synchronization features can lead to sensitive information being stored on remote servers or shared across devices, increasing the
risk of data exposure.
The scripts in this category address these risks by disabling the related features.
While these features offer convenience and productivity benefits, they can inadvertently compromise user privacy and security.
> **Caution**: Applying these scripts may lead to a loss of certain functionalities. Users who rely on these features for their daily tasks should
> consider the trade-offs before proceeding with these changes.
[1]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com"
[2]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com"
children:
-
name: Disable Cloud Clipboard (breaks clipboard sync)
recommend: strict
docs: |-
This script disables the Cloud Clipboard feature [1], also known as the cross-device clipboard [2].
The Cloud Clipboard, introduced in the Windows 10 October 2018 Update [3], synchronizes clipboard contents across Windows
devices [1] [2] [4]. While this feature enhances usability, it can pose a privacy risk as sensitive information like passwords or credit card
details [5] might be inadvertently synchronized and stored on Microsoft servers.
Disabling Cloud Clipboard is recommended in secure environments where clipboard data should remain local to the system, avoiding
potential exposure or misuse of sensitive information [6]. The Center for Internet Security (CIS) recommends disabling this feature in
such settings for enhanced security [6]. Moreover, Microsoft acknowledges that disabling network connections linked to the Cloud Clipboard
can improve privacy [1]. This script secures your clipboard data by preventing unauthorized access from other processes on your computer
or network, reducing the risk of data theft.
The script configures the following registry keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowCrossDeviceClipboard`: Disables the Cloud Clipboard feature, preventing
clipboard synchronization across devices [1] [2] [6].
- `HKCU\SOFTWARE\Microsoft\Clipboard!CloudClipboardAutomaticUpload`: Stops the automatic upload of clipboard data to the cloud [7].
> **Caution**: After running this script, clipboard contents will not synchronize across devices [1] [2] [6].
> Text or images copied on one device will not be accessible on other devices [3] [4] [5].
> This enhances privacy and security but limits the clipboard's functionality across your Windows devices.
[1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#30-cloud-clipboard "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20240119150031/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#allowcrossdeviceclipboard "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com"
[4]: https://web.archive.org/web/20240119150040/https://support.microsoft.com/en-us/windows/clipboard-in-windows-c436501e-985d-1c8d-97ea-fe46ddf338c6 "Clipboard in Windows - Microsoft Support | support.microsoft.com"
[5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com"
[6]: https://web.archive.org/web/20240119145854/https://www.tenable.com/audits/items/CIS_MS_InTune_for_Windows_11_Level_2_BitLocker_v1.0.0.audit:19bea796bd6a86f37028214bbed97ffd "18.8.31.1 Ensure 'Allow Clipboard synchronization across devic... | Tenable® | www.tenable.com"
[7]: https://web.archive.org/web/20240119145950/https://www.elevenforum.com/t/enable-or-disable-clipboard-sync-across-devices-in-windows-11.976/ "Enable or Disable Clipboard Sync Across Devices in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: AllowCrossDeviceClipboard
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Clipboard
valueName: CloudClipboardAutomaticUpload
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable clipboard history
recommend: standard
docs: |-
This script deactivates the clipboard history feature in Windows, a feature that is enabled by default [1] [2].
Users regularly copy sensitive data such as usernames and passwords to their clipboard, making clipboard history
valuable to attackers for gathering information for post-exploitation activities like lateral movement.
Microsoft introduced clipboard history in the Windows 10 October 2018 Update [1], offering enhanced functionality, including
multi-device sync and customizable history management [1].
Despite these benefits, clipboard history poses several security risks:
- **Plain Text Storage**: Clipboard data is stored unencrypted, making it vulnerable to access by malicious applications [3].
- **Persistent Memory**: The data remains in memory until overwritten or the machine restarts, exposing it to unauthorized access
by other users or malware [3].
- **Process Accessibility**: Most running processes and applications can access clipboard data, increasing the risk if any are malicious [3].
- **Open Network Threats**: Malicious website scripts could potentially access clipboard data, leading to data theft [3].
- **Windows Clipboard History**: Stores the last 25 copied text and image items, which could include sensitive information [3].
- **Increased Attack Surface**: Clipboard history is susceptible to exploitation by malware that silently accesses and logs clipboard data [3].
Microsoft's privacy statement also indicates that clipboard data could be used for marketing and advertising purposes [4].
Given these risks, especially when handling sensitive data like passwords or credit card numbers [5], it is advisable for
users concerned about security to disable clipboard history to safeguard their privacy.
This script modifies Windows Registry keys to turn off clipboard history and sync features:
- `HKCU\Software\Microsoft\Clipboard!EnableClipboardHistory`: Disables the local clipboard history for the current user [6] [7] [8].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!AllowClipboardHistory`: Disables the policy for storing clipboard contents [2] [9].
[1]: https://web.archive.org/web/20210619004804/https://community.windows.com/en-us/stories/cloud-clipboard-windows-10 "Copy and paste across Windows 10 devices using cloud clipboard | Windows Community | community.windows.com"
[2]: https://web.archive.org/web/20240119153212/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#allowclipboardhistory "Experience Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240119151846/https://ghostvolt.com/blog/Is-the-Windows-Clipboard-Function-History-or-Sync-Secure.html "Is the Windows Clipboard Function, History or Sync Secure | ghostvolt.com"
[4]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement Microsoft privacy | privacy.microsoft.com"
[5]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com"
[6]: https://web.archive.org/web/20240119153118/https://www.elevenforum.com/t/enable-or-disable-clipboard-history-in-windows-11.973/ "Enable or Disable Clipboard History in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[7]: https://web.archive.org/web/20240119153113/https://itechbrand.com/how-to-enable-and-use-clipboard-history-on-windows-10/ "How to: Enable and Use Clipboard History on Windows 10 | ITechBrand | itechbrand.com"
[8]: https://web.archive.org/web/20240119153250/https://labs.withsecure.com/tools/sharpcliphistory "SharpClipHistory | WithSecure™ Labs | labs.withsecure.com"
[9]: https://web.archive.org/web/20240119153231/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OSPolicy::AllowClipboardHistory "Allow Clipboard History | admx.help"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Clipboard
valueName: EnableClipboardHistory
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: AllowClipboardHistory
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable background clipboard data collection (`cbdhsvc`) (breaks clipboard history and sync)
recommend: strict
docs: |-
This script disables `cbdhsvc`, also known as "Clipboard User Service" [1].
This service is responsible for clipboard history and synchronization across devices [1].
Microsoft acknowledges that disabling this service does not adversely affect the system's core functionality [2].
Disabling this service enhances your security by reducing your system's
vulnerability surface. This service has historically been susceptible to vulnerabilities such as a privilege escalation vulnerability [3].
Turning off `cbdhsvc` also helps improve system performance by reducing the number of background processes as `cbdhsvc` runs automatically
in the background [1].
Additionally, it enhances privacy by preventing the storage and sharing of clipboard history with Microsoft servers.
Clipboard data often contains sensitive information, including passwords and credit card numbers [4].
> **Caution**: Disabling this service will remove the functionalities for clipboard history and synchronization across devices.
> If you depend on these features, you should weigh the benefits against the loss of these functionalities.
[1]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services#per-user-services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[3]: https://archive.ph/2024.01.19-154717/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21869 "CVE-2022-21869 - Security Update Guide - Microsoft - Clipboard User Service Elevation of Privilege Vulnerability | msrc.microsoft.com"
[4]: https://web.archive.org/web/20240119160347/https://github.com/undergroundwires/privacy.sexy/issues/247 "Disable Clipboard History · Issue #247 · undergroundwires/privacy.sexy · GitHub | github.com"
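Added example, not part of privacy.sexy: a read-only PowerShell audit of the registry values that the clipboard scripts in this category write, plus the `cbdhsvc` template key and its per-user instances.
It assumes a disabled service is recorded as `Start` = `4` (the standard Windows "Disabled" start type); the function names are hypothetical.

```powershell
# Added audit example (not privacy.sexy code). Read-only: it changes nothing.
# Expected data values are the ones this collection writes for the clipboard scripts.
$expectedValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'AllowCrossDeviceClipboard';     Data = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'AllowClipboardHistory';         Data = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Clipboard';               Name = 'CloudClipboardAutomaticUpload'; Data = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Clipboard';               Name = 'EnableClipboardHistory';        Data = 0 }
)

# Hypothetical helper: reports whether one registry value holds the expected data.
function Test-RegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Data
    )
    # All four values are missing on a default install, so 'Missing' means "script not applied".
    $state  = 'Missing'
    $actual = $null
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        if ($key.GetValueNames() -contains $Name) {
            $actual = $key.GetValue($Name)
            $state  = if ($actual -eq $Data) { 'Applied' } else { 'Mismatch' }
        }
    }
    [pscustomobject]@{ Check = "$Path!$Name"; Expected = $Data; Actual = $actual; State = $state }
}

# Hypothetical helper: reads the Start value of a per-user service template and of every
# instance created from it. The template (e.g. cbdhsvc) seeds the instances (cbdhsvc_<suffix>)
# that Windows creates at sign-in, so both must be checked.
function Get-PerUserServiceStartState {
    param([Parameter(Mandatory)] [string] $ServiceName)
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $disabled     = 4   # Assumption: "Disabled" start type, as used by the Service Control Manager
    $keys = @(Get-Item -Path "$servicesRoot\$ServiceName", "$servicesRoot\${ServiceName}_*" -ErrorAction SilentlyContinue)
    if ($keys.Count -eq 0) {
        return [pscustomobject]@{ Check = $ServiceName; Expected = $disabled; Actual = $null; State = 'NotPresent' }
    }
    foreach ($key in $keys) {
        $start = $key.GetValue('Start')
        [pscustomobject]@{
            Check    = $key.PSChildName
            Expected = $disabled
            Actual   = $start
            State    = if ($start -eq $disabled) { 'Applied' } else { 'Mismatch' }
        }
    }
}

# HKCU checks reflect the account running the audit, which differs from the
# signed-in user when the shell was elevated with other credentials.
$report = @()
foreach ($check in $expectedValues) {
    $report += Test-RegistryValue @check
}
$report += Get-PerUserServiceStartState -ServiceName 'cbdhsvc'
$report | Format-Table -AutoSize
```

A `Mismatch` on a `cbdhsvc_*` instance while the template shows `Applied` indicates an instance created before the template was changed.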
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc_*").Start
serviceName: cbdhsvc
defaultStartupMode: Automatic
-
category: Enable protection against Meltdown and Spectre
docs: https://support.microsoft.com/en-us/topic/kb4072698-windows-server-and-azure-stack-hci-guidance-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e
children:
-
name: Mitigate Spectre Variant 2 and Meltdown in host operating system
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
valueName: FeatureSettingsOverrideMask
dataType: REG_DWORD
data: "3"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
valueName: FeatureSettingsOverride
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
setupCode: |-
$cpuName = Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop | Select-Object -ExpandProperty Name
if ($cpuName -NotMatch 'Intel') {
Write-Host 'Skipping, this action is intended for Intel CPUs only.'
Exit 0
}
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
valueName: FeatureSettingsOverride
dataType: REG_DWORD
data: "64"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
setupCode: |-
$cpuName = Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop | Select-Object -ExpandProperty Name
if ($cpuName -NotMatch 'AMD') {
Write-Host 'Skipping, this action is intended for AMD CPUs only.'
Exit 0
}
-
name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
valueName: MinVmVersionForCpuBasedMitigations
dataType: REG_SZ
data: "1.0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Enable Data Execution Prevention (DEP)
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer
valueName: NoDataExecutionPrevention
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: DisableHHDEP
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable AutoPlay and AutoRun
recommend: standard
docs:
- https://en.wikipedia.org/wiki/AutoRun
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoDriveTypeAutoRun
dataType: REG_DWORD
data: "255" # 255 (0xff)
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoAutorun
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer
valueName: NoAutoplayfornonVolume
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable lock screen camera access
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization
valueName: NoLockScreenCamera
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable storage of the LAN Manager password hashes
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
valueName: NoLMHash
dataType: REG_DWORD
data: '1'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable "Always install with elevated privileges" in Windows Installer
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
valueName: AlwaysInstallElevated
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Enable Structured Exception Handling Overwrite Protection (SEHOP)
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
valueName: DisableExceptionChainValidation
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Enable security against PowerShell 2.0 downgrade attacks
recommend: standard
docs: |-
See: [The Windows PowerShell 2.0 feature must be disabled on the system. | stigviewer.com](https://web.archive.org/web/20240406114721/https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637)
### Overview of default feature statuses
`MicrosoftWindowsPowerShellV2`:
| | |
| ---- | --- |
| **Feature name** | `MicrosoftWindowsPowerShellV2` |
| **Display name** | Windows PowerShell 2.0 Engine |
| **Description** | Adds or Removes Windows PowerShell 2.0 Engine |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
`MicrosoftWindowsPowerShellV2Root`:
| | |
| ---- | --- |
| **Feature name** | `MicrosoftWindowsPowerShellV2Root` |
| **Display name** | Windows PowerShell 2.0 |
| **Description** | Adds or Removes Windows PowerShell 2.0 |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
-
function: DisableWindowsFeature
parameters:
featureName: MicrosoftWindowsPowerShellV2 # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2' -Online
-
function: DisableWindowsFeature
parameters:
featureName: MicrosoftWindowsPowerShellV2Root # Get-WindowsOptionalFeature -FeatureName 'MicrosoftWindowsPowerShellV2Root' -Online
-
name: Disable "Windows Connect Now" wizard
recommend: standard
docs:
- https://web.archive.org/web/20240314130322/https://learn.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now
- https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\WCN\UI
valueName: DisableWcnUi
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars
valueName: DisableFlashConfigRegistrar
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars
valueName: DisableInBand802DOT11Registrar
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars
valueName: DisableUPnPRegistrar
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars
valueName: DisableWPDRegistrar
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars
valueName: EnableRegistrars
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Block tracking hosts
docs: |-
This category includes scripts that enhance privacy by blocking communications with hosts known for tracking
and data collection.
A **host** is a domain name serving as an address for a computer or resource on the Internet.
These hosts are often used by software applications, operating systems, and services to collect data, which
can include personal information, usage patterns, and more.
By modifying the **hosts file** (a simple text file on your computer that maps domain names to IP addresses),
these scripts stop your computer from connecting to servers that collect user data.
This not only reduces personal data sent to companies and third-party trackers, enhancing privacy, but may also
optimize system performance by minimizing unnecessary network requests.
> **Caution**: These scripts may interfere with the functionality of apps or services relying on the blocked data.
> Balance privacy with functionality according to your preferences and needs.
children:
# Excluded hosts:
# - browser.events.data.microsoft.com
# Breaks "Windows Admin Center": https://web.archive.org/web/20240502104500/https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/deploy/network-requirements
# Breaks "Secure File Exchange": https://www.kuketz-forum.de/t/ms-teams-und-die-verbindungen-dorthin/537/4, https://web.archive.org/web/20240502104821/https://github.com/easylist/easylist/issues/15697
-
name: Block Windows crash report hosts
recommend: standard
docs: |-
This script prevents Windows from sending crash reports to Microsoft, enhancing your privacy.
Windows Error Reporting (WER) creates minidumps (small memory snapshots at crash time) and
sends them to Microsoft [1].
Although intended to improve software by analyzing crash data, this feature raises privacy concerns
such as:
- Inclusion of sensitive information within the dumps, such as personal data and passwords [2] [3].
- Data sharing with Microsoft and other third parties through the Windows Desktop Application Program [1].
To safeguard your privacy, this script blocks specific hosts that Windows uses to transmit crash data,
ensuring these minidump files remain on your local machine and are not sent to Microsoft or its partners.
The blocked hosts are:
- `oca.telemetry.microsoft.com` [4]
- `oca.microsoft.com` [4]
- `kmwatsonc.events.data.microsoft.com` [4]
[1]: https://web.archive.org/web/20240217185113/https://learn.microsoft.com/en-us/windows/win32/dxtecharts/crash-dump-analysis "Crash Dump Analysis - Win32 apps | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240107005535/https://blog.carnal0wnage.com/2013/07/mimikatz-minidump-and-mimikatz-via-bat.html "Mimikatz Minidump and mimikatz via bat file Carnal0wnage - Blog Carnal0wnage Blog | blog.carnal0wnage.com"
[3]: https://web.archive.org/web/20240217185037/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/read-small-memory-dump-file "Read small memory dump files - Windows Client | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: oca.telemetry.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: oca.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: kmwatsonc.events.data.microsoft.com
-
name: Block Windows error reporting hosts
recommend: standard
docs: |-
This script improves your privacy by preventing "Windows Error Reporting (WER)" from sending data about
hardware and software issues back to Microsoft.
WER is designed to collect diagnostic information [1] and report it back to Microsoft [1] [6], aiming to improve
user experience by offering solutions to encountered problems [1]. However, this feature can inadvertently expose
sensitive system information.
By default, error reporting information is sent to Microsoft [6], which may include details that users prefer to keep
private.
> **Caution**: This script may prevent receiving automatic solutions or feedback for reported errors [1].
### Blocked Hosts
The blocked hosts are:
- `watson.telemetry.microsoft.com` [2] [3] [4] [5] [7]
- `umwatsonc.events.data.microsoft.com` [2]
- `ceuswatcab01.blob.core.windows.net` [2]
- `ceuswatcab02.blob.core.windows.net` [2]
- `eaus2watcab01.blob.core.windows.net` [2]
- `eaus2watcab02.blob.core.windows.net` [2]
- `weus2watcab01.blob.core.windows.net` [2]
- `weus2watcab02.blob.core.windows.net` [2]
- `co4.telecommand.telemetry.microsoft.com` [5] [6]
- `cs11.wpc.v0cdn.net` [5] [6]
- `cs1137.wpc.gammacdn.net` [5] [6]
- `modern.watson.data.microsoft.com` [5] [6]
[1]: https://web.archive.org/web/20240217185900/https://learn.microsoft.com/en-us/windows/win32/wer/about-wer "About WER - Win32 apps | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240217190247/https://learn.microsoft.com/en-us/hololens/hololens-offline "Manage connection endpoints for HoloLens | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: watson.telemetry.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: umwatsonc.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: ceuswatcab01.blob.core.windows.net
-
function: BlockViaHostsFile
parameters:
domain: ceuswatcab02.blob.core.windows.net
-
function: BlockViaHostsFile
parameters:
domain: eaus2watcab01.blob.core.windows.net
-
function: BlockViaHostsFile
parameters:
domain: eaus2watcab02.blob.core.windows.net
-
function: BlockViaHostsFile
parameters:
domain: weus2watcab01.blob.core.windows.net
-
function: BlockViaHostsFile
parameters:
domain: weus2watcab02.blob.core.windows.net
-
function: BlockViaHostsFile
parameters:
domain: co4.telecommand.telemetry.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: cs11.wpc.v0cdn.net
-
function: BlockViaHostsFile
parameters:
domain: cs1137.wpc.gammacdn.net
-
function: BlockViaHostsFile
parameters:
domain: modern.watson.data.microsoft.com
-
name: Block telemetry and user experience hosts
recommend: standard
docs: |-
This script improves privacy by blocking data sharing to the *Windows Connected User Experiences and
Telemetry* component [1].
This component is responsible for collecting and transmitting diagnostic data and usage
information to Microsoft [1] [2], which is used to identify and fix problems, enhancing
product and service offerings [2].
While the collection of this data is intended to improve user experience by allowing Microsoft
to address issues and enhance functionality [2], it raises privacy concerns for users who prefer to
keep their diagnostic information private.
Blocking these endpoints prevents the automatic transmission of this data to Microsoft [2],
safeguarding user privacy.
> **Caution**: This script may impact the delivery of diagnostic and usage-based solutions from
> Microsoft [1] [2].
### Blocked Hosts
The blocked hosts are:
- `functional.events.data.microsoft.com` [2]
- `browser.events.data.msn.com` [2] [3] [4]
- `self.events.data.microsoft.com` [2] [3]
- `v10.events.data.microsoft.com` [1] [2] [5] [6] [9]
- `v10c.events.data.microsoft.com` [1]
- `us-v10c.events.data.microsoft.com` [1]
- `eu-v10c.events.data.microsoft.com` [1]
- `v10.vortex-win.data.microsoft.com` [1] [6] [7]
- `vortex-win.data.microsoft.com` [8]
- `telecommand.telemetry.microsoft.com` [2]
- `www.telecommandsvc.microsoft.com` [2]
- `umwatson.events.data.microsoft.com` [3] [4]
- `watsonc.events.data.microsoft.com` [1]
- `eu-watsonc.events.data.microsoft.com` [1]
- `v20.events.data.microsoft.com` [9]
[1]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com"
[4]: https://web.archive.org/web/20240217205130/https://www.thewindowsclub.com/edge-waiting-for-browser-events-data-msn-com "Edge Waiting for browser.events.data.msn.com | thewindowsclub.com"
[5]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240217190247/https://learn.microsoft.com/en-us/hololens/hololens-offline "Manage connection endpoints for HoloLens | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240217205118/https://support.microsoft.com/en-us/topic/update-for-customer-experience-and-diagnostic-telemetry-2649a645-0d3d-fa61-0773-ef84c0a8c8ac#ID0EDDBH "Update for customer experience and diagnostic telemetry - Microsoft Support | support.microsoft.com"
[9]: https://web.archive.org/web/20240219205201/https://learn.microsoft.com/en-us/windows/privacy/windows-endpoints-2004-non-enterprise-editions "Windows 10, version 2004, connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: functional.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: browser.events.data.msn.com
-
function: BlockViaHostsFile
parameters:
domain: self.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: v10.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: v10c.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: us-v10c.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: eu-v10c.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: v10.vortex-win.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: vortex-win.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: telecommand.telemetry.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: www.telecommandsvc.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: umwatson.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: watsonc.events.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: eu-watsonc.events.data.microsoft.com
-
name: Block remote configuration sync hosts
recommend: strict
docs: |-
This script blocks specific hosts used by applications, such as "System Initiated User Feedback" and the
"Xbox" app [1] [2], to dynamically update their configuration [1] [2].
These endpoints play a crucial role in remotely configuring diagnostics-related settings and data collection [3].
For instance, they allow for the remote blocking of events being sent back to Microsoft or enrolling a device
in the Windows diagnostic data processor configuration [3].
Blocking these hosts can enhance your privacy by preventing certain data from being collected and sent to Microsoft.
> **Caution**: Using this script might disrupt the normal operation of applications that depend on syncing their
> configurations online, leading to potential functionality issues [1].
### Blocked Hosts
The blocked hosts are:
- `settings-win.data.microsoft.com` [1] [2] [3] [4] [5]
- `settings.data.microsoft.com` [1] [2] [5]
[1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240217185108/https://learn.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization "Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240217205118/https://support.microsoft.com/en-us/topic/update-for-customer-experience-and-diagnostic-telemetry-2649a645-0d3d-fa61-0773-ef84c0a8c8ac#ID0EDDBH "Update for customer experience and diagnostic telemetry - Microsoft Support | support.microsoft.com"
[5]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: settings-win.data.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: settings.data.microsoft.com
-
category: Block third-party app hosts
docs: |-
This category includes scripts that block network connections to third-party applications that collect data.
These scripts stop your system from sending data to third parties, thereby protecting your personal
information and possibly improving system performance by cutting down on superfluous data transfers.
children:
-
name: Block Dropbox telemetry hosts
recommend: standard
docs: |-
This script prevents your computer from sending personal data to Dropbox's data
collection servers [1], improving your privacy.
Dropbox collects data such as:
- **Account Information**: Includes your name, email, phone number, payment details, and address shared during account
creation or when upgrading plans [2].
- **Your Files**: Covers data on files you save in Dropbox, their usage, and details [2].
- **Contacts**: If granted access, Dropbox stores contacts [2].
- **Usage Information**: Tracks how you use Dropbox services, including file management and electronic signature activities [2].
- **Device Information**: Includes information from your devices like IP addresses, browsers, location data [2].
- **User Settings**: Uses cookies and pixel tags to remember your settings [2].
- **DocSend and Dropbox Analytics**: Collects data, including device and ID information, when you view content via these services [2].
- **Marketing Information**: Tracks your interactions with Dropbox or its representatives [2].
Dropbox also shares collected data with third parties, affiliates, and other users [2].
Applying this script significantly reduces the data Dropbox collects, directly enhancing your privacy protection.
### Blocked Hosts
The blocked hosts are:
- `telemetry.dropbox.com` [3]
- `telemetry.v.dropbox.com` [4]
[1]: https://web.archive.org/web/20240123113411/https://www.dropboxforum.com/t5/Integrations/Why-So-Much-Telemetry/m-p/463436/highlight/true#M4616 "Re: Why So Much Telemetry ? - Page 3 - Dropbox Community | www.dropboxforum.com"
[2]: https://web.archive.org/web/20240123113313/https://www.dropbox.com/privacy "Privacy Policy - Dropbox | www.dropbox.com"
[3]: https://web.archive.org/web/20240123113357/https://www.dropboxforum.com/t5/Integrations/Why-So-Much-Telemetry/td-p/455961/page/2 "Why So Much Telemetry ? - Page 2 - Dropbox Community | dropboxforum.com"
[4]: https://web.archive.org/web/20240123113411/https://www.dropboxforum.com/t5/Integrations/Why-So-Much-Telemetry/m-p/456421/highlight/true#M4592 "Re: Why So Much Telemetry ? - Dropbox Community | www.dropboxforum.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: telemetry.dropbox.com
-
function: BlockViaHostsFile
parameters:
domain: telemetry.v.dropbox.com
-
name: Block Spotify Live Tile hosts
docs: |- # refactor-with-variables: Same • live tiles
This script enhances privacy by preventing the Spotify application from fetching and displaying live updates on its Live Tile [1].
Spotify, known for being pre-installed with Windows [2], can collect data in the background without user consent.
This script stops the transmission of real-time data to the Spotify Live Tile [1], which may contain user-specific content or usage patterns.
**Live Tiles**, a feature within UWP apps, automatically collect and display updated information
directly on the Start menu, without opening the app [3].
The Live Tiles feature, once available on Windows 8.1 and 10 [4], has been replaced by the
**Widgets** feature in Windows 11 [5].
> **Caution**: Using this script may have side effects on Spotify functionalities beyond the Live Tile, potentially influencing other app
> features or the Spotify website experience [6].
### Blocked Hosts
The blocked hosts are:
- `spclient.wg.spotify.com` [1]
[1]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240219224242/https://www.windowslatest.com/2022/09/28/spotify-app-is-automatically-getting-installed-on-windows-10-windows-11/ "Spotify app is automatically getting installed on Windows 10 & Windows 11 | windowslatest.com"
[3]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com"
[5]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com"
[6]: https://web.archive.org/web/20240219205516/https://wiki.archlinux.org/title/spotify "Spotify - ArchWiki | wiki.archlinux.org"
call:
function: BlockViaHostsFile
parameters:
domain: spclient.wg.spotify.com
-
name: Block location data sharing hosts
recommend: strict
docs: |-
This script improves user privacy by disabling the transmission of location data to Microsoft's servers [1] [2] [3] [4] [5].
Location data is utilized by various Windows applications [1] [2] [3] [4] [5], including the Camera app [6] [7],
to provide location-based services.
However, the collection of such data raises privacy concerns as it involves transmitting potentially sensitive information
such as OS version, device details, nearby wireless access points (including MAC addresses and signal strengths), and various
unique identifiers [6].
Sending this data to Microsoft allows for detailed profiling of your location and movements [6].
This has led to privacy lawsuits alleging unauthorized tracking of users without their consent, particularly
regarding the Camera app's location tracking capabilities [6] [7].
By blocking the specified hosts, this script prevents Windows apps from accessing and sending location data [1] [2] [3] [4] [5],
thereby safeguarding your privacy.
> **Caution**: This script may impact the functionality of apps that rely on location data [1] [3] [4] [5].
> Users should weigh the benefits of enhanced privacy against the potential loss of location-based features in certain applications.
### Blocked Hosts
The blocked hosts are:
- `inference.location.live.net` [1] [2] [3] [4] [6] [7]
- `location-inference-westus.cloudapp.net` [3] [5]
[1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240217210446/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1909-endpoints "Connection endpoints for Windows 10 Enterprise, version 1909 - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240217210611/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints "Connection endpoints for Windows 10, version 1809 - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240217210525/https://www.zdnet.com/article/windows-phone-does-transmit-location-information-without-user-consent/ "Windows Phone DOES transmit location information without user consent | ZDNET | www.zdnet.com"
[7]: https://web.archive.org/web/20240217220328/https://www.slashgear.com/microsoft-denies-windows-phone-camera-location-tracking-accusations-05177143/ "Microsoft Denies Windows Phone Camera Location Tracking Accusations - SlashGear | www.slashgear.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: inference.location.live.net
-
function: BlockViaHostsFile
parameters:
domain: location-inference-westus.cloudapp.net
-
name: Block maps data and updates hosts
recommend: strict # refactor-with-variables: Same excluded host: `r.bing.com`
docs: |-
This script blocks servers that update offline maps [1] [2] and provide Bing Maps APIs for
geospatial [3] and location services [4] [5].
This action enhances privacy by preventing the transmission of your location data to Microsoft.
> **Caution:**
> This script has potential side effects:
> - Impacts apps and websites using Bing Maps for location services, including third-party ones.
> - Disables offline map updates [1] [2], potentially leading to less accurate and outdated maps.
### Blocked Hosts
The blocked hosts are:
- `maps.windows.com` [1] [2]
- `dev.virtualearth.net` [2] [4] [6]
- `ecn.dev.virtualearth.net` [1] [2] [3]
- `ecn-us.dev.virtualearth.net` [1] [6]
- `weathermapdata.blob.core.windows.net` [1]
The following hosts are excluded (not blocked):
- `r.bing.com` [6] [7] [8]:
Blocking this host impacts several features, including Cortana [1] [2], Live Tiles [1] [2],
Copilot [9] [10] [11], and Bing Maps [6] [7] [8].
- `ssl.bing.com` [2]:
This host is not only associated with Maps but also other functionality such as viewing and
deleting search history for your privacy [12] and Bing Webmaster APIs [13].
[1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240217220311/https://learn.microsoft.com/en-us/bingmaps/articles/geospatial-endpoint-service "Geospatial Endpoint Service - Bing Maps | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240217220300/https://learn.microsoft.com/en-us/bingmaps/rest-services/locations/find-a-location-by-address "Find a Location by Address - Bing Maps | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240217220332/https://learn.microsoft.com/en-us/bingmaps/rest-services/common-parameters-and-types/base-url-structure "Bing Maps REST URL Structure - Bing Maps | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240426134902/https://learn.microsoft.com/en-us/fabric/security/power-bi-allow-list-urls "Add Power BI URLs to allowlist - Microsoft Fabric | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240426134243/https://stackoverflow.com/questions/73457359/how-do-i-catch-an-error-due-to-wrong-latitude-or-longitude-in-bing-maps-v8-web-c "javascript - How do I catch an error due to wrong latitude or longitude in Bing Maps V8 Web Control? - Stack Overflow | stackoverflow.com"
[8]: https://web.archive.org/web/20240426134404/https://answers.microsoft.com/en-us/bing/forum/all/bing-maps-not-working-in-edge-or-chrome/55092382-e1a0-466c-ac83-f5ff25eacff1 "Bing maps not working in Edge or Chrome - Microsoft Community | answers.microsoft.com"
[9]: https://web.archive.org/web/20240426133944/https://github.com/undergroundwires/privacy.sexy/issues/329#issuecomment-2062563970 "[BUG]: Bing (search engine) is broken · Issue #329 · undergroundwires/privacy.sexy"
[10]: https://archive.ph/2024.04.26-134254/https://github.com/privacysexy-forks/ios_rule_script/blob/f0ec2a3c74940ba7f54557439f943a2359e9f792/rule/Clash/Copilot/Copilot.yaml "ios_rule_script/rule/Clash/Copilot/Copilot.yaml at f0ec2a3c74940ba7f54557439f943a2359e9f792 · privacysexy-forks/ios_rule_script | github.com"
[11]: https://web.archive.org/web/20240426134112/https://urlscan.io/result/5c8c89a7-4d4a-4030-8bf2-381fded08b51#transactions "copilot.microsoft.com - urlscan.io | urlscan.io"
[12]: https://web.archive.org/web/20240502094006/https://ssl.bing.com/profile/history "Search - Search History | ssl.bing.com"
[13]: https://web.archive.org/web/20240502094210/https://learn.microsoft.com/en-us/bingwebmaster/getting-started#webmaster-api-interface "Getting Started with Webmaster API | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: maps.windows.com
-
function: BlockViaHostsFile
parameters:
domain: ecn.dev.virtualearth.net
-
function: BlockViaHostsFile
parameters:
domain: ecn-us.dev.virtualearth.net
-
function: BlockViaHostsFile
parameters:
domain: weathermapdata.blob.core.windows.net
-
name: Block Spotlight ads and suggestions hosts
recommend: strict
docs: |-
This script blocks specific hosts used by Windows Spotlight to retrieve metadata, which
includes image references, app suggestions, Microsoft account notifications, and Windows tips [1] [2] [3].
Windows Spotlight aims to deliver dynamic content on the lock screen and other parts of the
Windows interface, such as personalized ads and tips [1] [3].
By blocking these hosts, the script effectively prevents Windows Spotlight from downloading new lock screen
images, app suggestions, account notifications, and tips [1] [2] [3].
It improves your privacy by reducing unsolicited content and potential data collection.
> **Caution:** While Spotlight attempts to update content, suggested apps,
> Microsoft account notifications, and Windows tips won't be downloaded once the script is in place [1] [3].
### Blocked Hosts
The blocked hosts are:
- `arc.msn.com` [1] [2] [3]
- `ris.api.iris.microsoft.com` [1] [2] [3]
- `api.msn.com` [1]
- `assets.msn.com` [1]
- `c.msn.com` [1]
- `g.msn.com` [3]
- `ntp.msn.com` [1]
- `srtb.msn.com` [1]
- `www.msn.com` [1]
- `fd.api.iris.microsoft.com` [1]
- `staticview.msn.com` [1]
- `mucp.api.account.microsoft.com` [2]
- `query.prod.cms.rt.microsoft.com` [3]
[1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
-
function: BlockViaHostsFile
parameters:
domain: arc.msn.com
-
function: BlockViaHostsFile
parameters:
domain: ris.api.iris.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: api.msn.com
-
function: BlockViaHostsFile
parameters:
domain: assets.msn.com
-
function: BlockViaHostsFile
parameters:
domain: c.msn.com
-
function: BlockViaHostsFile
parameters:
domain: g.msn.com
-
function: BlockViaHostsFile
parameters:
domain: ntp.msn.com
-
function: BlockViaHostsFile
parameters:
domain: srtb.msn.com
-
function: BlockViaHostsFile
parameters:
domain: www.msn.com
-
function: BlockViaHostsFile
parameters:
domain: fd.api.iris.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: staticview.msn.com
-
function: BlockViaHostsFile
parameters:
domain: mucp.api.account.microsoft.com
-
function: BlockViaHostsFile
parameters:
domain: query.prod.cms.rt.microsoft.com
-
name: Block Cortana and Live Tiles hosts
recommend: strict # refactor-with-variables: Same • Same excluded host: `r.bing.com` • live tiles
docs: |-
This script blocks specific hosts associated with Cortana and Live Tiles,
thereby preventing updates to Cortana's greetings, tips, and Live Tiles [1].
**Cortana** and **Live Tiles**, part of the Universal Windows Platform (UWP), enable voice-activated
app control and deliver timely information directly to users [2]:
- **Live Tiles**, a feature within UWP apps, automatically collect and display updated information
directly on the Start menu, without opening the app [2].
The Live Tiles feature, once available on Windows 8.1 and 10 [3], has been replaced by the
**Widgets** feature in Windows 11 [4].
- **Cortana** is a voice-based interactive digital assistant on Windows devices [2].
Cortana listens to commands, activates the relevant app, and passes the speech or text commands to the app [2].
> **Caution**:
> Blocking these hosts may reduce functionality, affecting not only Cortana and Live Tiles but also voice
> commands and voice-activated apps [2].
### Blocked Hosts
The blocked hosts are:
- `business.bing.com` [1] [5]
- `c.bing.com` [1] [5]
- `th.bing.com` [1]
- `edgeassetservice.azureedge.net` [1] [5]
- `c-ring.msedge.net` [1]
- `fp.msedge.net` [1] [5]
- `I-ring.msedge.net` [1]
- `s-ring.msedge.net` [1] [5]
- `dual-s-ring.msedge.net` [1]
- `creativecdn.com` [1]
- `a-ring-fallback.msedge.net` [1]
- `fp-afd-nocache-ccp.azureedge.net` [1]
- `prod-azurecdn-akamai-iris.azureedge.net` [1] [5]
- `widgetcdn.azureedge.net` [1] [5]
- `widgetservice.azurefd.net` [1] [5]
- `fp-vs.azureedge.net` [5]
- `ln-ring.msedge.net` [5]
- `t-ring.msedge.net` [5]
- `t-ring-fdv2.msedge.net` [5]
- `tse1.mm.bing.net` [5]
The following hosts are excluded (not blocked):
- `r.bing.com` [1] [5]:
Blocking this host impacts several features, including Cortana [1] [5], Live Tiles [1] [5],
Copilot [6] [7] [8], and Bing Maps [9] [10] [11].
- `www.bing.com` [1] [5]:
Blocking this host prevents access to the Bing search engine and its associated tools [12],
impacting more than just Cortana and Live Tiles.
[1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com"
[4]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com"
[5]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240426133944/https://github.com/undergroundwires/privacy.sexy/issues/329#issuecomment-2062563970 "[BUG]: Bing (search engine) is broken · Issue #329 · undergroundwires/privacy.sexy"
[7]: https://archive.ph/2024.04.26-134254/https://github.com/privacysexy-forks/ios_rule_script/blob/f0ec2a3c74940ba7f54557439f943a2359e9f792/rule/Clash/Copilot/Copilot.yaml "ios_rule_script/rule/Clash/Copilot/Copilot.yaml at f0ec2a3c74940ba7f54557439f943a2359e9f792 · privacysexy-forks/ios_rule_script | github.com"
[8]: https://web.archive.org/web/20240426134112/https://urlscan.io/result/5c8c89a7-4d4a-4030-8bf2-381fded08b51#transactions "copilot.microsoft.com - urlscan.io | urlscan.io"
[9]: https://web.archive.org/web/20240426134902/https://learn.microsoft.com/en-us/fabric/security/power-bi-allow-list-urls "Add Power BI URLs to allowlist - Microsoft Fabric | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240426134243/https://stackoverflow.com/questions/73457359/how-do-i-catch-an-error-due-to-wrong-latitude-or-longitude-in-bing-maps-v8-web-c "javascript - How do I catch an error due to wrong latitude or longitude in Bing Maps V8 Web Control? - Stack Overflow | stackoverflow.com"
[11]: https://web.archive.org/web/20240426134404/https://answers.microsoft.com/en-us/bing/forum/all/bing-maps-not-working-in-edge-or-chrome/55092382-e1a0-466c-ac83-f5ff25eacff1 "Bing maps not working in Edge or Chrome - Microsoft Community | answers.microsoft.com"
[12]: https://web.archive.org/web/20240502092817/https://en.wikipedia.org/wiki/Microsoft_Bing "Microsoft Bing - Wikipedia | en.wikipedia.org"
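Added example, not part of privacy.sexy: a read-only PowerShell check that compares a hosts file with the blocked and excluded lists above and reports every host whose state differs from what this script documents. The function names and the set of sink addresses are assumptions, because the entries that `BlockViaHostsFile` writes are not shown here.

```powershell
# Added example (not privacy.sexy code). Read-only: it never modifies the hosts file.

# Hosts documented above as blocked by this script.
$BlockedHosts = @(
    'business.bing.com', 'c.bing.com', 'th.bing.com',
    'edgeassetservice.azureedge.net', 'c-ring.msedge.net', 'fp.msedge.net',
    'I-ring.msedge.net', 's-ring.msedge.net', 'dual-s-ring.msedge.net',
    'creativecdn.com', 'a-ring-fallback.msedge.net',
    'fp-afd-nocache-ccp.azureedge.net', 'prod-azurecdn-akamai-iris.azureedge.net',
    'widgetcdn.azureedge.net', 'widgetservice.azurefd.net', 'fp-vs.azureedge.net',
    'ln-ring.msedge.net', 't-ring.msedge.net', 't-ring-fdv2.msedge.net',
    'tse1.mm.bing.net'
)

# Hosts documented above as deliberately left unblocked.
$ExcludedHosts = @('r.bing.com', 'www.bing.com')

# Assumption: an entry counts as "blocked" when it maps to one of these addresses.
$SinkAddresses = @('0.0.0.0', '127.0.0.1', '::', '::1')

function Get-HostsFileMap {
    # Returns a hashtable: lower-cased host name -> array of mapped addresses.
    param([AllowEmptyString()][string[]] $Lines)
    $map = @{}
    foreach ($line in $Lines) {
        # Drop comments, then skip blank or malformed lines.
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        # One line may carry several host names after the address.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $key = $name.TrimEnd('.').ToLowerInvariant()
            if (-not $map.ContainsKey($key)) { $map[$key] = @() }
            $map[$key] += $fields[0]
        }
    }
    return $map
}

function Test-HostsBlocking {
    # Emits one object per documented host with its expected and actual state.
    param([AllowEmptyString()][string[]] $Lines)
    $map = Get-HostsFileMap -Lines $Lines
    foreach ($name in ($BlockedHosts + $ExcludedHosts)) {
        $key = $name.ToLowerInvariant()   # host names compare case-insensitively
        $addresses = if ($map.ContainsKey($key)) { $map[$key] } else { @() }
        $isSunk = @($addresses | Where-Object { $SinkAddresses -contains $_ }).Count -gt 0
        [pscustomobject]@{
            HostName  = $name
            Expected  = if ($ExcludedHosts -contains $name) { 'not blocked' } else { 'blocked' }
            Actual    = if ($isSunk) { 'blocked' } else { 'not blocked' }
            Addresses = $addresses -join ', '
        }
    }
}

# Constructed sample hosts content (not taken from a real system).
$sample = @'
# Constructed sample
0.0.0.0 business.bing.com
0.0.0.0 c.bing.com th.bing.com      # two names on one line
0.0.0.0 i-ring.msedge.net           # lower-case form of a listed host
0.0.0.0 r.bing.com                  # excluded host blocked by some other tool
'@ -split "`r?`n"

# Show only the hosts whose state differs from the documented one.
Test-HostsBlocking -Lines $sample |
    Where-Object { $_.Expected -ne $_.Actual } |
    Format-Table -AutoSize

# To audit the live file instead of the sample:
# Test-HostsBlocking -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

A row for `r.bing.com` or `www.bing.com` with `Actual` set to `blocked` points to another tool or list having added the entry, which matches the breakage described for the excluded hosts.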
call:
-
function: BlockViaHostsFile
parameters:
domain: business.bing.com
-
function: BlockViaHostsFile
parameters:
domain: c.bing.com
-
function: BlockViaHostsFile
parameters:
domain: th.bing.com
-
function: BlockViaHostsFile
parameters:
domain: edgeassetservice.azureedge.net
-
function: BlockViaHostsFile
parameters:
domain: c-ring.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: fp.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: I-ring.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: s-ring.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: dual-s-ring.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: creativecdn.com
-
function: BlockViaHostsFile
parameters:
domain: a-ring-fallback.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: fp-afd-nocache-ccp.azureedge.net
-
function: BlockViaHostsFile
parameters:
domain: prod-azurecdn-akamai-iris.azureedge.net
-
function: BlockViaHostsFile
parameters:
domain: widgetcdn.azureedge.net
-
function: BlockViaHostsFile
parameters:
domain: widgetservice.azurefd.net
-
function: BlockViaHostsFile
parameters:
domain: fp-vs.azureedge.net
-
function: BlockViaHostsFile
parameters:
domain: ln-ring.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: t-ring.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: t-ring-fdv2.msedge.net
-
function: BlockViaHostsFile
parameters:
domain: tse1.mm.bing.net
-
name: Block Edge experimentation hosts
recommend: standard
docs: |-
This script blocks the connection between Microsoft Edge and the Experimentation and Configuration Service (ECS) [1].
ECS delivers various updates to Microsoft Edge, including configurations, feature rollouts, and experiments [1]:
- **Configurations** aim to ensure the product's health, security, and privacy compliance [1].
These settings are uniform for all users, based on their platforms and channels, and can enable or disable features
as necessary [1].
- **Controlled Feature Rollout (CFR)** gradually introduces a new feature to a portion of the user base [1].
- **Experiments** test new features and functionalities within Microsoft Edge that are still under development [1].
These features are not visible to all users and are activated or deactivated through experiment flags [1].
By blocking communication with ECS, this script prevents Microsoft Edge from receiving updates related to these payloads [1].
It enhances user privacy by limiting exposure to experimental features and configurations that may collect data or alter
the browsing experience without the user's explicit consent.
### Blocked Hosts
The blocked hosts are:
- `config.edge.skype.com` [2]
[1]: https://web.archive.org/web/20240219203636/https://learn.microsoft.com/en-us/deployedge/edge-configuration-and-experiments "Microsoft Edge configurations and experimentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217204251/https://www.michaelhorowitz.com/Windows10.spying.onsettings.php "Windows 10 spies on your use of System Settings | www.michaelhorowitz.com"
call:
function: BlockViaHostsFile
parameters:
domain: config.edge.skype.com
-
name: Block Photos app sync hosts
recommend: strict
docs: |-
This script blocks connections to hosts the Photos app uses to download configuration files and interact with the shared
infrastructure of the Office 365 portal, including browser-based Office applications [1] [2].
> **Caution**: This script may affect the Photos app's ability to download configuration files and connect to Office 365 [1] [2],
> potentially impacting its functionality.
### Blocked Hosts
The blocked hosts are:
- `evoke-windowsservices-tas.msedge.net` [1] [2]
[1]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
call:
function: BlockViaHostsFile
parameters:
domain: evoke-windowsservices-tas.msedge.net
-
name: Block OneNote Live Tile hosts
recommend: strict # refactor-with-variables: Same • live tiles
docs: |-
This script blocks the communication used by OneNote Live Tile [1].
It enhances privacy by preventing OneNote from retrieving live data updates [1], which might include user-specific content
or usage patterns.
**Live Tiles**, a feature within UWP apps, automatically collect and display updated information
directly on the Start menu, without opening the app [2].
The Live Tiles feature, once available on Windows 8.1 and 10 [3], has been replaced by the
**Widgets** feature in Windows 11 [4].
> **Caution**: This script could lead to broader implications beyond the Live Tile functionality.
> It may affect OneNote's overall performance and features, such as the ability to use stickers add-ins and access certain assets
> within the Office suite [5]. This could potentially hinder the user experience by limiting the functionality of OneNote's dynamic
> content and integrations.
### Blocked Hosts
The blocked hosts are:
- `cdn.onenote.net` [1]
[1]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com"
[4]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com"
[5]: https://web.archive.org/web/20240219212903/https://macadmins.software/docs/Network_Traffic.pdf "Microsoft Word - Network_Traffic.docx | macadmins.software"
call:
function: BlockViaHostsFile
parameters:
domain: cdn.onenote.net
-
name: Block Weather Live Tile hosts
recommend: strict # refactor-with-variables: Same • live tiles
docs: |-
This script blocks the communication used by the Weather app [1] [2] and its Live Tile feature [3].
**Live Tiles**, a feature within UWP apps, automatically collect and display updated information
directly on the Start menu, without opening the app [4].
The Live Tiles feature, once available on Windows 8.1 and 10 [5], has been replaced by the
**Widgets** feature in Windows 11 [6].
> **Caution:** This script breaks the Weather app [1] [2] and its tile [3].
### Blocked Hosts
The blocked hosts are:
- `tile-service.weather.microsoft.com` [1] [2]
[1]: https://web.archive.org/web/20240217185950/https://learn.microsoft.com/en-us/windows/privacy/windows-11-endpoints-non-enterprise-editions "Windows 11 connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240217185904/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints "Connection endpoints for Windows 11 Enterprise - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240219205201/https://learn.microsoft.com/en-us/windows/privacy/windows-endpoints-2004-non-enterprise-editions "Windows 10, version 2004, connection endpoints for non-Enterprise editions - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240502092842/https://learn.microsoft.com/en-us/archive/msdn-magazine/2017/april/uwp-apps-develop-hosted-web-apps-for-uwp#getting-started "UWP Apps - Develop Hosted Web Apps for UWP | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240502095239/https://answers.microsoft.com/en-us/windows/forum/all/live-tiles-what-are-they/71084023-f50b-4531-973d-3ba03d2c0d44 "Live Tiles, what are they? - Microsoft Community | answers.microsoft.com"
[6]: https://web.archive.org/web/20240502093116/https://www.microsoft.com/en-ca/windows/windows-11-specifications "Windows 11 Specs and System Requirements | Microsoft | www.microsoft.com"
call:
function: BlockViaHostsFile
parameters:
domain: tile-service.weather.microsoft.com
-
category: Privacy over security
children:
-
category: Disable Microsoft Defender
docs: |-
This category offers scripts to disable Windows security components known as *Microsoft Defender*.
Although designed to protect you, these features may compromise your privacy and decrease computer performance.
Privacy concerns include:
- Sending personal data to Microsoft for analysis [1] [2] [3].
- The labeling of efforts to block telemetry (data collection by Microsoft) as security threats [4] [5].
- The incorrect flagging of privacy-enhancing scripts from privacy.sexy as malicious software [6].
Turning off Microsoft Defender improves your computer's speed by freeing up system resources [7].
However, disabling these features could result in:
- Potential program malfunctions [8], as these security features are integral to Windows [9].
- Lowered defenses against malware and other online threats.
These scripts target only the Defender features built into Windows and do not impact other Defender services available
with Microsoft 365 subscriptions [10] [11].
> **Caution**:
> These scripts **may reduce your security** and **cause issues with software** relying on them.
> Consider alternative security solutions to maintain protection.
[1]: https://web.archive.org/web/20240409170914/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Cloud protection and Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240409170815/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide "Microsoft Defender for Endpoint data storage and privacy | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement "Microsoft Privacy Statement Microsoft privacy | privacy.microsoft.com"
[4]: https://web.archive.org/web/20240409170735/https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/ "Windows 10: HOSTS file blocking telemetry is now flagged as a risk | www.bleepingcomputer.com"
[5]: https://web.archive.org/web/20240409171701/https://www.zdnet.com/article/windows-10-telemetry-secrets/ "Windows 10 telemetry secrets: Where, when, and why Microsoft collects your data | ZDNET | www.zdnet.com"
[6]: https://web.archive.org/web/20240409171415/https://github.com/undergroundwires/privacy.sexy/issues/296#issuecomment-1858704482 "Recent Windows 11 Security Update marks \"privacy-script\" as Virus or unwanted Software [BUG]: · Issue #296 · undergroundwires/privacy.sexy · GitHub | github.com"
[7]: https://web.archive.org/web/20240409171447/https://support.microsoft.com/en-us/windows/turn-off-defender-antivirus-protection-in-windows-security-99e6004f-c54c-8509-773c-a4d776b77960 "Turn off Defender antivirus protection in Windows Security - Microsoft Support"
[8]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240409171217/https://borncity.com/win/2023/10/17/windows-10-11-microsoft-defender-can-no-longer-be-disabled/ "Windows 10/11: Microsoft Defender can no longer be disabled | Born's Tech and Windows World | borncity.com"
[10]: https://web.archive.org/web/20240409164749/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com"
[11]: https://web.archive.org/web/20240409171421/https://learn.microsoft.com/en-us/defender/ "Microsoft Defender products and services | Microsoft Learn"
# See defender status: Get-MpComputerStatus
children:
-
category: Disable Defender data collection
docs: |-
This category features scripts designed to reduce or eliminate data collection by Defender.
Disabling these features enhances privacy by limiting the information shared with Microsoft.
Although Microsoft Defender offers security benefits, it also collects data for analysis,
service improvement, and threat detection.
However, this data collection may raise privacy concerns for users.
The scripts in this category allow you to:
1. Minimize the data sent to Microsoft about your system and Defender usage.
2. Reduce potential exposure of your files and system information.
3. Limit Microsoft's ability to track your security-related activities.
Potential impacts of disabling data collection:
1. Reduce Microsoft's ability to detect new threats quickly
2. Limit the effectiveness of cloud-based protection features
3. Potentially impact Microsoft's ability to improve Defender based on real-world data
> **Caution**: This change enhances privacy but may reduce overall system security.
children:
-
category: Disable Defender Antivirus cloud protection
docs: |-
This category contains scripts that disable or limit Microsoft Defender's cloud-based protection features.
Microsoft Defender's cloud protection is also known as Microsoft MAPS (Microsoft Active Protection Service) [1] [2] [3]
or Microsoft SpyNet [2] [3].
It is an online community that helps detect and prevent the spread of malware [3].
These features automatically collect data and send it to Microsoft [3].
They leverage user data to identify potentially malicious programs, sharing details such as file information, IP address,
computer identification, and system/browser information [1] [3].
The collected data may include sensitive personal information [3].
The scripts in this category aim to:
1. Reduce the amount of data sent to Microsoft about your system and Defender usage.
2. Limit potential exposure of your files and system information.
3. Decrease Microsoft's ability to track your security-related activities.
Disabling these cloud protection features may:
- Enhance privacy by limiting data shared with Microsoft.
- Improve system performance by reducing background data collection and transmission.
- Increase control over what runs on your device.
However, it's important to note that these changes may also:
- Reduce Defender's ability to detect new or complex threats quickly.
- Limit the effectiveness of real-time protection updates.
- Impact Microsoft's ability to improve Defender based on real-world data.
These scripts are recommended for users who prioritize privacy over potential security benefits
from Microsoft's cloud-based analysis.
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240728212840/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj618314(v=ws.11) "Manage Privacy: Windows Defender and Resulting Internet Communication | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240728212907/https://learn.microsoft.com/en-us/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide "Turn on cloud protection in Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
children:
-
name: Disable Defender "Block at First Sight" feature
recommend: strict # Part of MAPS/SpyNet/Cloud Protection that sends personal data to Microsoft
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables the "Block at first sight" feature in Microsoft Defender Antivirus.
Block at first sight is a threat protection feature that quickly detects and blocks new malware [1].
When Microsoft Defender Antivirus encounters a suspicious file it can't identify, it consults its cloud protection backend [1].
The cloud backend uses heuristics, machine learning, and automated analysis to identify malicious files [1].
This back-end is part of **Cloud Protection** [1].
It is also known as **Microsoft Active Protection Service (MAPS)** [1] [2] [3] or **SpyNet** [2].
This feature is enabled by default [4], depending on other configurations [1] [2].
The feature is included in both **Defender Antivirus** and **Defender for Endpoint** [1].
Automatically sending files to Microsoft's cloud [1] [3] raises significant privacy concerns.
This script improves your privacy by preventing automatic file uploads to Microsoft.
It may also improve system performance by reducing background network activity.
However, disabling this feature may reduce your device and network protection levels [1] [3].
The Defense Information Systems Agency (DISA) recommends keeping this feature enabled for additional security [3].
This script configures the option by:
- Using the Defender CLI to set the `DisableBlockAtFirstSeen` preference [4].
- Configuring `HKLM\Software\Microsoft\Windows Defender\SpyNet!DisableBlockAtFirstSeen` to mimic the CLI.
Tests indicate that the CLI sets this registry key.
- Setting the registry key `HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet!DisableBlockAtFirstSeen`
to configure the group policy [2] [3].
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240728153741/https://learn.microsoft.com/en-us/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide "Enable block at first sight to detect malware in seconds - Microsoft Defender for Endpoint | Microsoft Learn"
[2]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240728160331/https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75163 "Windows Defender AV must be configured to check in real time with MAPS before content is run or accessed. | www.stigviewer.com"
[4]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableblockatfirstseen "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetMpPreference
parameters:
property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen
value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True
default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet
valueName: DisableBlockAtFirstSeen
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValueAsTrustedInstaller
# Without TrustedInstaller: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2)
parameters:
keyPath: HKLM\Software\Microsoft\Windows Defender\SpyNet
valueName: DisableBlockAtFirstSeen
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Defender "Extended Cloud Check" feature
recommend: strict # Part of MAPS/SpyNet/Cloud Protection that sends personal data to Microsoft
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables the extended cloud check feature in Microsoft Defender Antivirus by reducing its timeout.
The extended cloud check allows Defender to block a suspicious file for up to 60 seconds while it is
scanned in the cloud to verify its safety [1] [2].
This script reduces the extended cloud check timeout to 0, effectively disabling the feature.
This maintains the standard (default) time, which is 10 seconds [1] [2] [3].
This feature is part of **Microsoft Defender Antivirus** [1] [2].
It is part of Microsoft MAPS [1] [2], also known as SpyNet [4] or Microsoft Active Protection Service [4].
This feature sends your data, including personal information, to Microsoft [4].
Disabling this feature enhances privacy by limiting the amount of data sent to Microsoft's cloud for analysis.
It may also improve system performance by reducing the waiting time for cloud-based file analysis.
However, this change comes with a security trade-off.
Disabling the extended cloud check may reduce Defender's ability to detect and block new or complex malware
requiring thorough cloud-based analysis.
This script configures the settings by:
- Using the Defender CLI to set the `CloudExtendedTimeout` preference [3].
- Configuring `HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine!MpBafsExtendedTimeout` to mimic the CLI.
Tests show that the CLI sets this registry key.
- Setting the registry key `HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpBafsExtendedTimeout`
to configure the group policy [1].
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240728164134/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout "Configure extended cloud check | admx.help"
[2]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudextendedtimeout "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-cloudextendedtimeout "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetMpPreference
parameters:
property: CloudExtendedTimeout # Status: Get-MpPreference | Select-Object -Property CloudExtendedTimeout
value: "'0'" # Set: Set-MpPreference -Force -CloudExtendedTimeout '0'
default: $False # Default: 0 | Set-MpPreference -Force -CloudExtendedTimeout '0'
setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead of 1 (OS default) in Windows 11
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine
valueName: MpBafsExtendedTimeout
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine
valueName: MpBafsExtendedTimeout
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Defender aggressive cloud protection
recommend: strict # Part of MAPS/SpyNet/Cloud Protection that sends personal data to Microsoft
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables the aggressive cloud protection setting in Microsoft Defender Antivirus.
**Cloud protection** delivers faster protection to devices compared to traditional security intelligence updates [4].
It works on different aggressiveness levels in blocking and scanning suspicious files [1] [3].
This feature applies to both **Microsoft Defender Antivirus** [1] [2] [3] [4] and **Microsoft Defender for Endpoint** [4].
By default, the protection level is unconfigured [1] [3] [4].
This default state provides the least protection [4].
This script explicitly configures the setting to ensure aggressive options are disabled.
Disabling this feature:
- Enhances privacy by limiting *cloud protection*, which sends personal data to Microsoft [5].
- Increases user control over what runs on their device [4].
- May improve system performance by optimizing scan performance [4].
The script configures this setting by:
- Using the Defender CLI to set the `CloudBlockLevel` preference [2].
- Configuring `HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine!MpCloudBlockLevel` to mimic the CLI.
Tests show that the CLI sets this registry key.
- Setting the registry key `HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpCloudBlockLevel`
to configure the group policy [1].
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240728172058/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel "Select cloud protection level | admx.help"
[2]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-cloudblocklevel "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#cloudblocklevel "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240728172042/https://learn.microsoft.com/en-us/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus "Specify the cloud protection level for Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetMpPreference
parameters:
property: CloudBlockLevel # Status: Get-MpPreference | Select-Object -Property CloudBlockLevel
value: "'0'" # Set: Set-MpPreference -Force -CloudBlockLevel '0'
default: "'2'" # Default: 0 on Windows 10 Pro (≥ 22H2) | `2` on Windows 11 Pro (≥ 23H2) | Set-MpPreference -Force -CloudBlockLevel '2'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine
valueName: MpCloudBlockLevel
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine
valueName: MpCloudBlockLevel
dataType: REG_DWORD
data: "0" # Same value as the CLI call (`CloudBlockLevel '0'`), which this key mimics
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Defender cloud-based notifications
recommend: strict # Part of MAPS/SpyNet/Cloud Protection that sends personal data to Microsoft
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables notifications that can turn off security intelligence in Microsoft Defender.
This script prevents the antimalware service from receiving notifications to disable individual
security intelligence [1] [2] [3].
*Security intelligence* is updated information that helps antivirus software detect and protect against
the latest threats, working with cloud-based protection [4].
The *antimalware service*, also known as Microsoft Defender Antivirus, is essential to both Microsoft Defender
and Microsoft Defender for Endpoint [5].
By default, Microsoft uses these notifications to disable security intelligence that may cause false positives [1] [2] [3].
This functionality is provided by Microsoft MAPS (Microsoft Active Protection Service) [1] [2] [3].
MAPS was previously known as Microsoft SpyNet [3] and is now referred to as Cloud Protection [6].
It operates by collecting potentially sensitive personal data [6].
Disabling these notifications limits Cloud Protection functionality, which inherently shares data with Microsoft [6].
You also maintain more control over your system's security settings.
However, this may reduce the accuracy of threat detection, possibly leading to more false positives.
This script configures the following registry keys:
- `HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureDisableNotification` [1] [3]
- `HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates!SignatureDisableNotification` [2]
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_signaturedisablenotification "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240728184043/https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::signature_updates_signaturedisablenotification "Allow notifications to disable definitions based reports to Microsoft Active Protection Service (MAPS). | admx.help"
[3]: https://web.archive.org/web/20240728184102/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification "Allow notifications to disable security intelligence based reports to Microsoft MAPS | admx.help"
[4]: https://web.archive.org/web/20240728184605/https://www.microsoft.com/en-us/wdsi/defenderupdates "Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence | www.microsoft.com"
[5]: https://web.archive.org/web/20240728184012/https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows "Microsoft Defender Antivirus in Windows Overview - Microsoft Defender for Endpoint | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: SignatureDisableNotification
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates
valueName: SignatureDisableNotification
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Defender cloud protection
recommend: strict # Part of MAPS/SpyNet/Cloud Protection that sends personal data to Microsoft
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables Microsoft Defender's cloud protection.
Cloud protection is also known as Microsoft MAPS (Microsoft Active Protection Service) [1] [2].
It is an online community that helps users address potential threats and prevent new malicious software [1] [2] [3] [4].
Participation in the community is often called *SpyNet membership* [5] [6] or simply *membership* [1] [2] [3].
When Defender detects unclassified software or changes, it shows how other members responded to the alert [6].
Your participation helps Microsoft and others investigate potential threats [6].
Cloud protection automatically collects and sends information about software, user behavior,
and system data [1] [2] [7].
In some cases, it may transmit sensitive personal information to Microsoft [1] [2] [7].
This feature is off by default on most systems [1] [2] [3] [6] [7], but enabled on some editions, like
Windows on Azure.
Disabling cloud protection enhances privacy by preventing the automatic sharing of potentially sensitive data with Microsoft.
While DISA initially recommended disabling cloud protection [5], they later encouraged enabling it for additional security [8].
However, CIS continues to recommend deactivation in high-security settings for enhanced privacy [7].
This script prioritizes privacy by disabling the feature.
Disabling cloud protection may also improve system performance by reducing background data collection and transmission.
However, this may reduce protection against new threats by limiting Defender's access to community insights and
real-time updates.
This script configures the following settings:
- Using the Defender CLI to set the `MAPSReporting` preference [3] [4].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting`
to configure the Group Policy (GPO) setting [1] [2] [5] [6] [7].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!LocalSettingOverrideSpynetReporting`
to consistently apply the desired Group Policy (GPO) setting [7] [9].
- `HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SpynetReporting`:
This registry key is undocumented but present in recent versions of Windows.
Tests show that changing this value via the CLI also alters the registry value.
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#spynetreporting "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-mapsreporting "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#mapsreporting "MSFT_MpPreference - powershell.one | powershell.one"
[5]: https://web.archive.org/web/20240728200604/https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713 "Turn off Windows Defender SpyNet reporting. | www.stigviewer.com"
[6]: https://web.archive.org/web/20240728200732/https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting "Configure Microsoft SpyNet Reporting | admx.help"
[7]: https://web.archive.org/web/20240722105035/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_10_Enterprise_Release_21H1_Benchmark_v1_11_0.pdf "18.9.45.3.2 | CIS Microsoft Windows 10 Enterprise (Release 21H1 or older) Benchmark | paper.bobylive.com"
[8]: https://web.archive.org/web/20240728201806/https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75167 "Windows Defender AV must be configured to join Microsoft MAPS. | www.stigviewer.com"
[9]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#spynet_localsettingoverridespynetreporting "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
# 0: Disabled, 1: Basic, 2: Advanced (default)
-
function: SetMpPreference
parameters:
property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting
value: "'0'" # Set: Set-MpPreference -Force -MAPSReporting 0
# Default value `2` is observed on Azure VMs (URN: MicrosoftWindowsDesktop:*)
default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2
-
function: SetRegistryValueAsTrustedInstaller
# Without TrustedInstaller: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2)
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet
valueName: SpyNetReporting
dataType: REG_DWORD
data: "0"
# Default value `2` is observed on Azure VMs (URN: MicrosoftWindowsDesktop:*)
dataOnRevert: "2" # Default value: `2` on Windows 10 Pro (≥ 22H2) | `2` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
valueName: LocalSettingOverrideSpynetReporting
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
valueName: SpynetReporting
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Defender automatic file submission to Microsoft
recommend: strict # Part of MAPS/SpyNet/Cloud Protection that sends personal data to Microsoft
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables Defender's automatic submission of file samples to Microsoft for analysis.
By default, Defender automatically sends 'safe' file samples to Microsoft for analysis [1] [2].
This action is part of Microsoft Active Protection Service (MAPS) [1] [2].
Previously, this service was known as Microsoft SpyNet [1] [2].
It is now referred to as **cloud protection** [3].
This automatic collection and submission can include your personal information [3].
This script sets the sample submission setting to "Never send" (value `2`), preventing any automatic
file submissions [1] [2] [4] [5].
This enhances privacy by stopping the automatic sharing of potentially sensitive file data with Microsoft.
It also improves system performance by reducing background data transfers.
However, this change may reduce Defender's ability to detect new threats, as it relies
on sample submissions to improve its detection capabilities.
The Defense Information Systems Agency (DISA) recommends against disabling sample submission [3].
This script configures the following settings:
- Using the Defender CLI to set the `SubmitSamplesConsent` preference [3] [4].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent`
to configure the Group Policy (GPO) setting [1] [2].
- `HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent`:
This registry key is undocumented but present in recent versions of Windows.
Tests show that changing this value via the CLI also alters the registry value.
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#submitsamplesconsent "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240728192845/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent "Send file samples when further analysis is required"
[3]: https://web.archive.org/web/20240728193037/https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75207 "Windows Defender AV must be configured to only send safe samples for MAPS telemetry. | stigviewer.com"
[4]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-submitsamplesconsent "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent "MSFT_MpPreference - powershell.one | powershell.one"
[6]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
# 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically'
-
function: SetMpPreference
parameters:
property: SubmitSamplesConsent # Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent
value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2
default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1
setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead of 1 (OS default) in Windows 11
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
valueName: SubmitSamplesConsent
dataType: REG_DWORD
data: "2"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValueAsTrustedInstaller
# Without TrustedInstaller: ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2)
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet
valueName: SubmitSamplesConsent
dataType: REG_DWORD
data: "2"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
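# Added example (not part of privacy.sexy): a read-only PowerShell audit of the values that the
# cloud protection, aggressive cloud protection and automatic file submission scripts above set.
# Expected values are copied from those scripts; function and variable names are illustrative.

```powershell
# Read-only audit: compares the current Defender cloud settings with the values
# set by the scripts above. Nothing is modified.

# Registry values and the data each script writes (policy keys first).
$registryChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'; Name = 'MpCloudBlockLevel'; Expected = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SpynetReporting'; Expected = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'LocalSettingOverrideSpynetReporting'; Expected = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SubmitSamplesConsent'; Expected = 2 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet'; Name = 'SpyNetReporting'; Expected = 0 }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet'; Name = 'SubmitSamplesConsent'; Expected = 2 }
)

# Get-MpPreference properties and the values the SetMpPreference calls apply.
$preferenceChecks = @(
    @{ Name = 'CloudBlockLevel'; Expected = 0 }
    @{ Name = 'MAPSReporting'; Expected = 0 }
    @{ Name = 'SubmitSamplesConsent'; Expected = 2 }
)

function Get-RegistryValueOrNull {
    # Returns $null when the key or the value does not exist.
    # The policy values are missing by default, so this is the normal
    # state on a system where the scripts were never run or were reverted.
    param([string] $Key, [string] $Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-AuditRow {
    param([string] $Source, [string] $Setting, [int] $Expected, $Actual)
    [pscustomobject]@{
        Source   = $Source
        Setting  = $Setting
        Expected = $Expected
        Actual   = if ($null -eq $Actual) { '(missing)' } else { $Actual }
        Matches  = ($null -ne $Actual) -and ([int]$Actual -eq $Expected)
    }
}

$rows = @(foreach ($check in $registryChecks) {
    $actual = Get-RegistryValueOrNull -Key $check.Key -Name $check.Name
    New-AuditRow -Source 'Registry' -Setting "$($check.Key)!$($check.Name)" `
        -Expected $check.Expected -Actual $actual
})

# Get-MpPreference fails when the Defender module or service is unavailable;
# report that instead of treating every preference as a mismatch.
try {
    $preferences = Get-MpPreference -ErrorAction Stop
} catch {
    Write-Warning "Get-MpPreference failed: $($_.Exception.Message)"
    $preferences = $null
}

if ($null -ne $preferences) {
    $rows += @(foreach ($check in $preferenceChecks) {
        New-AuditRow -Source 'Get-MpPreference' -Setting $check.Name `
            -Expected $check.Expected -Actual $preferences.($check.Name)
    })
}

$rows | Format-Table -AutoSize -Wrap

# Summary line: how many settings differ from what the scripts configure.
$mismatches = @($rows | Where-Object { -not $_.Matches })
"{0} of {1} settings differ from the values set by the scripts." -f $mismatches.Count, $rows.Count
```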
-
name: Disable Defender real-time security intelligence updates
recommend: strict # Part of MAPS/SpyNet/Cloud Protection that sends personal data to Microsoft
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables the real-time security intelligence updates in Defender.
Real-time security intelligence updates are part of Microsoft Active Protection Service (MAPS) [1] [2].
MAPS is also known as Microsoft SpyNet or cloud protection [3].
This service collects and sends personal data and other information to Microsoft [3].
When enabled, if Defender encounters an unknown file and MAPS has new intelligence on a threat involving that file,
it immediately receives the latest security updates [1] [2].
By default, these updates are enabled [1] [2].
This script disables them.
Disabling this feature may enhance your privacy by reducing data sent to Microsoft.
It may also slightly improve system performance by reducing background network activity and processing.
However, this change may reduce your system's security by delaying the receipt of new threat
information.
Defender will still receive regular updates, but not in real-time.
This script configures the
`HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!RealtimeSignatureDelivery` registry key [1] [2].
> **Caution**: This change enhances privacy but may reduce overall system security.
[1]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#signatureupdate_realtimesignaturedelivery "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240728205238/https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::signature_updates_realtimesignaturedelivery "Allow real-time definition updates based on reports to Microsoft Active Protection Service (MAPS) | admx.help"
[3]: https://web.archive.org/web/20240314122554/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowcloudprotection "Defender Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: RealtimeSignatureDelivery
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Malicious Software Reporting Tool" diagnostic data
recommend: strict # Does not contribute to security
docs: |- # refactor-with-variables: Same • Security/Privacy Trade-off Caution
This script disables the diagnostic data sent by Microsoft's Malicious Software Removal Tool (MSRT) [1].
Starting from its version 5.39 in August 2016, MSRT was observed to transmit a "Heartbeat Report" to Microsoft
every time it operated [2].
This happens even when the Customer Experience Improvement Program (CEIP) is turned off, and even if
"DiagTrack" is not installed on the computer [2].
Such a report can be confirmed by viewing the MRT log located at `%windir%\debug\mrt.log` [2].
This script configures the `HKLM\SOFTWARE\Policies\Microsoft\MRT!DontReportInfectionInformation` registry key
to halt this data sharing with Microsoft [1] [2].
[1]: https://web.archive.org/web/20231009135123/https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection "Disable Malicious Software Reporting tool diagnostic data | admx.help"
[2]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody | www.askwoody.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT
valueName: DontReportInfectionInformation
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Defender Watson event reporting
recommend: strict # Does not contribute to security
docs: |-
This script prevents Microsoft Defender from sending Watson events to Microsoft.
Watson events are reports that are automatically sent to Microsoft when a program or service crashes or fails [1].
By default, these reports are sent automatically [1] [2] [3].
Disabling Watson events enhances privacy by preventing the automatic submission
of potentially sensitive information about system crashes and failures [1].
This practice is recommended by the Center for Internet Security (CIS) for additional privacy
and security [1].
After running this script, Microsoft will no longer receive automatic Watson event reports [1] [2] [3].
This change improves privacy but may limit Microsoft's ability to diagnose and fix system issues.
This script modifies the following registry keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting!DisableGenericRePorts` [1] [2] [3]
- `HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Reporting!DisableGenericRePorts` [4]
[1]: https://web.archive.org/web/20240722105035/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_10_Enterprise_Release_21H1_Benchmark_v1_11_0.pdf "18.9.45.10.1 | CIS Microsoft Windows 10 Enterprise (Release 21H1 or older) Benchmark | paper.bobylive.com"
[2]: https://web.archive.org/web/20240728211352/https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports "Configure Watson events | admx.help"
[3]: https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#reporting_disablegenericreports "ADMX_MicrosoftDefenderAntivirus Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240610133846/https://support.microsoft.com/en-us/topic/february-2015-anti-malware-platform-update-for-endpoint-protection-clients-937df5f6-cf2c-9fe0-507b-40137cbecf88 "February 2015 anti-malware platform update for Endpoint Protection clients - Microsoft Support | support.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
valueName: DisableGenericRePorts
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Reporting
valueName: DisableGenericRePorts
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Microsoft Defender firewall
docs: |-
This category provides scripts to disable the Microsoft Defender Firewall.
This firewall serves as a security gate for your computer.
It controls network traffic to and from a computer [1] [2] [3] [4] [5].
It blocks all incoming traffic by default and allows outgoing traffic [1].
It enables users to block connections [1] [3] [5] [6] [7].
For enhanced security, users can require a VPN for all connections with IPSec rules [1] [3] [7].
This can protect your computer from unauthorized access [1] [4] [6] [8].
Microsoft has renamed the firewall several times to reflect branding changes:
1. **Internet Connection Firewall** initially [3].
2. **Windows Firewall** with the release of Windows XP Service Pack 2 [3].
3. **Windows Defender Firewall** starting with Windows 10 build 1709 (September 2017) [4] [5].
4. **Microsoft Defender Firewall** from Windows 10 version 2004 onwards [5] [6].
5. **Windows Firewall** again in 2023 [9].
Considerations:
- Malware or unauthorized users can bypass it if they gain direct access to the computer [10].
- Default firewall settings often provide limited security unless properly configured [10].
This is the case for most users.
- The firewall is enabled by default [1] [2] [4] [5].
It still operates in the background when turned off [7].
This can compromise privacy.
- Firewall logs detail user behavior [11].
They fall under [Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement).
This allows Microsoft to access and analyze these logs to study your behavior.
Turning off this firewall may optimize system performance by reducing background tasks [7].
It enhances privacy by preventing the collection of firewall logs [11].
However, this could increase security risks by exposing your system to more threats [1] [4] [6] [8].
> **Caution**:
> Turning off the Microsoft Defender Firewall **may reduce your security**.
> Consider an alternative security solution to maintain protection.
[1]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240408093812/https://support.microsoft.com/en-us/topic/getting-started-with-microsoft-defender-9df0cb0f-4866-4433-9cbc-f83e5cf77693 "Getting started with Microsoft Defender - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20041020065757/http://support.microsoft.com/kb/875357 "Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 | support.microsoft.com"
[4]: https://web.archive.org/web/20240408093959/https://microsoft.fandom.com/wiki/Windows_Firewall "Windows Firewall | Microsoft Wiki | Fandom | microsoft.fandom.com"
[5]: https://web.archive.org/web/20240408094033/https://www.tenforums.com/tutorials/70699-how-turn-off-microsoft-defender-firewall-windows-10-a.html "How to Turn On or Off Microsoft Defender Firewall in Windows 10 | Tutorials | www.tenforums.com"
[6]: https://web.archive.org/web/20240408094038/https://support.microsoft.com/en-us/windows/turn-microsoft-defender-firewall-on-or-off-ec0844f7-aebd-0583-67fe-601ecf5d774f "Turn Microsoft Defender Firewall on or off - Microsoft Support | support.microsoft.com"
[7]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20240408094004/https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-defender-firewall-windows "Enable Windows Defender Firewall | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240408093851/https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#microsoft-defender-firewall-profiles-are-renamed-to-windows-firewall "What's new in Microsoft Intune | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240408101037/https://softwareg.com.au/blogs/internet-security/what-is-a-major-weakness-with-a-network-host-based-firewall "What Is A Major Weakness With A Network Host-Based Firewall | softwareg.com.au"
[11]: https://web.archive.org/web/20240409085528/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune "Configure Windows Firewall logging - Windows Security | Microsoft Learn | learn.microsoft.com"
children:
-
category: Disable Microsoft Defender Firewall services and drivers
docs: |-
This section contains scripts to disable the essential services and drivers of Microsoft Defender Firewall.
Microsoft Defender Firewall uses services and drivers to operate.
Services run background tasks, while drivers help hardware and software communicate.
Even with the firewall disabled in settings, its services and drivers continue running [1],
potentially monitoring network traffic and consuming resources.
These scripts directly disable these components, bypassing standard Windows settings and their limitations.
Disabling these firewall services and drivers can enhance privacy by preventing potential network traffic monitoring by Microsoft.
Additionally, it may improve system performance by freeing up system resources otherwise consumed by these components.
However, this can pose security risks and disrupt other software.
Microsoft Defender Firewall blocks unauthorized network access to protect against malicious attacks [2].
Disabling it can leave your system vulnerable to such threats.
Additionally, this could affect software relying on the firewall [1].
> **Caution**: These scripts **may reduce your security** and **cause issues with software** relying on the firewall [1].
[1]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com"
children:
-
name: >-
Disable "Windows Defender Firewall Authorization Driver" service
(breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL)
docs: |- # refactor-with-variables: Same • Firewall Service Caution
This script disables the **Windows Defender Firewall Authorization Driver** service.
This service is a kernel mode driver crucial for inspecting network traffic entering and exiting your computer [1] [2].
Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic.
It also improves system performance by decreasing background resource consumption.
The driver is identified by the file `mpsdrv.sys` [1] [2] [3].
This file is a component of **Microsoft Protection Service** [3].
This service encompasses the **Windows Defender Firewall** (`mpssvc`) [4] [5].
Disabling this driver disables **Windows Defender Firewall** [1] [2].
This action can significantly increase security risks [6].
Restart your computer after running this script to ensure all changes take effect [7].
> **Caution**: Disabling this service causes problems with software that depends on it [8] such as:
> - Prevents **Microsoft Store** app downloads [9] [10], impacting **winget** CLI functionality [11].
> - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [8].
> - Disables **Windows Sandbox** [7] [12], an isolated environment for safely running applications [13].
> - Disables **Docker** [14], a platform for developing and running applications in isolated environments [15].
> - Disables **Windows Subsystem for Linux (WSL)** [14], which lets Linux programs run directly on Windows [16].
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Manual |
| Windows 11 (≥ 23H2) | 🟢 Running | Manual |
[1]: https://web.archive.org/web/20240314091039/https://batcmd.com/windows/10/services/mpsdrv/ "Windows Defender Firewall Authorization Driver - Windows 10 Service - batcmd.com | batcmd.com"
[2]: https://web.archive.org/web/20240406223537/https://revertservice.com/10/mpsdrv/ "Windows Defender Firewall Authorization Driver (mpsdrv) Service Defaults in Windows 10 | revertservice.com"
[3]: https://web.archive.org/web/20240406223542/https://www.file.net/process/mpsdrv.sys.html "mpsdrv.sys Windows process - What is it? | www.file.net"
[4]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io"
[5]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com"
[6]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com"
[7]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy"
[8]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy"
[10]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? Walker News | www.walkernews.net"
[11]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com"
[12]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy"
[13]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com"
[14]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy"
[15]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com"
[16]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com"
[17]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com"
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: mpsdrv # Check: (Get-Service -Name 'mpsdrv').StartType
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\mpsdrv.sys'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
function: ShowComputerRestartSuggestion
-
name: >-
Disable "Windows Defender Firewall" service
(breaks Microsoft Store, `netsh advfirewall`, winget, Windows Sandbox, Docker, WSL)
docs: |- # refactor-with-variables: Same • Firewall Service Caution
This script disables the **Windows Defender Firewall** service (identified as `MpsSvc` [1] [2] [3] [4]).
This component acts as a gatekeeper for your computer, filtering incoming and outgoing network traffic based on
established security rules [1] [5] to prevent unauthorized access [3] [4].
This service runs the firewall component of Windows [4].
It starts automatically [3] and runs the `%WINDIR%\System32\MPSSVC.dll` driver [3].
This file is also referred to as **Microsoft Protection Service** [6].
Beyond firewall functionality, it plays an important role in **Windows Service Hardening** to protect Windows services
[7] [8]. It also enforces **network isolation** in virtualized environments [7] [9].
Disabling this service can enhance privacy by reducing Microsoft's capability to monitor and analyze your network traffic.
It also improves system performance by decreasing background resource consumption.
However, it may expose the system to substantial security threats [10].
This risk is partly mitigated by boot-time filters that are triggered to protect the computer during startup or when the
firewall service stops unexpectedly [2].
Restart your computer after running this script to ensure all changes take effect [11].
> **Caution**: Disabling this service causes problems with software that depends on it [12] such as:
> - Prevents **Microsoft Store** app downloads (error code `0x80073D0A` [7] [13]), impacting **winget** CLI functionality [14].
> - Disables **`netsh advfirewall`** commands, used for Windows Firewall management [15].
> - Disables **Windows Sandbox** [11] [16], an isolated environment for safely running applications [17].
> - Disables **Docker** [18], a platform for developing and running applications in isolated environments [19].
> - Disables **Windows Subsystem for Linux (WSL)** [18], which lets Linux programs run directly on Windows [20].
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
| Windows 11 (≥ 23H2) | 🟢 Running | Automatic |
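To confirm whether the firewall stack is still in its default state, the following read-only audit compares the service start types with the defaults in the tables on this page and reads the `EnableFirewall` values that the "Disable Firewall via registry" script sets. It is an added example, not part of privacy.sexy; the `Start` value mapping (0 to 4) is the standard Windows service convention, and the report property names are illustrative.

```powershell
# Added example, not part of privacy.sexy. Read-only: it changes nothing.
# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Expected start types from the "default service statuses" tables on this page.
# BFE has no table here, so no expectation is recorded for it.
$expectedStart = @{ mpsdrv = 'Manual'; MpsSvc = 'Automatic' }

$serviceReport = foreach ($name in 'mpsdrv', 'BFE', 'MpsSvc') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue).Start
    $service = Get-Service -Name $name -ErrorAction SilentlyContinue
    $startName = if ($null -eq $start) {
        'Missing'
    } elseif ($startTypes.ContainsKey([int]$start)) {
        $startTypes[[int]$start]
    } else {
        "Unknown ($start)"
    }
    $expected = $expectedStart[$name]
    [pscustomobject]@{
        Service  = $name
        Start    = $startName
        Expected = if ($expected) { $expected } else { 'n/a' }
        Running  = [bool]($service -and ($service.Status -eq 'Running'))
        Deviates = [bool]($expected -and ($startName -ne $expected))
    }
}

# Policy and local firewall profile keys used by the registry script on this page.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
)
$profileNames = 'StandardProfile', 'PublicProfile', 'PrivateProfile', 'DomainProfile'

$profileReport = foreach ($root in $roots) {
    foreach ($profileName in $profileNames) {
        $key = "$root\$profileName"
        $value = (Get-ItemProperty -Path $key -Name 'EnableFirewall' -ErrorAction SilentlyContinue).EnableFirewall
        [pscustomobject]@{
            Key            = $key
            EnableFirewall = if ($null -eq $value) { 'Missing' } else { $value }
            TurnedOff      = ($value -eq 0)  # A missing value is not counted as turned off
        }
    }
}

$serviceReport | Format-Table -AutoSize
$profileReport | Format-Table -AutoSize

if (($serviceReport | Where-Object Deviates) -or ($profileReport | Where-Object TurnedOff)) {
    Write-Warning 'Firewall services or profiles deviate from the defaults listed on this page.'
}
```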
[1]: https://web.archive.org/web/20231206185904/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd349801%28v=ws.10%29 "Windows Firewall Service | learn.microsoft.com"
[2]: https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx "Stopping the Windows Authenticating Firewall Service and the boot time policy - Microsoft Enterprise Networking Team - Site Home - TechNet Blogs | blogs.technet.com"
[3]: https://web.archive.org/web/20231122132143/https://batcmd.com/windows/10/services/mpssvc/ "Windows Defender Firewall - Windows 10 Service - batcmd.com | batcmd.com"
[4]: https://web.archive.org/web/20240406233529/https://en.wikipedia.org/wiki/Windows_Firewall "Windows Firewall - Wikipedia | wikipedia.org"
[5]: https://web.archive.org/web/20240406233704/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/ "Windows Firewall overview - Windows Security | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20231122132150/https://strontic.github.io/xcyclopedia/library/MPSSVC.dll-AA441F7C99AAACBA2538E90D7693637A.html "MPSSVC.dll | Microsoft Protection Service | STRONTIC | strontic.github.io"
[7]: https://web.archive.org/web/20200620033533/https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/ "How To Fix Windows Store App Update Error Code 0x80073D0A? Walker News | www.walkernews.net"
[8]: https://web.archive.org/web/20240406232832/https://techcommunity.microsoft.com/t5/ask-the-performance-team/ws2008-windows-service-hardening/ba-p/372702 "WS2008: Windows Service Hardening - Microsoft Community Hub | techcommunity.microsoft."
[9]: https://web.archive.org/web/20240406232844/https://learn.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-isolation-security "Network isolation and security | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx "Basic Firewall Policy Design | technet.microsoft.com"
[11]: https://web.archive.org/web/20240526095128/https://github.com/undergroundwires/privacy.sexy/issues/364 "[BUG]: FYI : Disable \"Windows Defender Firewall\" service also break Windows Sandbox. · Issue #364 · undergroundwires/privacy.sexy"
[12]: https://web.archive.org/web/20240326143148/https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell#disable-windows-firewall "Manage Windows Firewall with the command line - Windows Security | Microsoft Learn | learn.microsoft.com"
[13]: https://web.archive.org/web/20240406224105/https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791 "[BUG][help wanted]: Cannot enable Windows Defender · Issue #104 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy"
[14]: https://web.archive.org/web/20240406223635/https://github.com/undergroundwires/privacy.sexy/issues/142 "[BUG]: \"Standard\" profile limits Winget CLI Functionality · Issue #142 · undergroundwires/privacy.sexy · GitHub | github.com"
[15]: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior "Use netsh advfirewall firewall context - Windows Server | Microsoft Learn | learn.microsoft.com"
[16]: https://web.archive.org/web/20240526095212/https://github.com/undergroundwires/privacy.sexy/issues/115 "[BUG]: I broke my Windows Sandbox and I'd like it back · Issue #115 · undergroundwires/privacy.sexy"
[17]: https://web.archive.org/web/20240526110752/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview "Windows Sandbox - Windows Security | Microsoft Learn | learn.microsoft.com"
[18]: https://web.archive.org/web/20240526095244/https://github.com/undergroundwires/privacy.sexy/issues/152 "[BUG]: Docker / wsl2 fails to start after using script · Issue #152 · undergroundwires/privacy.sexy"
[19]: https://web.archive.org/web/20240526110733/https://docs.docker.com/get-started/overview/ "Docker overview | Docker Docs | docs.docker.com"
[20]: https://web.archive.org/web/20240526110720/https://learn.microsoft.com/en-us/windows/wsl/about "What is Windows Subsystem for Linux | Microsoft Learn | learn.microsoft.com"
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: MpsSvc # Check: (Get-Service -Name 'MpsSvc').StartType
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\mpssvc.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
function: ShowComputerRestartSuggestion
-
name: Disable firewall via command-line utility
# ❗️ Following must be enabled and in running state:
# - mpsdrv ("Windows Defender Firewall Authorization Driver")
# - bfe (Base Filtering Engine)
# - mpssvc ("Windows Defender Firewall")
# If the dependent services are not running, the script fails with:
# "An error occurred while attempting to contact the "Windows Defender Firewall" service. Make sure that the service is running and try your request again."
# Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc
docs: https://web.archive.org/web/20240314125017/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
call:
function: RunPowerShell
parameters:
code: |-
if(!(Get-Command 'netsh' -ErrorAction Ignore)) {
throw '"netsh" does not exist, is system installed correctly?'
}
$message=netsh advfirewall set allprofiles state off 2>&1
if($?) {
Write-Host "Successfully disabled firewall."
} else {
if($message -like '*Firewall service*') {
Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'
} else {
throw "Cannot disable: $message"
}
}
revertCode: |-
if(!(Get-Command 'netsh' -ErrorAction Ignore)) {
throw '"netsh" does not exist, is system installed correctly?'
}
$message=netsh advfirewall set allprofiles state on 2>&1
if($?) {
Write-Host "Successfully enabled firewall."
} else {
if($message -like '*Firewall service*') {
Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'
} else {
throw "Cannot enable: $message"
}
}
-
name: Disable Firewall via registry # Lower-level, good in case command-line utility is not available/functioning
docs:
- https://web.archive.org/web/20240314124804/https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile
valueName: EnableFirewall
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Firewall & network protection" section in "Windows Security"
docs: |-
This script hides the "Firewall & network protection" section in the "Windows Security" interface. Previously, this interface was
called "Windows Defender Security Center" [1].
The "Firewall & network protection" section provides details about the device's firewalls and network connections [2]. It shows the status
of both the Windows Defender Firewall and any other third-party firewalls [2]. However, after using this script, users will no longer see
this section in the "Windows Security" interface [3].
This script sets the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection!UILockdown` registry
key to hide the Firewall and network protection area [3].
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
[2]: https://web.archive.org/web/20231013154106/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection "Firewall and network protection in Windows Security - Windows Security | Microsoft Learn"
[3]: https://web.archive.org/web/20231013154312/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disablenetworkui "WindowsDefenderSecurityCenter Policy CSP - Windows Client Management | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection
valueName: UILockdown
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903
docs:
- https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
valueName: DisableAntiSpyware
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender features
# Status: Get-MpPreference
children:
-
name: Disable Potentially Unwanted Application (PUA) feature # Already disabled as default
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147
- https://web.archive.org/web/20240314124740/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide
- https://web.archive.org/web/20160410000519/https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/
- https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
call:
-
function: SetMpPreference
parameters:
# 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode'
property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection
value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0
default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0
-
function: SetRegistryValue # For legacy versions: Windows 10 v1809 and Windows Server 2019
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine
valueName: MpEnablePus
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue # For newer Windows versions
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender
valueName: PUAProtection
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Tamper Protection
docs: |-
This script disables Tamper Protection in Microsoft Defender Antivirus.
Tamper Protection is a security feature that blocks unauthorized changes to key Microsoft Defender Antivirus settings [1] [2].
These settings include real-time protection [1] [2], behavior monitoring [2], and cloud-delivered protection [1].
By default, Tamper Protection is enabled [1].
It is available in all editions of Windows since Windows 10, version 1903 [3].
Disabling Tamper Protection may increase privacy and control over your system by allowing you to:
- Change protected Microsoft Defender Antivirus settings to enhance privacy [1] [3]
- Disable Microsoft Defender Antivirus entirely [1] [3] to increase privacy
- Improve system performance by adjusting or disabling certain security features
However, turning off Tamper Protection may reduce your system's security by:
- Making your device more vulnerable to malware that attempts to disable security features
- Allowing potentially harmful changes to important security settings
With Tamper Protection enabled, users can modify protected settings through the Windows Security app [1].
Disabling Tamper Protection allows changes through scripts and third-party apps such as privacy.sexy [1].
### Technical Details
This script modifies the following registry keys:
- `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtection` [4] [5] [6].
- `HKLM\SOFTWARE\Microsoft\Windows Defender\Features!TamperProtectionSource` [7]
These keys interact with the `MpClient.dll` library within Microsoft Defender Antivirus [8].
The script sets values to replicate changes made through the Windows Security interface [5].
Tests reveal the following values for various Windows versions:
| Key | Operating System | Default | After toggling ON | After toggling OFF |
| --- | ------- | ------- | -------------------- | --------------------- |
| `TamperProtection` | Windows 10 Pro (>= 22H2) | 1 | 5 [4] [6] | 4 [4] [6] [7] |
| `TamperProtection` | Windows 11 Pro (>= 23H2) | 1 | 5 [4] [5] | 4 [4] [5] |
| `TamperProtectionSource` | Windows 10 Pro (>= 22H2) | No value | No value | No value (Or 2 [7]) |
| `TamperProtectionSource` | Windows 11 Pro (>= 23H2) | 5 | 2 | 2 |
`TamperProtectionSource` value `2` means that the tamper protection is based on signatures.
Other recorded values in various installations include `ATP` [9], `Service Init` [10], `Intune` [11],
and `E5 transition` [12].
However, these values lack official public documentation [13].
To check the current Tamper Protection source, use this command:
```batchfile
wmic /namespace:\\root\microsoft\windows\defender path MSFT_MpComputerStatus get /format:list | findstr "TamperProtectionSource"
```
Or this PowerShell command:
```ps1
Get-MpComputerStatus | Select-Object -ExpandProperty TamperProtectionSource
```
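To audit the state described in the table above, the following read-only check interprets the `TamperProtection` registry value and compares it with what Microsoft Defender itself reports. It is an added example, not part of privacy.sexy; treating values `1` and `5` as "active" and `4` as "inactive" is an assumption derived from the table, and the report property names are illustrative.

```powershell
# Added example, not part of privacy.sexy. Read-only: it changes nothing.
$featuresKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

# Meanings taken from the table on this page; any other value is reported as unknown.
$knownValues = @{
    1 = 'Default'
    5 = 'Toggled ON in Windows Security'
    4 = 'Toggled OFF in Windows Security'
}

$features = Get-ItemProperty -Path $featuresKey -ErrorAction SilentlyContinue
$raw = $features.TamperProtection
$rawSource = $features.TamperProtectionSource

$meaning = if ($null -eq $raw) {
    'Value missing'
} elseif ($knownValues.ContainsKey([int]$raw)) {
    $knownValues[[int]$raw]
} else {
    "Unknown ($raw)"
}

# Assumption: 1 and 5 correspond to active Tamper Protection, 4 to inactive.
$registrySaysOn = if ($null -eq $raw) {
    $null
} elseif ($raw -in 1, 5) {
    $true
} elseif ($raw -eq 4) {
    $false
} else {
    $null
}

# Ask Defender for its own view, if the Defender module is available.
$status = $null
if (Get-Command 'Get-MpComputerStatus' -ErrorAction Ignore) {
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
}

$report = [pscustomobject]@{
    RegistryValue     = if ($null -eq $raw) { 'No value' } else { $raw }
    RegistryMeaning   = $meaning
    RegistrySource    = if ($null -eq $rawSource) { 'No value' } else { $rawSource }
    ReportedProtected = if ($status) { $status.IsTamperProtected } else { 'Unavailable' }
    ReportedSource    = if ($status) { $status.TamperProtectionSource } else { 'Unavailable' }
}
$report | Format-List

# A mismatch means the registry value alone does not describe the effective state.
if ($status -and ($null -ne $registrySaysOn) -and ($registrySaysOn -ne $status.IsTamperProtected)) {
    Write-Warning 'Registry value and Defender-reported Tamper Protection state disagree.'
}
```

A disagreement between the two views is worth investigating, since the registry value can be changed without the effective protection state following it.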
[1]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support"
[2]: https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configurationtamperprotection "Defender CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240314125156/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware "DisableAntiSpyware | Microsoft Learn"
[4]: https://web.archive.org/web/20240725101722/https://www.alteredsecurity.com/post/disabling-tamper-protection-and-other-defender-mde-components?ref=news.risky.biz "Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components | www.alteredsecurity.com"
[5]: https://web.archive.org/web/20240523053136/https://www.elevenforum.com/t/turn-on-or-off-tamper-protection-for-microsoft-defender-antivirus-in-windows-11.3973/ "Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[6]: https://web.archive.org/web/20240725111337/https://www.ghacks.net/2019/10/14/microsoft-enables-tamper-protection-on-windows-10-for-all-home-users/ "Microsoft enables Tamper Protection on Windows 10 for all Home users - gHacks Tech News | ghacks.net"
[7]: https://web.archive.org/web/20240725111606/https://wirediver.com/disable-windows-defender-in-powershell/ "Disable Windows Defender in powershell - a script to finally get rid of itWireDiver | wirediver.com"
[8]: https://github.com/privacysexy-forks/10_0_22623_1020/blob/0225ce2c6d74641e63613c0a57c5c6ebea2df4d8/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings#L4520-L4521 "10_0_22623_1020/C/Windows/WinSxS/wow64_windows-defender-service_31bf3856ad364e35_10.0.22621.1_none_319098d47eeb862c/MpClient.dll.strings at 0225ce2c6d74641e63613c0a57c5c6ebea2df4d8 · privacysexy-forks/10_0_22623_1020 | github.com"
[9]: https://web.archive.org/web/20240725111557/https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-validate-defender-protection-and-additional-troubleshooting-part6/ "Validate Defender for Endpoint protection and additional troubleshooting | jeffreyappel.nl"
[10]: https://web.archive.org/web/20240725111814/https://blog.51sec.org/2022/03/microsoft-defender-for-endpoint.html "Microsoft Defender for Endpoint Configurations and Training Resources - NETSEC | blog.51sec.org"
[11]: https://github.com/privacysexy-forks/ClientInspectorV2/blob/main/README.md "ClientInspectorV2/README.md at main · privacysexy-forks/ClientInspectorV2 | github.com"
[12]: https://web.archive.org/web/20240725111617/https://learn.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=windowsserver2022-ps "Get-MpComputerStatus (Defender) | Microsoft Learn | learn.microsoft.com"
[13]: https://web.archive.org/web/20240725111550/https://247tech.co.uk/intune-disables-tamper-protection-by-default/ "Intune disables Tamper Protection by default 247 TECH | 247tech.co.uk"
call:
-
function: SetRegistryValueAsTrustedInstaller
# Without TrustedInstaller: ✅ Windows 10 Pro (20H2) | ❌ Windows 10 Pro (≥ 22H2) | ❌ Windows 11 Pro (≥ 21H2)
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features
valueName: "TamperProtection"
dataType: REG_DWORD
data: "4"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValueAsTrustedInstaller
# Without TrustedInstaller: ✅ Windows 10 Pro (>= 20H2) | ✅ Windows 11 Pro (>= 23H2)
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\Features
valueName: "TamperProtectionSource"
dataType: REG_DWORD
data: "2"
dataOnRevert: "5" # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
-
name: Disable file hash computation feature # Added in Windows 10, version 2004
docs:
- https://web.archive.org/web/20240314124546/https://learn.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation
- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine
valueName: EnableFileHashComputation
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable "Windows Defender Exploit Guard"
docs: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
children:
-
name: Disable prevention of users and apps from accessing dangerous websites
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
valueName: EnableNetworkProtection
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable controlled folder access
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
- https://web.archive.org/web/20240314124339/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access
valueName: EnableControlledFolderAccess
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable network inspection system features
children:
-
name: Disable protocol recognition
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS
valueName: DisableProtocolRecognition
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable definition retirement
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS
valueName: DisableSignatureRetirement
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Minimize rate of detection events
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS
valueName: ThrottleDetectionEventsRate
dataType: REG_DWORD
data: "10000000"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable real-time protection
children:
-
name: Disable real-time monitoring
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring
call: # Enabled by default (DisableRealtimeMonitoring is false)
-
function: SetMpPreference
parameters:
property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring
value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableRealtimeMonitoring
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable intrusion prevention system (IPS)
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem
call:
-
function: SetMpPreference
parameters:
property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem
value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True
# ❌ Windows 11 and Windows 10: Does not fail but does not change the value
default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False
# ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableIntrusionPreventionSystem
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Information Protection Control (IPC)
docs: https://web.archive.org/web/20231207105520/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableInformationProtectionControl
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender monitoring of behavior
children:
-
name: Disable behavior monitoring
docs:
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring
call:
-
function: SetMpPreference
parameters:
property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring
value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableBehaviorMonitoring
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable sending raw write notifications to behavior monitoring
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableRawWriteNotification
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable monitoring of downloads and attachments in Defender
children:
-
name: Disable scanning of all downloaded files and attachments
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection
call:
-
function: SetMpPreference
parameters:
property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection
value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True
# ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableIOAVProtection
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable scanning files larger than 1 KB (minimum possible)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: IOAVMaxSize
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender monitoring of file and program activity
children:
-
name: Disable file and program activity monitoring
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableOnAccessProtection
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable bidirectional scan for incoming and outgoing file and program activities
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection
call:
# 0='Both': bi-directional (full on-access, default)
# 1='Incoming': scan only incoming (disable on-open)
# 2='Outcoming': scan only outgoing (disable on-close)
-
function: SetMpPreference
parameters:
property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection
value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1
default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: RealTimeScanDirection
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable real-time protection process scanning
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
valueName: DisableScanOnRealtimeEnable
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender remediation
children:
-
name: Disable routine remediation
docs:
- https://web.archive.org/web/20240314124159/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#disableroutinelytakingaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender
valueName: DisableRoutinelyTakingAction
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable running scheduled auto-remediation
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday
call:
# 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Remediation
valueName: Scan_ScheduleDay
dataType: REG_DWORD
data: "8"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8
default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0
-
name: Disable remediation actions
docs:
- https://web.archive.org/web/20240314124221/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
# None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10
call: # Not using ThreatIdDefaultAction as it requires known threat IDs
-
function: SetMpPreference
# https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction
parameters:
property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction
# Setting or removing `UnknownThreatDefaultAction` has the same effect on (and sets the same value for):
# `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`.
# E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others are also removed.
# Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction`
value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9
# Default: 0 (none)
# Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction`
# works on both Windows 10 and Windows 11
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats
valueName: Threats_ThreatSeverityDefaultAction
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
valueName: "5"
dataType: REG_SZ
data: "9"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
valueName: "4"
dataType: REG_SZ
data: "9"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
valueName: "3"
dataType: REG_SZ
data: "9"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
valueName: "2"
dataType: REG_SZ
data: "9"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction
valueName: "1"
dataType: REG_SZ
data: "9"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Enable automatically purging items from quarantine folder
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay
call:
# Values:
# Default: 90 on both Windows 10 21H1 and Windows 11 21H2
# Minimum: 1
# 0 means indefinitely
-
function: SetMpPreference
parameters:
property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay
value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1
default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90
setDefaultOnWindows11: 'true' # `Remove-MpPreference` sets it to 0 instead of 90 (OS default) in Windows 11
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine
valueName: PurgeItemsAfterDelay
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable always running antimalware service
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender
valueName: ServiceKeepAlive
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# - # Too good to disable
# category: Disable Microsoft Defender "Device Guard" and "Credential Guard"
# docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419
# children:
# -
# name: Disable LSA protection (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
# - https://itm4n.github.io/lsass-runasppl/
# - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# call:
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
# valueName: LsaCfgFlags
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\Software\Policies\Microsoft\Windows\DeviceGuard
# valueName: LsaCfgFlags
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# name: Disable virtualization-based security (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
# call:
# # Virtualization features
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard
# valueName: EnableVirtualizationBasedSecurity
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard
# valueName: RequirePlatformSecurityFeatures
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# # Lock:
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard
# valueName: Locked
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard
# valueName: NoLock
# dataType: REG_DWORD
# data: '1'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# # HypervisorEnforcedCodeIntegrity:
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard
# valueName: HypervisorEnforcedCodeIntegrity
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
# valueName: Enabled
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
# valueName: Locked
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# name: Disable System Guard Secure Launch
# docs:
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection
# - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch
# call:
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
# valueName: ConfigureSystemGuardLaunch
# dataType: REG_DWORD
# data: '2'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
# valueName: Enabled
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# name: Disable Windows Defender Application Control Code Integrity Policy
# docs:
# - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# call:
# -
# function: SetRegistryValue
# parameters:
# keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
# valueName: DeployConfigCIPolicy
# dataType: REG_DWORD
# data: '0'
# deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
# -
# function: DeleteFiles
# parameters:
# fileGlob: '%WINDIR%\System32\CodeIntegrity\SIPolicy.p7b'
-
name: Disable auto-exclusions
docs:
- https://web.archive.org/web/20231027190409/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions
call:
-
function: SetMpPreference
parameters:
property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions
value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True
default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False
setDefaultOnWindows11: 'true' # `Remove-MpPreference` has no effect (does not change the value) in Windows 11
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
valueName: DisableAutoExclusions
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender scans
children:
-
category: Disable scan actions
children:
-
name: Disable signature verification before scanning # Default configuration
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan
call:
-
function: SetMpPreference
parameters:
property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan
value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: CheckForSignaturesBeforeRunningScan
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable creation of daily system restore points # Default behavior
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint
call:
-
function: SetMpPreference
parameters:
property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint
value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True
default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableRestorePoint
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Minimize retention time for files in scan history
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay
call: # Default is 15, minimum is 0 which means never removing items
-
function: SetMpPreference
parameters:
property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay
value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1
default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: PurgeItemsAfterDelay
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable catch-up scans
children:
-
name: Maximize days until mandatory catch-up scan
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup
# Default and minimum is 2, maximum is 20
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: MissedScheduledScanCountBeforeCatchup
dataType: REG_DWORD
data: '20'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable catch-up full scans # Disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan
call:
-
function: SetMpPreference
parameters:
property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan
value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableCatchupFullScan
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable catch-up quick scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan
call:
-
function: SetMpPreference
parameters:
property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan
value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableCatchupQuickScan
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender scan options
children:
-
name: Disable scan heuristics
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableHeuristics
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable intensive CPU usage during Defender scans
children:
-
name: Minimize CPU usage during scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor
call:
# Default: 50, minimum 1
-
function: SetMpPreference
parameters:
property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor
value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1
default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: AvgCPULoadFactor
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Minimize CPU usage during idle scans
docs:
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
call:
-
function: SetMpPreference
parameters:
property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans
value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False
default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableCpuThrottleOnIdleScans
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable scanning when not idle # Default OS setting
docs:
- https://web.archive.org/web/20231206191436/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled
call:
-
function: SetMpPreference
parameters:
property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled
value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: ScanOnlyIfIdle
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable scheduled anti-malware scanner (MRT)
docs: |-
This script disables the scheduled scans by the Malicious Software Removal Tool (MSRT) provided by Microsoft.
Starting from version 5.39 in August 2016, MSRT sends a "Heartbeat Report" to Microsoft every time it runs [1]. This behavior occurs even if certain user
preferences like the Customer Experience Improvement Program (CEIP) are turned off or if "DiagTrack" is not on the computer [1]. A record of this "Successfully
Submitted Heartbeat Report" can be checked in the MRT log, found at `%windir%\debug\mrt.log` [1].
By using this script, users enhance their privacy by preventing such automatic data transmissions to Microsoft.
[1]: https://web.archive.org/web/20231009134353/https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/ "Telemetry from the Malicious Software Removal Tool @ AskWoody"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\MRT
valueName: DontOfferThroughWUAU
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Minimize scanned areas
children:
-
name: Disable e-mail scanning # Disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning
call:
-
function: SetMpPreference
parameters:
property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning
value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $True
default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableEmailScanning
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable script scanning
docs:
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning
call:
function: SetMpPreference
parameters:
property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning
value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False
-
name: Disable reparse point scanning
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableReparsePointScanning
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable scanning mapped network drives during full scan
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableScanningMappedNetworkDrivesForFullScan
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan
value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True
-
name: Disable network file scanning
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableScanningNetworkFiles
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles
value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True
default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False
-
name: Disable scanning packed executables
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisablePackedExeScanning
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable scanning archive files
children:
-
name: Disable Defender archive file scanning
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableArchiveScanning
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning
value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True
default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False
-
name: Minimize scanning depth of archive files
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: ArchiveMaxDepth
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Minimize file size for scanning archive files
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: ArchiveMaxSize
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable scanning removable drives
docs:
# Disabled by default
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableremovabledrivescanning
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: DisableRemovableDriveScanning
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning
value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $True
default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True
-
category: Disable auto-scans
children:
-
name: Disable scheduled scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay
- https://web.archive.org/web/20240314122526/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday
call:
# Options are:
# 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday',
# 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: ScheduleDay
dataType: REG_DWORD
data: '8'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8'
default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0'
-
name: Disable randomizing scheduled task times
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender
valueName: RandomizeScheduleTaskTimes
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes
value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False
default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True
-
name: Disable scheduled full-scans
docs:
- https://web.archive.org/web/20240314122452/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters
call:
# Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan'
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: ScanParameters
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters
value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1'
default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1'
setDefaultOnWindows11: 'true' # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11
-
name: Minimize daily quick scan frequency
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Scan
valueName: QuickScanInterval
dataType: REG_DWORD
data: '24'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable scanning after security intelligence (signature) update
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: DisableScanOnUpdate
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender updates
children:
-
category: Disable Defender Security Intelligence (signature) updates
children:
-
name: Disable forced security intelligence (signature) updates from Microsoft Update
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: ForceUpdateFromMU
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable security intelligence (signature) updates when running on battery power
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: DisableScheduledSignatureUpdateOnBattery
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable startup check for latest virus and spyware security intelligence (signature)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: UpdateOnStartUp
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable catch-up security intelligence (signature) updates # default is one day
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval
call:
# Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc.
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: SignatureUpdateCatchupInterval
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval
value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0'
default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1'
-
name: Minimize spyware security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when spyware security intelligence (signature) is considered up-to-date
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: ASSignatureDue
dataType: REG_DWORD
data: '4294967295'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Minimize virus security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when virus security intelligence (signature) is considered up-to-date
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: AVSignatureDue
dataType: REG_DWORD
data: '4294967295'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable security intelligence (signature) update on startup
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: DisableUpdateOnStartupWithoutEngine
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine
value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True
default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False
-
name: Disable automatic checks for security intelligence (signature) updates # Already disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday
call:
# Options:
# 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday',
# 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: ScheduleDay
dataType: REG_DWORD
data: '8'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8'
default: "'8'" # Default: 8 (Never) | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8'
-
name: Minimize checks for security intelligence (signature) updates
docs:
- https://web.archive.org/web/20240314122335/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval
call:
# Valid values range from 1 (every hour) to 24 (once per day).
# If not specified (0), Microsoft Defender checks at the default interval
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: SignatureUpdateInterval
dataType: REG_DWORD
data: '24'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetMpPreference
parameters:
property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval
value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24'
default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0'
-
category: Disable alternate definition updates
children:
-
name: Disable definition updates via WSUS and Microsoft Malware Protection Center
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: CheckAlternateHttpLocation
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable definition updates through both WSUS and Windows Update
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates
valueName: CheckAlternateDownloadLocation
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Minimize Defender updates to completed gradual release cycles
docs:
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease
value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True
default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease
-
name: Minimize Defender engine updates to completed release cycles
docs:
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel
value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad'
# Valid values:
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel 'NotConfigured'
-
name: Minimize Defender platform updates to completed release cycles
docs:
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel
value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad'
# Valid values:
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel 'NotConfigured'
-
name: Minimize Defender definition updates to completed gradual release cycles
docs:
# Managing with MpPreference module:
- https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
call:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
function: SetMpPreference
parameters:
property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel
# Its former name was "SignaturesUpdatesChannel"
value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad'
# 0 = 'NotConfigured' (default), 'Beta', 'Preview', 'Broad', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel 'NotConfigured'
-
category: Disable Microsoft Defender reporting
children:
-
name: Disable Microsoft Defender logging
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger
valueName: Start
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger
valueName: Start
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable Microsoft Defender ETW provider (Windows Event Logs)
docs:
- https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/
- https://web.archive.org/web/20240314124054/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational
valueName: Enabled
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC
valueName: Enabled
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Minimize Windows software trace preprocessor (WPP Software Tracing)
docs:
- https://web.archive.org/web/20240314123926/https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
valueName: WppTracingLevel
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable auditing events in Microsoft Defender Application Guard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig
- https://web.archive.org/web/20240314123716/https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\AppHVSI
valueName: AuditApplicationGuard
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender user interface
children:
-
name: Remove "Windows Security" system tray icon
docs: |-
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray
valueName: HideSystray
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Remove "Scan with Microsoft Defender" from context menu
docs: |-
This script removes the **Scan with Microsoft Defender** option from the right-click context menu.
This script enhances user privacy by limiting engagement with Microsoft Defender's data collection processes.
Defender may collect data during scans and at regular intervals, which some users may find unnecessary or unwanted.
Removing this option only affects the context menu appearance and does not disable Microsoft Defender or its other functions.
> **Caution**: This may reduce system security by making it less convenient to perform on-demand scans of specific files or folders.
### Technical Details
The script functions by altering specific registry keys that correspond to the Defender context menu option.
It specifically targets the CLSID `{09A47860-11B0-4DA5-AFA5-26D86198A780}`, which is associated with this option [1] [2].
The script alters keys in the `HKLM\Software\Classes` branch, which automatically reflects in the `HKCR` (HKEY_CLASSES_ROOT) view [3].
The deletion of this key effectively removes the **Scan with Microsoft Defender** option from the context menu.
This feature is provided by the `shellext.dll` file located in Defender's program files [1].
[1]: https://web.archive.org/web/20231124215149/https://strontic.github.io/xcyclopedia/library/clsid_09A47860-11B0-4DA5-AFA5-26D86198A780.html "CLSID 09A47860-11B0-4DA5-AFA5-26D86198A780 | (C:\Program Files\Windows Defender\shellext.dll) | STRONTIC | strontic.github.io"
[2]: https://web.archive.org/web/20231124215202/https://www.shouldiblockit.com/shellext.dll-d9ed4e24723880f608c62e2e00430bdd.aspx "shellext.dll - Should I Block It? (MD5 d9ed4e24723880f608c62e2e00430bdd) | www.shouldiblockit.com"
[3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com"
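The check below is an added example, not part of privacy.sexy's own code. It reads the four registry values that this script's `call` entries delete and compares them with the defaults recorded in the comments on this page. The function name `Get-DefenderContextMenuState` and its output columns are chosen for this example, and a 64-bit PowerShell session is assumed.

```powershell
# Added example: audit the registry values behind "Scan with Microsoft Defender".
# Expected data is taken from the "Default values" comments on this page.
function Get-DefenderContextMenuState {
    $clsid = '{09A47860-11B0-4DA5-AFA5-26D86198A780}'
    $checks = @(
        @{ Key      = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
           Name     = '(Default)'
           Expected = "$env:ProgramFiles\Windows Defender\shellext.dll" }
        @{ Key      = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
           Name     = 'ThreadingModel'
           Expected = 'Apartment' }
        @{ Key      = 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP'
           Name     = '(Default)'
           Expected = $clsid }
        @{ Key      = 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP'
           Name     = '(Default)'
           Expected = $clsid }
    )

    foreach ($check in $checks) {
        # The unnamed default value of a key is addressed with an empty name in .NET.
        $valueName = if ($check.Name -eq '(Default)') { '' } else { $check.Name }

        # -LiteralPath keeps the braces in the CLSID from being interpreted.
        $key = Get-Item -LiteralPath $check.Key -ErrorAction SilentlyContinue
        $actual = if ($key) { $key.GetValue($valueName, $null) } else { $null }

        $state = if ($null -eq $actual) {
            'Missing'    # state after this script has run
        } elseif ([Environment]::ExpandEnvironmentVariables([string]$actual) -ieq $check.Expected) {
            'Default'    # handler registered as on a stock installation
        } else {
            'Modified'   # data differs from the documented default; review it
        }

        [pscustomobject]@{
            Key    = $check.Key
            Name   = $check.Name
            State  = $state
            Actual = $actual
        }
    }
}

Get-DefenderContextMenuState | Format-Table -AutoSize
```

`Missing` on all four rows is the state the script leaves behind; `Modified` on the `InprocServer32` default value means the handler points at a file other than the documented `shellext.dll`.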
call:
-
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32'
valueName: (Default)
# Default values:
# Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name '(Default)'
# Windows 10 (≥ 22H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ)
# Windows 11 (≥ 23H2) : C:\Program Files\Windows Defender\shellext.dll (REG_SZ)
dataTypeOnRevert: REG_SZ
dataOnRevert: '%ProgramFiles%\Windows Defender\shellext.dll'
-
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32'
valueName: ThreadingModel
# Default values:
# Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32' -Name 'ThreadingModel'
# Windows 10 (≥ 22H2) : Apartment (REG_SZ)
# Windows 11 (≥ 23H2) : Apartment (REG_SZ)
dataTypeOnRevert: REG_SZ
dataOnRevert: 'Apartment'
-
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP'
valueName: (Default)
# Default values:
# Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP' -Name '(Default)'
# Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
# Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
dataTypeOnRevert: REG_SZ
dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}'
-
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP'
valueName: (Default)
# Default values:
# Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP' -Name '(Default)'
# Windows 10 (≥ 22H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
# Windows 11 (≥ 23H2) : {09A47860-11B0-4DA5-AFA5-26D86198A780} (REG_SZ)
dataTypeOnRevert: REG_SZ
dataOnRevert: '{09A47860-11B0-4DA5-AFA5-26D86198A780}'
-
name: Remove "Windows Security" icon from taskbar
docs: |-
This script removes the "Windows Security" icon from the system tray. "Windows Security" is an interface introduced in Windows 10, version 1703
and was originally named "Windows Defender Security Center" [1].
The icon in the system tray is controlled by the `SecurityHealthSystray.exe` file [2] [3].
The script modifies the registry to stop this file from running on startup, effectively removing the icon. It specifically removes
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run!SecurityHealth`. This key exists in modern versions of Windows (tested since Windows 11 22H2
and Windows 10 22H2) with a default value of `%WINDIR%\system32\SecurityHealthSystray.exe`.
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
[2]: https://web.archive.org/web/20231013155101/https://www.file.net/process/securityhealthsystray.exe.html "SecurityHealthSystray.exe Windows process - What is it?"
[3]: https://web.archive.org/web/20231013155434/https://strontic.github.io/xcyclopedia/library/SecurityHealthSystray.exe-783C99AFD4C2AE6950FA5694389D2CFA.html "SecurityHealthSystray.exe | Windows Security notification icon | STRONTIC | strontic.github.io"
call:
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
valueName: SecurityHealth
# Default values:
# Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealth'
# Windows 10 (≥ 22H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ)
# Windows 11 (≥ 23H2) : C:\Windows\system32\SecurityHealthSystray.exe (REG_SZ)
dataTypeOnRevert: REG_EXPAND_SZ
dataOnRevert: '%WINDIR%\system32\SecurityHealthSystray.exe'
-
name: Disable Microsoft Defender Antimalware (AM) user interface
docs: |-
This script ensures that the Antimalware User Interface (AM UI) remains concealed from users [1], essentially
preventing user interactions with the Microsoft Defender Antivirus interface.
Several reasons to hide the antivirus interface:
1. **Reduced data sharing**: Whether you're using Defender or disabling it for an alternative solution, minimizing
its visible interactions can potentially limit the extent of user data shared with Microsoft. Many users feel more
in control of their data when they aren't constantly reminded of a running security service.
2. **Minimized Interruptions**: By hiding the interface, you can prevent users from starting and pausing scans.
Eliminating the interface means users aren't prompted or nudged to make selections which might unknowingly share
more data. This not only keeps the user experience neat but also minimizes accidental data sharing chances.
3. **Reduced notifications**: With the headless UI mode enabled in Windows 10 (version 1703 and newer), Microsoft Defender
Antivirus notifications are hidden, ensuring users aren't overwhelmed with security notifications [2]. This can contribute to
a cleaner, less interrupted user experience. By reducing these notifications, the system lessens the chances of users inadvertently
triggering options that might share data.
4. **Restricting access**: In earlier versions of Windows 10, activating this mode not only hides the Defender client interface
but also restricts users from accessing it [2]. If a user attempts to open the interface, they are met with a warning, indicating that
access has been restricted by the system administrator [2].
The script achieves this by making a specific change in the Windows Registry. Specifically, it adds a value named "UILockdown" in the
`HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration` registry path, setting its value to `1` [1].
[1]: https://web.archive.org/web/20230810164814/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown "Enable headless UI mode"
[2]: https://web.archive.org/web/20230810164835/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide "Hide the Microsoft Defender Antivirus interface | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration
valueName: UILockdown
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable non-administrator access to threat history
docs: |-
This script disables privacy mode for Defender scans, limiting threat history access to administrators.
By default, privacy mode is enabled [1].
When active, it restricts the display of spyware and potentially dangerous programs to administrators only,
instead of all users on the computer [2].
It blocks non-administrators from viewing threat history [1].
This is a legacy setting that only affects older versions of Microsoft Defender Antivirus [1].
It has no impact on current platforms [1].
Limiting threat history to administrators has both benefits and drawbacks.
It improves security and privacy by limiting access to sensitive threat information.
However, it may reduce transparency and hinder security efforts for users without admin access who need this data.
The script configures:
1. `DisablePrivacyMode` Defender preference using Command Line Interface (CLI) [1] [3].
It sets the value to `$True`, effectively disabling privacy mode [1].
2. `HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration!DisablePrivacyMode` registry value [2].
This undocumented registry key has been verified to work on older Windows versions by the community [2].
[1]: https://web.archive.org/web/20240314124716/https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps#-disableprivacymode "Set-MpPreference (Defender) | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240725094236/https://www.win7help.ru/manual/reestr-windows/soft/ "Софт | Секреты Windows 7 | www.win7help.ru"
[3]: https://web.archive.org/web/20231207105608/https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode "MSFT_MpPreference - powershell.one | powershell.one"
call:
-
function: SetMpPreference
parameters:
property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode
value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True
default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False
-
function: SetRegistryValueAsTrustedInstaller
# Without TrustedInstaller: ❌ Windows 10 Pro (>= 20H2) | ❌ Windows 11 Pro (>= 23H2)
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration
valueName: "DisablePrivacyMode"
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable sections in "Windows Security"
docs: |-
This category provides scripts that let you disable specific sections of the "Windows Security" interface. This interface was introduced in
Windows 10, version 1703 and was previously known as "Windows Defender Security Center" [1].
"Windows Security" has various sections, and each can be turned off individually [1]. If all sections are disabled, the interface will display
in a restricted mode [1].
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
children:
-
name: Disable "Virus and threat protection" section in "Windows Security"
docs: |-
- [Virus and threat protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161059/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection)
- [Hide the Virus and threat protection area | admx.help](https://web.archive.org/web/20231013161208/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection
valueName: UILockdown
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Ransomware data recovery" section in "Windows Security"
docs: |-
[Hide the Ransomware data recovery area | admx.help](https://web.archive.org/web/20231013161249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection
valueName: HideRansomwareRecovery
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Family options" section in "Windows Security"
docs: |-
- [Family options in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161356/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options)
- [Hide the Family options area | admx.help](https://web.archive.org/web/20231013161503/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options
valueName: UILockdown
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Device performance and health" section in "Windows Security"
docs: |-
- [Device & performance health in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161703/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health)
- [Hide the Device performance and health area | admx.help](https://web.archive.org/web/20231013161748/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health
valueName: UILockdown
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Account protection" section in "Windows Security"
docs: |-
- [Account protection in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161536/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection)
- [Hide the Account protection area | admx.help](https://web.archive.org/web/20231013161621/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection
valueName: UILockdown
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "App and browser control" section in "Windows Security"
docs: |-
- [App & browser control in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161813/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control)
- [Hide the App and browser protection area | admx.help](https://web.archive.org/web/20231013161834/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
valueName: UILockdown
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable device security sections
children:
-
name: Disable "Device security" section in "Windows Security"
docs: |-
- [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security)
- [Hide the Device security area | admx.help](https://web.archive.org/web/20231013161956/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
valueName: UILockdown
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Clear TPM" button in "Windows Security"
docs: |-
- [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#disable-the-clear-tpm-button)
- [Disable the Clear TPM button | admx.help](https://web.archive.org/web/20231013162124/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
valueName: DisableClearTpmButton
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Secure boot" button in "Windows Security"
docs: |-
[Hide the Secure boot area | admx.help](https://web.archive.org/web/20231013162210/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
valueName: HideSecureBoot
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Security processor (TPM) troubleshooter" page in "Windows Security"
docs: |-
[Hide the Security processor (TPM) troubleshooter page | admx.help](https://web.archive.org/web/20231013162249/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
valueName: HideTPMTroubleshooting
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "TPM Firmware Update" recommendation in "Windows Security"
docs: |-
- [Device security in Windows Security - Windows Security | Microsoft Learn](https://web.archive.org/web/20231013161928/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security#hide-the-tpm-firmware-update-recommendation)
- [Hide the TPM Firmware Update recommendation | admx.help](https://web.archive.org/web/20231013162327/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning)
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
valueName: DisableTpmFirmwareUpdateWarning
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable Defender notifications
children:
-
category: Disable Windows Security notifications
docs: https://web.archive.org/web/20240314130605/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications
children:
-
name: Disable all Defender notifications
docs:
- https://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
valueName: DisableNotifications
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
valueName: DisableNotifications
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable non-critical Defender notifications
docs:
- http://web.archive.org/web/20240314122250/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#disableenhancednotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
valueName: DisableEnhancedNotifications
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications
valueName: DisableEnhancedNotifications
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
valueName: DisableEnhancedNotifications
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable notifications from Windows Action Center for security and maintenance # For Windows 10 build 1607 and above
docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
valueName: Enabled
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable all Defender Antivirus notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration
valueName: Notification_Suppress
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration
valueName: Notification_Suppress
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Defender reboot notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration
valueName: SuppressRebootNotification
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable OS components for Defender # Hacker's way of disabling Defender
children:
-
category: Disable Defender scheduled tasks
children:
-
name: Disable "ExploitGuard MDM policy Refresh" task
docs: |-
This script disables the "ExploitGuard MDM policy Refresh" scheduled task.
The task is originally described in the Task Scheduler as: "Task for applying changes to the machine's Exploit Protection settings".
Windows Defender Exploit Guard is a security feature in Windows, designed to prevent potential intrusions [1].
It encompasses various components such as "Attack Surface Reduction (ASR)", "Network protection", "Controlled folder access", and "Exploit protection" [1].
Specifically, the "ExploitGuard MDM policy Refresh" task is in charge of refreshing the Exploit Guard policy settings through Mobile Device Management (MDM) policies [2].
MDM offers a method to remotely adjust the ExploitGuard settings on a device [2].
Microsoft rolled out the Exploit Guard feature starting from Windows 10 version 1709 [3] [4].
Notably, the National Security Agency (NSA) in the USA has recommended the use of this feature for enhanced security [3].
### Overview of default task statuses
`\Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231020130741/https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ "Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware | Microsoft Security Blog"
[2]: https://web.archive.org/web/20231020130744/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide#mdm "Turn on exploit protection to help mitigate against attacks | Microsoft Learn"
[3]: https://web.archive.org/web/20231020130723/https://media.defense.gov/2019/Jul/16/2002158052/-1/-1/0/CSI-WINDOWS-10-FOR-ENTERPRISE-SECURITY-BENEFITS-OF-TIMELY-ADOPTION.PDF "Windows 10 for Enterprises Security Benefits of Timely Adoption | media.defense.gov"
[4]: https://web.archive.org/web/20231020130731/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy "Windows Defender Exploit Guard policy - Configuration Manager | Microsoft Learn"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\ExploitGuard\' -TaskName 'ExploitGuard MDM policy Refresh'
taskPathPattern: \Microsoft\Windows\ExploitGuard\
taskNamePattern: ExploitGuard MDM policy Refresh
-
name: Disable "Windows Defender Cache Maintenance" task
docs: |-
This script disables the "Windows Defender Cache Maintenance" scheduled task.
The task is scheduled to periodically maintain the cache used by Microsoft Defender Antivirus [1].
It runs the command `C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCacheMaintenance` [1].
The `MpCmdRun.exe` is a command-line tool used to perform various Microsoft Defender Antivirus functions [2].
Cache maintenance involves managing temporary files that Microsoft Defender is either scanning or has quarantined [3].
Disabling this task prevents the system from automatically clearing the Defender cache [3].
This is particularly useful if you want to ensure that files are not removed from quarantine or the cache without your explicit action.
Disabling this task is reported to optimize system boot speed [4], but it could potentially lead to increased storage use by temporary files.
### Overview of default task statuses
`\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231102111550/http://windows.fyicenter.com/4439_Windows_Defender_Cache_Maintenance_Scheduled_Task_on_Windows_8.html '"Windows Defender Cache Maintenance" Scheduled Task on Windows 8 | windows.fyicenter.com'
[2]: https://web.archive.org/web/20231102111626/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide "Use the command line to manage Microsoft Defender Antivirus | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com"
[4]: https://web.archive.org/web/20231102111645/https://discussions.citrix.com/topic/417772-very-slow-boot-times/ "Very slow boot times - Provisioning Server for Datacenters - Discussions | discussions.citrix.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cache Maintenance'
taskPathPattern: \Microsoft\Windows\Windows Defender\
taskNamePattern: Windows Defender Cache Maintenance
-
name: Disable "Windows Defender Cleanup" task
docs: |-
This script disables the "Windows Defender Cleanup" scheduled task.
This task is used by Defender to remove unnecessary files, such as corrupted or quarantined items [1].
The task is described in the Task Scheduler as "Periodic cleanup task" [2] [3].
This task executes the following command:
`C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdCleanup` [2] [3].
### Overview of default task statuses
`\Microsoft\Windows\Windows Defender\Windows Defender Cleanup`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231103171411/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com"
[2]: https://web.archive.org/web/20231103171352/http://windows.fyicenter.com/4440_Windows_Defender_Cleanup_Scheduled_Task_on_Windows_8.html '"Windows Defender Cleanup" Scheduled Task on Windows 8 | windows.fyicenter.com'
[3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Cleanup'
taskPathPattern: \Microsoft\Windows\Windows Defender\
taskNamePattern: Windows Defender Cleanup
-
name: Disable "Windows Defender Scheduled Scan" task
docs: |-
This script disables the "Windows Defender Scheduled Scan" scheduled task.
This scheduled task is responsible for performing automatic regular scans [1] [2].
By disabling this task, users can control the scheduling and frequency of antivirus scans, according to their needs, thus balancing
security with system resource management [1] [2].
The task is known as "Periodic scan task" in the Task Scheduler [1] [3] [4].
It executes the following command:
`C:\Program Files\Windows Defender\MpCmdRun.exe Scan -ScheduleJob -ScanTrigger 55` [3] [4].
### Overview of default task statuses
`\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231103171744/https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d "Schedule a scan in Microsoft Defender Antivirus - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20231103171802/https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963 "Stay protected with Windows Security - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com"
[4]: https://web.archive.org/web/20231103171825/http://windows.fyicenter.com/4441_Windows_Defender_Scheduled_Scan_Scheduled_Task_on_Windows_8.html '"Windows Defender Scheduled Scan" Scheduled Task on Windows 8 | windows.fyicenter.com'
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Scheduled Scan'
taskPathPattern: \Microsoft\Windows\Windows Defender\
taskNamePattern: Windows Defender Scheduled Scan
-
name: Disable "Windows Defender Verification" task
docs: |-
This script disables the "Windows Defender Verification" scheduled task.
This task checks for issues with Defender, such as update problems or system file errors [1].
It is also linked to the creation of daily system restore points [2].
Disabling this task can prevent unnecessary system slowdowns and restore point creation, conserving disk space and system resources.
It improves privacy by reducing the system state data stored on the device.
The task is known as "Periodic verification task" in the Task Scheduler [3] [4].
It executes the following command:
`C:\Program Files\Windows Defender\MpCmdRun.exe -IdleTask -TaskName WdVerification` [3] [4].
### Overview of default task statuses
`\Microsoft\Windows\Windows Defender\Windows Defender Verification`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231102111205/https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae "win10 windows defender schedulable tasks - what does each do? - Microsoft Community | answers.microsoft.com"
[2]: https://web.archive.org/web/20231103172413/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426 "Windows Defender / System Restore Points - Microsoft Community | answers.microsoft.com"
[3]: https://web.archive.org/web/20231103171350/https://www.herdprotect.com/mpcmdrun.exe-bb31a13a0eeecfab745d4aa221ee222d5021e9d8.aspx "Malware scan of MpCmdRun.exe (Microsoft Malware Protection) bb31a13a0eeecfab745d4aa221ee222d5021e9d8 - herdProtect | herdprotect.com"
[4]: https://web.archive.org/web/20231103172432/http://windows.fyicenter.com/4442_Windows_Defender_Verification_Scheduled_Task_on_Windows_8.html '"Windows Defender Verification" Scheduled Task on Windows 8 | windows.fyicenter.com'
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -TaskName 'Windows Defender Verification'
taskPathPattern: \Microsoft\Windows\Windows Defender\
taskNamePattern: Windows Defender Verification
-
category: Disable Defender services and drivers
# Windows Defender services are protected, requiring escalated methods to disable them:
# 1. Try `DisableService` first, as this is the standard method recommended for disabling services.
# 2. Try `DisableServiceInRegistry` if the first attempt fails due to access errors.
# 3. Try `DisableServiceInRegistryAsTrustedInstaller` as a last resort.
children:
-
name: Disable "Microsoft Defender Antivirus Service"
# ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender
# E.g. `Set-MpPreference -Force -MAPSReporting 0` throws:
# `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.`
# `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference`
docs: |-
https://web.archive.org/web/20240314091238/https://batcmd.com/windows/10/services/windefend/
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
| Windows 11 (≥ 23H2) | 🟢 Running | Automatic |
call:
-
# Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
function: DisableServiceInRegistryAsTrustedInstaller
parameters:
serviceName: WinDefend # Check: (Get-Service -Name 'WinDefend').StartType
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
# - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
# function: SoftDeleteFiles
# parameters:
# fileGlob: '%PROGRAMFILES%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
# grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
category: Disable Defender kernel-level drivers
children:
# - Skipping wdnsfltr ("Windows Defender Network Stream Filter Driver") as it's Windows 1709 only
-
name: Disable "Microsoft Defender Antivirus Network Inspection System Driver" service
docs: |-
https://web.archive.org/web/20240314062056/https://batcmd.com/windows/10/services/wdnisdrv/
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
call:
# Excluding:
# - `%SYSTEMROOT%\System32\drivers\wd\WdNisDrv.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
-
# Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
function: DisableServiceInRegistryAsTrustedInstaller
parameters:
serviceName: WdNisDrv # Check: (Get-Service -Name 'WdNisDrv').StartType
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
waitForDependentServicesOnStop: 'true' # Or it fails, `Microsoft Defender Antivirus Network Inspection Service (WdNisSvc)` depends on this
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Microsoft Defender Antivirus Mini-Filter Driver" service
docs: |-
- https://web.archive.org/web/20240314091638/https://n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
- https://web.archive.org/web/20240314062047/https://batcmd.com/windows/10/services/wdfilter/
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Boot |
| Windows 11 (≥ 23H2) | 🟢 Running | Boot |
call:
# Excluding:
# - `%SYSTEMROOT%\System32\drivers\wd\WdFilter.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
-
# Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
function: DisableServiceInRegistryAsTrustedInstaller
parameters:
serviceName: WdFilter # Check: (Get-Service -Name 'WdFilter').StartType
defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual
# notStoppable: true # See `sc queryex WdFilter`, tested since Windows 10 22H2, Windows 11 22H2.
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\WdFilter.sys'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Microsoft Defender Antivirus Boot Driver" service
docs: |-
https://web.archive.org/web/20240314062057/https://batcmd.com/windows/10/services/wdboot/
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Boot |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Boot |
call:
# Excluding:
# - `%SYSTEMROOT%\System32\drivers\wd\WdBoot.sys`: Missing on Windows since Windows 10 22H2 and Windows 11 22H2
-
# Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
function: DisableServiceInRegistryAsTrustedInstaller
parameters:
serviceName: WdBoot # Check: (Get-Service -Name 'WdBoot').StartType
defaultStartupMode: Boot # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\drivers\WdBoot.sys'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Microsoft Defender Antivirus Network Inspection" service
docs: |-
- https://web.archive.org/web/20240314091310/https://batcmd.com/windows/10/services/wdnissvc/
- https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
call:
-
# Windows 10 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
function: DisableServiceInRegistryAsTrustedInstaller
parameters:
serviceName: WdNisSvc # Check: (Get-Service -Name 'WdNisSvc').StartType
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
# - # ❌ "Access is denied" when renaming file, cannot grant permissions (Attempted to perform an unauthorized operation) since Windows 10 22H2 and Windows 11 22H2
# function: SoftDeleteFiles
# parameters:
# fileGlob: '%PROGRAMFILES%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
# grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Windows Defender Advanced Threat Protection Service" service
docs: |-
https://web.archive.org/web/20240314091443/https://batcmd.com/windows/10/services/sense/
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
call:
-
function: DisableServiceInRegistry
# Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
parameters:
serviceName: Sense # Check: (Get-Service -Name 'Sense').StartType
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
name: Disable "Windows Security Service" service
docs: |-
This script disables the "Windows Security Service", also known as `SecurityHealthService` or "Windows Security Health Service" [1].
This service provides unified device protection and health information [2] [3].
It was introduced in Windows 10, version 1703, as part of the "Windows Security" interface, which was earlier named "Windows Defender Security Center" [2].
Even though the service is related to Microsoft Defender [4], disabling it does not turn off Microsoft Defender Antivirus [1].
By default, Windows manually starts this service [2], but it is observed to run automatically in Windows 10 and 11.
The "Windows Security" interface relies on the "Windows Security Service" which further depends on the "Windows Security Center Service" (`wscsvc`) [1].
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center "Windows Security - Windows Security | Microsoft Learn"
[2]: https://web.archive.org/web/20231013160338/http://batcmd.com/windows/10/services/securityhealthservice/ "Windows Security Service - Windows 10 Service - batcmd.com"
[3]: https://web.archive.org/web/20231013160352/https://strontic.github.io/xcyclopedia/library/SecurityHealthService.exe-96BE970B2CB0BB0A86D8F74C1A3F8596.html "SecurityHealthService.exe | Windows Security Health Service | STRONTIC | strontic.github.io"
[4]: https://web.archive.org/web/20231013160458/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#notes-about-protection-states
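
To see which of the Defender scheduled tasks, services, drivers and files covered by the entries above still match their documented defaults, a read-only audit such as the following can be run. It is an added example, not part of privacy.sexy; the function and variable names are hypothetical, and the expected values are taken from the default-status tables and `fileGlob` targets in this file.

```powershell
# Added example, not part of privacy.sexy. Read-only: changes nothing on the system.
# Expected values are the defaults documented in this collection for
# Windows 10 22H2 and Windows 11 22H2/23H2.
$ServiceDefaults = [ordered]@{
    WinDefend             = 'Automatic'
    WdNisDrv              = 'Manual'
    WdFilter              = 'Boot'
    WdBoot                = 'Boot'
    WdNisSvc              = 'Manual'
    Sense                 = 'Manual'
    SecurityHealthService = 'Manual'
}
# Meaning of the "Start" value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
$StartTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$TaskPath  = '\Microsoft\Windows\Windows Defender\'
$TaskNames = @(
    'Windows Defender Cache Maintenance'
    'Windows Defender Cleanup'
    'Windows Defender Scheduled Scan'
    'Windows Defender Verification'
)
# Files targeted by the SoftDeleteFiles calls in this category.
$ProtectedFiles = @(
    '%SYSTEMROOT%\System32\drivers\WdNisDrv.sys'
    '%SYSTEMROOT%\System32\drivers\WdFilter.sys'
    '%SYSTEMROOT%\System32\drivers\WdBoot.sys'
    '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\MsSense.exe'
    '%WINDIR%\System32\SecurityHealthService.exe'
)

function New-Finding {
    param([string]$Kind, [string]$Name, [string]$Expected, [string]$Actual, [bool]$Drift)
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Expected = $Expected; Actual = $Actual; Drift = $Drift }
}

function Get-ServiceStartDrift {
    # Reads the start type from the registry, where the Disable* functions write it.
    # A service that the installed edition does not ship also shows as 'Missing'.
    foreach ($name in $ServiceDefaults.Keys) {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Start' -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $actual = 'Missing'
        } elseif ($StartTypeNames.ContainsKey([int]$prop.Start)) {
            $actual = $StartTypeNames[[int]$prop.Start]
        } else {
            $actual = "Unknown ($($prop.Start))"
        }
        New-Finding 'Service' $name $ServiceDefaults[$name] $actual ($actual -ne $ServiceDefaults[$name])
    }
}

function Get-TaskStateDrift {
    foreach ($taskName in $TaskNames) {
        $task   = Get-ScheduledTask -TaskPath $TaskPath -TaskName $taskName -ErrorAction SilentlyContinue
        $actual = if ($null -eq $task) { 'Missing' } else { [string]$task.State }
        # 'Ready' is the documented default; 'Running' and 'Queued' are not treated as drift.
        New-Finding 'Task' $taskName 'Ready' $actual ($actual -in @('Missing', 'Disabled'))
    }
}

function Get-FileDrift {
    foreach ($pattern in $ProtectedFiles) {
        $path   = [Environment]::ExpandEnvironmentVariables($pattern)
        $actual = if (Test-Path -LiteralPath $path -PathType Leaf) { 'Present' } else { 'Missing' }
        New-Finding 'File' $path 'Present' $actual ($actual -ne 'Present')
    }
}

$findings = @(Get-ServiceStartDrift) + @(Get-TaskStateDrift) + @(Get-FileDrift)
$findings | Sort-Object -Property Drift -Descending | Format-Table -AutoSize
$driftCount = @($findings | Where-Object Drift).Count
'{0} of {1} checks deviate from the documented defaults.' -f $driftCount, $findings.Count
```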
call:
-
# Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ❌ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
function: DisableServiceInRegistryAsTrustedInstaller
parameters:
serviceName: SecurityHealthService # Check: (Get-Service -Name 'SecurityHealthService').StartType
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\SecurityHealthService.exe'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
-
category: Disable SmartScreen
docs: |- # refactor-with-variables: • SmartScreen Caution
This category focuses on disabling the SmartScreen and its features and components.
SmartScreen is also known as "Windows SmartScreen" [1], "Windows Defender SmartScreen" [2], "Microsoft Defender SmartScreen" [3],
"Phishing Filter" [4], and "SmartScreen Filter" [4].
It protects users from phishing attacks, malware websites, and potentially harmful downloads by assessing webpage safety and
comparing sites and downloads against lists of known threats [3].
However, it also sends URLs and file information to Microsoft servers [4], which raises significant privacy concerns.
Disabling SmartScreen through this category can enhance your privacy by stopping these data transmissions [5].
However, be aware that this action may compromise your security by removing the protections that SmartScreen provides
against malicious sites and downloads.
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240709105008/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings "Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings - Windows Security | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io"
[3]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help"
[5]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
children:
-
category: Disable SmartScreen for apps and files
docs: |- # refactor-with-variables: • SmartScreen Caution
This category includes scripts to disable SmartScreen for apps and files.
SmartScreen is a security feature that checks the reputation of apps and files you download or run [1] [2].
It's part of Windows' reputation-based protection system [1] [2] [3].
Key points about SmartScreen for apps and files:
- It blocks unrecognized apps and files that may be potentially harmful [2] [3].
- It performs reputation checks on downloaded programs and their digital signatures [1].
- If an app, file, or digital signature has an established good reputation, users don't see warnings [1].
- Items without a reputation are flagged as higher risk, prompting a warning to the user [1].
Disabling this feature can:
- Enhance privacy by reducing data sent to Microsoft for reputation checks [4].
- Improve system performance by eliminating background scanning and processing.
- Give users more freedom to run apps and files without interference.
However, disabling SmartScreen may also:
- Reduce protection against malware, potentially harmful applications, and suspicious files.
- Increase the risk of running malicious software unknowingly.
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/#benefits-of-microsoft-defender-smartscreen "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240709114232/https://support.microsoft.com/en-us/windows/app-browser-control-in-windows-security-8f68fb65-ebb4-3cfb-4bd7-ef0f376f3dc3 "App & browser control in Windows Security - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240724111947/https://support.microsoft.com/en-us/windows/reputation-based-protection-8d24aede-e932-4bc4-8bc6-6ccaf4d7b058 "Reputation-based protection - Microsoft Support | support.microsoft.com"
[4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
children:
-
name: Disable SmartScreen checks for apps and files
docs: |- # refactor-with-variables: • SmartScreen Caution
This script disables the SmartScreen checks for apps and files.
SmartScreen protects users by warning them before running potentially malicious programs downloaded from the internet [1].
This warning appears as a dialog box before you run an unrecognized or known malicious app downloaded from the internet [1].
These checks are part of SmartScreen's *reputation-based protection* [2].
This feature is enabled by default [1].
Microsoft collects data about the files and programs you run when this feature is enabled [1] [3].
This script stops SmartScreen from alerting you about potentially malicious apps and files [1] [2] [4] [5].
It enhances privacy by stopping data collection required for SmartScreen checks.
Microsoft suggests disabling it to manage connections and protect your privacy [6].
The Center for Internet Security (CIS) mentions the potential privacy impact of keeping this feature enabled due to Microsoft data collection [3].
This script also boosts system performance by reducing the overhead of SmartScreen checks.
This gives users more freedom to choose applications and download files.
However, this change may increase the risk of downloading harmful apps and files by reducing safety checks.
Authorities like DISA [7] and the Center for Internet Security (CIS) [3] recommend keeping it enabled as a security measure.
This script configures the following registry keys:
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer!SmartScreenEnabled` [4] [5] [8]:
This simulates turning off SmartScreen via the Windows user interface, which changes the user setting [4] [5].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!EnableSmartScreen` [1] [3] [6] [7] [9]:
Sets Group Policy Object (GPO) to enforce this setting and prevent users from changing it [1].
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240709110302/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#enablesmartscreeninshell "SmartScreen Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240709114232/https://support.microsoft.com/en-us/windows/app-browser-control-in-windows-security-8f68fb65-ebb4-3cfb-4bd7-ef0f376f3dc3 "App & browser control in Windows Security - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240721083325/https://www.cisecurity.org/-/jssmedia/Project/cisecurity/cisecurity/data/media/files/uploads/2017/04/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v220.pdf "CIS Microsoft Windows Server 2012 R2 Benchmark | cisecurity.org"
[4]: https://web.archive.org/web/20240709113919/https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-check-apps-and-files-from-web-in-windows-11.5731/ "Enable or Disable Microsoft Defender SmartScreen Check Apps and Files from Web in Windows 11 Tutorial | Windows 11 Forum | elevenforum.com"
[5]: https://web.archive.org/web/20240709114219/https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/ "How To Change The SmartScreen Filter Settings In Windows 10 | www.technobezz.com"
[6]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5187 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
[7]: https://web.archive.org/web/20240721083748/https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685 "The Windows Defender SmartScreen for Explorer must be enabled. | www.stigviewer.com"
[8]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5181C51-L5181C66 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
[9]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
valueName: SmartScreenEnabled
dataType: REG_SZ
data: 'Off'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer
valueName: SmartScreenEnabled
dataType: REG_SZ
data: 'Off'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: EnableSmartScreen
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Enable SmartScreen warning dismissal for apps
docs: |- # refactor-with-variables: • SmartScreen Caution
This script disables SmartScreen app blocking, allowing users to bypass its warnings.
SmartScreen is a security feature that protects users by displaying warnings before running potentially harmful programs [1] [2] [3] [4].
These warnings help prevent the execution of suspicious applications [1] [2].
This feature is enabled by default on Windows [1].
SmartScreen sends data to Microsoft about the files and applications run on the system [1] [3].
This raises privacy concerns because it involves collecting user behavior data.
The Center for Internet Security (CIS) mentions disabling it for additional privacy [3].
Disabling SmartScreen can improve system performance by reducing the processing overhead.
However, this may decrease system security by reducing protection against malicious software and phishing attacks.
Authorities like DISA [4] and CIS [3] recommend keeping SmartScreen enabled and blocking suspicious apps as a security best practice.
SmartScreen has two configurations:
- **Warn and prevent bypass:**
The user cannot ignore the warnings, and SmartScreen will repeat the warnings for subsequent attempts to run the app [1] [2].
- **Warn:**
SmartScreen initially warns the user about a suspicious app but allows the user to override the warning and run the app [1] [2].
It will not issue further warnings for that app if the user chooses to proceed [1] [2].
This script modifies the `HKLM\SOFTWARE\Policies\Microsoft\Windows\System!ShellSmartScreenLevel` registry key to enable bypass
through the **Warn** option [1] [2] [3].
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240709110302/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#enablesmartscreeninshell "SmartScreen Policy CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20240713204839/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen "Configure Windows Defender SmartScreen | admx.help"
[3]: https://web.archive.org/web/20240722105035/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Windows_10_Enterprise_Release_21H1_Benchmark_v1_11_0.pdf "18.9.81.1.1 | CIS Microsoft Windows 10 Enterprise (Release 21H1 or older) Benchmark | paper.bobylive.com"
[4]: https://web.archive.org/web/20240713204739/https://www.stigviewer.com/stig/microsoft_windows_11/2023-09-29/finding/V-253395 "The Microsoft Defender SmartScreen for Explorer must be enabled. | www.stigviewer.com"
[5]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5188C44-L5188C65 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
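
To check how a machine currently stands on the SmartScreen values described in this script and in "Disable SmartScreen checks for apps and files", a read-only audit such as the following can be used. It is an added example, not part of privacy.sexy; the function and variable names are hypothetical, and the sample state is constructed to match what the two scripts write.

```powershell
# Added example, not part of privacy.sexy. Read-only registry audit.
# All four values are missing by default, as documented in this collection.
$SmartScreenValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';             Name = 'SmartScreenEnabled' }
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer'; Name = 'SmartScreenEnabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                     Name = 'EnableSmartScreen' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                     Name = 'ShellSmartScreenLevel' }
)

function Get-SmartScreenAssessment {
    param([string]$Name, $Data)   # $Data is $null when the value is missing
    if ($null -eq $Data) { return 'Default (value not set)' }
    switch ($Name) {
        'SmartScreenEnabled' {
            if ("$Data" -eq 'Off') { return 'WEAKENED: checks for apps and files turned off' }
            return "Set to '$Data' (not Off)"
        }
        'EnableSmartScreen' {
            if ("$Data" -eq '0') { return 'WEAKENED: policy turns SmartScreen off and locks the setting' }
            if ("$Data" -eq '1') { return 'Policy keeps SmartScreen on' }
            return "Unrecognised data '$Data'"
        }
        'ShellSmartScreenLevel' {
            if ("$Data" -eq 'Warn')  { return 'WEAKENED: users may dismiss the warning and run the app' }
            if ("$Data" -eq 'Block') { return 'Warn and prevent bypass' }
            return "Unrecognised level '$Data'"
        }
    }
}

function Get-SmartScreenAudit {
    # $Reader is a script block taking (Path, Name) and returning the data or nothing.
    param([scriptblock]$Reader)
    foreach ($v in $SmartScreenValues) {
        $data = & $Reader $v.Path $v.Name
        [pscustomobject]@{
            Key        = $v.Path
            Value      = $v.Name
            Data       = if ($null -eq $data) { '<missing>' } else { "$data" }
            Assessment = Get-SmartScreenAssessment -Name $v.Name -Data $data
        }
    }
}

# Reader 1: the live registry of this machine.
$liveReader = {
    param($Path, $Name)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Reader 2: constructed sample, the state after both scripts have been applied.
$sample = @{ SmartScreenEnabled = 'Off'; EnableSmartScreen = 0; ShellSmartScreenLevel = 'Warn' }
$sampleReader = { param($Path, $Name) $sample[$Name] }

'--- constructed sample ---'
Get-SmartScreenAudit -Reader $sampleReader | Format-Table -AutoSize
'--- this machine ---'
Get-SmartScreenAudit -Reader $liveReader | Format-Table -AutoSize
```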
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: ShellSmartScreenLevel
dataType: REG_SZ
data: Warn # Block: Prevent app from running | Warn: Notify user but allow continuation.
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable SmartScreen for Store apps
docs: |- # refactor-with-variables: • SmartScreen Caution
This category includes scripts to disable SmartScreen for Microsoft Store apps.
SmartScreen for Microsoft Store apps is a security feature that:
- Checks content used by Microsoft Store apps [1].
- Can restrict app installations to only those from the Microsoft Store [2].
- Scans web content (URLs) accessed by Microsoft Store apps [1] [3].
It's part of Windows' broader **Reputation-based protection** system [1].
Disabling this feature can:
- Enhance privacy by reducing data sent to Microsoft for content and app checks [3].
- Improve system performance by eliminating background scanning and processing.
- Give users more freedom to install and run apps from various sources without interference [2].
However, disabling SmartScreen for Store apps may also:
- Reduce protection against malware and potentially harmful applications.
- Increase the risk of running malicious software unknowingly.
- Allow Microsoft Store apps to access potentially dangerous web content without warning.
This category provides options to customize various aspects of SmartScreen's behavior for Store apps, balancing
between security, privacy, and user freedom.
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240724111947/https://support.microsoft.com/en-us/windows/reputation-based-protection-8d24aede-e932-4bc4-8bc6-6ccaf4d7b058 "Reputation-based protection - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240709110302/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#enableappinstallcontrol "SmartScreen Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general "Manage connections from Windows operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
children:
-
name: Disable SmartScreen "App Install Control" feature
docs: |- # refactor-with-variables: • SmartScreen Caution
This script disables the "App Install Control" feature of SmartScreen.
This feature restricts app installations exclusively to those from the Microsoft Store [1] [2].
It displays the "The app you're trying to install isn't a Microsoft-verified app" message
during app installation [3].
By default, this feature is turned off [1] [2].
Disabling SmartScreen automatically deactivates it as well [1] [2].
This script explicitly deactivates the feature to guarantee it remains disabled.
Once disabled, SmartScreen permits users to install apps from any source, including the Internet [1] [2].
Disabling this feature enhances your privacy by limiting the data transmitted about your activities and behavior [4].
It also improves system performance by removing the need for continuous monitoring and evaluation of app sources,
which can reduce CPU and memory usage.
However, this also introduces a security risk by potentially permitting the installation of malicious apps.
The script specifically modifies the following registry keys to enforce these settings:
- `HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen!ConfigureAppInstallControlEnabled` [1] [2] [4]
- `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen!ConfigureAppInstallControl` [4] [5]
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer!AicEnabled` [3] [5] [6] [7]
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240709110302/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen#enableappinstallcontrol "SmartScreen Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240709110349/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl "Configure App Install Control | admx.help"
[3]: https://web.archive.org/web/20240713100611/https://answers.microsoft.com/en-us/windows/forum/all/i-am-having-issues-changing-my-app-recommendation/16b00c35-05fc-44bc-9e78-e9452cf8d862 "I am Having Issues Changing My App Recommendation Settings - Microsoft Community | answers.microsoft.com"
[4]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[5]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5182 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
[6]: https://web.archive.org/web/20240724195837/https://www.elevenforum.com/t/choose-where-to-get-apps-in-windows-11.7370/ "Choose where to get apps in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[7]: https://web.archive.org/web/20240713101028/https://bugzilla.mozilla.org/show_bug.cgi?id=1659157 "1659157 - Add telemetry to track Win 10 installs in related to the system's MSFT verified app setting. | bugzilla.mozilla.org"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen
valueName: ConfigureAppInstallControl
dataType: REG_SZ
data: Anywhere
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen
valueName: ConfigureAppInstallControlEnabled
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
valueName: AicEnabled
dataType: REG_SZ
data: 'Anywhere'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable SmartScreen web content checking for Store apps
docs: |- # refactor-with-variables: • SmartScreen Caution
This script disables the web content checking feature of SmartScreen for Microsoft Store apps.
SmartScreen scans web content (URLs) accessed by Microsoft Store apps to enhance security [1] [2].
SmartScreen is enabled by default [2].
Initially, this feature was known as *SmartScreen Filter* for Microsoft Store apps [3].
Later, it was renamed to "SmartScreen for Microsoft Store apps" [2].
It is part of SmartScreen's reputation-based protection [2] [3] [4].
Disabling this feature enhances your privacy by reducing data shared with Microsoft.
Microsoft acknowledges that turning off this feature limits the data transmitted about your activities and behavior [1].
It can also improve system performance by reducing web content processing overhead.
However, there is a trade-off between privacy and security:
- Increased Privacy: Less data shared with Microsoft.
- Decreased Security: Less protection against phishing and malware.
The Polish Government advises turning this feature off to prioritize privacy over security [5].
This script modifies the following Windows registry keys:
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!EnableWebContentEvaluation`: [1] [2] [3] [4] [5] [6] [7]
This key modifies the user interface setting [1] [3].
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!EnableWebContentEvaluation` [4] [6] [7]
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppHost!EnableWebContentEvaluation` [3] [6]
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20240724093008/https://www.anoopcnair.com/smartscreen-for-microsoft-store-apps-windows-11/ "Enable Disable Defender SmartScreen For Microsoft Store Apps In Windows 11 HTMD Blog | www.anoopcnair.com"
[3]: https://web.archive.org/web/20240724093046/https://www.thewindowsclub.com/enable-or-disable-smartscreen-filter-for-microsoft-store-apps "Enable or Disable SmartScreen for Microsoft Store apps | www.thewindowsclub.com"
[4]: https://web.archive.org/web/20240724093031/https://r-pufky.github.io/docs/operating-systems/windows/10/20H2/security/app-and-browser-control/reputation-based-protection-setttings.html "3.1. Reputation-based protection settings — Generic service & computer documentation. documentation | r-pufky.github.io"
[5]: https://web.archive.org/web/20231011231107/https://plid.obywatel.gov.pl/wp-content/uploads/2014/08/Wymagania-dla-stacji-koncowych-SRP-v-5-0.pdf "WYMAGANIA - dla stacji roboczych stanowisk obsługi dla użytkowników końcowych SRP | plid.obywatel.gov.pl"
[6]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/urlmon.dll.strings "10_0_22622_601/C/Windows/System32/urlmon.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 | github.com"
[7]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5180 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
valueName: EnableWebContentEvaluation
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
valueName: EnableWebContentEvaluation
dataType: REG_DWORD
data: "0"
dataOnRevert: "1" # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppHost
valueName: EnableWebContentEvaluation
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Enable SmartScreen warning dismissal for Store apps
docs: |- # refactor-with-variables: • SmartScreen Caution
This script allows users to bypass SmartScreen warnings for Microsoft Store apps.
SmartScreen is a security feature that filters web content accessed by Microsoft Store apps [1] [2].
By default, SmartScreen allows users to bypass its warnings [1] [3].
This script keeps the default setting.
Enabling SmartScreen bypass may enhance privacy by reducing data shared with Microsoft.
It increases user control over security checks and may improve system
performance by removing an additional security check.
However, this reduces protection against malicious content, potentially exposing users to security risks.
### Technical Details
This script modifies these Windows registry keys:
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!PreventOverride` [1] [2] [4] [5]
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost!PreventOverride` [4] [5]
These keys, although not officially documented, interact with the SmartScreen executable (`smartscreen.exe`) [3].
Community reports confirm their role in controlling SmartScreen for Store apps [1] [2] [4].
Setting `PreventOverride` to `0` allows users to bypass SmartScreen warnings [3].
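An added example, not part of privacy.sexy's own code: it checks offline, from `reg export` text, which of the values documented for the three Store-app SmartScreen scripts in this category (App Install Control, web content checking, warning dismissal) are present on a machine. The export is constructed sample data, and `parse_reg_export`, `audit` and `SCRIPT_VALUES` are names assumed for this example.

```python
import re

# Values documented for the three Store-app SmartScreen scripts (`key!value`
# entries in their docs) with the data the scripts write. Table name is an
# assumption of this example.
SCRIPT_VALUES = {
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen", "ConfigureAppInstallControlEnabled"): 0,
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen", "ConfigureAppInstallControl"): "Anywhere",
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer", "AicEnabled"): "Anywhere",
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost", "EnableWebContentEvaluation"): 0,
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost", "EnableWebContentEvaluation"): 0,
    ("HKLM", r"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppHost", "EnableWebContentEvaluation"): 0,
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost", "PreventOverride"): 0,
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost", "PreventOverride"): 0,
}

# Constructed sample of `reg export` output (already decoded to text).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\SmartScreen]
"ConfigureAppInstallControlEnabled"=dword:00000000
"ConfigureAppInstallControl"="Anywhere"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000001
"PreventOverride"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost]
"EnableWebContentEvaluation"=dword:00000000
'''

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
SECTION = re.compile(r"^\[(?P<hive>[^\\\]]+)\\(?P<path>[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Parse export text into {(hive, key_lower, name_lower): data}.

    Registry key and value names are case-insensitive, so both are lowered.
    Only REG_DWORD and REG_SZ are decoded; other types are skipped.
    """
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            hive = HIVES.get(section["hive"].upper())
            current = (hive, section["path"].lower()) if hive else None
            continue
        value = VALUE.match(line)
        if not (value and current):
            continue
        data = value["data"]
        if data.lower().startswith("dword:"):
            parsed = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside strings.
            parsed = re.sub(r"\\(.)", r"\1", data[1:-1])
        else:
            continue
        values[current + (value["name"].lower(),)] = parsed
    return values


def _same(actual, expected):
    """Compare with matching type: DWORD by number, string ignoring case."""
    if isinstance(expected, int):
        return isinstance(actual, int) and actual == expected
    return isinstance(actual, str) and actual.lower() == expected.lower()


def audit(reg_text):
    """Sort each documented value into applied, differs or absent."""
    found = parse_reg_export(reg_text)
    report = {"applied": [], "differs": [], "absent": []}
    for (hive, path, name), expected in SCRIPT_VALUES.items():
        label = f"{hive}\\{path}!{name}"
        actual = found.get((hive, path.lower(), name.lower()))
        if actual is None:
            report["absent"].append(label)
        elif _same(actual, expected):
            report["applied"].append(label)
        else:
            report["differs"].append(f"{label}={actual}")
    return report


if __name__ == "__main__":
    for state, entries in audit(SAMPLE_EXPORT).items():
        print(state, *entries, sep="\n  ")
```

An `absent` entry means the value is missing from the export, which for the values marked `deleteOnRevert` is also the state after reverting the script.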
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240724102538/https://www.elevenforum.com/t/enable-or-disable-microsoft-defender-smartscreen-for-microsoft-store-apps-in-windows-11.5736/ "Enable or Disable Microsoft Defender SmartScreen for Microsoft Store Apps in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[2]: https://web.archive.org/web/20240724102525/https://www.tenforums.com/tutorials/81139-turn-off-smartscreen-microsoft-store-apps-windows-10-a.html "Turn On or Off SmartScreen for Microsoft Store Apps in Windows 10 | Tutorials | tenforums.com"
[3]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#prevent-bypassing-windows-defender-smartscreen-prompts-for-sites "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240724093031/https://r-pufky.github.io/docs/operating-systems/windows/10/20H2/security/app-and-browser-control/reputation-based-protection-setttings.html "3.1. Reputation-based protection settings — Generic service & computer documentation. documentation | r-pufky.github.io"
[5]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5181C51-L5181C66 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
valueName: PreventOverride
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost
valueName: PreventOverride
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable SmartScreen in Microsoft browsers
docs: |- # refactor-with-variables: • SmartScreen Caution
This category provides scripts to disable SmartScreen in Microsoft browsers.
SmartScreen is a security feature in Edge.
When you visit websites or download files, SmartScreen checks the reputation of the URL or file [1].
If SmartScreen determines that the site or file is malicious, it blocks access or download [1].
SmartScreen is enabled by default in Microsoft Edge [1].
The SmartScreen feature raises privacy concerns because it sends unhashed URLs, downloaded files, applications being run, IP addresses,
and the user's Security Identifier (SID) to Microsoft [1] [2] [3].
This data transmission can potentially allow the company to track browsing history and user activities.
The transmission of full file paths and download URLs can expose a significant amount of sensitive and private information about a
user's system and network structure.
The combination of these data points could enable Microsoft to build a comprehensive profile of user activities and behavior.
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240623123514/https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#smartscreen "Microsoft Edge Privacy Whitepaper - Microsoft Edge Developer documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624121703/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-potentially-unwanted-apps "Use Microsoft Edge to protect against potentially unwanted applications | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240624143449/https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ "Windows 10 SmartScreen Sends URLs and App Names to Microsoft | www.bleepingcomputer.com"
children:
-
name: Disable Edge SmartScreen
docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy • SmartScreen Caution
This script disables the SmartScreen feature in Edge.
SmartScreen warns against potential phishing scams and malicious software [1] [2] [3].
By default, Microsoft Defender SmartScreen is active, but users can opt out [1] [2].
Once you run this script, Microsoft Defender SmartScreen will be turned off [1] [2].
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
While disabling this feature increases user autonomy and privacy, it may reduce your security.
Authorities like DISA [2] and the CIS Center for Internet Security [3] discourage disabling it as a security best practice.
Disabling may allow access to potentially malicious websites and software [2] [3].
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1] [2].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
Changing this policy does not require restarting the browser to take effect [1].
This script configures the `SmartScreenEnabled` policy [1] [2] [3].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
> - Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624143208/https://www.stigviewer.com/stig/microsoft_edge/2021-02-16/finding/V-235763 "Microsoft Defender SmartScreen must be enabled. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: SmartScreenEnabled # Edge ≥ 77
dwordData: '0'
-
name: Disable Edge SmartScreen for potentially unwanted apps
docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • Performance + Privacy • SmartScreen Caution
This script disables Edge's SmartScreen feature that targets potentially unwanted applications (PUAs).
Edge's SmartScreen PUA feature aims to protect against adware, coin miners, bundleware, and other
low-reputation software [1] [2] [3].
This feature warns users about potentially harmful applications [1] [2] [3].
This feature is off by default [2].
This script keeps the feature inactive, preventing automatic or unintended activations.
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
However, enabling it can boost your security by blocking the installation of apps that could harm your system [3].
Authorities like DISA [2] and the CIS Center for Internet Security [3] encourage
enabling it as a security best practice.
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1] [2].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `SmartScreenPuaEnabled` policy [1] [2] [3].
Changing this policy does not require restarting the browser to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
> - Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenpuaenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624121549/https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled "Configure Microsoft Defender SmartScreen to block potentially unwanted apps | admx.help"
[3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: SmartScreenPuaEnabled # Edge ≥ 80
dwordData: '0'
-
name: Enable Edge SmartScreen warning dismissal
docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution
This script allows users to bypass SmartScreen warnings in Edge.
Edge's SmartScreen shows warnings about potentially malicious websites [1] [2] [3].
By default [1] [2], users can override SmartScreen warnings and visit the site [1].
This script maintains this option, enhancing privacy by minimizing data sent to Microsoft.
Maintaining this option in its default state reduces potential privacy risks by limiting data sharing with Microsoft.
This may also improve system performance by reducing processing workload.
While keeping this setting disabled may increase user autonomy and privacy, it may reduce security
by allowing access to potentially malicious websites [2] [3].
Authorities like CIS Center for Internet Security [2] and DISA [3] recommend enabling it as a security best practice.
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `PreventSmartScreenPromptOverride` policy [1] [2] [3].
Changing this policy does not require restarting the browser to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - This locks settings and prevents them from being changed on the settings page.
> - Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#preventsmartscreenpromptoverride "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
[3]: https://web.archive.org/web/20240624152821/https://www.stigviewer.com/stig/microsoft_edge/2021-06-23/finding/V-235720 "Bypassing Microsoft Defender SmartScreen prompts for sites must be disabled. | www.stigviewer.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: PreventSmartScreenPromptOverride # Edge ≥ 77
dwordData: '0'
-
name: Enable Edge SmartScreen warning dismissal for files
docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution
This script allows users to bypass Edge SmartScreen warnings when downloading files.
Microsoft Defender SmartScreen warns users about potentially unsafe downloads [1] [2] [3].
By default, users can bypass Microsoft Defender SmartScreen warnings and complete unverified downloads [1] [2].
This script maintains the default option, enabling users to bypass SmartScreen warnings if chosen.
This script allows users to override these warnings.
This enhances user privacy by reducing the amount of data sent to Microsoft for file scanning.
However, this may reduce security as it allows the completion of potentially harmful, unverified downloads.
Restricting downloads to verified sources significantly lowers the risk of acquiring viruses, spyware, or other malicious software [3].
Authorities like the Defense Information Systems Agency (DISA) [2] and the Center for Internet Security (CIS) [3] advise
against bypassing SmartScreen due to security concerns.
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `PreventSmartScreenPromptOverrideForFiles` policy [1] [2] [3].
Changing this policy does not require restarting the browser to take effect [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#preventsmartscreenpromptoverrideforfiles "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240712112844/https://www.stigviewer.com/stig/microsoft_edge/2021-11-19/finding/V-235721 "Bypassing of Microsoft Defender SmartScreen warnings about downloads must be disabled. | www.stigviewer.com"
[3]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: PreventSmartScreenPromptOverrideForFiles # Edge ≥ 77
dwordData: '0'
-
name: Disable Edge SmartScreen DNS requests
recommend: strict # Recommended by CIS
docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution
This script stops Microsoft Defender SmartScreen from making DNS requests.
By default [1] [2], Microsoft Defender SmartScreen sends DNS requests [1] [2] to identify
potentially harmful websites, like those involved in phishing or malware [2] [3].
Disabling DNS requests stops SmartScreen from obtaining IP addresses [1] [2],
which enhances privacy by reducing IP data sharing.
This script also improves security by reducing dependence on DNS servers.
Disabling DNS requests mitigates a security risk: if DNS fails to resolve a website,
the browser cannot isolate it through Web Isolation [2] [3].
The Center for Internet Security (CIS) recommends this action for its security benefits [2].
Additionally, disabling DNS requests can improve system performance by reducing processing workload.
However, this change may reduce IP-based protections [1] [2], posing a security trade-off.
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [2] [3].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `SmartScreenDnsRequestsEnabled` policy [1].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - Disabling SmartScreen may reduce your protection against phishing and malware.
> - Disabling DNS requests may prevent the browser from blocking harmful sites by not checking their IP addresses.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreendnsrequestsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240712102959/https://www.syxsense.com/syxsense-securityarticles/cis_benchmarks_(ms_edge)/syx-1038-12753.html "Microsoft Defender SmartScreen DNS Requests Enabled (CIS LEVEL 1 MS Edge) | www.syxsense.com"
[3]: https://web.archive.org/web/20240712103006/https://knowledge.broadcom.com/external/article/200948/unable-to-isolate-websites-in-edge-brows.html "Unable to Isolate websites in Edge browser | knowledge.broadcom.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: SmartScreenDnsRequestsEnabled # Edge ≥ 97
dwordData: '0'
-
name: Disable Edge SmartScreen checks on downloads from trusted sources
docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution
This script lets you configure whether Microsoft Defender SmartScreen checks download reputation from a trusted source [1].
Edge determines a trusted source by checking its Internet zone [1].
If the source comes from the local system, intranet, or trusted sites zone, then the download
is considered trusted and safe [1].
By default, if you do not run this script, Microsoft Defender SmartScreen checks the download's reputation regardless of source [1].
Once you run this script, Microsoft Defender SmartScreen doesn't check the download's reputation when downloading from a trusted source [1].
This increases your privacy by removing the need to send data to Microsoft about downloaded files.
It can also improve performance by removing the processing that the check requires.
However, it may reduce your security against malicious software [2].
CIS (Center for Internet Security) discourages this script and recommends allowing the checks [2].
Allowing the checks increases security because SmartScreen can verify that downloads are from a trusted source, which lowers the chance of
users downloading an infected package to their machine [2].
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [1].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `SmartScreenForTrustedDownloadsEnabled` policy [1] [2].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreenfortrusteddownloadsenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240625064922/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_Edge_Benchmark_v1_0_0.pdf "CIS Microsoft Edge Benchmark v1.0.0 | paper.bobylive.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: SmartScreenForTrustedDownloadsEnabled # Edge ≥ 78
dwordData: '0'
-
name: Disable outdated Edge SmartScreen library update
docs: |- # refactor-with-variables: • Chromium Policy Caution • Active Directory only • SmartScreen Caution
This script prevents specific versions of Microsoft Edge from updating to the newer SmartScreen library.
This script reverts Microsoft Edge to the previous SmartScreen library, used before version 103 [1] [2].
It blocks Edge from loading the new SmartScreen library (`libSmartScreenN`),
which is responsible for checking site URLs and application downloads [1].
By running this script, Edge will utilize the older library (`libSmartScreen`).
This script is effective only for Microsoft Edge versions 95 to 107 [1].
It does not function on versions older than 95, which always use the older library [1].
Similarly, versions newer than 107 always utilize the newer library [1] [2].
Disabling the updated SmartScreen library can increase privacy by limiting data collection but may reduce
security as it bypasses the latest updates that combat phishing and malware.
This script may improve system performance since some users have reported slowdowns with the new
library [3]; these issues have probably already been resolved as the library has matured.
This script applies only to Windows devices within a Microsoft Active Directory domain or managed in a similar way [2] [3].
It is effective only on computers under organizational management, such as those in workplaces or schools.
It's not applicable to personal computers that are not managed by an organization.
This script configures the `NewSmartScreenLibraryEnabled` policy [1] [2].
Changes will take effect after restarting the browser [1].
> **Caution**:
> - This will display the message "Your browser is managed by your organization" on the settings page.
> - Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240314103512/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#newsmartscreenlibraryenabled "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240714085347/https://blogs.windows.com/msedgedev/2022/09/29/more-reliable-web-defense/ "More reliable web defense - Microsoft Edge Blog | blogs.windows.com"
[3]: https://web.archive.org/web/20240714090327/https://answers.microsoft.com/en-us/microsoftedge/forum/all/new-smartscreen-library-kills-edge/33ed19a4-ff7d-4939-8e0c-015eab7b0ae9 "\"New SmartScreen library\" kills Edge - Microsoft Community | answers.microsoft.com"
call:
function: SetEdgePolicyViaRegistry
parameters:
valueName: NewSmartScreenLibraryEnabled # Edge ≥ 95 and ≤ 107
dwordData: '0'
-
name: Disable Edge (Legacy) SmartScreen
docs: |- # refactor-with-variables: Same • Edge (Legacy) only • SmartScreen Caution
This script disables the SmartScreen feature in Edge (Legacy).
Edge (Legacy) uses the Windows Defender SmartScreen by default to protect users from phishing scams and malicious software [1] [2].
This feature is enabled by default and cannot be turned off by users [2].
This script disables SmartScreen and prevents users from turning it back on [2].
As a result, users will not receive alerts about potential threats [2].
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
While enabling this setting may increase user autonomy and privacy, it reduces security [1].
Users should be cautious and understand the risks involved.
This script configures the `EnabledV9` policy [1] [2] [3].
This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240624152134/https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713 "The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | www.stigviewer.com"
[2]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#configure-windows-defender-smartscreen "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com"
[3]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5173 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
call:
function: SetLegacyEdgePolicyViaRegistry
parameters:
policySubkey: PhishingFilter
valueName: EnabledV9
dwordData: "0"
-
name: Enable Edge (Legacy) SmartScreen warning dismissal
docs: |- # refactor-with-variables: Same • Performance + Privacy • Edge (Legacy) only • SmartScreen Caution
This script allows users to bypass SmartScreen warnings in Edge (Legacy).
Edge (Legacy) features a SmartScreen filter that warns users about potentially malicious websites and file downloads [1].
By default, this feature allows users to ignore these warnings and proceed to download files [1].
This script keeps this option, enhancing user privacy by minimizing data sent to Microsoft.
Disabling this feature reduces potential privacy risks by preventing data sharing.
This may also improve system performance by reducing processing workload.
While enabling this setting may increase user autonomy and privacy, it reduces security by allowing downloads from
potentially malicious sources [2].
Users should be cautious and understand the risks involved.
This script configures the `PreventOverride` policy [1] [2] [3].
This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies#configure-windows-defender-smartscreen "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240624140451/https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-63699 "Users must not be allowed to ignore SmartScreen filter warnings for malicious websites in Microsoft Edge. | www.stigviewer.com"
[3]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/smartscreen.exe.strings#L5174C163-L5174C178 "10_0_19045_2251/C/Windows/System32/smartscreen.exe.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 · GitHub | github.com"
call:
function: SetLegacyEdgePolicyViaRegistry
parameters:
policySubkey: PhishingFilter
valueName: PreventOverride
dwordData: "0"
-
name: Disable outdated Internet Explorer SmartScreen
docs: |- # refactor-with-variables: • SmartScreen Caution
This script disables SmartScreen in outdated versions of Internet Explorer.
SmartScreen is also known as the *Phishing Filter* [1] [2] or *SmartScreen Filter* [2] [3].
It protects users by identifying and blocking malicious web content [2] [3].
Disabling this feature enhances your privacy by preventing the collection of data related to your browsing habits.
It can also increase system performance by reducing the computational overhead required to scan and evaluate web content.
However, this may also lower your security, as it makes the browser more vulnerable to malicious sites and downloads [3].
Internet Explorer is no longer supported and has been replaced by Microsoft Edge on recent versions of Windows [1].
However, this script remains relevant for older versions where Internet Explorer is still operational.
The script modifies the `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<ZoneNumber>\2301` registry key [1] [2] [3].
Each zone in the registry represents a different security level [1]:
| Security Zone | Meaning |
|---------------|-------------------------|
| `0` | My Computer |
| `1` | Local Intranet Zone |
| `2` | Trusted Sites Zone |
| `3` | Internet Zone |
| `4` | Restricted Sites Zone |
Disabling SmartScreen is achieved by setting the value of `2301` to `3` [2].
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240709095151/https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries "IE security zones registry entries for advanced users - Browsers | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240709102216/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9 "Turn on SmartScreen Filter scan | admx.help"
[3]: https://web.archive.org/web/20240709102226/https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-06-08/finding/V-64719 "Turn on SmartScreen Filter scan option for the Internet Zone must be enabled. | www.stigviewer.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
valueName: '2301'
dataType: REG_DWORD
data: '3' # 0: Enable | 3: Disable
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
valueName: '2301'
dataType: REG_DWORD
data: '3' # 0: Enable | 3: Disable
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
valueName: '2301'
dataType: REG_DWORD
data: '3' # 0: Enable | 3: Disable
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
valueName: '2301'
dataType: REG_DWORD
data: '3' # 0: Enable | 3: Disable
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
valueName: '2301'
dataType: REG_DWORD
data: '3' # 0: Enable | 3: Disable
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable outdated Internet Explorer SmartScreen Filter component
docs: |- # refactor-with-variables: • SmartScreen Caution
This script disables the outdated Internet Explorer SmartScreen filter by safely removing the `ieapfltr.dll` file.
The `ieapfltr.dll` file is also known as Microsoft SmartScreen Filter [1].
It is mainly used by Internet Explorer [2].
Despite the official end of support for Internet Explorer 11 on June 15, 2022 [3],
some systems may still have this component.
Benefits:
- **Privacy improvement**:
By disabling the SmartScreen functionality that monitors user behavior,
this script enhances your privacy.
- **Security enhancement**:
It reduces the attack surface by removing unused components, aligning with
security best practices.
- **System performance**:
It may improve system performance by removing unnecessary components.
Trade-offs:
- **Reduced security**:
The absence of SmartScreen may decrease protection against malware and phishing.
- **Browser functionality**:
If Internet Explorer is still in use, disabling the SmartScreen filter
may lead to errors, particularly with security features like phishing protection.
- **System stability**:
Internet Explorer components are integrated into Windows.
Some Windows features and third-party applications may depend on these components.
Removing the `ieapfltr.dll` file may lead to stability issues in applications that depend
on it, even if Internet Explorer is not actively used.
File locations:
| File path | Windows 11 (23H2) | Windows 10 (22H2) |
|-----------|-----------------------------|-----------------------------|
| `%WINDIR%\System32\ieapfltr.dll` [4] | ❌ Missing | ❌ Missing |
| `%WINDIR%\SysWOW64\ieapfltr.dll` [1] | ✅ Exists | ✅ Exists |
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240715082726/https://strontic.github.io/xcyclopedia/library/ieapfltr.dll-AA14BA778D11D244316DA63EEB040D92.html "ieapfltr.dll | Microsoft SmartScreen Filter | STRONTIC | strontic.github.io"
[2]: https://web.archive.org/web/20240715082546/https://support.microsoft.com/en-us/topic/ms09-034-cumulative-security-update-for-internet-explorer-5d8e79bc-4b42-fa92-313d-d39c7b112521 "MS09-034: Cumulative security update for Internet Explorer - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240715082553/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge#what-is-the-lifecycle-policy-for-internet-explorer- "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240715083231/https://strontic.github.io/xcyclopedia/library/clsid_3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30.html "CLSID 3BC4EE9F-1FC1-44DB-81FA-AD94DEC7AF30 | CLSID_AppRep | STRONTIC | strontic.github.io"
call:
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\ieapfltr.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\SysWOW64\ieapfltr.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
category: Disable SmartScreen system components
docs: |-
This category includes scripts that disable SmartScreen system components.
SmartScreen is a security feature in Windows that helps protect your device from
potentially harmful applications, files, and websites [1].
Its components run in the background as part of the operating system.
Disabling these components may:
- Improve privacy by reducing data collection used for SmartScreen functionality [2].
- Increase system performance by eliminating background processes.
- Enhance security by removing potential attack surfaces.
However, there are risks to consider:
- Reduced protection against malicious software and phishing attempts.
- Potential impact on Windows system integrity.
These scripts modify core system components.
Consider your personal risk tolerance and needs before applying these changes.
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240709105002/https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/ "Microsoft Defender SmartScreen overview - Windows Security | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen "Manage connections from Windows operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
children:
-
name: Disable SmartScreen process
docs: |- # refactor-with-variables: • SmartScreen Caution
This script stops the `smartscreen.exe` process and prevents it from running.
This process is officially known as *Windows Defender SmartScreen* [1] [2].
It manages the SmartScreen functionality [3] [4].
Its executable is located at `%WINDIR%\System32\smartscreen.exe` [1] [2] [4] [5].
Disabling SmartScreen improves your privacy because it stops outbound network connections
that transmit your data [5].
This process runs in the background even when SmartScreen is disabled [3].
It also improves system performance by reducing CPU usage [6].
However, disabling the SmartScreen process can compromise your security by disabling its protective features.
Additionally, if SmartScreen remains partially enabled after the process is disabled,
it may impair the functionality of Microsoft Store apps [3] [5].
This script will:
- **Terminate the process**:
Stops the `smartscreen.exe` process to prevent it from running.
- **Remove the executable**:
Safely deletes the `smartscreen.exe` file from the system to prevent it from restarting.
> **Caution**:
> - Disabling SmartScreen may reduce your protection against phishing and malware.
> - Disabling this process may prevent Microsoft Store apps from loading.
[1]: https://web.archive.org/web/20240708200821/https://www.file.net/process/smartscreen.exe.html "smartscreen.exe Windows process - What is it? | www.file.net"
[2]: https://web.archive.org/web/20240708201144/https://strontic.github.io/xcyclopedia/library/smartscreen.exe-B75FA41284409A6134BF824BEAE59B4E.html "smartscreen.exe | Windows Defender SmartScreen | STRONTIC | strontic.github.io"
[3]: https://web.archive.org/web/20240709102724/https://www.howtogeek.com/320711/what-is-smartscreen-and-why-is-it-running-on-my-pc/ "What Is \"SmartScreen\" and Why Is It Running on My PC? | www.howtogeek.com"
[4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io"
[5]: https://web.archive.org/web/20240708201153/https://answers.microsoft.com/en-us/windows/forum/all/block-apps-from-accessing-internet-by-default/44a235ce-c9a5-4612-998b-a4c100da93df "Block apps from accessing internet by default... - Microsoft Community | answers.microsoft.com"
[6]: https://web.archive.org/web/20240708200833/https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-smartscreen-using-lots-of-cpu/b795d47a-3f92-44b9-bbbc-c4439e932fc3 "Windows Defender Smartscreen Using Lots of CPU - Microsoft Community | answers.microsoft.com"
call:
-
function: TerminateAndBlockExecution
parameters:
executableNameWithExtension: smartscreen.exe
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\smartscreen.exe'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
name: Disable SmartScreen libraries
docs: |-
This script disables essential SmartScreen libraries, limiting their functionality and preventing
their use by other programs.
A *library* is a set of code and resources that help programs operate.
A *DLL (Dynamic Link Library)* contains code and data that multiple programs can use simultaneously.
Disabling these libraries stops SmartScreen operations across applications.
This enhances your privacy by eliminating SmartScreen data collection.
It improves security by reducing the system's attack surface.
It may also improve system performance by freeing up system resources.
However, turning off these libraries may lower your system's defenses against malware and phishing,
as it stops the identification and blocking of potentially unsafe content.
This script targets and disables the following specific SmartScreen libraries critical to their operations:
- `smartscreen.dll`:
This DLL enables core SmartScreen functionality [1].
It manages essential SmartScreen tasks, such as performing security checks and evaluating the
safety and reputation of files, applications, and web content [2] [3].
- `smartscreenps.dll`:
This DLL supports SmartScreen functionality [4].
It facilitates SmartScreen's critical functions, including component management, registration, and
lifecycle within a COM framework [5] [6].
File locations:
| File path | Windows 11 (23H2) | Windows 10 (22H2) |
|-----------|-----------------------------|-----------------------------|
| `%WINDIR%\System32\smartscreen.dll` [2] | ✅ Exists | ❌ Missing |
| `%WINDIR%\SysWOW64\smartscreen.dll` [3] | ✅ Exists | ❌ Missing |
| `%WINDIR%\System32\smartscreenps.dll` [4] [5] | ✅ Exists | ✅ Exists |
| `%WINDIR%\SysWOW64\smartscreenps.dll` [6] [7] | ✅ Exists | ✅ Exists |
[1]: https://github.com/privacysexy-forks/10_0_22621_870/blob/8b13bab6a49d9d04990dfd78de7b39eb815dcddc/C/Windows/System32/smartscreen.exe.strings#L1090 "10_0_22621_870/C/Windows/System32/smartscreen.exe.strings at 8b13bab6a49d9d04990dfd78de7b39eb815dcddc · privacysexy-forks/10_0_22621_870 · GitHub | github.com"
[2]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreen.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreen.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com"
[3]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreen.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreen.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com"
[4]: https://web.archive.org/web/20240715084553/https://strontic.github.io/xcyclopedia/library/clsid_a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d.html "CLSID a463fcb9-6b1c-4e0d-a80b-a2ca7999e25d | SmartScreen | STRONTIC | strontic.github.io"
[5]: https://github.com/privacysexy-forks/10_0_22621_1028/blob/3e002a687dbcd05bebe48401714021cf670c5bd8/C/Windows/System32/smartscreenps.dll.coff#L5 "10_0_22621_1028/C/Windows/System32/smartscreenps.dll.coff at 3e002a687dbcd05bebe48401714021cf670c5bd8 · privacysexy-forks/10_0_22621_1028 · GitHub | github.com"
[6]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/SysWOW64/smartscreenps.dll.coff#L5 "10_0_22622_601/C/Windows/SysWOW64/smartscreenps.dll.coff at c598035e1a6627384d646140fe9e4d234b36b11d · privacysexy-forks/10_0_22622_601 · GitHub | github.com"
[7]: https://web.archive.org/web/20240715092131/https://strontic.github.io/xcyclopedia/library/smartscreenps.dll-9C77057727E91884AA2AE5D6A85F90C5.html "smartscreenps.dll | SmartScreenPS | STRONTIC | strontic.github.io"
call:
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\smartscreen.dll'
grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\smartscreenps.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\SysWOW64\smartscreen.dll'
grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\SysWOW64\smartscreenps.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
name: Disable outdated SmartScreen settings interface
docs: |- # refactor-with-variables: • SmartScreen Caution
This script disables the SmartScreen settings interface in older Windows versions.
It specifically targets and soft-deletes the `SmartScreenSettings.exe` file [1] [2] [3] [4].
This file is found only in older Windows versions [3] [4], including Windows 8 [3].
Based on tests, this file does not exist in newer versions such as Windows 11 Pro (23H2)
or Windows 10 Pro (22H2) and beyond.
The `SmartScreenSettings.exe` is a user interface component [1] [2] that displays settings
for the SmartScreen filter [3] [4].
Removing this component may enhance privacy by eliminating the possibility to modify
SmartScreen settings, which could otherwise be used to re-enable this monitoring feature [3] [4].
It also optimizes system performance by removing this obsolete component.
However, disabling this feature could reduce security by limiting your system's protection against
phishing and malware.
It is located at the following paths:
- `%WINDIR%\System32\SmartScreenSettings.exe` [1] [4]
- `%WINDIR%\SysWOW64\SmartScreenSettings.exe` [2]
> **Caution**: Disabling SmartScreen may reduce your protection against phishing and malware.
[1]: https://web.archive.org/web/20240714203112/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-43D69652F91822C4A0873884B829DD0A.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io"
[2]: https://web.archive.org/save/https://strontic.github.io/xcyclopedia/library/SmartScreenSettings.exe-6B2EA6F8937B573372304CAE5F829A4D.html "SmartScreenSettings.exe | SmartScreenSettings | STRONTIC | strontic.github.io"
[3]: https://web.archive.org/web/20111013123233/https://techtrickz.com/how-to/enable-or-disable-windows-8-smartscreen-feature-how-to/ "Disable Windows 8 SmartScreen Feature | techtrickz.com"
[4]: https://web.archive.org/web/20240714203245/https://www.thewindowsclub.com/windows-smartscreen-cant-reached-right-now "Windows SmartScreen can't be reached right now | www.thewindowsclub.com"
call:
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\System32\SmartScreenSettings.exe'
grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\SysWOW64\SmartScreenSettings.exe'
grantPermissions: 'true' # Does not exist on Windows 10 since 22H2 | Does not exist on Windows 11 since 23H2
-
category: Disable automatic updates
docs: |-
Disabling automatic updates is often considered counterintuitive when it comes to securing your system. However, there are substantial arguments
to consider this option if you're privacy-centric:
1. **Patching and Pre-Approval**: Manual control over update deployment allows for pre-emptive approval of patches. This strategy is useful
in environments requiring the highest level of security. For instance, military agencies frequently employ air-gapped systems that mandate
careful review of each update to mitigate risks such as potential backdoors or data leaks. Similarly, financial institutions often
resort to staged rollouts of updates, subjecting them to an in-depth analysis of their implications on security and privacy before broad
implementation.
2. **Telemetry and Data Transmission**: Automatic updates often come embedded with telemetry data collection mechanisms. Disabling these
updates facilitates granular control over the data transmitted back to Microsoft servers. Thus, the decision to disable automatic updates
allows you to control the timing and nature of information relayed to these servers.
3. **Peer-to-Peer Data Exposure**: Windows employs a Peer-to-Peer (P2P) approach to facilitate update distribution, which can
reveal your IP address and some system details to peer systems [1].
4. **Configurational integrity**: Updates have the capacity to change pre-configured settings without explicit user consent. This could
result in unintended alteration of your privacy settings, leaving you exposed until you realize the change.
> **Caution**: While controlling updates enhances your privacy, it can leave your system vulnerable to unpatched exploits.
Ensure that you manually review and apply updates on a regular basis. You're essentially trading off some security for a heightened level of
privacy.
[1]: https://web.archive.org/web/20230905120220/https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq "Delivery Optimization Frequently Asked Questions - Windows Deployment | Microsoft Learn"
children:
-
name: Disable Automatic Updates (AU) feature
docs: |-
This script deactivates the Automatic Updates feature in Windows. By disabling Automatic Updates,
you gain control over when your system is updated, which may be preferable in specific
privacy-sensitive environments.
The script changes a specific setting in your computer's registry, with a key called `NoAutoUpdate`, which has
two possible states [1] [2]:
- `0`: Automatic Updates are enabled.
- `1`: Automatic Updates are disabled.
By default, Windows comes with Automatic Updates enabled, meaning the `NoAutoUpdate` is set to `0` [3].
Running this script will set `NoAutoUpdate` to `1`, turning off Automatic Updates [1] [2] [3].
In doing so, you prevent your computer from automatically receiving updates, which is a feature
that could be considered intrusive or unwanted in some privacy-conscious settings.
It configures your computer to not automatically download and install updates without your explicit permission.
[1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a NonActive Directory Environment | Microsoft Learn"
[2]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support"
[3]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
valueName: NoAutoUpdate
dataType: REG_DWORD
data: "1"
dataOnRevert: "0" # Default value: `0` on Windows 10 Pro (≥ 21H2) | `0` on Windows 11 Pro (≥ 21H2)
-
name: Disable automatic installation of Windows updates without user consent
docs: |-
This script changes how your Windows computer handles automatic updates by modifying the `AUOptions` registry key.
After running this script, your computer will notify you before downloading any updates [1] [2] [3].
In the default setup, your Windows system is configured to download and install updates automatically without notifying you [4].
This means that new updates could be installed on your system without your explicit approval.
By forcing Windows to notify you before downloading updates, this script hands back control over your system to you.
This feature enhances your privacy and minimizes risks because you get to manually review and approve each update before it's installed.
To explain the technical aspect, the `AUOptions` registry key is a setting stored under
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` in your computer's registry [1] [3].
A value of `2` for `AUOptions` means that you will be notified before any updates are downloaded and installed [1] [2].
On older versions of Windows, setting this key to `1` would prevent the system from even checking for updates [5].
However, starting from Windows 10, the value `1` has a different meaning [2] [3].
Running this script doesn't disable updates; it just ensures that you are informed and have the final say on
whether to download them or not.
[1]: https://web.archive.org/web/20230807165936/https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 "Configure Automatic Updates in a NonActive Directory Environment | Microsoft Learn"
[2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20230815051303/https://learn.microsoft.com/en-us/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart "Manage device restarts after updates - Windows Deployment | Microsoft Learn"
[4]: https://web.archive.org/web/20230826081345/https://learn.microsoft.com/en-US/troubleshoot/windows-client/deployment/update-windows-update-agent "Update Windows Update Agent to latest version - Windows Client | Microsoft Learn"
[5]: https://web.archive.org/web/20221001051250/https://support.microsoft.com/en-us/topic/incorrect-automatic-updates-notification-is-received-even-though-au-options-are-disabled-in-windows-8-1-and-windows-server-2012-r2-18b4b73a-3910-9408-809c-7eaad0e1fbc7 "Incorrect Automatic Updates notification is received even though AU options are disabled in Windows 8.1 and Windows Server 2012 R2 - Microsoft Support"
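Added example (not part of privacy.sexy): a Python audit that reads the text of a `reg export` of the policy hive and reports the values documented in this file, namely `2301` = `3` for the Internet Explorer security zones and `NoAutoUpdate` / `AUOptions` under `WindowsUpdate\AU`. The sample export, the function names and the finding messages are constructed for illustration.

```python
import re

# Constructed sample in .reg export format (not taken from a real system).
# Real exports written by reg.exe/regedit are UTF-16 LE: open them with
# encoding="utf-16" before passing the text to audit().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2301"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"2301"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"AUOptions"=dword:00000002
'''

# Registry key and value names are case-insensitive, so everything is
# compared in lower case ("SOFTWARE" and "Software" are the same key).
POLICIES = r'hkey_local_machine\software\policies\microsoft\windows'
ZONES_KEY = POLICIES + r'\currentversion\internet settings\zones'
AU_KEY = POLICIES + r'\windowsupdate\au'

ZONE_NAMES = {
    0: 'My Computer',
    1: 'Local Intranet Zone',
    2: 'Trusted Sites Zone',
    3: 'Internet Zone',
    4: 'Restricted Sites Zone',
}

SECTION = re.compile(r'^\[(.+)\]$')
DWORD = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(text):
    """Return {key path: {value name: int}} for every REG_DWORD in the export."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = section.group(1).lower()
            values.setdefault(current, {})
            continue
        dword = DWORD.match(line)
        if dword and current is not None:
            values[current][dword.group(1).lower()] = int(dword.group(2), 16)
    return values


def audit(text):
    """List the policy values from this section that are present in the export."""
    reg = parse_reg_dwords(text)
    findings = []
    for zone, label in ZONE_NAMES.items():
        state = reg.get(f'{ZONES_KEY}\\{zone}', {}).get('2301')
        if state == 3:  # 0: Enable | 3: Disable
            findings.append(
                f'IE SmartScreen disabled by policy in zone {zone} ({label})')
    au = reg.get(AU_KEY, {})
    if au.get('noautoupdate') == 1:
        findings.append('Automatic Updates disabled (NoAutoUpdate=1)')
    if au.get('auoptions') == 2:
        findings.append('Notify before download (AUOptions=2)')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_REG):
        print(finding)
```
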
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
valueName: AUOptions
dataType: REG_DWORD
data: "2"
dataOnRevert: "4" # Default value: `4` on Windows 10 Pro (≥ 21H2) | `0` on Windows 11 Pro (≥ 21H2)
-
name: Disable automatic daily installation of Windows updates
docs: |-
This script stops Windows from automatically installing updates every day. By doing so, you gain control over when updates
happen on your computer [1] [2].
By default, Windows is set to automatically update every day [2]. Having control over the update timing allows you to review
what is being changed, thereby protecting your privacy and enhancing your system's security.
Technically, what the script does is remove a specific setting in the computer's system registry, the `ScheduledInstallDay` key
from `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` [1] [2].
Disabling the scheduled install day ensures that updates won't be forcibly applied on a specific day of the week.
[1]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
[2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstallday "Update Policy CSP - Windows Client Management | Microsoft Learn"
call:
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
valueName: ScheduledInstallDay
# Default values:
# Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'ScheduledInstallDay'
# Windows 10 (≥ 20H2) : Missing
# Windows 11 (≥ 23H2) : Missing
deleteOnRevert: 'true'
-
name: Disable scheduled automatic updates
docs: |-
This script turns off the automatic installation of Windows updates that are set to occur at a specific time.
By doing this, you take back control over when your computer updates itself [1] [2] [3].
The default behavior is to install updates at 3 AM [3].
Windows updates can be important for system security, but automatic installation could occur at inconvenient times and may even
restart your computer without prior warning. This could interrupt your tasks and may send data about your system to external servers.
By disabling the automatic scheduled installation time, you can manually control when updates are installed [3], ensuring that you're
aware of any changes to your system.
The script works by removing a specific registry value called `ScheduledInstallTime` under
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` [2] [3]. This is the system setting that controls the scheduled update time.
[1]: https://web.archive.org/web/20230813094618/https://learn.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152 "Configure Automatic Updates in a NonActive Directory Environment | Microsoft Learn"
[2]: https://web.archive.org/web/20230711172555/https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry "Manage additional Windows Update settings - Windows Deployment | Microsoft Learn"
[3]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#scheduledinstalltime "Update Policy CSP - Windows Client Management | Microsoft Learn"
call:
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
valueName: ScheduledInstallTime
# Default values:
# Check : Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'ScheduledInstallTime'
# Windows 10 (≥ 20H2) : Missing
# Windows 11 (≥ 23H2) : Missing
deleteOnRevert: 'true'
-
category: Disable Windows update services
docs: |-
The scripts in this category offer users the ability to control Windows services related to system updates.
These services manage how and when your system receives updates from Microsoft. By limiting or disabling these services,
users can decide when to update their system, reducing unexpected changes. Moreover, a system with fewer running
services uses fewer resources, which can improve overall performance.
Disabling these update services is also a privacy measure. Some updates can change privacy settings or add features that
collect user data. By controlling update services, users can review and approve any changes before they take effect.
> **Caution**: Disabling Windows update services may lead to missed critical security patches and feature updates.
> Consider the balance between maintaining privacy and ensuring system security and stability.
children:
# Tips:
# - Related services can be seen in `%WINDIR%\WaaS\services` folder.
# Excluding:
# - Background Intelligent Transfer Service (BITS): Not exclusive to disabling automatic Windows updates, may break third-party apps
# - Delivery Optimization (DoSvc): Not exclusive to disabling automatic Windows updates, breaks Microsoft Store downloads.
# - Windows Remediation Service (sedsvc): Seems to exist in legacy versions of Windows, does not exist since Windows 10 22H2 and Windows 11 23H2
-
name: Disable "Windows Update" (`wuauserv`) service
docs: |-
This script turns off the Windows Update service, which is technically known as Windows Update Agent [1] [2].
By disabling this service, the automatic detection, download, and installation of updates for both Windows and other
installed programs are halted [3] [4].
Updates can often come bundled with changes that could affect your privacy settings or introduce features that collect
more of your data. Taking control of when and how updates are applied provides you with the opportunity to review any changes
before they take effect.
By default, the service is enabled and set to start up manually [5].
If you disable this service, you won't be able to use the Windows Update feature for automatic updates [5]. Additionally,
other software on your computer won't be able to access the functionalities provided by the Windows Update Agent,
commonly known as WUA API [5].
> **Caution:** This script stops Windows Update Agent's ability to check for and manage system updates. This means your system
> won't automatically receive important updates, which could leave it vulnerable to specific security risks and performance issues
> over time.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20230902020255/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/additional-resources-for-windows-update "Additional resources for Windows Update - Windows Client | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231027190503/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn"
[4]: https://web.archive.org/web/20230905120345/https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing "Patching Server Core | Microsoft Learn"
[5]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
call:
function: DisableService
parameters:
serviceName: wuauserv # Check: (Get-Service -Name 'wuauserv').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable "Update Orchestrator Service" (`UsoSvc`)
docs: |-
This script disables the Update Orchestrator Service, also known as "Update Orchestrator Service for Windows Update" [1].
This service is in charge of managing the download and installation of Windows updates [1] [2].
By default, the service is enabled and set to start up manually [1].
While updates can be crucial for the security of your system, this service can sometimes install them without your approval.
This lack of control can pose risks to your privacy, as data might be sent from your system without your knowledge.
Windows updates rely on this service [1] [3].
If stopped, your devices will not be able to download and install the latest updates [1].
Turning off this service can affect the update process and might cause issues like freezing during update scanning [3].
> **Caution**: This script directly affects the orchestration and scheduling of Windows updates. This can lead to
> irregularities in receiving updates, potentially causing delays or failures in obtaining critical security patches and
> feature updates specific to Windows functionalities.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🟢 Running | Automatic |
| Windows 11 (≥ 23H2) | 🟢 Running | Automatic |
[1]: https://web.archive.org/web/20231004161147/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
[2]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn"
[3]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
call:
function: DisableService
parameters:
serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable "Windows Update Medic Service" (`WaaSMedicSvc`)
docs: |-
This script disables the Windows Update Medic Service. This service runs quietly in the background [1],
making sure that parts related to Windows updates are working as they should [1] [2].
This service can undo any adjustments you've made to your Windows Update settings without your consent.
For example, it can re-enable automatic Windows updates [3].
That can interfere if you've tailored these settings for better privacy or security.
By default, the service is enabled and its startup setting is set to manual [4] [5]. It executes
`%SYSTEMROOT%\System32\WaaSMedicSvc.dll` [5], known as "WaasMedic Service Dll" [6]. It stores remediation
configuration such as registry keys, tasks and services in the `%WINDIR%\WaaS\` folder [7] [8] [9].
Other related files include:
| Path | Description | Windows 10 22H2 | Windows 11 23H2 |
| ---- |:-----------:|:---------------:|:---------------:|
| `%SYSTEMROOT%\System32\WaaSMedicAgent.exe` | WaasMedic Agent Exe | ✅ Exists | ❌ Missing |
| `%SYSTEMROOT%\System32\WaaSMedicCapsule.dll` | WaasMedic Capsule Exe | ✅ Exists | ❌ Missing |
| `%SYSTEMROOT%\System32\WaaSMedicPS.dll` | WaaS Medic Proxy Stub library | ✅ Exists | ✅ Exists |
| `%SYSTEMROOT%\System32\WaaSAssessment.dll` | WaaS Assessment | ✅ Exists | ✅ Exists |
| `%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll` | WaaS Assessment | ❌ Missing | ✅ Exists |
| `%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll` | WaaS Assessment | ❌ Missing | ✅ Exists |
> **Caution:** While this script provides greater control over Windows Update operations and enhances user
> privacy by limiting unsolicited data transmission to Microsoft, it's important to be aware of the potential
> impacts on system stability and update integrity. Disabling the Windows Update Medic Service prevents the
> self-healing capability of Windows Updates, favoring the maintenance of user-defined update preferences.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322—Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support"
[2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
[3]: https://github.com/undergroundwires/privacy.sexy/issues/252 "Disable automatic Updates · Issue #252 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy"
[4]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
[5]: https://web.archive.org/web/20231129202405/https://batcmd.com/windows/10/services/waasmedicsvc/ "Windows Update Medic Service - Windows 10 Service | batcmd.com"
[6]: https://web.archive.org/web/20231129202715/https://strontic.github.io/xcyclopedia/library/WaaSMedicSvc.dll-4064770B860EF19D55B9DAE32F1B300A.html "WaaSMedicSvc.dll | WaasMedic Service Dll | STRONTIC | strontic.github.io"
[7]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1821728182 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires"
[8]: https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? | www.acepace.net"
[9]: https://web.archive.org/web/20231129203543/https://call4cloud.nl/2022/03/before-we-wipe/ "KB5011487 | KB5011493 | 2022-03 | Windows.old wipe Issue | call4cloud.nl"
call:
-
# Windows 10 (21H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 10 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (21H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (22H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
# Windows 11 (23H2): ❌ `DisableService` | ✅ `DisableServiceInRegistry` | ✅ `DisableServiceInRegistryAsTrustedInstaller`
function: DisableServiceInRegistry
parameters:
serviceName: WaaSMedicSvc # Check: (Get-Service -Name 'WaaSMedicSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\WaaSMedicSvc.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: TerminateAndBlockExecution
parameters:
executableNameWithExtension: WaaSMedicAgent.exe
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\WaaSMedicAgent.exe'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔍 Missing on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\WaaSMedicCapsule.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔍 Missing on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\WaaSMedicPS.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\WaaSAssessment.dll'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\Windows.Internal.WaaSMedicDocked.dll'
grantPermissions: 'true' # 🔍 Missing on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\UUS\amd64\WaaSMedicSvcImpl.dll'
grantPermissions: 'true' # 🔍 Missing on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
-
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\WaaS\*' # Includes `services` and `tasks` folders that define the desired state configuration on remediation.
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
recurse: 'true'
-
name: Disable automatically enabling Windows Update Medic Service
recommend: strict
docs: |-
This script disables the `upfc.exe` process, preventing it from automatically re-enabling Windows updates [5].
`upfc.exe` is found at `%SYSTEMROOT%\System32\upfc.exe` [1] [2].
This executable is identified by Microsoft as "Updateability From SCM" [1] [2].
SCM refers to the "Service Control Manager (SCM)", a special system process also known as `services.exe` [3].
`upfc.exe` is automatically launched by SCM during system startup [4].
It is part of the Windows Update self-healing mechanism [1].
It recovers Windows Update Medic Service (`WaaSMedicSvc`) once disabled [1] [5].
`upfc.exe` operates early in the boot process and performs several functions [1]:
1. It checks the details of the `WaaSMedicSvc` against a configuration file, ensuring the service's settings match those listed [1].
2. If discrepancies are found, such as invalid registry settings, `upfc.exe` recreates the service according to the XML configuration file [1].
However, `upfc.exe` also sends data about its operations to Microsoft [1] [5], including details about discrepancies found and any corrective
actions taken [1] [5]. This data is part of the telemetry Microsoft collects [1], which raises privacy concerns.
This script will skip some of its disabling logic on older Windows versions due to community reports of disabling this service causing
BSOD (blue screen of death) [5] [6].
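A read-only audit of the self-healing behaviour described above, added here as an example and not part of privacy.sexy's own scripts: it reports whether the update services named in this collection are still disabled in the registry, whether `upfc.exe` and `WaaSMedicSvc.dll` are back at their original paths, and which update tasks are enabled. The function names and the `Start` value lookup under `HKLM:\SYSTEM\CurrentControlSet\Services\<name>` are this example's own choices; on a machine where these scripts were applied, a row with `Active = True` means that setting has been restored.

```powershell
# Added example, not part of privacy.sexy. Read-only: it changes nothing.
# Service names, file paths and task paths are the ones listed in this collection.

# Service start types as stored in the registry 'Start' value.
$startTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UpdateServiceState {
    param([string[]] $ServiceName = @('wuauserv', 'UsoSvc', 'WaaSMedicSvc'))
    foreach ($name in $ServiceName) {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start = $null
        if (Test-Path -LiteralPath $keyPath) {
            $start = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).Start
        }
        # A missing key or value is reported as such rather than treated as disabled.
        $state = if ($null -eq $start) { 'Missing' } else { $startTypeNames[[int] $start] }
        [pscustomobject]@{
            Check  = "Service $name"
            State  = $state
            Active = ($null -ne $start) -and ([int] $start -ne 4)
        }
    }
}

function Get-UpdateBinaryState {
    param([string[]] $Path = @(
        "$env:SystemRoot\System32\upfc.exe",
        "$env:SystemRoot\System32\WaaSMedicSvc.dll"
    ))
    foreach ($file in $Path) {
        # Only the original location is checked; no assumption is made about
        # where or under which name a soft-deleted copy is kept.
        $present = Test-Path -LiteralPath $file -PathType Leaf
        $state = if ($present) { 'Present' } else { 'Absent' }
        [pscustomobject]@{
            Check  = "File $file"
            State  = $state
            Active = $present
        }
    }
}

function Get-UpdateTaskState {
    param([string[]] $TaskPath = @(
        '\Microsoft\Windows\UpdateOrchestrator\*',
        '\Microsoft\Windows\WindowsUpdate\*',
        '\Microsoft\Windows\WaaSMedic\*',
        '\Microsoft\Windows\InstallService\*'
    ))
    foreach ($path in $TaskPath) {
        # Task folders that do not exist on this Windows version are skipped silently.
        $tasks = Get-ScheduledTask -TaskName '*' -TaskPath $path -ErrorAction SilentlyContinue
        foreach ($task in $tasks) {
            $state = [string] $task.State
            [pscustomobject]@{
                Check  = "Task $($task.TaskPath)$($task.TaskName)"
                State  = $state
                Active = $state -ne 'Disabled'
            }
        }
    }
}

# Combine the three checks and list active items first.
$report = @(Get-UpdateServiceState) + @(Get-UpdateBinaryState) + @(Get-UpdateTaskState)
$report | Sort-Object -Property Active -Descending | Format-Table -AutoSize -Wrap
```

Running it on a schedule and comparing the output against the previous run shows when a service, file or task came back, which helps narrow down what restored it.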
> **Caution:** By disabling `upfc.exe`, this script enhances user privacy by stopping the automatic sending of operational data to Microsoft.
> However, it's important to note that this might impact the integrity and security of the Windows Update process. Users should weigh the
> privacy benefits against potential security risks before using this script.
[1]: https://web.archive.org/web/20231127032408/https://www.acepace.net/2019-03-29-upfc/ "What the bleep is UPFC.exe? | www.acepace.net"
[2]: https://web.archive.org/web/20231127032440/https://strontic.github.io/xcyclopedia/library/upfc.exe-299EA296575CCB9D2C1A779062535D5C.html "upfc.exe | Updateability From SCM | STRONTIC | strontic.github.io"
[3]: https://en.wikipedia.org/w/index.php?title=Service_Control_Manager&oldid=1063455957 "Service Control Manager - Wikipedia | en.wikipedia.org"
[4]: https://web.archive.org/web/20231129135553/https://blogs.windows.com/windows-insider/2018/07/31/announcing-windows-server-2019-insider-preview-build-17723/ "Announcing Windows Server 2019 Insider Preview Build 17723 | Windows Insider Blog | blogs.windows.com"
[5]: https://github.com/undergroundwires/privacy.sexy/issues/272 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires"
[6]: https://web.archive.org/web/20231129135227/https://www.tenforums.com/windows-updates-activation/104945-stop-windows-10-updates-properly-completely-25.html "Stop Windows 10 Updates Properly and Completely Solved - Page 25 - Windows 10 Forums | www.tenforums.com"
call:
-
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMROOT%\System32\upfc.exe'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 23H2
beforeIteration: |- # Skip Windows versions older than Windows 10 22H2 (build number 19045) to avoid reported blue screen issues.
$osVersion = [System.Environment]::OSVersion.Version
function Test-IsBeforeWin10Version22H2 { ($osVersion.Major -lt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -lt 19045)) }
if (Test-IsBeforeWin10Version22H2) {
Write-Warning 'Skipping the removal of upfc.exe on older Windows versions to prevent possible system crashes or errors.'
exit 0
}
-
function: TerminateAndBlockExecution
parameters:
executableNameWithExtension: upfc.exe
-
category: Disable Windows update scheduled tasks
docs: |-
This category includes scripts to disable scheduled tasks that are associated with the automatic functioning of the Windows Update service.
These tasks are responsible for various background update-related activities such as checking for updates, downloading, and installing them
in the background without user intervention.
Disabling these tasks grants users more control over when and how updates are applied. This approach is often preferred by those wishing to
manually manage updates or avoid unanticipated system modifications without consent, and it is considered a best practice in high-security
environments where precise control over updates is crucial. However, it's important to exercise caution with these changes. Disabling automatic
updates can lead to missed critical security patches and feature updates, potentially leaving the system vulnerable.
To view all the scheduled tasks related to Windows Update, you can use the following PowerShell command:
```powershell
@('\Microsoft\Windows\UpdateOrchestrator\*', '\Microsoft\Windows\WindowsUpdate\*', '\Microsoft\Windows\WaaSMedic\*', '\Microsoft\Windows\InstallService\*') `
| ForEach-Object { Get-ScheduledTask -TaskName '*' -TaskPath $_ -ErrorAction SilentlyContinue } `
| ForEach-Object { Write-Host "$($_.TaskPath)$($_.TaskName)" }
```
children:
-
name: Disable "RestoreDevice" task
docs: |-
This script disables the "RestoreDevice" scheduled task.
This task is involved in restoring device settings or drivers as part of update processes.
### Overview of default task statuses
`\Microsoft\Windows\InstallService\RestoreDevice`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'RestoreDevice'
taskPathPattern: \Microsoft\Windows\InstallService\
taskNamePattern: RestoreDevice
-
name: Disable "ScanForUpdates" task
docs: |-
This script disables the "ScanForUpdates" scheduled task.
This task is responsible for performing update scans.
Microsoft officially documents this task as part of the Windows updates process [1].
Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2].
This recommendation is also supported by Citrix for optimization purposes [3].
### Overview of default task statuses
`\Microsoft\Windows\InstallService\ScanForUpdates`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 Whats new - Citrix Blogs | www.citrix.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'ScanForUpdates'
taskPathPattern: \Microsoft\Windows\InstallService\
taskNamePattern: ScanForUpdates
-
name: Disable "ScanForUpdatesAsUser" task
docs: |-
This script disables the "ScanForUpdatesAsUser" scheduled task.
This task is responsible for performing update scans under user-specific contexts.
Microsoft officially documents this task as part of the Windows updates process [1].
Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2].
This recommendation is also supported by Citrix for optimization purposes [3].
### Overview of default task statuses
`\Microsoft\Windows\InstallService\ScanForUpdatesAsUser`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 Whats new - Citrix Blogs | www.citrix.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'ScanForUpdatesAsUser'
taskPathPattern: \Microsoft\Windows\InstallService\
taskNamePattern: ScanForUpdatesAsUser
-
name: Disable "SmartRetry" task
docs: |-
This script disables the "SmartRetry" scheduled task.
This task handles the automatic retrying of failed updates, attempting to redownload or reinstall updates
that didn't install successfully on the first try.
Microsoft officially documents this task as part of the Windows updates process [1].
Microsoft suggests disabling this task as a measure to reduce data collection and improve performance [2].
This recommendation is also supported by Citrix for optimization purposes [3].
### Overview of default task statuses
`\Microsoft\Windows\InstallService\SmartRetry`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231111172942/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement "ApplicationManagement Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231111173043/https://www.citrix.com/blogs/2021/02/17/tm-citrix-optimizer-2-8-whats-new/ "Citrix Optimizer 2.8 Whats new - Citrix Blogs | www.citrix.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'SmartRetry'
taskPathPattern: \Microsoft\Windows\InstallService\
taskNamePattern: SmartRetry
-
name: Disable "WakeUpAndContinueUpdates" task
docs: |-
This script disables the "WakeUpAndContinueUpdates" scheduled task.
This task is responsible for waking the computer from sleep to continue or complete pending updates.
### Overview of default task statuses
`\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🔴 Disabled |
| Windows 11 22H2 | 🔴 Disabled |
| Windows 11 23H2 | 🔴 Disabled |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'WakeUpAndContinueUpdates'
taskPathPattern: \Microsoft\Windows\InstallService\
taskNamePattern: WakeUpAndContinueUpdates
disableOnRevert: 'true'
-
name: Disable "WakeUpAndScanForUpdates" task
docs: |-
This script disables the "WakeUpAndScanForUpdates" scheduled task.
This task is responsible for waking up the system at scheduled times to check for Windows updates.
### Overview of default task statuses
`\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🔴 Disabled |
| Windows 11 22H2 | 🔴 Disabled |
| Windows 11 23H2 | 🔴 Disabled |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\InstallService\' -TaskName 'WakeUpAndScanForUpdates'
taskPathPattern: \Microsoft\Windows\InstallService\
taskNamePattern: WakeUpAndScanForUpdates
disableOnRevert: 'true'
-
name: Disable "Scheduled Start" task
docs: |-
This script disables the "Scheduled Start" scheduled task.
This task initiates the Windows Update service at predetermined times or under specific conditions to perform tasks like
checking for and installing updates.
According to the Task Scheduler, this task initiates the Windows Update service for scheduled operations like scans [1].
It executes `%SYSTEMROOT%\System32\sc.exe start wuauserv` [1].
### Overview of default task statuses
`\Microsoft\Windows\WindowsUpdate\Scheduled Start`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231111172839/http://windows.fyicenter.com/4451_Scheduled_Start_Scheduled_Task_on_Windows_8.html '"Scheduled Start" Scheduled Task on Windows 8 | windows.fyicenter.com'
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsUpdate\' -TaskName 'Scheduled Start'
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: Scheduled Start
-
name: Disable "Report policies" task
docs: |
This script disables the "Report policies" scheduled task.
This task might be responsible for reporting policy-related information to Windows Update or other system management tools.
According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe ReportPolicies`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\Report policies`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Report policies'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Report policies
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable "Schedule Maintenance Work" task
docs: |-
This script disables the "Schedule Maintenance Work" scheduled task.
This task is responsible for performing maintenance activities related to Windows Update, such as cleanup operations or
preparation steps for update installations.
According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartMaintenanceWork`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🔴 Disabled |
| Windows 11 22H2 | 🔴 Disabled |
| Windows 11 23H2 | 🔴 Disabled |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Maintenance Work'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Schedule Maintenance Work
disableOnRevert: 'true'
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable "Schedule Scan" task
docs: |-
This script disables the "Schedule Scan" scheduled task.
This task is responsible for periodically scanning for Windows updates.
According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartScan`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\Schedule Scan`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Scan'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Schedule Scan
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable "Schedule Scan Static Task" task
docs: |-
This script disables the "Schedule Scan Static Task" scheduled task.
This task is responsible for running update scans at static, predefined intervals.
According to the Task Scheduler, this task conducts a scheduled Windows Update scan.
It executes `%SYSTEMROOT%\System32\UsoClient.exe StartScan`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Scan Static Task'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Schedule Scan Static Task
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable "Schedule Wake To Work" task
docs: |-
This script disables the "Schedule Wake To Work" scheduled task.
This task is responsible for waking the computer from sleep or low-power mode to perform Windows updates.
According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🔴 Disabled |
| Windows 11 22H2 | 🔴 Disabled |
| Windows 11 23H2 | 🔴 Disabled |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Wake To Work'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Schedule Wake To Work
disableOnRevert: 'true'
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable "Schedule Work" task
docs: |-
This script disables the "Schedule Work" scheduled task.
This task is responsible for scheduling and initiating Windows update processes at predetermined times.
According to the Task Scheduler, this task executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\Schedule Work`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🔴 Disabled |
| Windows 11 22H2 | 🔴 Disabled |
| Windows 11 23H2 | 🔴 Disabled |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Schedule Work'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Schedule Work
disableOnRevert: 'true'
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable "UpdateModelTask" task
docs: |-
This script disables the "UpdateModelTask" scheduled task.
This task is responsible for updating Machine Learning (ML) models related to Windows Updates.
According to the Task Scheduler, its purpose is to update ML models and it
executes `%SYSTEMROOT%\System32\UsoClient.exe StartModelUpdates`.
Microsoft suggests disabling it for performance optimization and reduced data collection [1].
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟡 N/A (missing) |
| Windows 11 23H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'UpdateModelTask'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: UpdateModelTask
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2]
-
name: Disable "Start Oobe Expedite Work" task
docs: |-
This script disables the "Start Oobe Expedite Work" scheduled task.
This task is responsible for performing tasks related to the "out-of-box experience" (OOBE) in Windows, such as
updating system settings, applications, or features soon after a system update or initial setup.
According to the Task Scheduler, its purpose is to perform a scheduled Windows Update scan.
It executes `%SYSTEMROOT%\System32\UsoClient.exe StartWork`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'Start Oobe Expedite Work'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Start Oobe Expedite Work
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
-
name: Disable "StartOobeAppsScan_LicenseAccepted" task
docs: |-
This script disables the "StartOobeAppsScan_LicenseAccepted" scheduled task.
This task is responsible for initiating a scan of applications as part of the OOBE process, after a
license agreement is accepted, verifying that apps are up-to-date.
According to the Task Scheduler, its purpose is to perform a scheduled Windows Update scan.
It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScan`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScan_LicenseAccepted'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: StartOobeAppsScan_LicenseAccepted
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
-
name: Disable "StartOobeAppsScan_OobeAppReady" task
docs: |-
This script disables the "StartOobeAppsScan_OobeAppReady" scheduled task.
This task is responsible for scanning applications during the OOBE phase, verifying that
apps are ready for use after system updates.
According to the Task Scheduler, it performs a scheduled Windows Update scan.
It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScan`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScan_OobeAppReady'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: StartOobeAppsScan_OobeAppReady
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
-
name: Disable "StartOobeAppsScanAfterUpdate" task
docs: |-
This script disables the "StartOobeAppsScanAfterUpdate" scheduled task.
This task is responsible for scanning applications following a system update, as part of the OOBE process,
to verify that all applications are compatible with the new update.
According to the Task Scheduler, it performs a scheduled Windows Update scan.
It executes `%SYSTEMROOT%\System32\UsoClient.exe StartOobeAppsScanAfterUpdate`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'StartOobeAppsScanAfterUpdate'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: StartOobeAppsScanAfterUpdate
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
-
name: Disable "USO_UxBroker" task
docs: |-
This script disables the "USO_UxBroker" scheduled task.
This task is related to the User Experience (UX) Broker process in Windows, managing user notifications or interactions
required after an update.
According to the Task Scheduler, this task is responsible for triggering a system reboot following update installations.
It executes `%SYSTEMROOT%\System32\MusNotification.exe`.
Disabling this task is recommended to reduce data collection and enhance system performance [1].
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'USO_UxBroker'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: USO_UxBroker
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable "UUS Failover Task" task
docs: |-
This script disables the "UUS Failover Task" scheduled task.
This task is responsible for the failover mechanism for updates, designed to handle scenarios where a primary
update process fails or encounters issues.
According to the Task Scheduler, this task is responsible for performing a scheduled Windows Update scan.
It executes `%SYSTEMROOT%\System32\UsoClient.exe HandleUusFailoverSignal`.
### Overview of default task statuses
`\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -TaskName 'UUS Failover Task'
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: UUS Failover Task
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 11 22H2]
-
name: Disable "PerformRemediation" task
docs: |-
This script disables the "PerformRemediation" scheduled task.
This task is responsible for performing remediation or recovery actions for update-related services, ensuring that these services
are running in a supported configuration, particularly after updates.
According to the Task Scheduler, this task aids in recovering update-related services to a supported configuration.
This task restarts Windows Update Medic Service (`WaaSMedicSvc`), even if it is disabled manually [1].
Microsoft suggests disabling this task to minimize data collection and optimize performance [2].
### Overview of default task statuses
`\Microsoft\Windows\WaaSMedic\PerformRemediation`:
| OS Version | Default status |
| ---------------- | ------ |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
| Windows 11 23H2 | 🟢 Ready |
[1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires"
[2]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#scheduled-tasks "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
call:
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\Microsoft\Windows\WaaSMedic\' -TaskName 'PerformRemediation'
taskPathPattern: \Microsoft\Windows\WaaSMedic\
taskNamePattern: PerformRemediation
grantPermissions: 'true' # 🔒 No permissions, tested since [≥ Windows 10 22H2] [≥ Windows 11 22H2]
-
name: Disable outdated Windows Update tasks
docs: |-
This script disables older scheduled tasks associated with Windows updates, which are no longer present in
Windows versions since Windows 10 22H2 and Windows 11 22H2.
The script is compatible with Windows 10 and newer versions, skipping any missing tasks on recent systems.
These tasks are linked to specific system files and are involved in various update processes, such as downloading and installing updates,
rebooting after updates, and more.
Disabling these tasks can help reduce unnecessary system activity and potentially enhance privacy by limiting background update operations.
### Overview of older Windows Update tasks
| Task path | Related system file |
| --------- | ------- |
| `\Microsoft\Windows\UpdateOrchestrator\AC Power Download` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\AC Power Install` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Backup Scan` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Battery Saver Deferred Install` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Driver Install` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Maintenance Install` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Policy Install` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Reboot` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Reboot_AC` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Refresh Settings` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Resume On Boot` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot` | `MusNotification.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Idle Start` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start` | `UsoClient.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant` | `UpdateAssistant.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun` | `UpdateAssistant.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun` | `UpdateAssistant.exe` |
| `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun` | `UpdateAssistant.exe` |
| `\Microsoft\Windows\WindowsUpdate\AUScheduledInstall` | `wuaueng.dll` |
| `\Microsoft\Windows\WindowsUpdate\AUSessionConnect` | `wuaueng.dll` |
| `\Microsoft\Windows\WindowsUpdate\Automatic App Update` | `wuautoappupdate.dll` |
| `\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler` | `PLUGscheduler.exe` |
| `\Microsoft\Windows\WindowsUpdate\Scheduled Start With Network` | `wuauserv` (via `sc`) |
| `\Microsoft\Windows\WindowsUpdate\sih` | `SIHClient.exe` |
| `\Microsoft\Windows\WindowsUpdate\sihboot` | `SIHClient.exe` |
| `\Microsoft\Windows\WindowsUpdate\sihpostreboot` | `SIHClient.exe` |
call:
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: AC Power Download
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: AC Power Install
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Backup Scan
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Battery Saver Deferred Install
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Driver Install
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Maintenance Install
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: MusUx_LogonUpdateResults
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: MusUx_UpdateInterval
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Policy Install
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Reboot
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Reboot_AC
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Reboot_Battery
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Refresh Settings
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Resume On Boot
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Schedule Retry Scan
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: StartOobeAppsScan
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: USO_Broker_Display
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: USO_UxBroker_Display
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: USO_UxBroker_ReadyToReboot
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Universal Orchestrator Start
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: Universal Orchestrator Idle Start
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: UpdateAssistant
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: UpdateAssistantAllUsersRun
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: UpdateAssistantCalendarRun
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\UpdateOrchestrator\
taskNamePattern: UpdateAssistantWakeupRun
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: AUScheduledInstall
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: AUSessionConnect
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: Automatic App Update
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\RUXIM\
taskNamePattern: PLUGScheduler
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: Scheduled Start With Network
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: sih
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: sihboot
-
function: DisableScheduledTask
parameters:
taskPathPattern: \Microsoft\Windows\WindowsUpdate\
taskNamePattern: sihpostreboot
-
category: Maximize auto-update duration
docs: |-
This category includes scripts designed to extend the intervals between automatic updates.
These scripts provide users with greater control over the timing of system updates.
By adjusting the schedule of these updates, users can minimize interruptions and potential system instability associated with frequent updates.
> **Caution**: Postponing updates can delay critical security fixes and feature enhancements,
> increasing potential security risks for your computer.
children:
-
name: Maximize update pause duration
docs: |- # refactor-with-variables: • Security Update Postpone Caution
This script maximizes the pause duration for system updates via the settings interface.
It postpones both feature and quality updates in Windows 10 and Windows 11.
This is particularly useful for those preferring fewer interruptions from regular updates.
By default, the following registry keys are absent in Windows 10 and Windows 11 and are added only when updates are
paused through the user interface [1]:
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseFeatureUpdatesStartTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseFeatureUpdatesEndTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseQualityUpdatesStartTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseQualityUpdatesEndTime`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseUpdatesStartTime` (set only in Windows 11 22H2 and later)
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings!PauseUpdatesExpiryTime`
This method has been tested and verified on Windows 10 from version 22H2 and Windows 11 from version 23H2 onwards.
To ensure functional integrity, all these keys must be added together.
While beneficial for Windows Home users [1], note that Group Policy Object (GPO) settings might override these changes.
> **Caution**: This script postpones critical security updates, increasing potential security risks for your computer.
[1]: https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1772602388 "[BUG]: Windows automatically re-enables Update after 4-5 days · Issue #272 · undergroundwires/privacy.sexy | github.com/undergroundwires"
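A read-only check of the pause state described above, as an added example that is not part of privacy.sexy's own code. The function name `Get-UpdatePauseAudit` and the `MaxPauseDays` review threshold are assumptions made for this example; `PauseUpdatesStartTime` is treated as optional because it is set only in Windows 11 22H2 and later, and the policy key is inspected because GPO settings might override these values.

```powershell
# Added example: audits the update-pause values without changing anything.
function Get-UpdatePauseAudit {
    param(
        # Assumption: review threshold chosen for this example, not a value from the docs.
        [int] $MaxPauseDays = 35
    )
    $uxKey  = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $names = @(
        'PauseFeatureUpdatesStartTime', 'PauseFeatureUpdatesEndTime',
        'PauseQualityUpdatesStartTime', 'PauseQualityUpdatesEndTime',
        'PauseUpdatesStartTime', 'PauseUpdatesExpiryTime'
    )
    $optional = @('PauseUpdatesStartTime')   # set only in Windows 11 22H2 and later
    $culture  = [cultureinfo]::InvariantCulture
    $styles   = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $now      = (Get-Date).ToUniversalTime()
    $limit    = $now.AddDays($MaxPauseDays)

    # The values are absent by default, so a missing key or value is a normal result.
    $ux = Get-ItemProperty -Path $uxKey -ErrorAction SilentlyContinue
    $values = foreach ($name in $names) {
        $prop = if ($ux) { $ux.PSObject.Properties[$name] }
        $raw  = if ($prop) { [string] $prop.Value }
        $when = [datetime]::MinValue
        $parsed = $raw -and [datetime]::TryParse($raw, $culture, $styles, [ref] $when)
        $isEnd  = $name -match '(EndTime|ExpiryTime)$'

        if (-not $prop) {
            $note = 'absent'
        } elseif (-not $parsed) {
            $note = 'unparseable timestamp'
        } elseif ($isEnd -and $when -gt $limit) {
            $note = "ends more than $MaxPauseDays days from now"
        } elseif ($isEnd -and $when -lt $now) {
            $note = 'pause window already ended'
        } else {
            $note = 'ok'
        }
        [pscustomobject]@{ Name = $name; Present = [bool] $prop; Data = $raw; Note = $note }
    }

    # The docs state that all values must be added together for the pause to work.
    $present = @($values | Where-Object { $_.Present })
    $missing = @($values | Where-Object { -not $_.Present -and $_.Name -notin $optional })
    if ($present.Count -eq 0) {
        $state = 'not paused through Settings'
    } elseif ($missing.Count -gt 0) {
        $state = 'incomplete set: ' + (($missing | ForEach-Object { $_.Name }) -join ', ')
    } else {
        $state = 'paused'
    }

    # Pause/defer values under the policy key may take precedence over the UX values.
    $gpo = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue
    $policyValues = if ($gpo) {
        $gpo.PSObject.Properties |
            Where-Object { $_.Name -match '^(Pause|Defer)' } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
    }

    [pscustomobject]@{
        State        = $state
        Values       = $values
        PolicyValues = @($policyValues)
    }
}

$audit = Get-UpdatePauseAudit
$audit.Values | Format-Table -AutoSize
"State: $($audit.State)"
if ($audit.PolicyValues.Count -gt 0) {
    "Policy values that may override the pause: $($audit.PolicyValues -join '; ')"
}
```

On a system where this script has been applied, the end and expiry values are reported as ending beyond the threshold, which is the condition to review when security updates appear to have stopped arriving.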
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
valueName: PauseFeatureUpdatesStartTime
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
valueName: PauseFeatureUpdatesEndTime
dataType: REG_SZ
data: '2963-01-17T00:00:00Z'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
valueName: PauseQualityUpdatesStartTime
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
valueName: PauseQualityUpdatesEndTime
dataType: REG_SZ
data: '2963-01-17T00:00:00Z'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
valueName: PauseUpdatesStartTime
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
valueName: PauseUpdatesExpiryTime
dataType: REG_SZ
data: '2963-01-17T00:00:00Z'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Maximize feature update duration (disables resuming updates from settings)
docs: |- # refactor-with-variables: • Security Update Postpone Caution
This script provides control over when and how often Windows feature updates and preview builds occur.
These updates bring major changes to the operating system, affecting functionality and user privacy [1] [2].
Key aspects of Windows feature updates include:
- Protecting against behavioral issues [1].
- Adding new features [1].
> **Caution**:
> - This script postpones critical security updates, increasing potential security risks for your computer.
> - This script disables the option to resume updates through the settings interface.
> The update settings will display "Your organization paused some updates for this device", and you won't be able
> to resume them there.
### Registry keys
The script modifies various Group Policy (GPO), state, and Mobile Device Management (MDM) keys.
Group Policy (GPO) keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`:
Used for pausing updates in older Windows 10 versions [5].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdates`:
Obsolete key that only applies to Windows 10 version 1607 [5].
Setting the value to `1` pauses feature updates; leaving it absent or setting any other value does not [5].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdatesStartTime`:
Sets the start date for pausing feature updates [3].
It is specified in a date format (yyyy-mm-dd, e.g., 2018-10-28) [4].
This key supersedes the now-obsolete Windows 10 version 1607 key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdates` [5].
This setting has been available since Windows 10 1703 [4].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseFeatureUpdatesPeriodInDays`:
Specifies the pause duration for feature updates [6].
The range is from 0 (default) to 365 days [6].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdates`:
Enables pausing of feature updates and activates `PauseFeatureUpdatesPeriodInDays` [5].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdatesPeriodInDays`:
Allows pausing of feature updates for a specified number of days [4] [5] [7].
It ranges from 0 to 365 days [5] [7].
This key supersedes the now-obsolete Windows 10 version 1511 key: `HKLM\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgradePeriod` [4] [5].
State keys:
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedFeatureStatus`:
Shows the current status of feature update pause [5].
`0` means feature updates are not paused, `1` means feature updates are paused, and `2` means feature updates have auto-resumed after being paused [5].
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!DeferFeatureUpdates`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!FeatureUpdatesPaused`
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedFeatureDate`:
Records the date when feature updates were paused [5].
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!PauseFeatureUpdatesStartTime`
MDM (PolicyManager) keys:
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause!value`:
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates!value`:
Manages pausing of feature updates for Windows 10, version 1607 or later [4].
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime!value`:
Specifies the start time for pausing feature updates [3] [4].
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays!value`:
Sets the deferral period for feature updates [4].
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates!value`:
Determines the deadline for automatic feature update installation [4].
The maximum value is limited to 30 days [4].
[1]: https://web.archive.org/web/20231209161721/https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview "Windows feature updates overview - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231214085615/https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb "Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231209161509/https://learn.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004 "Required diagnostic events and fields for Windows 10 (versions 22H2, 21H2, 21H1, 20H2, and 2004) - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20231209161617/https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-settings "Windows Update settings you can manage with Intune Update Ring policies for Windows 10/11 devices. | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20231209161658/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DeferFeatureUpdates "Select when Preview Builds and Feature Updates are received | admx.help"
call:
# Note: Policy state keys (HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy) do not need to be modified;
# they are set here only for extra robustness.
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: Pause
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: PauseFeatureUpdates
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: PauseFeatureUpdatesStartTime
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: PauseFeatureUpdatesPeriodInDays
dataType: REG_DWORD
data: '365'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferFeatureUpdates
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferFeatureUpdatesPeriodInDays
dataType: REG_DWORD
data: '365'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # State
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
valueName: PausedFeatureStatus
dataType: REG_DWORD
data: '1'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
- # State
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
valueName: DeferFeatureUpdates
dataType: REG_DWORD
data: '1'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
- # State
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
valueName: FeatureUpdatesPaused
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # State
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
valueName: PausedFeatureDate
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause
valueName: value
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
valueName: value
dataType: REG_DWORD
data: '1'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime
valueName: value
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays
valueName: value
dataType: REG_DWORD
data: '365'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates
valueName: value
dataType: REG_DWORD
data: '30'
dataOnRevert: '7' # Default value: `7` on Windows 10 Pro (≥ 22H2) | `7` on Windows 11 Pro (≥ 23H2)
-
name: Maximize quality update duration (disables resuming updates from settings)
docs: |- # refactor-with-variables: • Security Update Postpone Caution
This script extends the time between mandatory quality updates, which include security patches [1] [2].
Delaying these updates helps prevent frequent system reboots and disruptions, aiding productivity
in professional and critical settings.
> **Caution**:
> - This script postpones critical security updates, increasing potential security risks for your computer.
> - This script disables the option to resume updates through the settings interface.
> The update settings will display "Your organization paused some updates for this device", and you won't be able
> to resume them there.
### Registry keys
The script modifies various Group Policy (GPO), state, and Mobile Device Management (MDM) keys.
Group Policy (GPO) keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!Pause`:
Defers updates and upgrades in earlier versions of Windows 10 (1511) [3].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseQualityUpdates`:
Pauses quality updates for up to 35 days, or until the setting is reversed [3] [4].
This setting has been available since Windows 10 1607 [3].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseQualityUpdatesStartTime`:
Sets the start date for pausing quality updates [3] [4].
This setting has been available since Windows 10 1703, and it activates the `PauseQualityUpdates` key [3].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdates`:
Defers quality updates for up to 30 days [3] [4].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdatesPeriodInDays`:
Specifies the deferral period for quality updates, up to 30 [4] [5] or 35 [3] days.
This setting has been available since Windows 10 1607 [3] [4], and it activates the `DeferQualityUpdates` key [3].
State keys:
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedQualityStatus`:
Indicates if quality updates are currently paused, with `0` as not paused [3].
By default, this key is set to `0`, indicating no pause since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings!PausedQualityDate`:
Indicates the date when the pause of quality updates was initiated [3].
This key is used to disable auto-updates [6].
By default, this key is not present on Windows [6].
- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState!DeferQualityUpdates`:
Indicates whether quality updates have been paused.
This key is used to disable auto-updates [6].
By default, this key is set to `0`, indicating no pause [6].
Mobile Device Management (MDM) keys:
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause!value`:
MDM for Windows 10, version 1511 [3].
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates!value`:
Manages pausing of quality updates for Windows 10 1607 and later [3].
The default value is `0`, indicating no pause since Windows 10 22H2 and Windows 11 23H2.
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime!value`:
Sets the start time for pausing quality updates for Windows 10 1703 and later [3].
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays!value`:
Determines the deferral period for quality updates for Windows 10 1607 and later [3].
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates!value`:
Sets the deadline for automatic installation of quality updates for Windows 10 1903 and later, up to 30 days [4].
By default, this key is set to `7` [4], indicating a seven-day deadline before updates are enforced.
[1]: https://web.archive.org/web/20231214091439/https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview "Windows quality updates overview with Autopatch groups experience - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231214085615/https://learn.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb "Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb#pause-quality-updates "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[5]: https://archive.ph/2023.12.14-092501/https://github.com/MicrosoftDocs/IntuneDocs/blob/main/intune/protect/windows-update-settings.md "IntuneDocs/intune/protect/windows-update-settings.md at main · MicrosoftDocs/IntuneDocs | github.com"
[6]: https://web.archive.org/web/20231111173058/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#re-enable-windows-update "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn | learn.microsoft.com"
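The values listed above can be audited away from the affected machine. The following is an added example, not part of privacy.sexy: it parses the text of a `reg export` file and flags quality-update values that exceed the defaults documented in this script. The sample export, the function names and the "greater than default" rule are assumptions made for illustration.

```python
import re
from datetime import datetime

GPO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
STATE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy"
MDM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update"

# (key, value name, default documented in this script; None = missing by default)
CHECKS = [
    (GPO, "PauseQualityUpdates", None),
    (GPO, "DeferQualityUpdates", None),
    (GPO, "DeferQualityUpdatesPeriodInDays", None),
    (STATE + r"\Settings", "PausedQualityStatus", 0),
    (STATE + r"\PolicyState", "DeferQualityUpdates", 0),
    (MDM + r"\PauseQualityUpdates", "value", 0),
    (MDM + r"\DeferQualityUpdatesPeriodInDays", "value", 0),
    (MDM + r"\ConfigureDeadlineForQualityUpdates", "value", 7),
]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse regedit version 5 export text into {KEY: {value name: data}}.

    Only REG_DWORD and REG_SZ are decoded, the two types this script writes.
    Key and value names are case-insensitive in the registry, so both are normalized.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # "[-KEY]" marks a key deletion in .reg files: nothing to read from it
            current = None if name.startswith("-") else tree.setdefault(name.upper(), {})
            continue
        match = _VALUE_LINE.match(line)
        if current is None or not match:
            continue
        name, data = match.group(1).lower(), match.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return tree


def audit_quality_update_postponement(reg_text, now):
    """Report values that postpone quality updates beyond the documented defaults."""
    tree = parse_reg_export(reg_text)
    findings = []
    for key, name, default in CHECKS:
        actual = tree.get(key.upper(), {}).get(name.lower())
        baseline = 0 if default is None else default
        if isinstance(actual, int) and actual > baseline:
            shown = "missing" if default is None else default
            findings.append(f"{key}!{name} = {actual} (default: {shown})")

    # The script stores the pause start as a string in 'yyyy-MM-ddTHH:mm:ssZ' form
    started = tree.get(GPO.upper(), {}).get("pausequalityupdatesstarttime")
    paused_days = None
    if isinstance(started, str):
        try:
            paused_days = (now - datetime.strptime(started, "%Y-%m-%dT%H:%M:%SZ")).days
        except ValueError:
            pass  # unparsable timestamp: report the findings without an age
    return {"postponed": bool(findings), "findings": findings, "paused_days": paused_days}


# Constructed sample export (not taken from a real machine)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"PauseQualityUpdates"=dword:00000001
"PauseQualityUpdatesStartTime"="2024-01-10T08:30:00Z"
"DeferQualityUpdatesPeriodInDays"=dword:0000001e

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings]
"PausedQualityStatus"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates]
"value"=dword:00000007
'''

if __name__ == "__main__":
    report = audit_quality_update_postponement(SAMPLE_EXPORT, datetime(2024, 2, 14, 8, 30))
    for finding in report["findings"]:
        print(finding)
    print("days since pause started:", report["paused_days"])
```

Files written by `reg export` are usually UTF-16 encoded, so decode them with that encoding before passing the text in.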
call:
# Note: Policy state keys (HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy) do not need to be modified;
# they are set only for extra robustness.
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: Pause
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: PauseQualityUpdates
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: 'Windows10-1607'
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: PauseQualityUpdatesStartTime
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferQualityUpdates
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # GPO
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferQualityUpdatesPeriodInDays
dataType: REG_DWORD
data: "30"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # State
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
valueName: PausedQualityStatus
dataType: REG_DWORD
data: "1"
dataOnRevert: "0" # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
- # State
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings
valueName: PausedQualityDate
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # State
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
valueName: DeferQualityUpdates
dataType: REG_DWORD
data: "1"
dataOnRevert: "0" # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause
valueName: value
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates
valueName: value
dataType: REG_DWORD
data: '1'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: 'Windows10-1607'
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime
valueName: value
dataType: REG_SZ
data: (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ')
evaluateDataAsPowerShell: 'true'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays
valueName: value
dataType: REG_DWORD
data: '30' # Set to lower of conflicting Microsoft docs stating maximum 30 and 35 to ensure validity
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: 'Windows10-1607'
- # MDM (PolicyManager)
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates
valueName: value
dataType: REG_DWORD
data: '30' # Set to lower of conflicting Microsoft docs stating maximum 30 and 35 to ensure validity
dataOnRevert: '7' # Default value: `7` on Windows 10 Pro (≥ 22H2) | `7` on Windows 11 Pro (≥ 23H2)
-
name: Maximize update duration on older Windows versions
docs: |- # refactor-with-variables: • Security Update Postpone Caution
This script extends the time between updates and upgrades, but only works on older Windows versions
(version 1511 and earlier) [1] [2].
> **Caution**:
> - This script postpones critical security updates, increasing potential security risks for your computer.
> - This script has no effect on newer Windows versions and will not make the intended changes.
The script modifies the following keys:
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade!value`:
Sets the device to a more predictable update schedule [1].
- `HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate!value`:
Pauses quality updates [1].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpdate`:
Determines the delay period for updates [1].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgrade`:
Determines the delay period for upgrades [1].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpdatePeriod` [1].
Pauses upgrades for up to 4 weeks [2] [3].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!DeferUpgradePeriod` [1] [2] [3].
Pauses upgrades for up to 8 months [2] [3].
Supported values range from 0 to 8 [2] [3], representing the number of months to defer upgrades [2].
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate!PauseDeferrals`:
Pauses updates and upgrades for up to 5 weeks [2] [3].
[1]: https://web.archive.org/web/20231206151045/https://learn.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb "Configure Windows Update for Business - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20230708165017/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update "Update Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231209170224/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DeferUpgrade "Defer Upgrades and Updates | admx.help"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferUpdate
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferUpgrade
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferUpdatePeriod
dataType: REG_DWORD
data: '4'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: DeferUpgradePeriod
dataType: REG_DWORD
data: '8'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
valueName: PauseDeferrals
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate
valueName: value
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade
valueName: value
dataType: REG_DWORD
data: '1'
dataOnRevert: '0' # Default value: `0` on Windows 10 Pro (≥ 22H2) | `0` on Windows 11 Pro (≥ 23H2)
-
category: Configure how downloaded files are handled
docs: |-
These scripts configure the Attachment Manager included in Windows, which takes further actions on
files that you receive or download, such as storing classification metadata and notifying other software [1].
[1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
children:
-
name: Disable saving of zone information in downloaded files
docs: |-
This script disables marking file attachments by using their zone information.
The default behavior is for Windows to mark file attachments with their zone information [1].
The zone information of the origin describes whether the file was downloaded from the internet,
intranet, local, or restricted zone [1].
It is used by the Attachment Manager included in Windows to help protect the computer from
unsafe attachments that can be received in an e-mail message or downloaded from the Internet [2].
If the Attachment Manager identifies an attachment that might be unsafe, it prevents you from
opening the file, or it warns you before you open the file [2].
Preventing this information from being saved:
- Increases privacy by no longer leaking information about the source.
- Decreases security by preventing Windows from determining risks and taking risk-based actions [1].
By not preserving the zone information, Windows cannot make proper risk assessments [3].
Disabling it has **Significant** criticality, as the configuration introduces additional attack
surface according to the US government [4].
The Attachment Manager feature warns users when opening or executing files which are marked as
being from an untrusted source, unless/until the file's zone information has been removed via
the "Unblock" button on the file's properties or via a separate tool such as
[Microsoft Sysinternals Streams](https://web.archive.org/web/20240314125039/https://learn.microsoft.com/en-us/sysinternals/downloads/streams) [4].
It is configured using `SaveZoneInformation` value in
`\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4].
The value of this setting is confusing: according to Microsoft documentation,
`1` turns it on [2] [3] and `2` turns it off [2] [3]. However, according to STIG V-63841, `1` disables
saving zone information and `2` enables it [3]. According to my tests, the STIG interprets it right
and `1` turns this function off.
In clean Windows 10 and 11 installations, this key by default is missing for both `HKCU` and `HKLM`.
[1]: https://www.stigviewer.com/stig/windows_10/2019-09-25/finding/V-63841 "Zone information must be preserved when saving attachments. | stigviewer.com"
[2]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
[3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_MarkZoneOnSavedAtttachments "Do not preserve zone information in file attachments | admx.help"
[4]: https://web.archive.org/web/20230102223412/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov"
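On NTFS, the zone information described above is stored with each file in an alternate data stream named `Zone.Identifier`, whose `ZoneId` field holds the zone number. The following is an added example, not part of privacy.sexy, showing how a defender can read that data during triage; the sample records and function names are constructed, and the meaning given to `SaveZoneInformation` follows the test result stated above.

```python
import configparser

# URL security zone numbers stored in the ZoneId field
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(stream_text):
    """Parse the text of a Zone.Identifier stream; return None when it is unusable."""
    parser = configparser.ConfigParser(
        interpolation=None,   # URLs may contain '%', which must not be expanded
        delimiters=("=",),    # URLs contain ':', so only '=' separates key and value
    )
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))
        section = parser["ZoneTransfer"]
        zone_id = int(section["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "host_url": section.get("HostUrl"),
        "referrer_url": section.get("ReferrerUrl"),
    }


def read_zone_stream(path):
    """Read <path>:Zone.Identifier on an NTFS volume; None if the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as handle:
            return handle.read()
    except OSError:
        return None


def triage(records, save_zone_information=None):
    """Classify files by their zone mark.

    records: iterable of (file name, stream text or None).
    save_zone_information: the SaveZoneInformation DWORD, or None when the value
    is missing (the default on clean installations according to this script).
    """
    files = []
    for name, text in records:
        info = parse_zone_identifier(text) if text else None
        if info is None:
            status = "no-zone-mark"        # Attachment Manager has nothing to act on
        elif info["zone_id"] >= 3:
            status = "untrusted-origin"    # Internet or Restricted sites
        else:
            status = "trusted-origin"
        files.append((name, status, info["host_url"] if info else None))
    return {
        # Per the tests described in this script, 1 turns saving of zone information off
        "marking_disabled": save_zone_information == 1,
        "files": files,
    }


# Constructed sample records (file name, stream content as it would be read from disk)
SAMPLE_FILES = [
    ("invoice.pdf.exe",
     "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://mail.example.test/\r\n"
     "HostUrl=https://downloads.example.test/get?id=42%20a\r\n"),
    ("report.docx", "[ZoneTransfer]\nZoneId=1\n"),
    ("tool.exe", None),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FILES, save_zone_information=1)
    print("zone marking disabled by policy:", result["marking_disabled"])
    for name, status, host in result["files"]:
        print(f"{name}: {status} ({host or 'no source URL'})")
```

When `marking_disabled` is true, a `no-zone-mark` result says nothing about where a file came from, so other evidence such as browser history or proxy logs is needed to establish its origin.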
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
valueName: SaveZoneInformation
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable notifications to antivirus programs for downloaded files
docs: |-
Prevents Windows from calling the registered antivirus programs when file attachments are opened [1] [2].
Windows can notify registered antivirus programs about files downloaded from the Internet or received as e-mail attachments [1].
If multiple programs are registered, they will all be notified [1] [3].
This is disabled by default, so even if you do not run this script, Windows does not call the registered
antivirus programs when file attachments are opened [1].
If it is enabled, Windows blocks the file from being opened when the antivirus program fails [1]. It is the setting
recommended by Microsoft [1].
Preventing calling antivirus:
- Increases privacy by not sharing your file data proactively with installed antiviruses.
- Decreases security by no longer detecting and mitigating potentially malicious software. Disabling it has **Moderate**
criticality, as it is not an appropriate antivirus configuration according to the US government [4].
An updated antivirus program must be installed for this policy setting to function properly [4].
It is configured using `ScanWithAntiVirus` value in
`\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\` registry subkey [1] [2] [3] [4].
`3` enables the scans [1] [2] [3], `1` disables it [1] [3], and `2` leaves it optional [1].
In clean Windows 10 and 11 installations, this key comes by default with the value `3` in
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus`,
and the key is missing for `HKCU`.
[1]: https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 "Information about the Attachment Manager in Microsoft Windows | support.microsoft.com"
[2]: https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-09-02/finding/V-14270 "The system will notify antivirus when file attachments are opened. | stigviewer.com"
[3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AttachmentManager::AM_CallIOfficeAntiVirus "Notify antivirus programs when opening attachments | admx.help"
[4]: https://web.archive.org/web/20230102223412/https://www.irs.gov/pub/irs-utl/safeguards-scsem-win-11-v1-1-033122.xlsx "Windows 11 SafeGuards | irs.gov"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
valueName: ScanWithAntiVirus
dataType: REG_DWORD
data: '1'
dataOnRevert: '3' # Default value: `3` on Windows 10 Pro (≥ 22H2) | `3` on Windows 11 Pro (≥ 23H2)
-
name: Remove "Windows Security" app (`SecHealthUI`) (breaks Windows Security user interface)
docs: |-
This script removes the "Windows Security" app [1], known as `SecHealthUI` [2] [3].
This app serves as the interface for Windows Security [2], helping users monitor and manage their computer's security [4].
It provides alerts and guidance on vulnerabilities through the Action Center [4].
However, uninstalling the "Windows Security" app has significant implications:
- It may increase vulnerability to threats by no longer alerting users about security issues or communicating updates through the Action Center [4].
- Disabling its interface can hinder the effective management of security settings, including tamper protection [5].
Despite these risks, removing the app can enhance privacy in several ways:
- **Less personal data collection**: Reduces the collection and display of personal and system data such as threats [6], limiting information used to analyze user behavior.
- **More control over security settings**: Encourages managing security settings programmatically, reducing accidental misconfigurations and unauthorized access.
- **Decreased notifications and alerts**: Reduces the number of notifications that may expose sensitive information.
- **User choice in security tools**: Offers freedom to choose alternative privacy-focused security measures.
- **Increased anonymity**: By uninstalling the app, users reduce the amount of data shared under the terms of
[Microsoft's privacy policy](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement),
which allows Microsoft to collect and share data with external entities when the app is in use.
This app comes pre-installed on certain versions of Windows [7] [8].
The package is named `Microsoft.Windows.SecHealthUI` on Windows 10 and `Microsoft.SecHealthUI` on Windows 11 [1] [2].
It operates independently from individual Defender features [9] and is updated separately from the operating system [10].
Uninstalling it does not disable Microsoft Defender Antivirus or Firewall [11],
and Windows will continue sending security notifications unless disabled separately [12].
> **Caution**: Uninstalling "Windows Security" app can expose your system to threats and limit your ability to configure
> security settings. It should only be done with a full understanding of the consequences.
### Overview of default preinstallation
`Microsoft.Windows.SecHealthUI`:
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
`Microsoft.SecHealthUI`:
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006113851/https://support.microsoft.com/en-us/topic/windows-security-update-a6ac7d2e-b1bf-44c0-a028-41720a242da3 "Windows Security Update - Microsoft Support"
[2]: https://github.com/undergroundwires/privacy.sexy/issues/195 "[BUG]: Uninstalling the SecHealthUI fails, despite the app being installed. · Issue #195 · undergroundwires/privacy.sexy"
[3]: https://web.archive.org/web/20231006113903/https://download.microsoft.com/download/e/1/0/e10a6884-2e7a-4d80-ac2f-884c39a2a1b2/5001337.csv "Services CSV file | microsoft.com"
[4]: https://web.archive.org/web/20231006113932/https://learn.microsoft.com/en-us/windows/win32/devnotes/windows-security-center "The Windows Security app - Win32 apps | Microsoft Learn"
[5]: https://web.archive.org/web/20231006115719/https://support.microsoft.com/en-us/windows/prevent-changes-to-security-settings-with-tamper-protection-31d51aaa-645d-408e-6ce7-8d7f8e593f87 "Prevent changes to security settings with Tamper Protection - Microsoft Support"
[6]: https://web.archive.org/web/20231006115719/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide "Microsoft Defender Antivirus in Windows | Microsoft Learn"
[7]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[9]: https://web.archive.org/web/20231013153902/https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center#how-windows-security-works-with-windows-security-features "Windows Security - Windows Security | Microsoft Learn"
[10]: https://web.archive.org/web/20231006115836/https://support.microsoft.com/en-us/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936 "KB5020779 The vulnerable driver blocklist after the October 2022 preview release - Microsoft Support"
[11]: https://web.archive.org/web/20231006115845/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide "Microsoft Defender Antivirus in the Windows Security app | Microsoft Learn"
[12]: https://web.archive.org/web/20231006115826/https://support.microsoft.com/en-us/windows/windows-security-notifications-6a59ce6a-e1e0-4795-b080-ba92d49644b2 "Windows Security notifications - Microsoft Support"
call:
-
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.SecHealthUI # Get-AppxPackage Microsoft.Windows.SecHealthUI
publisherId: cw5n1h2txyewy
-
function: UninstallNonRemovableStoreApp
# Notes:
# - Although not a system app, this app is flagged as 'NonRemovable'.
# Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallStoreApp`.
# - Attempts to remove the app installation files lead to permission errors, even with file ACLs permissions granted.
# Therefore, `UninstallNonRemovableStoreApp` is preferred over `UninstallNonRemovableStoreAppWithCleanup`.
parameters:
packageName: Microsoft.SecHealthUI # Get-AppxPackage Microsoft.SecHealthUI
publisherId: 8wekyb3d8bbwe
-
category: UI for privacy
children:
-
name: Disable lock screen app notifications
recommend: standard
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: DisableLockScreenAppNotifications
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Disable online content in File Explorer
children:
-
name: Disable online tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\System
valueName: AllowOnlineTips
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Internet File Association" service
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoInternetOpenWith
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Order Prints" picture task
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoOnlinePrintsWizard
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable "Publish to Web" option for files and folders
recommend: standard
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoPublishingWizard
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable provider list downloads for wizards
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoWebServices
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Secure recent document lists
children:
-
name: Disable history of recently opened documents
recommend: strict
docs: https://web.archive.org/web/20231207105611/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoRecentDocsHistory
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # `0` by default on Windows 10 (22H2 and above) | Missing by default on Windows 11 (23H2 and above)
-
name: Clear recently opened document history upon exit
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: ClearRecentDocsOnExit
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Live Tiles push notifications
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
valueName: NoTileApplicationNotification
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable the "Look For An App In The Store" option
recommend: standard
docs:
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer
valueName: NoUseStoreOpenWith
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable the display of recently used files in Quick Access
recommend: strict
docs:
- https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent
- https://web.archive.org/web/20231206191753/https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5
- https://web.archive.org/web/20240314130140/https://learn.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
valueName: ShowRecent
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 19H1) and Windows 11 Pro (≥ 23H2)
- # For x86 systems
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}'
valueName: (Default)
dataTypeOnRevert: REG_SZ
dataOnRevert: 'Recent Files Folder' # Default value: `Recent Files Folder` on Windows 10 Pro (≥ 19H1) | `Recent Files Folder` on Windows 11 Pro (≥ 23H2)
- # For x64 systems (using `Wow6432Node`)
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}'
valueName: (Default)
dataTypeOnRevert: REG_SZ
dataOnRevert: 'Recent Files Folder' # Default value: `Recent Files Folder` on Windows 10 Pro (≥ 19H1) | `Recent Files Folder` on Windows 11 Pro (≥ 23H2)
-
name: Disable sync provider notifications
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
valueName: ShowSyncProviderNotifications
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Disable hibernation for faster startup and to avoid sensitive data storage
docs: |-
This script commands your system to deactivate the hibernation feature. Hibernate is a power-saving state that saves your current work and turns
off the computer [1]. When your computer hibernates, it saves the contents of its RAM to your hard disk and powers off the machine [2]. Upon starting
again, your computer can restore all the open programs and documents from your hard disk to its RAM [1].
If hibernation mode is enabled, sensitive data stored in RAM is written to disk [2]. The memory can contain private data, passwords, keys and so
on. This data could be accessed by malicious software or by people with physical access to the computer. By disabling hibernation, this script reduces the risk
of such privacy breaches.
It configures hibernation using the `powercfg` command-line tool [3].
[1]: https://web.archive.org/web/20230806164910/https://support.microsoft.com/en-us/windows/shut-down-sleep-or-hibernate-your-pc-2941d165-7d0a-a5e8-c5ad-8c972e8e6eff
[2]: https://web.archive.org/web/20230712211259/https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/system-sleeping-states
[3]: https://web.archive.org/web/20230806165041/https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
code: powercfg -h off
revertCode: powercfg -h on
-
name: Enable camera on/off OSD notifications
docs:
- https://web.archive.org/web/20240314130237/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled
- https://archive.ph/2024.03.14-100859/https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5/?rdt=41039
- https://web.archive.org/web/20231206191715/https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: NoPhysicalCameraLED
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Remove folders from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This category includes scripts to hide specific folders from **This PC** in **File Explorer**
and other file selection dialogs on Windows systems.
It enhances privacy by hiding personal folders from common Windows interfaces.
This prevents accidental exposure of sensitive information when sharing your screen
or allowing others to use your computer.
Removing folders may change how you access them if you often use **This PC** or file dialogs.
You can still reach these folders through direct paths or shortcuts.
These scripts are not applicable to Windows 11, as it does not display user folders
such as *Documents*, *Pictures*, and *Music* in **This PC** by default [1].
> **Caution**: This action enhances privacy but may require extra steps for access.
### Folder Identifier Reference
These items are known to Windows by their IDs [2]:
| Name | Internal Name | Folder GUID |
|-------------|-------------|---------|
| Network | `NetworkFolder` | `D20BEEC4-5CA8-4905-AE3B-BF251EA09B53` |
| This PC | `ComputerFolder` | `0AC0837C-BBF8-452A-850D-79D08E667CA7` |
| Internet | `InternetFolder` | `4D9F7874-4E0C-4904-967B-40B0D20C3E4B` |
| Control Panel | `ControlPanelFolder` | `82A74AEB-AEB4-465C-A014-D097EE346D63` |
| Printers | `PrintersFolder` | `76FC4E2D-D6AD-4519-A663-37BD56068185` |
| Sync Center | `SyncManagerFolder` | `43668BF8-C14E-49B2-97C9-747784D784B7` |
| Sync Setup | `SyncSetupFolder` | `0F214138-B1D3-4A90-BBA9-27CBC0C5389A` |
| Conflicts | `ConflictFolder` | `4BFEFB45-347D-4006-A5BE-AC0CB0567192` |
| Sync Results | `SyncResultsFolder` | `289A9A43-BE44-4057-A41B-587A76D7E7F9` |
| Recycle Bin | `RecycleBinFolder` | `B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC` |
| Connections | `ConnectionsFolder` | `6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD` |
| Fonts | `Fonts` | `FD228CB7-AE11-4AE3-864C-16F3910AB8FE` |
| Desktop | `Desktop` | `B4BFCC3A-DB2C-424C-B029-7FE99A87C641` |
| Startup | `Startup` | `B97D20BB-F46A-4C97-BA10-5E3608430854` |
| Programs | `Programs` | `A77F5D77-2E2B-44C3-A6A2-ABA601054A51` |
| Start Menu | `StartMenu` | `625B53C3-AB48-4EC1-BA1F-A1EF4146FC19` |
| Recent | `Recent` | `AE50C081-EBD2-438A-8655-8A092E34987A` |
| SendTo | `SendTo` | `8983036C-27C0-404B-8F08-102D10DCFD74` |
| Documents | `Documents` | `FDD39AD0-238F-46AF-ADB4-6C85480369C7` |
| Favorites | `Favorites` | `1777F761-68AD-4D8A-87BD-30B759FA33DD` |
| Network Shortcuts | `NetHood` | `C5ABBF53-E17F-4121-8900-86626FC2C973` |
| Printer Shortcuts | `PrintHood` | `9274BD8D-CFD1-41C3-B35E-B13F55A758F4` |
| Templates | `Templates` | `A63293E8-664E-48DB-A079-DF759E0509F7` |
| Common Startup | `CommonStartup` | `82A5EA35-D9CD-47C5-9629-E15D2F714E6E` |
| Common Programs | `CommonPrograms` | `0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8` |
| Common Start Menu | `CommonStartMenu` | `A4115719-D62E-491D-AA7C-E74B8BE3B067` |
| Public Desktop | `PublicDesktop` | `C4AA340D-F20F-4863-AFEF-F87EF2E6BA25` |
| ProgramData | `ProgramData` | `62AB5D82-FDC1-4DC3-A9DD-070D1D495D97` |
| Common Templates | `CommonTemplates` | `B94237E7-57AC-4347-9151-B08C6C32D1F7` |
| Public Documents | `PublicDocuments` | `ED4824AF-DCE4-45A8-81E2-FC7965083634` |
| Roaming | `RoamingAppData` | `3EB685DB-65F9-4CF6-A03A-E3EF65729F3D` |
| Local | `LocalAppData` | `F1B32785-6FBA-4FCF-9D55-7B8E7F157091` |
| LocalLow | `LocalAppDataLow` | `A520A1A4-1780-4FF6-BD18-167343C5AF16` |
| Internet Cache | `InternetCache` | `352481E8-33BE-4251-BA85-6007CAEDCF9D` |
| Cookies | `Cookies` | `2B0F765D-C0E9-4171-908E-08A611B84FF6` |
| History | `History` | `D9DC8A3B-B784-432E-A781-5A1130A75963` |
| System | `System` | `1AC14E77-02E7-4E5D-B744-2EB1AE5198B7` |
| System32 | `SystemX86` | `D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27` |
| Windows | `Windows` | `F38BF404-1D43-42F2-9305-67DE0B28FC23` |
| Profile | `Profile` | `5E6C858F-0E22-4760-9AFE-EA3317B67173` |
| Pictures | `Pictures` | `33E28130-4E1E-4676-835A-98395C3BC3BB` |
| Program Files (x86) | `ProgramFilesX86` | `7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E` |
| Common Files (x86) | `ProgramFilesCommonX86` | `DE974D24-D9C6-4D3E-BF91-F4455120B917` |
| Program Files (x64) | `ProgramFilesX64` | `6D809377-6AF0-444B-8957-A3773F02200E` |
| Common Files (x64) | `ProgramFilesCommonX64` | `6365D5A7-0F0D-45E5-87F6-0DA56B6A4F7D` |
| Program Files | `ProgramFiles` | `905E63B6-C1BF-494E-B29C-65B732D3D21A` |
| Program Files (Common) | `ProgramFilesCommon` | `F7F1ED05-9F6D-47A2-AAAE-29D317C6F066` |
| User Program Files | `UserProgramFiles` | `5CD7AEE2-2219-4A67-B85D-6C9CE15660CB` |
| User Common Files | `UserProgramFilesCommon` | `BCBD3057-CA5C-4622-B42D-BC56DB0AE516` |
| Administrative Tools | `AdminTools` | `724EF170-A42D-4FEF-9F26-B60E846FBA4F` |
| Common Administrative Tools | `CommonAdminTools` | `D0384E7D-BAC3-4797-8F14-CBA229B392B5` |
| Music | `Music` | `4BD8D571-6D19-48D3-BE97-422220080E43` |
| Videos | `Videos` | `18989B1D-99B5-455B-841C-AB7C74E4DDFC` |
| Ringtones | `Ringtones` | `C870044B-F49E-4126-A9C3-B52A1FF411E8` |
| Public Pictures | `PublicPictures` | `B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5` |
| Public Music | `PublicMusic` | `3214FAB5-9757-4298-BB61-92A9DEAA44FF` |
| Public Videos | `PublicVideos` | `2400183A-6185-49FB-A2D8-4A392A602BA3` |
| Public Ringtones | `PublicRingtones` | `E555AB60-153B-4D17-9F04-A5FE99FC15EC` |
| Resource Directory | `ResourceDir` | `8AD10C31-2ADB-4296-A8F7-E4701232C972` |
| Localized Resources | `LocalizedResourcesDir` | `2A00375E-224C-49DE-B8D1-440DF7EF3DDC` |
| OEM Links | `CommonOEMLinks` | `C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D` |
| CD Burning | `CDBurning` | `9E52AB10-F80D-49DF-ACB8-4330F5687855` |
| User Profiles | `UserProfiles` | `0762D272-C50A-4BB0-A382-697DCD729B80` |
| Playlists | `Playlists` | `DE92C1C7-837F-4F69-A3BB-86E631204A23` |
| Sample Playlists | `SamplePlaylists` | `15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5` |
| Sample Music | `SampleMusic` | `B250C668-F57D-4EE1-A63C-290EE7D1AA1F` |
| Sample Pictures | `SamplePictures` | `C4900540-2379-4C75-844B-64E6FAF8716B` |
| Sample Videos | `SampleVideos` | `859EAD94-2E85-48AD-A71A-0969CB56A6CD` |
| Photo Albums | `PhotoAlbums` | `69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C` |
| Public | `Public` | `DFDF76A2-C82A-4D63-906A-5644AC457385` |
| Programs and Features | `ChangeRemovePrograms` | `DF7266AC-9274-4867-8D55-3BD661DE872D` |
| App Updates | `AppUpdates` | `A305CE99-F527-492B-8B1A-7E76FA98D6E4` |
| Get Programs | `AddNewPrograms` | `DE61D971-5EBC-4F02-A3A9-6C82895E5C04` |
| Downloads | `Downloads` | `374DE290-123F-4565-9164-39C4925E467B` |
| Public Downloads | `PublicDownloads` | `3D644C9B-1FB8-4F30-9B45-F670235F79C0` |
| Saved Searches | `SavedSearches` | `7D1D3A04-DEBB-4115-95CF-2F29DA2920DA` |
| Quick Launch | `QuickLaunch` | `52A4F021-7B75-48A9-9F6B-4B87A210BC8F` |
| Contacts | `Contacts` | `56784854-C6CB-462B-8169-88E350ACB882` |
| Gadgets | `SidebarParts` | `A75D362E-50FC-4FB7-AC2C-A8BEAA314493` |
| Default Gadgets | `SidebarDefaultParts` | `7B396E54-9EC5-4300-BE0A-2482EBAE1A26` |
| Public Game Tasks | `PublicGameTasks` | `DEBF2536-E1A8-4C59-B6A2-414586476AEA` |
| Game Tasks | `GameTasks` | `054FAE61-4DD8-4787-80B6-090220C4B700` |
| Saved Games | `SavedGames` | `4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4` |
| Games | `Games` | `CAC52C1A-B53D-4EDC-92D7-6B2E8AC19434` |
| Search MAPI | `SEARCH_MAPI` | `98EC0E18-2098-4D44-8644-66979315A281` |
| Search CSC | `SEARCH_CSC` | `EE32E446-31CA-4ABA-814F-A5EBD2FD6D5E` |
| Links | `Links` | `BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968` |
| User Files | `UsersFiles` | `F3CE0F7C-4901-4ACC-8648-D5D44B04EF8F` |
| User Libraries | `UsersLibraries` | `A302545D-DEFF-464B-ABE8-61C8648D939B` |
| Search Home | `SearchHome` | `190337D1-B8CA-4121-A639-6D472D16972A` |
| Original Images | `OriginalImages` | `2C36C0AA-5812-4B87-BFD0-4CD0DFB19B39` |
| Documents Library | `DocumentsLibrary` | `7B0DB17D-9CD2-4A93-9733-46CC89022E7C` |
| Music Library | `MusicLibrary` | `2112AB0A-C86A-4FFE-A368-0DE96E47012E` |
| Pictures Library | `PicturesLibrary` | `A990AE9F-A03B-4E80-94BC-9912D7504104` |
| Videos Library | `VideosLibrary` | `491E922F-5643-4AF4-A7EB-4E7A138D8174` |
| Recorded TV Library | `RecordedTVLibrary` | `1A6FDBA2-F42D-4358-A798-B74D745926C5` |
| HomeGroup | `HomeGroup` | `52528A6B-B9E3-4ADD-B60D-588C2DBA842D` |
| HomeGroup Current User | `HomeGroupCurrentUser` | `9B74B6A3-0DFD-4F11-9E78-5F7800F2E772` |
| Device Metadata Store | `DeviceMetadataStore` | `5CE4A5E9-E4EB-479D-B89F-130C02886155` |
| Libraries | `Libraries` | `1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE` |
| Public Libraries | `PublicLibraries` | `48DAF80B-E6CF-4F4E-B800-0E69D84EE384` |
| User Pinned | `UserPinned` | `9E3995AB-1F9C-4F13-B827-48B24B6C7174` |
| Implicit App Shortcuts | `ImplicitAppShortcuts` | `BCB5256F-79F6-4CEE-B725-DC34E402FD46` |
| Account Pictures | `AccountPictures` | `008CA0B1-55B4-4C56-B8A8-4DE4B299D3BE` |
| Public User Tiles | `PublicUserTiles` | `0482AF6C-08F1-4C34-8C90-E17EC98B1E17` |
| Apps | `AppsFolder` | `1E87508D-89C2-42F0-8A7E-645A0F50CA58` |
| All Programs | `StartMenuAllPrograms` | `F26305EF-6948-40B9-B255-81453D09C785` |
| Common Start Menu Places | `CommonStartMenuPlaces` | `A440879F-87A0-4F7D-B700-0207B966194A` |
| Application Shortcuts | `ApplicationShortcuts` | `A3918781-E5F2-4890-B3D9-A7E54332328C` |
| Roaming Tiles | `RoamingTiles` | `00BCFC5A-ED94-4E48-96A1-3F6217F21990` |
| Roamed Tile Images | `RoamedTileImages` | `AAA8D5A5-F1D6-4259-BAA8-78E7EF60835E` |
| Screenshots | `Screenshots` | `B7BEDE81-DF94-4682-A7D8-57A52620B86F` |
| Camera Roll | `CameraRoll` | `AB5FB87B-7CE2-4F83-915D-550846C9537B` |
| OneDrive | `OneDrive` | `A52BBA46-E9E1-435F-B3D9-28DAA648C0F6` |
| OneDrive Documents | `SkyDriveDocuments` | `24D89E24-2F19-4534-9DDE-6A6671FBB8FE` |
| OneDrive Pictures | `SkyDrivePictures` | `339719B5-8C47-4894-94C2-D8F77ADD44A6` |
| OneDrive Music | `SkyDriveMusic` | `C3F2459E-80D6-45DC-BFEF-1F769F2BE730` |
| OneDrive Camera Roll | `SkyDriveCameraRoll` | `767E6811-49CB-4273-87C2-20F355E1085B` |
| Search History | `SearchHistory` | `0D4C3DB6-03A3-462F-A0E6-08924C41B5D4` |
| Search Templates | `SearchTemplates` | `7E636BFE-DFA9-4D5E-B456-D7B39851D8A9` |
| Camera Roll Library | `CameraRollLibrary` | `2B20DF75-1EDA-4039-8097-38798227D5B7` |
| Saved Pictures | `SavedPictures` | `3B193882-D3AD-4EAB-965A-69829D1FB59F` |
| Saved Pictures Library | `SavedPicturesLibrary` | `E25B5812-BE88-4BD9-94B0-29233477B6C3` |
| Retail Demo | `RetailDemo` | `12D4C69E-24AD-4923-BE19-31321C43A767` |
| Device | `Device` | `1C2AC1DC-4358-4B6C-9733-AF21156576F0` |
| Development Files | `DevelopmentFiles` | `DBE8E08E-3053-4BBC-B183-2A7B2B191E59` |
| 3D Objects | `Objects3D` | `31C0DD25-9439-4F12-BF41-7FF4EDA38722` |
| Captures | `AppCaptures` | `EDC0FE71-98D8-4F4A-B920-C8DC133CB165` |
| Local Documents | `LocalDocuments` | `F42EE2D3-909F-4907-8871-4C22FC0BF756` |
| Local Pictures | `LocalPictures` | `0DDD015D-B06C-45D5-8C4C-F59713854639` |
| Local Videos | `LocalVideos` | `35286A68-3C57-41A1-BBB1-0EAE73D76C95` |
| Local Music | `LocalMusic` | `A0C69A99-21C8-4671-8703-7934162FCF1D` |
| Local Downloads | `LocalDownloads` | `7D83EE9B-2244-4E70-B1F5-5393042AF1E4` |
| Recorded Calls | `RecordedCalls` | `2F8B40C2-83ED-48EE-B383-A1F157EC6F9A` |
| All App Mods | `AllAppMods` | `7AD67899-66AF-43BA-9156-6AAD42E6C596` |
| Current App Mods | `CurrentAppMods` | `3DB40B20-2A30-4DBE-917E-771DD21DD099` |
| AppData Desktop | `AppDataDesktop` | `B2C5E279-7ADD-439F-B28C-C41FE1BBF672` |
| AppData Documents | `AppDataDocuments` | `7BE16610-1F7F-44AC-BFF0-83E15F2FFCA1` |
| AppData Favorites | `AppDataFavorites` | `7CFBEFBC-DE1F-45AA-B843-A542AC536CC9` |
| AppData ProgramData | `AppDataProgramData` | `559D40A3-A036-40FA-AF61-84CB430A4D34` |
| Local Storage | `LocalStorage` | `B3EB08D3-A1F3-496B-865A-42B536CDA0EC` |
### Folder Class Identifier (CLSID) Reference
Certain special folders within Windows are identified by unique strings called CLSIDs [3].
They include:
| Name | Internal Name | GUID |
|---------|---------------|------|
| Desktop | `CLSID_ThisPCDesktopRegFolder` | `B4BFCC3A-DB2C-424C-B029-7FE99A87C641` |
| Music | `CLSID_ThisPCMyMusicRegFolder` | `1CF1260C-4DD0-4ebb-811F-33C572699FDE` |
| Downloads | `CLSID_ThisPCDownloadsRegFolder` | `374DE290-123F-4565-9164-39C4925E467B` |
| Pictures | `CLSID_ThisPCMyPicturesRegFolder` | `3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA` |
| Videos | `CLSID_ThisPCMyVideosRegFolder` | `A0953C92-50DC-43bf-BE83-3742FED03C9C` |
| Documents | `CLSID_ThisPCDocumentsRegFolder` | `A8CDFF1C-4878-43be-B5FD-F8091C1C60D0` |
| Local Downloads | `CLSID_ThisPCLocalDownloadsRegFolder` | `088e3905-0323-4b02-9826-5d99428e115f` |
| Local Pictures | `CLSID_ThisPCLocalPicturesRegFolder` | `24ad3ad4-a569-4530-98e1-ab02f9417aa8` |
| Local Music | `CLSID_ThisPCLocalMusicRegFolder` | `3dfdf296-dbec-4fb4-81d1-6a3438bcf4de` |
| Local Videos | `CLSID_ThisPCLocalVideosRegFolder` | `f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a` |
| Local Documents | `CLSID_ThisPCLocalDocumentsRegFolder` | `d3162b92-9365-467a-956b-92703aca08af` |
These CLSIDs can be inspected by running the following command.
The command displays their internal name as the default value on Windows 11 but not on Windows 10:
```powershell
$registryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace"
$subkeys = Get-ChildItem -Path $registryPath
foreach ($key in $subkeys) {
  # Get the key name (GUID)
  $keyName = $key.PSChildName
  # Get the (Default) value
  $defaultValue = (Get-ItemProperty -Path $key.PSPath -Name "(default)" -ErrorAction Ignore)."(default)"
  # Output the results
  Write-Output "Key: $keyName"
  Write-Output "Default Value: $defaultValue"
  Write-Output "------------------------"
}
```
You can open a folder with CLSID using the following command:
```batchfile
start shell:::{CLSID}
```
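The following read-only audit is an added example, not part of privacy.sexy. It reports, for five of the folders listed above, the `ThisPCPolicy` value under `FolderDescriptions` and which of the folder's CLSIDs are registered under `MyComputer\NameSpace`. Checking both the native and `WOW6432Node` registry views, and the names `Get-ThisPCFolderVisibility`, `$thisPCFolders` and `$registryViews`, are assumptions of this example.

```powershell
# Added example (not privacy.sexy code): read-only audit of "This PC" folder state.
# Folder IDs and CLSIDs are copied from the two reference tables above.
$thisPCFolders = @(
  @{ Name = 'Desktop';   FolderId = 'B4BFCC3A-DB2C-424C-B029-7FE99A87C641'
     Clsids = @('B4BFCC3A-DB2C-424C-B029-7FE99A87C641') }
  @{ Name = 'Documents'; FolderId = 'f42ee2d3-909f-4907-8871-4c22fc0bf756'
     Clsids = @('A8CDFF1C-4878-43be-B5FD-F8091C1C60D0', 'd3162b92-9365-467a-956b-92703aca08af') }
  @{ Name = 'Downloads'; FolderId = '7d83ee9b-2244-4e70-b1f5-5393042af1e4'
     Clsids = @('088e3905-0323-4b02-9826-5d99428e115f', '374DE290-123F-4565-9164-39C4925E467B') }
  @{ Name = 'Videos';    FolderId = '35286a68-3c57-41a1-bbb1-0eae73d76c95'
     Clsids = @('f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a', 'A0953C92-50DC-43bf-BE83-3742FED03C9C') }
  @{ Name = 'Music';     FolderId = 'a0c69a99-21c8-4671-8703-7934162fcf1d'
     Clsids = @('3dfdf296-dbec-4fb4-81d1-6a3438bcf4de', '1CF1260C-4DD0-4ebb-811F-33C572699FDE') }
)

# Assumption: both registry views are inspected. The collection file itself shows the
# native view for FolderDescriptions and the WOW6432Node view for MyComputer\NameSpace.
$registryViews = [ordered]@{
  'Native'      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
  'WOW6432Node' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer'
}

function Get-ThisPCFolderVisibility {
  param(
    [Parameter(Mandatory)] [hashtable[]] $Folders,
    [Parameter(Mandatory)] [System.Collections.IDictionary] $Views
  )
  foreach ($folder in $Folders) {
    foreach ($view in $Views.GetEnumerator()) {
      $explorerKey = $view.Value

      # Per-folder policy value; the key or the value may be absent, which is reported as such.
      $bagPath = "$explorerKey\FolderDescriptions\{$($folder.FolderId)}\PropertyBag"
      $policy = (Get-ItemProperty -LiteralPath $bagPath -Name 'ThisPCPolicy' -ErrorAction Ignore).ThisPCPolicy

      # CLSIDs of this folder that still have a subkey under MyComputer\NameSpace.
      $registered = @(
        $folder.Clsids | Where-Object {
          Test-Path -LiteralPath "$explorerKey\MyComputer\NameSpace\{$_}"
        }
      )

      [pscustomobject]@{
        Folder          = $folder.Name
        View            = $view.Key
        ThisPCPolicy    = if ($null -ne $policy) { $policy } else { '(not set)' }
        NameSpaceClsids = if ($registered.Count -gt 0) { $registered -join ', ' } else { '(none)' }
      }
    }
  }
}

# Nothing is written to the registry; run before and after applying or reverting a script.
Get-ThisPCFolderVisibility -Folders $thisPCFolders -Views $registryViews |
  Format-Table -AutoSize
```

Comparing the output before and after a script runs shows which of the two mechanisms changed on the machine, and whether a revert restored the earlier state.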
[1]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
[2]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[3]: https://archive.ph/2023.07.18-200525/https://www.autohotkey.com/docs/v1/misc/CLSID-List.htm "CLSID List (Windows Class Identifiers) | AutoHotkey v1 | autohotkey.com"
children:
-
name: Remove "Desktop" folder from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This script hides the **Desktop** folder from **This PC** in **File Explorer**.
It improves privacy by hiding desktop contents, which often include personal files,
shortcuts, and temporary items.
This reduces the risk of accidentally revealing sensitive information when using
file dialogs.
However, this may impact your workflow if you frequently access desktop items this way.
The desktop remains visible and accessible by minimizing windows or using **File Explorer**.
This script hides the folder using these identifiers:
- Folder ID `B4BFCC3A-DB2C-424C-B029-7FE99A87C641` [1].
- CLSID `B4BFCC3A-DB2C-424C-B029-7FE99A87C641` [2].
On Windows 11, this script aligns with the system's default settings, as user folders
in **This PC** are hidden by default [3].
> **Caution**: This action enhances privacy but may require extra steps for access.
[1]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[2]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[3]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
call:
-
function: HideExplorerThisPCFolderViaGuid
parameters:
folderId: 'B4BFCC3A-DB2C-424C-B029-7FE99A87C641'
# Check default: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag /v "ThisPCPolicy"
hideOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
folderClsid: 'B4BFCC3A-DB2C-424C-B029-7FE99A87C641' # CLSID_ThisPCDesktopRegFolder
-
name: Remove "Documents" folder from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This script hides the **Documents** folder from **This PC** in **File Explorer**.
It enhances privacy by hiding the **Documents** folder, which often contains personal and
sensitive files.
This action reduces the risk of accidental exposure of private information during common
file operations or when others briefly access your computer.
This change may disrupt your workflow if you often access files in the **Documents** folder
via these interfaces.
You can still access the **Documents** folder directly in **File Explorer** or via
application-specific **Open** and **Save** dialogs that do not use **This PC**.
This script hides the folder using these identifiers:
- Folder ID `f42ee2d3-909f-4907-8871-4c22fc0bf756` [1].
- CLSID `A8CDFF1C-4878-43be-B5FD-F8091C1C60D0` [2] [3].
- CLSID `d3162b92-9365-467a-956b-92703aca08af` [2].
On Windows 11, this script aligns with the system's default settings, as user folders
in **This PC** are hidden by default [4].
> **Caution**: This action enhances privacy but may require extra steps for access.
[1]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[2]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[3]: https://web.archive.org/web/20240729215209/https://marslo.github.io/ibook/cheatsheet/windows/clsid.html "clsid · ibook | marslo.github.io"
[4]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
call:
-
function: HideExplorerThisPCFolderViaGuid
parameters:
folderId: 'f42ee2d3-909f-4907-8871-4c22fc0bf756'
# Check default: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag /v "ThisPCPolicy"
showOnRevert: 'true' # Shown by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}
folderClsid: 'A8CDFF1C-4878-43be-B5FD-F8091C1C60D0' # CLSID_ThisPCDocumentsRegFolder
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{d3162b92-9365-467a-956b-92703aca08af}
folderClsid: 'd3162b92-9365-467a-956b-92703aca08af' # CLSID_ThisPCLocalDocumentsRegFolder
-
name: Remove "Downloads" folder from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This script hides the **Downloads** folder from **This PC** in **File Explorer**.
It enhances privacy by concealing your downloaded files from casual view, potentially
including sensitive documents, personal data, or temporary items.
This reduces the risk of unintentional exposure of potentially private information when
using common file dialogs.
However, this may affect your workflow if you frequently access downloaded
files through these interfaces. The **Downloads** folder remains accessible
through direct navigation in **File Explorer** or web browsers.
This script hides the folder using these identifiers:
- Folder ID `7d83ee9b-2244-4e70-b1f5-5393042af1e4` [1].
- CLSID `088e3905-0323-4b02-9826-5d99428e115f` [2].
- CLSID `374DE290-123F-4565-9164-39C4925E467B` [3].
On Windows 11, this script aligns with the system's default settings, as user folders
in **This PC** are hidden by default [4].
> **Caution**: This action enhances privacy but may require extra steps for access.
[1]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[2]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[3]: https://web.archive.org/web/20240729215209/https://marslo.github.io/ibook/cheatsheet/windows/clsid.html "clsid · ibook | marslo.github.io"
[4]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
call:
-
function: HideExplorerThisPCFolderViaGuid
parameters:
folderId: '7d83ee9b-2244-4e70-b1f5-5393042af1e4'
# Check default: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag /v "ThisPCPolicy"
showOnRevert: 'true' # Shown by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{088e3905-0323-4b02-9826-5d99428e115f}
folderClsid: '088e3905-0323-4b02-9826-5d99428e115f' # CLSID_ThisPCLocalDownloadsRegFolder
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{374DE290-123F-4565-9164-39C4925E467B}
folderClsid: '374DE290-123F-4565-9164-39C4925E467B' # CLSID_ThisPCDownloadsRegFolder
-
name: Remove "Videos" folder from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This script hides the **Videos** folder from **This PC** in **File Explorer**.
It enhances privacy by hiding your video collection, which may contain personal or sensitive content.
This reduces the risk of inadvertently exposing private videos when using common file dialogs.
However, this change may affect your workflow if you frequently access video files through these interfaces.
You can still access the **Videos** folder directly in **File Explorer** or via media applications.
This script hides the folder using these identifiers:
- Folder ID `35286a68-3c57-41a1-bbb1-0eae73d76c95` [1].
- CLSID `f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a` [2].
- CLSID `A0953C92-50DC-43bf-BE83-3742FED03C9C` [3].
On Windows 11, this script aligns with the system's default settings, as user folders
in **This PC** are hidden by default [4].
> **Caution**: This action enhances privacy but may require extra steps for access.
[1]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[2]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[3]: https://web.archive.org/web/20240729215209/https://marslo.github.io/ibook/cheatsheet/windows/clsid.html "clsid · ibook | marslo.github.io"
[4]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
call:
-
function: HideExplorerThisPCFolderViaGuid
parameters:
folderId: '35286a68-3c57-41a1-bbb1-0eae73d76c95'
# Check default: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag /v "ThisPCPolicy"
showOnRevert: 'true' # Shown by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}
folderClsid: 'f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a' # CLSID_ThisPCLocalVideosRegFolder
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{A0953C92-50DC-43bf-BE83-3742FED03C9C}
folderClsid: 'A0953C92-50DC-43bf-BE83-3742FED03C9C' # CLSID_ThisPCMyVideosRegFolder
-
name: Remove "Music" folder from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This script hides the **Music** folder from **This PC** in **File Explorer**.
It improves privacy by hiding your music collection, which may reflect
personal tastes or contain sensitive audio files. This reduces the risk
of unintentional exposure of private audio content when using common
file dialogs.
However, this may affect your workflow if you frequently access music
files through these interfaces. The **Music** folder remains accessible
through direct navigation in **File Explorer** or media players.
This script hides the folder using these identifiers:
- Folder ID `a0c69a99-21c8-4671-8703-7934162fcf1d` [1].
- CLSID `3dfdf296-dbec-4fb4-81d1-6a3438bcf4de` [2].
- CLSID `1CF1260C-4DD0-4ebb-811F-33C572699FDE` [2] [3].
On Windows 11, this script aligns with the system's default settings, as user folders
in **This PC** are hidden by default [4].
> **Caution**: This action enhances privacy but may require extra steps for access.
[1]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[2]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[3]: https://web.archive.org/web/20240729215209/https://marslo.github.io/ibook/cheatsheet/windows/clsid.html "clsid · ibook | marslo.github.io"
[4]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
call:
-
function: HideExplorerThisPCFolderViaGuid
parameters:
folderId: 'a0c69a99-21c8-4671-8703-7934162fcf1d'
# Check default: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag /v "ThisPCPolicy"
showOnRevert: 'true' # Shown by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}
folderClsid: '3dfdf296-dbec-4fb4-81d1-6a3438bcf4de' # CLSID_ThisPCLocalMusicRegFolder
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{1CF1260C-4DD0-4ebb-811F-33C572699FDE}
folderClsid: '1CF1260C-4DD0-4ebb-811F-33C572699FDE' # CLSID_ThisPCMyMusicRegFolder
-
name: Remove "Pictures" folder from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This script hides the **Pictures** folder from **This PC** in **File Explorer**.
It enhances privacy by concealing your image collection, which may include personal
or sensitive photos.
This reduces the risk of accidentally revealing private images in common file dialogs.
However, it may impact your workflow if you frequently access picture files through
these interfaces.
The **Pictures** folder remains accessible via direct navigation in **File Explorer**
or image viewing applications.
This script hides the folder using these identifiers:
- Folder ID `0ddd015d-b06c-45d5-8c4c-f59713854639` [1].
- CLSID `24ad3ad4-a569-4530-98e1-ab02f9417aa8` [2].
- CLSID `3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA` [3].
On Windows 11, this script aligns with the system's default settings, as user folders
in **This PC** are hidden by default [4].
> **Caution**: This action enhances privacy but may require extra steps for access.
[1]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[2]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[3]: https://web.archive.org/web/20240729215209/https://marslo.github.io/ibook/cheatsheet/windows/clsid.html "clsid · ibook | marslo.github.io"
[4]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
call:
-
function: HideExplorerThisPCFolderViaGuid
parameters:
folderId: '0ddd015d-b06c-45d5-8c4c-f59713854639'
# Check default: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag /v "ThisPCPolicy"
showOnRevert: 'true' # Shown by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{24ad3ad4-a569-4530-98e1-ab02f9417aa8}
folderClsid: '24ad3ad4-a569-4530-98e1-ab02f9417aa8' # CLSID_ThisPCLocalPicturesRegFolder
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}
folderClsid: '3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA' # CLSID_ThisPCMyPicturesRegFolder
-
name: Remove outdated "3D Objects" folder from This PC in File Explorer
docs: |- # refactor-with-variables: Same • Quick Access Productivity
This script hides the **3D Objects** folder from **This PC** in **File Explorer**.
This script improves privacy as this folder may contain personal projects or designs.
This action reduces the risk of unintentional sharing of potentially sensitive 3D
models or related files.
Microsoft removed this folder in Windows 10 Build 21322 and later versions [1].
If you often use the **3D Objects** folder, this change may affect your workflow.
The folder remains accessible through direct navigation in **File Explorer**.
This script hides the folder using these identifiers:
- Folder ID `31C0DD25-9439-4F12-BF41-7FF4EDA38722` [2].
- CLSID `0DB7E03F-FC29-4DC6-9020-FF41B59E513A` [3] [4].
On Windows 11, this script aligns with the system's default settings, as user folders
in **This PC** are hidden by default [5].
> **Caution**: This action enhances privacy but may require extra steps for access.
[1]: https://web.archive.org/web/20240729214345/https://blogs.windows.com/windows-insider/2021/02/24/announcing-windows-10-insider-preview-build-21322/ "Announcing Windows 10 Insider Preview Build 21322 | Windows Insider Blog | blogs.windows.com"
[2]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
[3]: https://web.archive.org/web/20240225155108/https://www.winhelponline.com/blog/remove-3d-objects-folder-pc-windows-10/ "Remove 3D Objects Folder from This PC in Windows 10 » Winhelponline | www.winhelponline.com"
[4]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[5]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
call:
-
function: HideExplorerThisPCFolderViaGuid
parameters:
folderId: '31C0DD25-9439-4F12-BF41-7FF4EDA38722'
# Check default: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag /v "ThisPCPolicy"
hideOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: HideExplorerThisPCFolderViaClsid
parameters:
# Check: start shell:::{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}
folderClsid: '0DB7E03F-FC29-4DC6-9020-FF41B59E513A'
-
name: Disable app usage tracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI
valueName: DisableMFUTracking
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable recent apps
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI
valueName: DisableRecentApps
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable backtracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Policies\Microsoft\Windows\EdgeUI
valueName: TurnOffBackstack
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Remove bloatware
children:
-
category: Remove Windows apps
docs: |-
This category covers the uninstallation of Windows apps.
Windows apps were introduced with Windows 8 and are typically acquired and installed through the Store app [1].
Many of these apps come pre-installed on Windows by default [1].
Uninstalling unused or unwanted apps contributes to privacy by reducing potential data collection points and minimizing your digital footprint.
The applications are categorized as:
- **Installed**: Included with the OS installation [1] [2]. They are stored in the `C:\Program Files\WindowsApps\{PackageFullName}` directory [1].
- **Provisioned**: Added when you log in with a new user account for the first time [1] [2] [3].
They are located in `C:\Program Files\WindowsApps\{PackageFullName}` [1].
The following PowerShell command can be used to view all provisioned apps:
`Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName, PublisherId` [3].
- **System apps**: Integral components of Windows [1] [2].
This category does not target framework apps. Framework apps are packages that get installed automatically if another application requires them [2]. If there are
applications depending on these framework packages, you cannot delete the framework app individually [2]. However, if you remove those dependent applications, the
associated framework package will be deleted [4]. To list all framework apps, you can use the following command:
`Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name`.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231003110200/https://learn.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries "Install the Microsoft Advertising SDK - Microsoft Store | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://github.com/undergroundwires/privacy.sexy/issues/200 "[BUG]: Microsoft Advertising app removal failure · Issue #200 · undergroundwires/privacy.sexy"
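The installed / provisioned / framework distinction described above can be checked per package before and after running the scripts in this category. The following PowerShell is an added example, not part of privacy.sexy; the function names `Get-StoreAppState` and `Get-FrameworkDependents` are hypothetical, and the package names and publisher IDs are copied from the `packageName` / `publisherId` parameters in this section. It assumes an elevated Windows PowerShell 5.1 session.

```powershell
#Requires -RunAsAdministrator
# Added example, not privacy.sexy code.
# Names and publisher IDs are copied from the scripts in this category.
$targets = [ordered]@{
    'Microsoft.Appconnector'        = '8wekyb3d8bbwe'
    'Microsoft.Print3D'             = '8wekyb3d8bbwe'
    'Windows.Print3D'               = 'cw5n1h2txyewy'
    'Microsoft.3DBuilder'           = '8wekyb3d8bbwe'
    'Microsoft.Microsoft3DViewer'   = '8wekyb3d8bbwe'
    'Microsoft.BingWeather'         = '8wekyb3d8bbwe'
    'Microsoft.BingSports'          = '8wekyb3d8bbwe'
    'Microsoft.BingNews'            = '8wekyb3d8bbwe'
    'Microsoft.BingFinance'         = '8wekyb3d8bbwe'
    'Microsoft.549981C3F5F10'       = '8wekyb3d8bbwe'
    'Microsoft.DesktopAppInstaller' = '8wekyb3d8bbwe'
}

function Get-StoreAppState {
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary] $Targets
    )
    # Installed: registered for at least one user profile (-AllUsers needs elevation).
    $installed   = @(Get-AppxPackage -AllUsers)
    # Provisioned: staged in the OS image and installed at a new user's first sign-in.
    $provisioned = @(Get-AppxProvisionedPackage -Online)

    foreach ($name in $Targets.Keys) {
        $publisher = $Targets[$name]
        $family    = '{0}_{1}' -f $name, $publisher
        $pkgs = @($installed | Where-Object { $_.PackageFamilyName -eq $family })
        $prov = @($provisioned | Where-Object {
            $_.DisplayName -eq $name -and $_.PublisherId -eq $publisher
        })

        # Removing only one of the two states leaves the app reachable:
        # an installed copy stays with existing users, a provisioned copy
        # is installed again for every newly created account.
        $verdict =
            if ($pkgs.Count -gt 0 -and $prov.Count -gt 0) { 'Present for existing and new users' }
            elseif ($pkgs.Count -gt 0) { 'Installed for existing users only' }
            elseif ($prov.Count -gt 0) { 'Will be installed for new user accounts' }
            else { 'Absent' }

        [pscustomobject]@{
            Package       = $name
            Installed     = $pkgs.Count -gt 0
            Provisioned   = $prov.Count -gt 0
            # NonRemovable packages are refused by a plain Remove-AppxPackage.
            NonRemovable  = [bool]($pkgs | Where-Object { $_.NonRemovable })
            # System apps typically report the signature kind 'System'.
            SignatureKind = ($pkgs.SignatureKind | Sort-Object -Unique) -join ','
            Verdict       = $verdict
        }
    }
}

function Get-FrameworkDependents {
    # For each framework package, list the non-framework packages that still
    # depend on it. A framework with dependents cannot be removed on its own.
    $all = @(Get-AppxPackage -AllUsers)
    foreach ($fw in $all | Where-Object { $_.IsFramework }) {
        $dependents = @($all | Where-Object {
            -not $_.IsFramework -and
            ($_.Dependencies.PackageFullName -contains $fw.PackageFullName)
        })
        [pscustomobject]@{
            Framework      = $fw.PackageFullName
            DependentCount = $dependents.Count
            Dependents     = ($dependents.Name | Sort-Object -Unique) -join ', '
        }
    }
}

Get-StoreAppState -Targets $targets | Format-Table -AutoSize
Get-FrameworkDependents | Sort-Object DependentCount | Format-Table -AutoSize -Wrap
```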
children:
# 💡 Good information for development:
# - Find out package name from store ID: https://archive.ph/2023.10.20-135401/https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn
# ❗ Excluded apps with justifications:
# - `Microsoft.Windows.ShellExperienceHost`: "Start app", required for different setting windows such as WiFi and battery panes in action bar.
# - `Windows.immersivecontrolpanel` : "Settings app", required for settings view.
# - Framework apps:
# Excluded apps:
# Microsoft.UI.Xaml.CBS, Microsoft.NET.Native.Framework.2.2, Microsoft.NET.Native.Runtime.2.2, Microsoft.VCLibs.140.00.UWPDesktop, Microsoft.UI.Xaml.2.7
# Microsoft.VCLibs.140.00, Microsoft.UI.Xaml.2.4, Microsoft.WindowsAppRuntime.CBS, Microsoft.WindowsAppRuntime.1.2, Microsoft.UI.Xaml.2.0, Microsoft.Advertising.Xaml
# Microsoft.NET.Native.Framework.1.7, Microsoft.NET.Native.Runtime.1.7-
# List out framework packages:
# Get-AppxPackage | Where-Object { $_.IsFramework -eq $true } | Select-Object -ExpandProperty Name
-
name: Remove "App Connector" app
recommend: strict
docs: |-
This script uninstalls the "App Connector" Windows app.
The App Connector app accesses elements like your location, camera, contacts, and calendars [1] [2] [3].
This raises some concerns about user privacy [2].
In simpler terms, the App Connector acts as a bridge, facilitating communication
between Microsoft services and other apps over the Internet [2] [4] [5]. It's primarily aimed at developers, enabling them to connect with
Microsoft cloud services, such as Azure, or with other internet-based applications [4]. It's essentially a means to allow services to interact with tools
like Microsoft Power Automate, Microsoft Power Apps, and Azure Logic Apps [4]. Common services that can be connected using this include Salesforce,
Office 365, Twitter, Dropbox, and Google services [4].
To secure these connections, connectors typically use OAuth or usernames and passwords [5].
This app comes pre-installed on certain versions of Windows [6]. It was last seen on Windows 10 1511.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231009125830/https://indiaplus.in/app-connector/ "What Is An App Connector: Windows 10 | indiaplus.in"
[2]: https://web.archive.org/web/20231009125808/https://answers.microsoft.com/en-us/windows/forum/all/windows-10-app-connector-and-windows-shell/975e590b-1258-4552-b50f-f8e20e9aa285?page=2 "Windows 10 app connector and Windows Shell Experience - Microsoft Community"
[3]: https://web.archive.org/web/20231009125714/https://www.howtogeek.com/247661/nobody-knows-what-windows-10s-app-connector-is-and-microsoft-wont-explain-it/ "Nobody Knows What Windows 10's App Connector Is, and Microsoft Won't Explain It | howtogeek.com"
[4]: https://web.archive.org/web/20231009125723/https://learn.microsoft.com/en-us/connectors/connectors "Power Platform connectors overview | Microsoft Learn"
[5]: https://web.archive.org/web/20150502190718/https://azure.microsoft.com/en-us/documentation/articles/app-service-logic-data-connectors/ "Microsoft Azure API Apps Data Connectors | API Apps microservice | azure.microsoft.com"
[6]: https://web.archive.org/web/20230929130219/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004#delete-the-payload-of-uwp-apps "Optimizing Windows 10, Build 2004, for a Virtual Desktop role | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Appconnector # Get-AppxPackage Microsoft.Appconnector
publisherId: 8wekyb3d8bbwe
-
category: Remove 3D modeling apps
docs: |-
This category provides scripts for uninstalling pre-installed 3D modeling applications from Windows.
3D modeling applications allow users to create, visualize, and manipulate three-dimensional objects in a virtual space.
They are particularly useful for designers, artists, and professionals who need to create 3D designs for various purposes.
These apps, while useful for certain users, might not be required by everyone, thus providing the option to uninstall them.
children:
-
name: Remove insecure "Print 3D" app
recommend: standard # Deprecated application with known security vulnerabilities; removal does not impact essential system functionality
docs: |-
This script uninstalls the "Print 3D" application.
This app enhances 3D printing by supporting network printers, optimizing settings, and rendering objects realistically [1].
However, this app poses certain risks.
The application can access the Internet, home or work networks, and your 3D objects [1].
It has known serious security vulnerabilities such as "Remote Code Execution Vulnerability" [2].
These vulnerabilities allow attackers to remotely execute malicious code on your system.
This app is no longer supported [3], and Microsoft does not plan to issue patches [2].
Removing this app mitigates security risks, enhances privacy by reducing data exposure,
and frees up system resources, potentially improving performance.
Microsoft has deprecated the "Print 3D" app in favor of the "Microsoft 3D Builder" app [3].
It is recommended to upgrade to this newer application for ongoing support and features.
This script removes both the legacy `Windows.Print3D` and the current `Microsoft.Print3D` packages from your system.
The `Windows.Print3D` package name was changed to `Microsoft.Print3D` starting with Windows 1903 [4].
See also: [Microsoft Store Page](https://web.archive.org/web/20211207041221/https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s?activetab=pivot:overviewtab)
### Overview of default preinstallation
`Microsoft.Print3D`:
This app comes pre-installed on certain versions of Windows [4] [5] [6] [7].
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
`Windows.Print3D`:
This app comes pre-installed on certain versions of Windows [4] [5] [8].
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231003172322/https://apps.microsoft.com/store/detail/3d-builder/9WZDNCRFJ3T6?hl=en-us "3D Builder - Microsoft Store Apps | apps.microsoft.com"
[2]: https://archive.ph/2024.05.20-104104/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23378 "CVE-2023-23378 - Security Update Guide - Microsoft - Print 3D Remote Code Execution Vulnerability | msrc.microsoft.com"
[3]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240520104135/https://github.com/MicrosoftDocs/windows-itpro-docs/pull/4153#issuecomment-519160643 "Provisioned Apps list + System Apps list for Windows 10 1903 by RAJU2529 · Pull Request #4153 · MicrosoftDocs/windows-itpro-docs | github.com"
[5]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[6]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[7]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
[8]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.Print3D # Get-AppxPackage Microsoft.Print3D
publisherId: 8wekyb3d8bbwe
-
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Windows.Print3D # Get-AppxPackage Windows.Print3D
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft 3D Builder" app
docs: |-
This script uninstalls the "Microsoft 3D Builder" app.
Microsoft 3D Builder offers tools for creating, viewing, and printing 3D objects [1].
It supports editing various 3D file types with features like material rendering, texture layering,
and includes tools to prepare models for 3D printing [1].
This app succeeded the older "Print 3D" app as the default 3D printing software starting with Windows 10 version 19H1 [2].
This application uses your webcam, microphone, and internet connection [1], posing privacy risks due to potential data exposure.
Uninstalling this app reduces privacy risks, frees up system resources, and minimizes the attack surface, thereby enhancing security.
See also: [Microsoft Store Page](https://archive.ph/2024.05.23-070639/https://apps.microsoft.com/detail/9wzdncrfj3t6?hl=en-us&gl=US)
### Overview of default preinstallation
This app comes pre-installed on certain versions of Windows [3] [4] [5].
It has not been installed by default since Windows 10 version 1709 [6].
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://archive.ph/2024.05.23-070639/https://apps.microsoft.com/detail/9wzdncrfj3t6?hl=en-us&gl=US "3D Builder - Microsoft Store Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20240403064138/https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features "Deprecated features in the Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[5]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
[6]: https://web.archive.org/web/20240520103449/https://learn.microsoft.com/en-us/windows/whats-new/removed-features "Features and functionality removed in Windows client - What's new in Windows | Microsoft Learn | learn.microsoft.com"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.3DBuilder # Get-AppxPackage Microsoft.3DBuilder
publisherId: 8wekyb3d8bbwe
-
name: Remove "3D Viewer" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003172807/https://apps.microsoft.com/store/detail/3d-viewer/9NBLGGH42THS?hl=en-us)
It's also known as "Microsoft 3D Viewer" [1].
This app comes pre-installed on certain versions of Windows [2] [3] [4]. It was added in Windows 10, version 1703 [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Microsoft3DViewer # Get-AppxPackage Microsoft.Microsoft3DViewer
publisherId: 8wekyb3d8bbwe
-
category: Remove MSN (Bing) apps
docs: |-
This category includes scripts to uninstall MSN (sometimes branded as "Bing" or just "Microsoft") applications from Windows.
MSN apps come bundled with Windows and provide users with information from various domains such as weather, sports, news,
and finance. While they offer easy access to curated content right from the desktop, not all users find them essential.
If users prefer other sources or tools for this information, they might wish to uninstall these default apps to declutter their system.
children:
-
name: Remove "MSN Weather" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003173207/https://apps.microsoft.com/store/detail/msn-weather/9WZDNCRFJ3Q2?hl=en-us)
It's also known as just the "Weather" app [1], and was previously known as "Bing Weather" [2].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingWeather # Get-AppxPackage Microsoft.BingWeather
publisherId: 8wekyb3d8bbwe
-
name: Remove "MSN Sports" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20221204144111/https://apps.microsoft.com/store/detail/msn-sports/9WZDNCRFHVH4?hl=en-us&gl=us)
It's also known as just the "Sports" app [1].
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingSports # Get-AppxPackage Microsoft.BingSports
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft News" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003194608/https://apps.microsoft.com/store/detail/microsoft-news/9WZDNCRFHVFW?hl=en-us)
It's also known as just the "News" app [1].
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingNews # Get-AppxPackage Microsoft.BingNews
publisherId: 8wekyb3d8bbwe
-
name: Remove "MSN Money" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003195625/https://apps.microsoft.com/store/detail/msn-money/9WZDNCRFHV4V)
It's also known as just the "Money" app [1].
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingFinance # Get-AppxPackage Microsoft.BingFinance
publisherId: 8wekyb3d8bbwe
-
name: Remove "Cortana" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003195834/https://apps.microsoft.com/store/detail/cortana/9NFFX4SZZ23L)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.549981C3F5F10 # Get-AppxPackage Microsoft.549981C3F5F10
publisherId: 8wekyb3d8bbwe
-
name: Remove "App Installer" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003200344/https://apps.microsoft.com/store/detail/app-installer/9NBLGGH4NNS1)
It's also known as the "Desktop App Installer" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.DesktopAppInstaller # Get-AppxPackage Microsoft.DesktopAppInstaller
publisherId: 8wekyb3d8bbwe
-
name: Remove "Get Help" app (breaks built-in troubleshooting)
docs: |-
This script removes the "Get Help" app.
This app comes pre-installed on certain versions of Windows [1] [2] [3].
"Get Help" is an application designed to assist users with Windows-related issues [4]. It offers solutions through
troubleshooters, instant answers, and Microsoft support articles. It connects users with Microsoft support agents
and the Microsoft community for personalized assistance [4].
Removing "Get Help" not only supports a minimalist system approach but also helps reduce potential data collection.
Typically, support tools like "Get Help" gather diagnostic data and user interactions, which are used to improve service and
provide tailored support. By uninstalling this app, users can enhance their privacy by reducing their digital footprint.
However, removing "Get Help" disrupts some system support functionalities. For instance, the built-in internet
troubleshooting feature will cease to function [5]. Attempts to diagnose network problems from the system tray will result in
an error message, indicating the absence of an application to manage the troubleshooting process [5].
The script also affects system-generated URLs such as `ms-contact-support://oem/<Manufacturer>`, which direct to OEM-specific
support services [6]. Post-removal, users will need to identify alternative support options for system troubleshooting.
See also: [Microsoft Store Page](https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T)
> **Caution:** Removing the "Get Help" app limits access to Windows' built-in support resources and troubleshooting tools.
> This action may hinder your ability to receive direct assistance from Microsoft and utilize automatic problem-solving features for system issues.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231003200627/https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T "Get Help - Microsoft Store Apps | apps.microsoft.com"
[5]: https://github.com/undergroundwires/privacy.sexy/issues/280 '[BUG]: Removing "Get Help" breaks internet troubleshooting · Issue #280 · undergroundwires/privacy.sexy | github.com/undergroundwires'
[6]: https://web.archive.org/web/20231106214139/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-get-help-app "Customize the Get Help app | Microsoft Learn | learn.microsoft.com"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.GetHelp # Get-AppxPackage Microsoft.GetHelp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Tips" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003200952/https://apps.microsoft.com/store/detail/microsoft-tips/9WZDNCRDTBJJ)
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Getstarted # Get-AppxPackage Microsoft.Getstarted
publisherId: 8wekyb3d8bbwe
-
category: Remove extension apps
docs: |-
This category contains scripts to uninstall extension apps.
Extension apps are add-ons that enhance functionality related to media, images, and other software capabilities.
Many of these extensions come pre-installed on some Windows versions [1].
While they can be helpful, not everyone needs them.
Unused extensions can present security risks due to potential critical vulnerabilities [2] [3].
A critical vulnerability is a serious security risk that could allow attackers to gain full control of your system.
This risk is heightened because extensions usually have extensive access to the system.
By using these scripts, you can remove unnecessary extensions to improve your computer's security and lower the risk
of cyber attacks, a proactive measure for security and privacy.
> **Caution:** Uninstalling extensions could affect certain features, such as media playback or image processing.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231230081051/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-80307/Microsoft-Hevc-Video-Extensions.html "Microsoft Hevc Video Extensions : Security vulnerabilities, CVEs | cvedetails.com"
[3]: https://web.archive.org/web/20231231094958/https://www.opencve.io/cve?vendor=microsoft&product=raw_image_extension "Microsoft - Raw Image Extension CVE - OpenCVE | www.opencve.io"
children:
-
name: Remove "HEIF Image Extensions" app
docs: |-
This script uninstalls the "HEIF Image Extensions" app.
The HEIF Image Extension lets Windows devices read and write files in the High Efficiency Image File (HEIF) format,
commonly with `.heic` or `.heif` extensions [1].
This app contains high severity vulnerabilities in certain versions [2].
A high severity vulnerability is a serious security risk that could allow attackers to gain full control of your system.
Removing this app will improve your system's security and reduce the risk of these threats.
This app comes pre-installed on certain versions of Windows [3] [4].
[Microsoft Store Page](https://web.archive.org/web/20231003201158/https://apps.microsoft.com/store/detail/heif-image-extensions/9PMMSR1CGPWG)
> **Caution:** Removing this app could impact your ability to view and manage high-efficiency image files in `.heic` or `.heif` formats.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231003201158/https://apps.microsoft.com/store/detail/heif-image-extensions/9PMMSR1CGPWG "HEIF Image Extensions - Microsoft Store Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20231231101743/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-88754/Microsoft-Heif-Image-Extension.html "Microsoft Heif Image Extension : Security vulnerabilities, CVEs | cvedetails.com"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.HEIFImageExtension # Get-AppxPackage Microsoft.HEIFImageExtension
publisherId: 8wekyb3d8bbwe
-
name: Remove "VP9 Video Extensions" app
docs: |-
This script uninstalls the "VP9 Video Extensions" app.
The "VP9 Video Extensions" app facilitates the playback of VP9 video format, widely used for internet streaming,
across various video applications on Windows [1]. The app leverages hardware capabilities on newer devices for
enhanced performance and offers software support where such hardware is absent [1].
This app contains high severity vulnerabilities in certain versions [2].
A high severity vulnerability is a serious security risk that could allow attackers to gain full control of your system.
Removing this app will improve your system's security and reduce the risk of these threats.
This app comes pre-installed on certain versions of Windows [3] [4].
[Microsoft Store Page](https://web.archive.org/web/20231003201732/https://apps.microsoft.com/store/detail/vp9-video-extensions/9N4D0MSMP0PT)
> **Caution:** Removing this app could impact your ability to play VP9 video content, widely used in internet streaming.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231003201732/https://apps.microsoft.com/store/detail/vp9-video-extensions/9N4D0MSMP0PT "VP9 Video Extensions - Microsoft Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20231231101046/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-82475/version_id-637349/Microsoft-Vp9-Video-Extensions--.html "Microsoft Vp9 Video Extensions version - : Security vulnerabilities, CVEs | cvedetails.com"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.VP9VideoExtensions # Get-AppxPackage Microsoft.VP9VideoExtensions
publisherId: 8wekyb3d8bbwe
-
name: Remove "Web Media Extensions" app
docs: |-
This script uninstalls the "Web Media Extensions" app.
The "Web Media Extensions" package enhances Microsoft Edge and Windows by supporting open source formats commonly used on the web [1].
It enables native playback of media in OGG format and content encoded with Vorbis or Theora codecs [1].
This app contains high severity vulnerabilities in certain versions [2].
A high severity vulnerability is a serious security risk that could allow attackers to gain full control of your system.
Removing this app will improve your system's security and reduce the risk of these threats.
This app comes pre-installed on certain versions of Windows [3] [4].
[Microsoft Store Page](https://archive.ph/2023.12.31-102721/https://apps.microsoft.com/detail/9N5TDP8VCMHS?hl=en-us&gl=US)
> **Caution:** Removing this app may limit playback of media in OGG format or content encoded with Vorbis or Theora codecs.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://archive.ph/2023.12.31-102721/https://apps.microsoft.com/detail/9N5TDP8VCMHS?hl=en-us&gl=US "Web Media Extensions - Microsoft Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20231231101609/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-94822/Microsoft-Web-Media-Extensions.html "Microsoft Web Media Extensions : Security vulnerabilities, CVEs | cvedetails.com"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WebMediaExtensions # Get-AppxPackage Microsoft.WebMediaExtensions
publisherId: 8wekyb3d8bbwe
-
name: Remove "Webp Image Extensions" app
docs: |-
This script uninstalls the "Webp Image Extensions" app.
The "Webp Image Extensions" app allows the Microsoft Edge browser to display WebP images [1].
WebP is an advanced image format offering efficient compression to support smaller, high-quality images on the web [1].
This app contains vulnerabilities in certain versions [2].
Removing this app will improve your system's security and reduce the risk of these threats.
This app comes pre-installed on certain versions of Windows [3] [4].
[Microsoft Store Page](https://web.archive.org/web/20231003202310/https://apps.microsoft.com/store/detail/webp-image-extensions/9PG2DK419DRG)
> **Caution:** Removing this app may affect your ability to view WebP images in the Microsoft Edge browser and other applications.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231003202310/https://apps.microsoft.com/store/detail/webp-image-extensions/9PG2DK419DRG "Webp Image Extensions - Microsoft Store Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20231231095646/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-88755/Microsoft-Webp-Image-Extension.html "Microsoft Webp Image Extension : Security vulnerabilities, CVEs | cvedetails.com"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WebpImageExtension # Get-AppxPackage Microsoft.WebpImageExtension
publisherId: 8wekyb3d8bbwe
-
name: Remove "HEVC Video Extensions" app
docs: |-
This script uninstalls the "HEVC Video Extensions" app.
The app is designed to extend the capability of Windows to play and produce HEVC (High Efficiency Video Coding)
encoded video content, which is key for high-quality video formats like 4K and Ultra HD [1].
The app utilizes hardware features in newer devices to enhance video quality [1]. However, for devices lacking hardware support,
the app provides software support, although the performance might vary based on video resolution and PC capabilities [1].
It also includes the H265 codec, essential for HEVC video processing [2].
This app contains critical severity vulnerabilities in certain versions [3].
A critical vulnerability is a serious security risk that could allow attackers to gain full control of your system.
Removing this app will improve your system's security and reduce the risk of these threats.
This app comes pre-installed on certain versions of Windows [4].
[Microsoft Store Page](https://archive.ph/2023.12.30-072158/https://apps.microsoft.com/detail/9NMZLZ57R3T7?hl=en-us&gl=US)
> **Caution:** Removing this app could impact your ability to handle HEVC-encoded content.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://archive.ph/2023.12.30-072158/https://apps.microsoft.com/detail/9NMZLZ57R3T7?hl=en-us&gl=US "HEVC Video Extensions - Microsoft Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20231230073622/https://learn.microsoft.com/en-us/azure/remote-rendering/resources/troubleshoot#h265-codec-not-available "Troubleshoot - Azure Remote Rendering | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231230081051/https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-80307/Microsoft-Hevc-Video-Extensions.html "Microsoft Hevc Video Extensions : Security vulnerabilities, CVEs | cvedetails.com"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.HEVCVideoExtension # Get-AppxPackage Microsoft.HEVCVideoExtension
publisherId: 8wekyb3d8bbwe
-
name: Remove "Raw Image Extension" app
docs: |-
This script uninstalls the "Raw Image Extension" app.
This app enables viewing support for raw file formats from digital cameras directly in Windows File
Explorer and the Photos app [1]. It utilizes the [libraw](https://www.libraw.org/) open source project for this functionality [1].
This app contains critical severity vulnerabilities in certain versions [2].
A critical vulnerability is a serious security risk that could allow attackers to gain full control of your system.
Removing this app will improve your system's security and reduce the risk of these threats.
[Microsoft Store Page](https://archive.ph/2023.12.30-072308/https://apps.microsoft.com/detail/9NCTDW2W1BH8?hl=en-US&gl=US)
> **Caution:** Uninstalling this app may limit your ability to view and handle raw images from digital cameras.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://archive.ph/2023.12.30-072308/https://apps.microsoft.com/detail/9NCTDW2W1BH8?hl=en-US&gl=US "Raw Image Extension - Microsoft Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20231231094958/https://www.opencve.io/cve?vendor=microsoft&product=raw_image_extension "Microsoft - Raw Image Extension CVE - OpenCVE | www.opencve.io"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.RawImageExtension # Get-AppxPackage Microsoft.RawImageExtension
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Messaging" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003202812/https://apps.microsoft.com/store/detail/microsoft-messaging/9WZDNCRFJBQ6)
It's also known as just "Messaging" [1] or "Skype Video" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Messaging # Get-AppxPackage Microsoft.Messaging
publisherId: 8wekyb3d8bbwe
-
name: Remove "Mixed Reality Portal" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003202910/https://apps.microsoft.com/store/detail/mixed-reality-portal/9NG1H8B3ZC7M)
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MixedReality.Portal # Get-AppxPackage Microsoft.MixedReality.Portal
publisherId: 8wekyb3d8bbwe
-
category: Remove Microsoft Office apps
docs: |-
This category focuses on scripts that help uninstall select Microsoft Office apps that may come pre-installed with Windows.
The Microsoft Office suite is a popular productivity suite, providing tools for a wide range of tasks like document creation,
note-taking, and interactive presentation development. However, while many of these apps like Word, Excel, and PowerPoint are
commonly used, some other apps like My Office, OneNote, and Sway might not be essential for all users, especially if users have
other preferred tools or the web versions suit their needs better.
children:
-
name: Remove "Microsoft 365 (Office)" app
recommend: standard
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-113623/https://apps.microsoft.com/detail/microsoft-365-(office)/9WZDNCRD29V9?hl=en-us&gl=SE)
It was formerly known as just the "Office" app [1] [2].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftOfficeHub # Get-AppxPackage Microsoft.MicrosoftOfficeHub
publisherId: 8wekyb3d8bbwe
-
name: Remove "OneNote" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003203445/https://apps.microsoft.com/store/detail/onenote/9WZDNCRFHVJL)
This app was previously known as "OneNote for Windows 10" [1] [2].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Office.OneNote # Get-AppxPackage Microsoft.Office.OneNote
publisherId: 8wekyb3d8bbwe
-
name: Remove "Sway" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003204225/https://apps.microsoft.com/store/detail/sway/9WZDNCRD2G0J?hl=en-us)
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Office.Sway # Get-AppxPackage Microsoft.Office.Sway
publisherId: 8wekyb3d8bbwe
-
name: Remove "Feedback Hub" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231003210719/https://apps.microsoft.com/store/detail/feedback-hub/9NBLGGH4R32N)
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsFeedbackHub # Get-AppxPackage Microsoft.WindowsFeedbackHub
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Alarms and Clock" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092407/https://apps.microsoft.com/store/detail/windows-clock/9WZDNCRFJ3PR)
This app was previously named "Windows Alarms & Clock" [1] [2].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsAlarms # Get-AppxPackage Microsoft.WindowsAlarms
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Camera" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092455/https://apps.microsoft.com/store/detail/windows-camera/9WZDNCRFJBBG)
It's also known as just "Camera" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsCamera # Get-AppxPackage Microsoft.WindowsCamera
publisherId: 8wekyb3d8bbwe
-
name: Remove "Paint 3D" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092446/https://apps.microsoft.com/store/detail/paint-3d/9NBLGGH5FV99)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MSPaint # Get-AppxPackage Microsoft.MSPaint
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Maps" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092559/https://apps.microsoft.com/store/detail/windows-maps/9WZDNCRDTBVB)
It is also known as just "Maps" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsMaps # Get-AppxPackage Microsoft.WindowsMaps
publisherId: 8wekyb3d8bbwe
-
name: Remove "Minecraft for Windows" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004092835/https://apps.microsoft.com/store/detail/minecraft-for-windows/9nblggh2jhxj)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MinecraftUWP # Get-AppxPackage Microsoft.MinecraftUWP
publisherId: 8wekyb3d8bbwe
-
category: Remove Microsoft Store apps
docs: |-
This category houses scripts dedicated to uninstalling specific applications related to the Microsoft Store.
As the digital storefront for Microsoft, the Microsoft Store is a hub for apps, games, movies, and other content.
While it provides a convenient method of obtaining software, some users might wish to uninstall or disable it for
reasons like performance optimization or data privacy concerns.
As always, when disabling or uninstalling core system apps, it is crucial to be informed of the potential repercussions
and act carefully.
children:
-
name: Remove "Microsoft Store" app
docs: |-
This script aims to uninstall the Microsoft Store app (also known as Store [1]).
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
Microsoft has mentioned that it doesn't officially support the uninstallation of this app [4] [5]. Removing it might lead to unwanted
effects [5].
The Microsoft Store is subject to the data collection policies laid out in the Windows privacy statement [6]. It can collect diagnostic
data about your device, its settings, and capabilities [7]. This data is sent to Microsoft and can include unique identifiers, potentially
allowing Microsoft to recognize a user and their device [7]. Additionally, the data can offer insights into your device's settings,
capabilities, health, visited websites, device activity (or usage), and the memory state of your device [7]. Sometimes, this might
inadvertently include parts of a file you are using [7].
From a security perspective, the Microsoft Store increases potential risks, as it has known vulnerabilities [8].
To address privacy and security concerns, it might be beneficial to disable the Microsoft Store and explore alternative methods for
software package management. However, considering the official stance from Microsoft on uninstallation, it's important to understand that
this action might affect some core functionalities of the operating system.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20231004094641/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/pre-installed-microsoft-store-app-removed-logon "Pre-installed Microsoft Store app is removed at first Windows logon - Windows Client | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[5]: https://web.archive.org/web/20231004093559/https://learn.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/cannot-remove-uninstall-or-reinstall-microsoft-store-app "Can't remove, uninstall, or reinstall Microsoft Store app - Windows Client | Microsoft Learn"
[6]: https://web.archive.org/web/20231004094058/https://github.com/microsoft/winget-cli/issues/179#issuecomment-631183527 "Please include ability to opt out of telemetry and clear documentation on how to opt out · Issue #179 · microsoft/winget-cli · GitHub"
[7]: https://web.archive.org/web/20231004094657/https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319#ID0EDF "Diagnostics, feedback, and privacy in Windows - Microsoft Support"
[8]: https://web.archive.org/web/20231004100105/https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=microsoft+store&queryType=phrase&search_type=all&isCpeNameSearch=false "Search: Microsoft Store | NVD - Results | nist.gov"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsStore # Get-AppxPackage Microsoft.WindowsStore
publisherId: 8wekyb3d8bbwe
-
name: Remove "Store Purchase" app
docs: |-
This script uninstalls the "Store Purchase" app.
The Store Purchase app is linked with the purchase feature in the Store app, allowing users to view their purchase history without needing to open a separate
website [1]. This app is not well-documented officially by Microsoft.
This app comes pre-installed on certain Windows versions [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231004133326/https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps "Store Purchase App | social.technet.microsoft.com"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.StorePurchaseApp # Get-AppxPackage Microsoft.StorePurchaseApp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft People" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004105428/https://apps.microsoft.com/store/detail/microsoft-people/9NBLGGH10PG8)
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.People # Get-AppxPackage Microsoft.People
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Pay" app
docs: |-
This script uninstalls the Microsoft Pay app. Microsoft Pay, previously known as "Microsoft Wallet" [1] [2] [3], is a
cloud-based payment and wallet technology provided by Microsoft [2]. This system enables users to make payments through
Microsoft Pay on websites, within Universal Windows Platform (UWP) apps, and through Microsoft Bot Framework bots [4].
The primary function of Microsoft Pay is to facilitate payments using banks and credit cards [3]. The app integrates with
the Microsoft Edge browser [5] and stores card data [4].
This app comes pre-installed on certain versions of Windows [1] [6] [7] [8] [9].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20240217204237/https://learn.microsoft.com/en-us/windows/privacy/manage-windows-1903-endpoints "Connection endpoints for Windows 10 Enterprise, version 1903 - Windows Privacy | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20231004112830/https://blogs.windows.com/windows-insider/2016/06/21/microsoft-wallet-with-tap-to-pay-is-now-available-for-windows-insiders/ "Microsoft Wallet with tap to pay is now available for Windows Insiders | Windows Insider Blog"
[3]: https://web.archive.org/web/20180216173337/http://www.microsoft.com/wallet/ "Microsoft Wallet: Digital Wallet for Secure Mobile Payments"
[4]: https://web.archive.org/web/20230609124956/https://stripe.com/docs/microsoft-pay "Microsoft Pay | Stripe Documentation"
[5]: https://web.archive.org/web/20231004112732/https://support.microsoft.com/en-us/microsoft-edge/features-currently-not-available-in-the-new-microsoft-edge-4307f116-8184-0c59-dcb4-3c55e00f70bf "Features currently not available in the new Microsoft Edge - Microsoft Support"
[6]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[7]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[8]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[9]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Wallet # Get-AppxPackage Microsoft.Wallet
publisherId: 8wekyb3d8bbwe
-
name: Remove "Mobile Plans" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004142628/https://apps.microsoft.com/store/detail/mobile-plans/9NBLGGH5PNB1)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.OneConnect # Get-AppxPackage Microsoft.OneConnect
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Solitaire Collection" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20230609084501/https://apps.microsoft.com/store/detail/microsoft-solitaire-collection/9wzdncrfhwd2)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftSolitaireCollection # Get-AppxPackage Microsoft.MicrosoftSolitaireCollection
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Sticky Notes" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20230806145300/https://apps.microsoft.com/store/detail/microsoft-sticky-notes/9NBLGGH4QGHW)
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftStickyNotes # Get-AppxPackage Microsoft.MicrosoftStickyNotes
publisherId: 8wekyb3d8bbwe
-
category: Remove Xbox apps
docs: |-
This category contains scripts designed to uninstall specific Windows apps related to Xbox.
Uninstalling these apps may enhance system performance and privacy, as fewer apps are running in the background, accessing personal data or utilizing system resources.
If you're not using these services or apps, it might be beneficial to disable them for a cleaner and more privacy-focused user experience.
children:
-
name: Remove "Xbox Console Companion" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004143830/https://apps.microsoft.com/store/detail/xbox-console-companion/9WZDNCRFJBD8)
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
It's part of Microsoft Game Development Kit (GDK) [5].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
[5]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxApp # Get-AppxPackage Microsoft.XboxApp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Live in-game experience" app
recommend: standard
docs: |-
This script uninstalls the "Xbox Live in-game experience" app [1].
This application provides TCUI functionality [1]. Title-callable UI (TCUI) is a feature that allows game code to invoke pre-defined
user interface displays [2].
This app comes pre-installed on certain versions of Windows [1] [3] [4].
It's part of Microsoft Game Development Kit (GDK) [5].
Running this script can contribute to user privacy by removing unnecessary apps that may have predefined interfaces linked with
Xbox Live, minimizing potential data interactions with the system.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231004144304/https://github.com/MicrosoftDocs/xbox-live-docs/blob/docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md "xbox-live-docs/xbox-live-docs-pr/features/general/tcui/live-tcui-overview.md at docs · MicrosoftDocs/xbox-live-docs · GitHub"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
[5]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Xbox.TCUI # Get-AppxPackage Microsoft.Xbox.TCUI
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Game Bar" app
recommend: standard
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004144844/https://apps.microsoft.com/store/detail/xbox-game-bar/9NZKPSTSNW4P)
This app comes pre-installed on certain versions of Windows [1] [2].
It's part of Microsoft Game Development Kit (GDK) [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxGamingOverlay # Get-AppxPackage Microsoft.XboxGamingOverlay
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Game Bar Plugin" app
recommend: standard
docs: |-
It's part of Microsoft Game Development Kit (GDK) [1].
This app comes pre-installed on certain versions of Windows [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231004145519/https://learn.microsoft.com/pt-pt/gaming/gdk/_content/gc/networking/overviews/tools/fiddler-pc "Fiddler on Windows PC - Microsoft Game Development Kit | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxGameOverlay # Get-AppxPackage Microsoft.XboxGameOverlay
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Identity Provider" app (breaks Xbox sign-in)
recommend: strict
docs: |-
This script uninstalls the "Xbox Identity Provider" app.
This app enables your PC games to connect to Xbox Live [1].
Its removal can help prevent personal gaming data from being shared with Microsoft's servers.
Running this script will impact:
- Xbox sign-in for certain games, making it impossible to log in [2] [3] [4].
- Log-in functionality for Xbox Game Pass, leading to errors and inability to access games [5] [6].
- Log-in to the Xbox app itself [2] [4] [7] [8].
Common errors caused by the absence of this app include:
- "We tried to sign you in to your Microsoft Account, but something went wrong" [6].
- "You are not signed in to Xbox Live" [6].
- "We couldn't sign you in to Xbox Live. User Interaction is required for Authentication" [6].
- "We can't sign you in right now. Try again later. (`0x406`)" [7] [8].
This app comes pre-installed on certain versions of Windows [9] [10] [11] [12].
See also: [Microsoft Store Page](https://web.archive.org/web/20231004150131/https://apps.microsoft.com/store/detail/xbox-identity-provider/9WZDNCRD1HKW)
> **Caution:** Removing this app disrupts Xbox sign-in for games and services that require it,
> including Xbox Game Pass. Ensure you understand the impact on your gaming experience before proceeding.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231004150131/https://apps.microsoft.com/store/detail/xbox-identity-provider/9WZDNCRD1HKW "Xbox Identity Provider - Microsoft Store Apps | apps.microsoft.com"
[2]: https://github.com/undergroundwires/privacy.sexy/issues/79 "[BUG]: Xbox sign in not working · Issue #79 · undergroundwires/privacy.sexy | github.com"
[3]: https://github.com/undergroundwires/privacy.sexy/issues/181 "[BUG]: Standard Privacy Script mess with some online games · Issue #181 · undergroundwires/privacy.sexy | github.com"
[4]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy | github.com"
[5]: https://web.archive.org/web/20231206171549/https://www.reddit.com/r/theouterworlds/comments/dn73hf/xbox_game_pass_for_pc_problem_you_are_not_signed/?rdt=43601 "Xbox Game Pass for PC Problem: You are not signed in to Xbox Live. Cloud Saves are unavailable. : r/theouterworlds | reddit.com"
[6]: https://web.archive.org/web/20231206171559/https://bestgamingtips.com/fix-xbox-identity-provider-not-working/ "Xbox Live Identity Provider Not Working | Fix | bestgamingtips.com"
[7]: https://web.archive.org/web/20231206171520/https://answers.microsoft.com/en-us/windows/forum/all/xbox-app-error-0x406/09dc12db-97ee-4907-89b8-3a2b7ebe1507?page=13 "Page 13 | Xbox App Error 0x406 - Microsoft Community | answers.microsoft.com"
[8]: https://web.archive.org/web/20231206172303/https://windowsreport.com/xbox-sign-in-error-0x406/ "How to fix Xbox sign in error 0x406 | windowsreport.com"
[9]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[10]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[11]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[12]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxIdentityProvider # Get-AppxPackage Microsoft.XboxIdentityProvider
publisherId: 8wekyb3d8bbwe
-
name: Remove "Xbox Speech To Text Overlay" app
recommend: standard
docs: |-
This script uninstalls the "Xbox Speech To Text Overlay" app.
The app offers a speech-to-text feature for certain Xbox games. Specifically, it turns spoken words during a party chat into text which then
appears on the game screen [1]. This function is also called "game and chat transcription" and is compatible with games that support this feature [2].
The removal of this app can help in reclaiming system resources and enhancing user privacy, as it would reduce the number of tools with potential voice
data access. After uninstalling, the speech-to-text functionality in supported Xbox games may no longer be available.
This app comes pre-installed on certain versions of Windows [3] [4] [5].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231004150708/https://news.xbox.com/en-us/2021/06/15/june-2021-xbox-update/ "June Xbox Update: Party Chat Accessibility, Xbox App Official Posts, and More - Xbox Wire"
[2]: https://web.archive.org/web/20231004151225/https://support.xbox.com/en-US/help/account-profile/accessibility/use-game-chat-transcription "Use game and chat transcription on Xbox and Windows devices | Xbox Support"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[5]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxSpeechToTextOverlay # Get-AppxPackage Microsoft.XboxSpeechToTextOverlay
publisherId: 8wekyb3d8bbwe
-
name: Remove "Mail and Calendar" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231004175316/https://apps.microsoft.com/store/detail/mail-and-calendar/9WZDNCRFHVQM)
It was previously known as the "Outlook Calendar and Mail" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: microsoft.windowscommunicationsapps # Get-AppxPackage microsoft.windowscommunicationsapps
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Media Player" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231005124745/https://apps.microsoft.com/store/detail/windows-media-player/9WZDNCRFJ3PT)
This app was previously known as "Groove Music" [1] [2] [3].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ZuneMusic # Get-AppxPackage Microsoft.ZuneMusic
publisherId: 8wekyb3d8bbwe
-
name: Remove "Movies & TV" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231005124924/https://apps.microsoft.com/store/detail/movies-tv/9WZDNCRFJ3P2)
It's also known as the "Movies and TV" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ZuneVideo # Get-AppxPackage Microsoft.ZuneVideo
publisherId: 8wekyb3d8bbwe
-
name: Remove "Windows Calculator" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.06-182013/https://apps.microsoft.com/detail/windows-calculator/9WZDNCRFHVN5?hl=en-us&gl=JP)
It's also known as just "Calculator" [1].
This app comes pre-installed on certain versions of Windows [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsCalculator # Get-AppxPackage Microsoft.WindowsCalculator
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Photos" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.06-182550/https://apps.microsoft.com/detail/microsoft-photos/9WZDNCRFJBH4?hl=en-us&gl=CZ)
It's also known as just the "Photos" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Photos # Get-AppxPackage Microsoft.Windows.Photos
publisherId: 8wekyb3d8bbwe
-
name: Remove "Skype" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.06-182613/https://apps.microsoft.com/detail/9WZDNCRFJ364?hl=en-us&gl=US)
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.SkypeApp # Get-AppxPackage Microsoft.SkypeApp
publisherId: kzf8qxf38zg5c
-
name: Remove "GroupMe" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.06-182707/https://apps.microsoft.com/detail/groupme/9NBLGGH5Z4F2?hl=en-us&gl=SE)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.GroupMe10 # Get-AppxPackage Microsoft.GroupMe10
publisherId: kzf8qxf38zg5c
-
name: Remove "Windows Sound Recorder" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.06-182722/https://apps.microsoft.com/detail/windows-sound-recorder/9WZDNCRFHWKN?hl=en-us&gl=SE)
This app is also known as "Voice recorder" [1] or "Windows Voice Recorder" [2] [3].
This app comes pre-installed on certain versions of Windows [1] [2] [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231230073627/https://learn.microsoft.com/en-us/windows/application-management/remove-provisioned-apps-during-update "Keep removed apps from returning during an update - Windows Application Management | Microsoft Learn"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsSoundRecorder # Get-AppxPackage Microsoft.WindowsSoundRecorder
publisherId: 8wekyb3d8bbwe
-
category: Remove Phone apps
docs: |-
This category features scripts for managing Windows apps related to smartphones.
These scripts are for apps that connect smartphones to Windows, including dialer and other phone-related apps, even those that are outdated or replaced.
The scripts aim to let users control whether these apps stay or go, improving their control over personal settings.
These applications may pose privacy concerns due to their data sharing and synchronization capabilities.
Removing these apps improves privacy by stopping unwanted data sharing with Microsoft and reducing security risks.
This also improves system performance by reducing process count.
> **Caution:** Removal might affect smartphone integration features.
> Ensure you understand the implications and have alternative solutions if you rely on these features for your daily tasks.
children:
# Excluding:
# - `Microsoft.Windows.Phone`:
# Although occasionally mentioned in online scripts, there's no verifiable evidence of this package.
# References like "Windows Phone" (an operating system, not an app) and "Windows Phone Connector" (an app exclusively for macOS)
# suggest a mix-up with unrelated products.
-
name: Remove "Phone Companion" app # Deprecated in newer Windows
recommend: standard # Deprecated, impact on modern systems would be minimal
docs: |-
This script removes the "Phone Companion" app.
This app is also known as *Microsoft Phone Companion* [1] or, technically, `Microsoft.WindowsPhone` [2].
It integrated Windows PCs with mobile devices (Android, iPhone, and iPad) [1].
It enabled synchronization of music, photos, Word documents, and Cortana reminders across devices [1].
It provided setup instructions and syncing tips [1].
The app enabled users to check their device's battery and storage status and transfer files [1].
It supported Windows, Android, and iOS devices [1].
This app has been absent in Windows versions since October 2018, replaced by the *Phone Link* app [3].
Removing this app enhances privacy and system performance.
> **Caution:** Removal may impact device synchronization on older Windows versions reliant on this app's unique features.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20161230070534/https://www.microsoft.com/en-us/store/p/microsoft-phone-companion/9wzdncrfj3pm "Microsoft Phone Companion Windows Apps on Microsoft Store | web.archive.org"
[2]: https://web.archive.org/web/20240323103312/https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfj3pm/applockerdata "Microsoft.WindowsPhone | bspmts.mp.microsoft.com API | | bspmts.mp.microsoft.com"
[3]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsPhone # Get-AppxPackage Microsoft.WindowsPhone
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Phone" app # Windows 10 Mobile app, deprecated in newer Windows
recommend: standard # Deprecated, impact on modern systems would be minimal
docs: |-
This script removes the "Microsoft Phone" app.
This app is known as *Phone (dialer)* [1], *Microsoft Phone* [2], or `Microsoft.CommsPhone` [3].
This app enabled voice and video calls over cellular networks or Wi-Fi on Windows 10 Mobile [2].
It offered smart contact search, voicemail management, call recording, and call blocking [2].
This app comes pre-installed on certain versions of Windows [1] [4].
Windows 10 Mobile has reached end of support and is an outdated operating system [5].
Removing outdated and unsupported apps improves privacy and performance.
> **Caution:** If you are using a device still running on Windows 10 Mobile, uninstalling this app will remove your ability to make or receive phone
> calls, manage voicemail, or block unwanted calls directly from your device.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20240324180612/https://www.microsoft.com/en-us/p/microsoft-phone/9wzdncrdtbwp?activetab=pivot:overviewtab "Get Microsoft Phone - Microsoft Store | www.microsoft.com"
[3]: https://web.archive.org/web/20240324180601/https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrdtbwp/applockerdata "Microsoft.CommsPhone | bspmts.mp.microsoft.com API | | bspmts.mp.microsoft.com"
[4]: https://web.archive.org/web/20190420022129/https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile "Product IDs in Windows 10 Mobile (Windows 10) | Microsoft Docs | docs.microsoft.com"
[5]: https://web.archive.org/web/20240325084146/https://support.microsoft.com/en-us/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5 "Windows 10 Mobile End of Support: FAQ - Microsoft Support | support.microsoft.com"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.CommsPhone # Get-AppxPackage Microsoft.CommsPhone
publisherId: 8wekyb3d8bbwe
-
name: Remove "Phone Link" app
recommend: strict
docs: |-
This script removes the "Phone Link" app.
The app is known technically as `Microsoft.YourPhone` [1] [2] [3],
and was previously named *Your Phone* [2] [3] [4] [5] [6] and *Your Phone Companion* [4].
The app links your phone and Windows PC.
It allows you to share and manage content and communications across devices [5] [7] [8].
The app lets you text, make calls, use mobile apps, get notifications, and transfer files over Wi-Fi [5] [7] [8].
Launched in October 2018 as *Your Phone* and *Your Phone Companion* [4],
it was rebranded to *Microsoft Phone Link* in March 2022 [4] [9].
Originally developed for Android [8], through collaboration between Microsoft and Samsung [8],
it has extended support to iOS devices since April 26, 2023 [10].
Privacy concerns arise from personal data handling, unencrypted data transfer, and potential misuse:
- **No End-to-End Encryption:**
It is not end-to-end encrypted, raising doubts about data privacy and security during transfers [11].
- **Microsoft personal data collection:**
Personal data, including text messages, clipboard contents, photos, and notifications, are collected by Microsoft [6].
Microsoft confirms it stores and processes such data [6].
- **Malicious Usage:**
Misuse of the app, such as setting it up on a victim's phone to monitor communications without consent [12] [13], increases data leakage risks.
- **Lack of Privacy Transparency:**
The Microsoft Privacy Statement does not explicitly clarify that personal data is relayed through its servers, leading to possible
misconceptions about data handling [6] [14].
Microsoft's approach to privacy is criticized for lacking transparency [6] [11].
- **Sensitive Information Exposure:**
Data exposed to Microsoft, or received by an attacker, can include sensitive information such as the content of private messages, security
codes from authentication apps, caller identities, and more [6] [12].
This can contain personal, financial, or security-related data [6] [12].
- **Diagnostic Data Collection:**
The app collects diagnostic data, including potentially sensitive information about app usage [6].
- **Account Takeover:**
The app could be used in account takeover attempts by intercepting multi-factor authentication notifications [12].
- **Attack surface on Android:**
Android devices face more potential attack vectors than iOS devices due to internet-based connectivity [12].
This app comes pre-installed on certain versions of Windows [2] [3].
> **Caution:** Its absence may affect your workflow if you rely on its features for daily tasks.
> Consider [KDE Connect](https://kdeconnect.kde.org/) for similar, privacy-friendly features.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20240324181147/https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9NMPJ99VJBWV/applockerdata "Microsoft.YourPhone | bspmts.mp.microsoft.com API | | bspmts.mp.microsoft.com"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231006204400/https://support.microsoft.com/en-us/topic/introducing-microsoft-phone-link-and-link-to-windows-2e4bb4c0-f99a-4464-92a8-5264c7c39734 "Introducing Microsoft Phone Link and Link to Windows - Microsoft Support"
[5]: https://archive.ph/2024.03.24-181742/https://github.com/microsoftdocs/windows-insider/blob/public/wip/apps/your-phone.md "windows-insider/wip/apps/your-phone.md at public · MicrosoftDocs/windows-insider | github.com"
[6]: https://web.archive.org/web/20240325075627/https://www.ctrl.blog/entry/microsoft-phone-link-privacy.html "Phone Link relays your personal data through Microsoft servers | Ctrl blog | ctrl.blog"
[7]: https://archive.ph/2023.10.06-204308/https://apps.microsoft.com/detail/phone-link/9NMPJ99VJBWV?hl=en-us&gl=us "Phone Link - Microsoft Apps | apps.microsoft.com"
[8]: https://web.archive.org/web/20240324183306/https://blogs.windows.com/windowsexperience/2020/08/05/microsoft-and-samsung-expand-partnership-empowering-you-across-work-and-play/ "Microsoft and Samsung expand partnership, empowering you across work and play | Windows Experience Blog | blogs.windows.com"
[9]: https://web.archive.org/web/20240324183451/https://www.windowscentral.com/your-phone-renamed-phone-link "Microsoft renames Your Phone to Phone Link, partners with Honor for an expanded experience | Windows Central | windowscentral.com"
[10]: https://web.archive.org/web/20240324184511/https://blogs.windows.com/windowsexperience/2023/04/26/phone-link-for-ios-is-now-rolling-out-to-all-windows-11-customers/ "Phone Link for iOS is now rolling out to all Windows 11 customers | Windows Experience Blog | blogs.windows.com"
[11]: https://web.archive.org/web/20240325080949/https://www.windowscentral.com/software-apps/windows-11/microsofts-phone-link-is-the-best-new-windows-feature-of-the-past-decade "Microsoft's 'Phone Link' is the best new Windows feature of the past decade | Windows Central | www.windowscentral.com"
[12]: https://web.archive.org/web/20240325084649/https://irradiate.com.au/blog/securing-microsoft-phone-link "Navigating Security Challenges in Microsoft's Phone Link for Organization - Irradiate Security | irradiate.com.au"
[13]: https://web.archive.org/web/20240325080335/https://www.foxbusiness.com/technology/windows-11-phone-link-feature-could-exploited-cyberstalkers-spy-iphones-report "Windows 11 Phone Link feature could be exploited by cyberstalkers to spy on iPhones: report | Fox Business | foxbusiness.com"
[14]: https://web.archive.org/web/20230406235344/https://privacy.microsoft.com/en-us/privacystatement#mainyourphonemodule "Microsoft Privacy Statement Microsoft privacy | privacy.microsoft.com"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.YourPhone # Get-AppxPackage Microsoft.YourPhone
publisherId: 8wekyb3d8bbwe
-
name: Remove "Call" app
recommend: strict
docs: |-
This script removes the "Call" application, also known as the *Calling Shell App* [1].
This app enables transferring and managing phone calls from a mobile to a Windows desktop, including playback
through PC speakers [2].
The main executable of this app is `CallingShellApp.exe`, which Microsoft describes as the
"Calling App to host call progress on shell" [3].
The script is safe to use if you don't need your PC to handle phone calls [3].
Removing this app does not affect the core functionalities of Windows.
> **Caution:**
> Removing the "Call" app disables transferring phone calls from a mobile to your PC [2].
### Overview of default preinstallation
This app comes pre-installed on certain versions of Windows [3].
| OS | Version | Existence |
| -- | ------- | --------- |
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://archive.ph/2024.03.25-093648/https://twitter.com/ALumia_Italia/status/1088739425738244096?lang=en 'Aggiornamenti Lumia on X: "Windows Calling Shell App (aka Call) got a new "Store Logo" / X | twitter.com'
[2]: https://web.archive.org/web/20240103144719/https://www.aggiornamentilumia.it/2018/11/05/windows-10-19h1-in-arrivo-una-nuova-applicazione-per-il-mirroring-chiamate-indiscrezione/ "Windows 10 19H1 | In arrivo una nuova applicazione per il mirroring chiamate [Indiscrezione] - Aggiornamenti Lumia | www.aggiornamentilumia.it"
[3]: https://web.archive.org/web/20240103144732/https://strontic.github.io/xcyclopedia/library/CallingShellApp.exe-C5415F104A4060D90CE1675383308A66.html "CallingShellApp.exe | Calling App to host call progress on shell | STRONTIC | strontic.github.io"
call:
function: UninstallNonRemovableStoreApp
parameters:
packageName: Microsoft.Windows.CallingShellApp # Get-AppxPackage Microsoft.Windows.CallingShellApp
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft Remote Desktop" app
docs: |-
[Microsoft Store Page](https://archive.ph/2024.03.14-131853/https://apps.microsoft.com/detail/9wzdncrfj3ps?hl=en-us&gl=US)
It's also known as just "Remote Desktop" [1].
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.RemoteDesktop # Get-AppxPackage Microsoft.RemoteDesktop
publisherId: 8wekyb3d8bbwe
-
name: Remove "Network Speed Test" app
recommend: standard
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.06-205006/https://apps.microsoft.com/detail/9WZDNCRFHX52?hl=en-us&gl=US)
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.NetworkSpeedTest # Get-AppxPackage Microsoft.NetworkSpeedTest
publisherId: 8wekyb3d8bbwe
-
name: 'Remove "Microsoft To Do: Lists, Tasks & Reminders" app'
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.06-205208/https://apps.microsoft.com/detail/9NBLGGH5R558?hl=en-us&gl=US)
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://archive.ph/2021.10.23-200225/https://www.microsoft.com/en-us/d/surface-duo-2/9408kgxp4xjl?activetab=pivot:overviewtab "Surface Duo 2 - Dual-Screen Mobile Productivity - Microsoft Surface | microsoft.com"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Todos # Get-AppxPackage Microsoft.Todos
publisherId: 8wekyb3d8bbwe
-
category: Remove third-party apps
docs: |-
This category provides options to uninstall third-party applications (not developed by Microsoft) that may come preinstalled or be available for
installation on specific Windows versions.
children:
-
name: Remove "Shazam" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-013930/https://apps.microsoft.com/detail/9WZDNCRFJ0QQ?hl=en-us&gl=US)
The Shazam Windows app was officially declared end-of-life on February 7, 2017, and is discontinued as a Windows app [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231007013946/https://www.windowscentral.com/shazam-pulls-plug-windows-apps "Shazam pulls the plug on its Windows apps for PC and Mobile | Windows Central"
call:
function: UninstallStoreApp
parameters:
packageName: ShazamEntertainmentLtd.Shazam # Get-AppxPackage ShazamEntertainmentLtd.Shazam
publisherId: pqbynwjfrbcg4
-
category: Remove Candy Crush apps
docs: |-
This category consists of scripts to uninstall the various Candy Crush applications that may come preinstalled
or be available for installation on certain versions of Windows.
children:
-
name: Remove "Candy Crush Saga" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231007015121/https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: king.com.CandyCrushSaga # Get-AppxPackage king.com.CandyCrushSaga
publisherId: kgqvnymyfvs32
-
name: Remove "Candy Crush Soda Saga" app
docs: |-
[Microsoft Store Page](https://web.archive.org/web/20231007015313/https://www.microsoft.com/en-us/p/candy-crush-soda-saga/9nblggh1zrpv)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: king.com.CandyCrushSodaSaga # Get-AppxPackage king.com.CandyCrushSodaSaga
publisherId: kgqvnymyfvs32
-
name: Remove "Flipboard" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-111934/https://apps.microsoft.com/detail/9WZDNCRFJ32Q?hl=en-us&gl=US)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: Flipboard.Flipboard # Get-AppxPackage Flipboard.Flipboard
publisherId: 3f5azkryzdbc4
-
name: Remove "Twitter" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-111953/https://apps.microsoft.com/detail/9WZDNCRFJ140?hl=en-us&gl=US)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: 9E2F88E3.Twitter # Get-AppxPackage 9E2F88E3.Twitter
publisherId: wgeqdkkx372wm
-
name: 'Remove "iHeart: Radio, Music, Podcasts" app'
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-112020/https://apps.microsoft.com/detail/9WZDNCRFJ223?hl=en-us&gl=US)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: ClearChannelRadioDigital.iHeartRadio # Get-AppxPackage ClearChannelRadioDigital.iHeartRadio
publisherId: a76a11dkgb644
-
name: 'Remove "Duolingo - Language Lessons" app'
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-112229/https://apps.microsoft.com/detail/9WZDNCRCV5XN?hl=en-us&gl=US)
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: D5EA27B7.Duolingo-LearnLanguagesforFree # Get-AppxPackage D5EA27B7.Duolingo-LearnLanguagesforFree
publisherId: yx6k7tf7xvsea
-
name: Remove "Adobe Photoshop Express" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-112247/https://apps.microsoft.com/detail/9WZDNCRFJ27N?hl=en-us&gl=US)
This app is also known as just "Photoshop Express" [1].
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: AdobeSystemsIncorporated.AdobePhotoshopExpress # Get-AppxPackage AdobeSystemsIncorporated.AdobePhotoshopExpress
# Official docs are wrong (given as `AdobeSystemIncorporated.AdobePhotoshop`)
publisherId: ynb6jyjzte8ga
-
name: Remove "Pandora" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-112259/https://apps.microsoft.com/detail/9WZDNCRFJ46V?hl=en-us&gl=US)
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: PandoraMediaInc.29680B314EFC2 # Get-AppxPackage PandoraMediaInc.29680B314EFC2
publisherId: n619g4d5j0fnw
-
name: Remove "Eclipse Manager" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-112311/https://apps.microsoft.com/detail/9WZDNCRDJMH1?hl=en-us&gl=US)
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: 46928bounde.EclipseManager # Get-AppxPackage 46928bounde.EclipseManager
publisherId: a5h4egax66k6y
-
name: Remove "Code Writer" app
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-112330/https://apps.microsoft.com/detail/9WZDNCRFHZDT?hl=en-us&gl=US)
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallStoreApp
parameters:
packageName: ActiproSoftwareLLC.562882FEEB491 # Get-AppxPackage ActiproSoftwareLLC.562882FEEB491
publisherId: 24pqs290vpjk0
-
name: 'Remove "Spotify - Music and Podcasts" app'
docs: |-
[Microsoft Store Page](https://archive.ph/2023.10.07-112359/https://apps.microsoft.com/detail/9NCBCSZSJRSB?hl=en-us&gl=US)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
call:
function: UninstallStoreApp
parameters:
packageName: SpotifyAB.SpotifyMusic # Get-AppxPackage SpotifyAB.SpotifyMusic
publisherId: zpdnekdrzrea0
-
category: Remove system apps
docs: |-
This category includes scripts for uninstalling default system apps in Windows.
System apps are pre-installed [1] [2] applications located in the `C:\Windows*` directory [1] [2].
These apps are typically found in the `C:\Windows\SystemApps\{PackageFamilyName}` or `C:\Windows\{ShortAppName}` folders.
To view all system apps:
1. Open a PowerShell command prompt.
2. Execute the following command: `Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, PublisherId, InstallLocation`
They are integral components of the Windows operating system [1].
However, by removing unnecessary system apps, users can enhance their privacy by reducing potential data
collection points and streamlining their system.
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
children:
-
name: Remove "File Picker" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89 # Get-AppxPackage 1527c705-839a-4832-9118-54d4Bd6a0c89
publisherId: cw5n1h2txyewy
-
name: Remove "File Explorer" app
docs: |
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515 # Get-AppxPackage c5e2524a-ea46-4f67-841f-6a9465d9d515
publisherId: cw5n1h2txyewy
-
name: Remove "App Resolver UX" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: E2A4F912-2574-4A75-9BB0-0D023378592B # Get-AppxPackage E2A4F912-2574-4A75-9BB0-0D023378592B
publisherId: cw5n1h2txyewy
-
name: Remove "Add Suggested Folders To Library" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE # Get-AppxPackage F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
publisherId: cw5n1h2txyewy
-
name: Remove "InputApp" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: InputApp # Get-AppxPackage InputApp
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft AAD Broker Plugin" app (breaks Night Light settings, taskbar keyboard selection and Office app authentication)
# recommend: strict (Unrecommended due to too many side-effects)
docs: |-
This script uninstalls the "Microsoft AAD Broker Plugin" app. This app is also referred to as the "Work or school account" or "Broker plug-in" [1].
The primary purpose of this app is to offer login functionality for what used to be Azure Active Directory and is now called Microsoft Entra ID [2].
Users should be aware of the following side-effects before uninstalling:
- For certain Windows versions, uninstalling this app disrupts the keyboard selection in the taskbar [3]. Clicking on the taskbar
language selection icon will not show the selection dialog [3].
- The Night Light feature, which adjusts the colors on your screen to reduce eye strain during the evening and night, will stop
functioning after uninstalling [4]. You can read more about the Night Light feature
[here](https://web.archive.org/web/20231003182409/https://support.microsoft.com/en-us/windows/set-your-display-for-night-time-in-windows-18fe903a-e0a1-8326-4c68-fd23d7aaf136).
- The authentication process for Office apps is affected, preventing users from signing in [5].
Removing this app enhances user privacy by reducing potential data collection by the app. Yet, it's important to weigh
the privacy benefits against the loss of the above functionalities.
This app comes pre-installed on certain versions of Windows [1] [6] [7].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20231003182133/https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id "Microsoft Entra ID (formerly Azure Active Directory) | Microsoft Security"
[3]: https://github.com/undergroundwires/privacy.sexy/issues/24 "The selection of keyboards in the taskbar disappears. · Issue #24 · undergroundwires/privacy.sexy"
[4]: https://github.com/undergroundwires/privacy.sexy/issues/54 "What script disables the night light settings? · Issue #54 · undergroundwires/privacy.sexy"
[5]: https://web.archive.org/web/20231003182528/https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/authentication/automatic-authentication-fails "Authentication automatically fails in Microsoft 365 services - Microsoft 365 | Microsoft Learn"
[6]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[7]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.AAD.BrokerPlugin # Get-AppxPackage Microsoft.AAD.BrokerPlugin
# Official docs point to wrong "Microsoft.AAD.Broker.Plugin"
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft Accounts Control" app
docs: |-
It is also known as "Email and accounts" [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.AccountsControl # Get-AppxPackage Microsoft.AccountsControl
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft Async Text Service" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.AsyncTextService # Get-AppxPackage Microsoft.AsyncTextService
publisherId: 8wekyb3d8bbwe
-
name: Remove "Hello setup UI" app (breaks biometric authentication)
recommend: strict
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
See also: [Discussion about this service on Microsoft forums](https://web.archive.org/web/20231003183050/https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.BioEnrollment # Get-AppxPackage Microsoft.BioEnrollment
publisherId: cw5n1h2txyewy
-
name: Remove "Credentials Dialog Host" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.CredDialogHost # Get-AppxPackage Microsoft.CredDialogHost
publisherId: cw5n1h2txyewy
-
name: Remove "EC" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.ECApp # Get-AppxPackage Microsoft.ECApp
publisherId: 8wekyb3d8bbwe
-
name: Remove "Lock" app (shows lock screen)
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
See also: [More information about the `LockApp.exe` process](https://web.archive.org/web/20231003183213/https://www.getwox.com/what-is-lockapp-exe/)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.LockApp # Get-AppxPackage Microsoft.LockApp
publisherId: cw5n1h2txyewy
-
category: Remove Edge (Legacy)
docs: |-
This category includes scripts to remove Microsoft Edge Legacy. Microsoft introduced the Legacy version based on the EdgeHTML
engine [1] in 2015 [2]. However, as of March 9, 2021, they stopped supporting this version, meaning it no longer gets
security updates or patches [1] [2]. Keeping unsupported software on your system can introduce security vulnerabilities.
Initially, this version was the default browser on Windows 10 PCs [1]. Due to its tight integration with Windows, a simple uninstall
might not eliminate all related files.
One privacy concern with Microsoft Edge Legacy is how it handles your browsing history. When used, the browser integrates your browsing
history into your device's activity log that is sent to Microsoft [3]. Even if this is disabled, the data remains on your device [3].
This locally stored data can be analyzed to reveal your behavior, potentially compromising your privacy.
By utilizing this script, you ensure a comprehensive removal of the browser and its related components, thus enhancing your system's
privacy and security.
[1]: https://web.archive.org/web/20231004084011/https://support.microsoft.com/en-us/microsoft-edge/what-is-microsoft-edge-legacy-3e779e55-4c55-08e6-ecc8-2333768c0fb0 "What is Microsoft Edge Legacy? - Microsoft Support"
[2]: https://web.archive.org/web/20231120102054/https://learn.microsoft.com/en-us/lifecycle/products/microsoft-edge-legacy "Microsoft Edge Legacy - Microsoft Lifecycle | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support"
children:
-
name: Remove "Microsoft Edge" app
recommend: strict
docs: |- # refactor-with-variables: Same • Edge (Legacy) only
This script uninstalls the "Microsoft Edge" Windows app.
This app comes pre-installed on certain versions of Windows [1] [2] [3].
As of March 9, 2021, this app stopped receiving any updates or security patches [4]. Such unsupported software can become a security
risk. Furthermore, using this version means your browsing data gets integrated into your device's activity history [5]. Microsoft can
access this data [5] and it remains stored locally, leaving traces of your behavior [5].
Removing this software not only minimizes potential security threats but also improves your privacy by preventing data accumulation.
This script only applies to Edge (Legacy) and does not impact newer versions of Edge.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn"
[5]: https://web.archive.org/web/20231008125552/https://support.microsoft.com/en-us/windows/-windows-activity-history-and-your-privacy-2b279964-44ec-8c2f-e0c2-6779b07d2cbd "Windows activity history and your privacy - Microsoft Support"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.MicrosoftEdge # Get-AppxPackage Microsoft.MicrosoftEdge
publisherId: 8wekyb3d8bbwe
-
name: Remove "Microsoft Edge Dev Tools Client" app
recommend: strict
docs: |-
This script removes the Developer Tools (DevTools) app that was paired with Microsoft Edge Legacy. These tools, now outdated, haven't
received updates for a while [1] [2]. If the main Edge application is uninstalled, these tools lose their relevance and should be removed
as well.
This app comes pre-installed on certain versions of Windows [3] [4].
Getting rid of such outdated software components helps to protect your security. They could have vulnerabilities waiting to be exploited. By uninstalling
them, you're taking a step towards a more secure system.
[More about Edge DevTools](https://web.archive.org/web/20200508053014/https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide)
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231004085037/https://learn.microsoft.com/en-us/lifecycle/faq/internet-explorer-microsoft-edge "Lifecycle FAQ - Internet Explorer and Microsoft Edge | Microsoft Learn"
[2]: https://web.archive.org/web/20231004084959/https://learn.microsoft.com/en-us/archive/microsoft-edge/legacy/developer/ "Legacy Microsoft Edge developer documentation - Legacy Microsoft Edge developer docs | Microsoft Learn"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.MicrosoftEdgeDevToolsClient # Get-AppxPackage Microsoft.MicrosoftEdgeDevToolsClient
publisherId: 8wekyb3d8bbwe
-
category: Remove Edge (Legacy) associations
docs: |-
This category removes file and URL associations from Microsoft Edge Legacy,
to enhance privacy and potentially improve system stability and performance.
Edge Legacy, though outdated, may still have associations on modern Windows versions.
Removing these associations:
- Reduces potential data collection through Edge Legacy
- Prevents accidental use of an outdated browser
- May improve system stability if Edge Legacy is removed
- Can potentially enhance performance by eliminating unnecessary file associations
This category applies only to Edge Legacy and does not affect newer versions of Microsoft Edge.
If Edge Legacy associations remain after uninstallation, certain Windows functionalities may malfunction [1].
Running this category improves system integrity, as standard uninstallation methods often leave these associations.
On modern Windows versions (confirmed by tests since Windows 10 21H2 and Windows 11 21H2), Chromium-based Edge is
associated with most default options (using ProgIDs such as `MSEdgePDF` and `MSEdgeHTM` [2]).
However, some Legacy Edge associations may persist depending on the Windows version.
### Technical Details
Edge Legacy is associated with several ProgIDs, each prefixed with `AppX` [3].
Known ProgIDs include:
- `AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9` [3] [4]
- `AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723` [3] [4]
- `AppXq0fevzme2pys62n3e0fbqa7peapykr8v` [3] [4]
- `AppX90nv6nhay5n6a98fnetv7tpk64pp35es` [3] [4]
- `AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y` [4]
- `AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv` (Edge Holographic [4])
File and URL associations can be found under these registry keys:
- `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\URLAssociations`
- `HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.MicrosoftEdge_{Version}\MicrosoftEdge\Capabilities\FileAssociations`
Within these registry keys:
- URL associations may include `http`, `https`, `microsoft-edge`, `microsoft-edge-holographic`.
- File associations may include `.htm`, `.html`, `.pdf`, `.svg`.
Not all these associations are present on every Windows system.
The set of registered associations varies depending on Windows version and system configuration.
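To see which of these associations are registered on a given machine, the two `Capabilities` keys above can be listed read-only. The script below is an added example, not part of the privacy.sexy collection; it assumes the `{Version}` part of the key name can be matched with a `Microsoft.MicrosoftEdge_*` wildcard and that each registry value maps an association name to a ProgID.

```powershell
# Added example (not privacy.sexy's own code): read-only listing of the
# URL and file associations registered by the Edge (Legacy) package.
$packagesRoot = 'HKCU:\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages'
$legacyEdgeProgIds = @(
    'AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9',
    'AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723',
    'AppXq0fevzme2pys62n3e0fbqa7peapykr8v',
    'AppX90nv6nhay5n6a98fnetv7tpk64pp35es',
    'AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y',
    'AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv'
)
$results = foreach ($kind in 'URLAssociations', 'FileAssociations') {
    # Assumption: the wildcard stands in for the "{Version}" part of the key name.
    # The underscore after "MicrosoftEdge" keeps other Edge packages out of the match.
    $pattern = Join-Path $packagesRoot "Microsoft.MicrosoftEdge_*\MicrosoftEdge\Capabilities\$kind"
    Get-Item -Path $pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                # Assumption: value name = association (e.g. "http", ".pdf"), value data = ProgID.
                $progId = [string]$key.GetValue($valueName)
                [PSCustomObject]@{
                    Kind              = $kind
                    Association       = $valueName
                    ProgID            = $progId
                    KnownLegacyProgId = $legacyEdgeProgIds -contains $progId
                    RegistryPath      = $key.Name
                }
            }
        }
}
if ($results) {
    $results | Sort-Object Kind, Association | Format-Table -AutoSize
} else {
    Write-Output 'No Edge (Legacy) capability associations are registered for the current user.'
}
```

A `False` in the `KnownLegacyProgId` column marks a ProgID that is not in the list of known Edge Legacy ProgIDs above and should be reviewed before any removal.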
> **Caution:**
> Removing these associations can affect how certain files and URLs open if you rely on Edge (Legacy).
> Remember to set up an alternative browser to handle these file types and protocols.
#### Open With Associations
This category does not modify "Open With" associations, as no such associations for Legacy Edge exist on
the latest Windows versions (confirmed by tests since Windows 10 19H1 and Windows 11 21H2).
You can verify this by running the following PowerShell script:
```powershell
$legacyEdgeProgIds = @(
'AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9',
'AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723',
'AppXq0fevzme2pys62n3e0fbqa7peapykr8v',
'AppX90nv6nhay5n6a98fnetv7tpk64pp35es',
'AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y',
'AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv'
)
@("Registry::HKLM\Software\Classes", "Registry::HKEY_CURRENT_USER\Software\Classes") |
ForEach-Object {
Get-ChildItem -Path "$_\*\OpenWithProgIds" -ErrorAction SilentlyContinue |
ForEach-Object {
$extension = $_.PSParentPath.Split('\')[-1]
$registryPath = $_.PSPath
$formattedRegistryPath = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
Get-ItemProperty -LiteralPath $registryPath -ErrorAction SilentlyContinue |
ForEach-Object {
$_.PSObject.Properties |
Where-Object { $legacyEdgeProgIds -contains $_.Name } |
ForEach-Object {
$progId = $_.Name;
[PSCustomObject]@{
Extension = $extension
ProgID = $progId
RegistryPath = $formattedRegistryPath
Hive = if ($formattedRegistryPath -match 'HKEY_LOCAL_MACHINE') { 'HKLM' } else { 'HKCU' }
}
}
}
}
} | Sort-Object Extension, ProgID -Unique | Format-Table -AutoSize
```
[1]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
[2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn"
[3]: https://web.archive.org/web/20231001223221/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationdefaults#defaultassociationsconfiguration "ApplicationDefaults Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[4]: https://github.com/privacysexy-forks/10_0_19045_2251/blob/0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf/C/Windows/System32/shell32.dll.strings "10_0_19045_2251/C/Windows/System32/shell32.dll.strings at 0960c766a4fc8eb5a95d47ac4df6c1d35b9324bf · privacysexy-forks/10_0_19045_2251 | github.com"
children:
-
name: Remove Edge (Legacy) application selection associations
recommend: strict
docs: |-
This script removes file and URL associations with Microsoft Edge Legacy (an old version of Edge),
enhancing your privacy and potentially improving system performance.
This script removes Edge Legacy from the default application selection dialog for certain file types and
protocols, preventing it from being easily chosen as the default handler.
Even on newer Windows computers, the old Edge might still be set to open common file types like:
- Web file formats (.htm, .html)
- PDF documents (.pdf)
- Web protocols (http, https)
Removing these connections:
- Reduces potential data collection through Edge Legacy
- Prevents accidental use of an outdated browser
- Improves system stability if Edge Legacy is removed [1]
- Can potentially enhance performance by eliminating unnecessary file associations
This script targets only Edge Legacy, leaving newer versions of Microsoft Edge unaffected.
> **Caution**:
> After running this script, Edge Legacy will no longer appear as a default program option for associated file types and URLs.
> Remember to set an alternative application to handle these.
### Technical Details
The known associations by default are:
| Association | ProgID | Win 10 1903 | Win 10 1909 | Win 10 20H2 | Win 10 21H2 | Win 10 22H2 | Win 11 21H2 | Win 11 22H2 | Win 11 23H2 | Registry Path |
|-------------|--------|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:--------------|
| .htm | AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .html | AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .pdf | AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| http | AppXq0fevzme2pys62n3e0fbqa7peapykr8v | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| https | AppX90nv6nhay5n6a98fnetv7tpk64pp35es | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| microsoft-edge | AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| microsoft-edge-holographic | AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| microsoft-edge (HKLM) | AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
Certain associations, like `microsoft-edge` and `microsoft-edge-holographic` URL protocols, may be shared
between legacy and modern Edge versions.
The script removes shared associations only if they are explicitly linked to legacy Edge, preserving functionality
for newer Edge versions.
You can find all registered legacy Edge application selection associations using:
```powershell
$legacyEdgeProgIds = @(
'AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9',
'AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723',
'AppXq0fevzme2pys62n3e0fbqa7peapykr8v',
'AppX90nv6nhay5n6a98fnetv7tpk64pp35es',
'AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y',
'AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv'
)
$registryPaths = @(
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts'
)
$results = @()
foreach ($path in $registryPaths) {
$registryItems = Get-Item -Path $path -ErrorAction SilentlyContinue
if ($registryItems) {
$results += $registryItems |
ForEach-Object {
$_.Property | Where-Object {
$key = $_
$legacyEdgeProgIds | Where-Object { $key -match $_ }
} |
ForEach-Object {
$split = $_ -split '_'
[PSCustomObject]@{
ProgID = $split[0]
Association = $split[1]
RegistryPath = $path
}
}
}
}
}
$results | Format-Table -AutoSize
```
[1]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
call:
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default : reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9"
# Availability : ✅ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
progId: AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9
associatedFilenameWithExtensionOrUrlProtocol: .htm
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9"
# Availability : ✅ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
progId: AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9
associatedFilenameWithExtensionOrUrlProtocol: .html
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723"
# Availability : ✅ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
progId: AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723
associatedFilenameWithExtensionOrUrlProtocol: .pdf
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default : reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppXq0fevzme2pys62n3e0fbqa7peapykr8v"
# Availability : ✅ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
progId: AppXq0fevzme2pys62n3e0fbqa7peapykr8v
associatedFilenameWithExtensionOrUrlProtocol: http
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default : reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppX90nv6nhay5n6a98fnetv7tpk64pp35es"
# Availability : ✅ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
progId: AppX90nv6nhay5n6a98fnetv7tpk64pp35es
associatedFilenameWithExtensionOrUrlProtocol: https
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default : reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y"
# Availability : ✅ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
progId: AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y
associatedFilenameWithExtensionOrUrlProtocol: microsoft-edge
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default : reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv"
# Availability : ✅ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
progId: AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv
associatedFilenameWithExtensionOrUrlProtocol: microsoft-edge-holographic
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default : reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y"
# Availability : ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (21H2) | ❌ Windows 11 Pro (≥ 22H2)
registryHive: HKLM
progId: AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y
associatedFilenameWithExtensionOrUrlProtocol: microsoft-edge
minimumWindowsVersion: Windows10-1909
maximumWindowsVersion: Windows11-21H2
-
name: Remove Edge (Legacy) user associations
recommend: strict
docs: |-
This script removes user associations for the legacy Microsoft Edge browser.
Even though these are user defaults, Windows includes Microsoft Edge (Legacy)
as the default browser for some associations on older versions of Windows.
It enhances privacy by preventing the legacy Edge browser from automatically opening
specific file types and URLs.
This helps reduce data collection and tracking by the legacy Edge browser.
If you have removed the legacy Edge browser, this script improves system stability by
removing orphaned file and URL associations.
It may improve system performance by preventing attempts to load non-existent legacy Edge
components when opening associated files or URLs.
The script applies only to Edge (Legacy) and does not affect newer versions of Edge.
It is relevant for older Windows versions, especially Windows 10 Pro 19H1 (1903).
> **Caution:**
> Removing these associations will prompt you to choose a default application the next time you
> open files or URLs previously associated with legacy Edge.
> Remember to set up an alternative browser.
### Technical Details
On modern Windows versions (Windows 10 Pro ≥ 19H2 and Windows 11 Pro ≥ 21H2), there are no
user-chosen associations for Legacy Edge.
These associations were last observed on Windows 10 Pro 19H1 (1903).
They are not present in later Windows versions, with testing confirmed up to Windows 10 Pro 22H2 and Windows 11 Pro 23H2.
The script removes the following associations on Windows 10 Pro 19H1 (1903):
| ProgID | Type | Association | RegistryPath |
| ------ | ---- | ----------- | ------------ |
| AppXq0fevzme2pys62n3e0fbqa7peapykr8v | URL | http | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice` |
| AppX90nv6nhay5n6a98fnetv7tpk64pp35es | URL | https | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice` |
| AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y | URL | microsoft-edge | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice` |
| AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv | URL | microsoft-edge-holographic | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge-holographic\UserChoice` |
| AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9 | File | .htm | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice` |
| AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9 | File | .html | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice` |
| AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723 | File | .pdf | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice` |
To verify these associations, use the following PowerShell script:
```powershell
$legacyEdgeProgIds = @(
'AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9',
'AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723',
'AppXq0fevzme2pys62n3e0fbqa7peapykr8v',
'AppX90nv6nhay5n6a98fnetv7tpk64pp35es',
'AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y',
'AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv'
)
$baseRegistryPaths = @(
'HKCU:\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
)
$results = @()
foreach ($baseKey in $baseRegistryPaths) {
$subKeys = Get-ChildItem -Path $baseKey -ErrorAction SilentlyContinue
foreach ($subKey in $subKeys) {
$userChoicePath = Join-Path $subKey.PSPath 'UserChoice'
if (-Not (Test-Path $userChoicePath)) {
continue
}
$progId = (Get-ItemProperty -Path $userChoicePath -Name ProgId -ErrorAction SilentlyContinue).ProgId
if ($progId -and ($legacyEdgeProgIds -contains $progId)) {
$formattedRegistryPath = $userChoicePath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
$results += [PSCustomObject]@{
ProgID = $progId
Association = $subKey.PSChildName
RegistryPath = $formattedRegistryPath
}
}
}
}
$results | Format-Table -AutoSize
```
call:
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"
# Availability: ✅ Windows 10 Pro (≤ 1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
progId: AppXq0fevzme2pys62n3e0fbqa7peapykr8v
urlProtocol: http
maximumWindowsVersion: Windows10-1903
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice"
# Availability: ✅ Windows 10 Pro (≤ 1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
progId: AppX90nv6nhay5n6a98fnetv7tpk64pp35es
urlProtocol: https
maximumWindowsVersion: Windows10-1903
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice"
# Availability: ✅ Windows 10 Pro (≤ 1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
progId: AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y
urlProtocol: microsoft-edge
maximumWindowsVersion: Windows10-1903
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge-holographic\UserChoice"
# Availability: ✅ Windows 10 Pro (≤ 1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
progId: AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv
urlProtocol: microsoft-edge-holographic
maximumWindowsVersion: Windows10-1903
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice"
# Availability: ✅ Windows 10 Pro (≤ 1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
progId: AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9
fileExtensionWithDotPrefix: .htm
maximumWindowsVersion: Windows10-1903
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice"
# Availability: ✅ Windows 10 Pro (≤ 1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
progId: AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9
fileExtensionWithDotPrefix: .html
maximumWindowsVersion: Windows10-1903
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice"
# Availability: ✅ Windows 10 Pro (≤ 1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
progId: AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723
fileExtensionWithDotPrefix: .pdf
maximumWindowsVersion: Windows10-1903
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
name: Remove "Win32 Web View Host" / "Desktop App Web Viewer" app
recommend: strict
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Win32WebViewHost # Get-AppxPackage Microsoft.Win32WebViewHost
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft PPI Projection" app
docs: |-
[More about Perceptive Pixel](https://en.wikipedia.org/wiki/Perceptive_Pixel)
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
recommend: strict
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.PPIProjection # Get-AppxPackage Microsoft.PPIProjection
publisherId: cw5n1h2txyewy
-
name: Remove "ChxApp" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.Apprep.ChxApp # Get-AppxPackage Microsoft.Windows.Apprep.ChxApp
publisherId: cw5n1h2txyewy
-
name: Remove "Assigned Access Lock App" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.AssignedAccessLockApp # Get-AppxPackage Microsoft.Windows.AssignedAccessLockApp
publisherId: cw5n1h2txyewy
-
name: Remove "Capture Picker" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.CapturePicker # Get-AppxPackage Microsoft.Windows.CapturePicker
publisherId: cw5n1h2txyewy
-
name: Remove "Cloud Experience Host" app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in)
# recommend: strict (Unrecommended due to too many side-effects)
docs: |-
This script uninstalls the Microsoft Cloud Experience Host service.
This service is required for connecting to corporate domains or Microsoft cloud-based services.
It is also referred to as the "Microsoft account" app [1].
This app comes pre-installed on certain versions of Windows [1] [2] [3].
The Microsoft Cloud Experience Host has several functionalities:
- It is responsible for connecting Microsoft accounts [4] [5].
- It enables corporate login. Cloud Experience Host application comes into action during the joining process of workplace environments or Azure Active Directory (Azure AD) [6]. It renders the experience when collecting company-provided credentials [6]. After enrolling your device with your workplace environment or Azure AD, your organization can manage your PC and collect specific data about you, including your location [6]. The organization may add or remove apps, modify settings, disable certain features, prevent account removal, or even reset your PC [6].
- It manages PIN, Biometric, and Device authentication [7]. This is needed for Windows Hello, which supports authentication through a device, biometric data, or a PIN code [7]. This functionality also assists in joining a machine to Azure AD or an on-premises AD domain [7].
- Lastly, it aids in Out-of-box experience (OOBE) troubleshooting [8]. The OOBE comprises a series of screens such as the license agreement, internet connection, and login [9]. The service helps detect errors occurring during the OOBE flow [8].
While the service does offer these essential functionalities, it also introduces notable privacy considerations.
However, if one decides to uninstall it, they will encounter the following challenges:
- The ability to sign in to Windows using a Microsoft account will be hampered, affecting cloud-based sign-in [10] [11].
- The password and PIN sign-in options located in "Settings > Sign-in Options" will be inaccessible [12].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231007145740/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[5]: https://web.archive.org/web/20231007145741/https://answers.microsoft.com/en-us/windows/forum/all/cant-login-to-microsoft-account-because-of-cloud/0861c72d-3621-45bc-bae0-67d13121f526 "cant login to microsoft account because of cloud experience host - Microsoft Community | answers.microsoft.com"
[6]: https://web.archive.org/web/20231007145756/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology#cloud-experience-hos "How Windows Hello for Business works - technology and terms - Windows Security | Microsoft Learn"
[7]: https://web.archive.org/web/20231007150204/https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning "How Windows Hello for Business works - Provisioning - Windows Security | Microsoft Learn"
[8]: https://web.archive.org/web/20231007150256/https://learn.microsoft.com/en-us/windows/privacy/required-windows-11-diagnostic-events-and-fields#cloud-experience-host-events "Required diagnostic events and fields for Windows 11, version 21H2 - Windows Privacy | Microsoft Learn"
[9]: https://web.archive.org/web/20231007150258/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe "Customize OOBE | Microsoft Learn"
[10]: https://github.com/undergroundwires/privacy.sexy/issues/99 "Microsoft login procedure is not functional · Issue #99 · undergroundwires/privacy.sexy | github.com"
[11]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy | github.com"
[12]: https://github.com/undergroundwires/privacy.sexy/issues/67 "[BUG]: Unable to change PIN and Password · Issue #67 · undergroundwires/privacy.sexy | github.com"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.CloudExperienceHost # Get-AppxPackage Microsoft.Windows.CloudExperienceHost
publisherId: cw5n1h2txyewy
-
name: Remove "Content Delivery Manager" app
recommend: strict
docs: |-
This script uninstalls the "Content Delivery Manager" app.
This app provides Windows Spotlight functionality [1], which automatically sets random wallpapers on the lock screen in Windows [2] [3].
The main purpose of this app is to update the Windows experience [1].
To achieve this, the app collects data about interactions with the Windows Spotlight content, such as which content is viewed,
clicked on, or given feedback [1]. It records the content's ID, user actions, and other associated attributes [1]. Additionally, the app
aggregates data about the state of content offers on a device, including the health of user accounts, the health status of the content
delivery, and more specific metrics [1]. The app also keeps track of where the content is displayed, like on the LockScreen or Start menu,
and when [1] [3]. This detailed tracking ensures that Windows stays up-to-date [1]. However, for users who prioritize privacy, understanding
the data this app collects can be vital.
The app comes pre-installed on certain versions of Windows [4] [5].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231007152921/https://learn.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703#content-delivery-manager-events "Windows 10, version 1703 basic diagnostic events and fields (Windows 10) - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20230911110727/https://support.microsoft.com/en-us/windows/personalize-your-lock-screen-81dab9b0-35cf-887c-84a0-6de8ef72bea0 "Personalize your lock screen - Microsoft Support"
[3]: https://web.archive.org/web/20230911110748/https://learn.microsoft.com/en-us/windows/configuration/windows-spotlight "Configure Windows Spotlight on the lock screen - Configure Windows | Microsoft Learn"
[4]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[5]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.ContentDeliveryManager # Get-AppxPackage Microsoft.Windows.ContentDeliveryManager
publisherId: cw5n1h2txyewy
-
name: Remove "Search" app (breaks Windows search)
docs: |-
This script removes two specific apps from Windows:
- `Microsoft.Windows.Cortana`: Commonly known as Cortana [1] [2] [3]. This app comes pre-installed on certain versions of Windows [1] [2] [3].
- `Microsoft.Windows.Search`: Introduced in Windows 10 2004, this app took over the role of `Microsoft.Windows.Cortana` to provide search functionality [4].
The executable for this app is `SearchApp.exe`, located at `C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe` [5] [6].
This app powers the Windows search bar [5]. Some community reports have indicated that this app may collect data to display advertisements [7] [8].
Removing these apps contributes to user privacy by eliminating potential data collection points. However, please note that running this script will break
the built-in Windows search functionality. Weigh the trade-off between improved privacy and the loss of search functionality before proceeding.
### Overview of default preinstallation
`Microsoft.Windows.Cortana`:
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
`Microsoft.Windows.Search`:
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20231006175115/https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp "AppLocker CSP - Windows Client Management | Microsoft Learn"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[4]: https://web.archive.org/web/20231007222810/https://answers.microsoft.com/en-us/windows/forum/all/applocker-blocking-windows-search-functionality/5509bfcc-061c-49e0-803d-6dbb1bc6a839 "Applocker Blocking windows search functionality Win 10 - 2004 - Microsoft Community"
[5]: https://web.archive.org/web/20231007222923/https://learn.microsoft.com/en-us/answers/questions/461791/kb5003637-problem-with-windows-search-bar "KB5003637 Problem With Windows Search Bar - Microsoft Q&A"
[6]: https://web.archive.org/web/20231007222844/https://learn.microsoft.com/en-us/answers/questions/842652/unable-to-start-a-dcom-server-microsoftwindows-cli?cid=kerryherger&page=2 "Unable to start a DCOM Server - MicrosoftWindows.Client.CBS_120.2212.4170.0_x64__cw5n1h2txyewy!InputApp as Unavailable/Unavailable. Error 2147942402 (TextInputHost.exe) - Microsoft Q&A"
[7]: https://web.archive.org/web/20231007222907/https://learn.microsoft.com/en-us/answers/questions/175856/windows-10-20h2-searchapp-exe-network-connection "Windows 10 20H2 searchapp.exe - network connection - Microsoft Q&A"
[8]: https://web.archive.org/web/20231007222922/https://learn.microsoft.com/en-us/answers/questions/893937/searchapp-exe-connecting-to-ms-for-no-reason "Searchapp.exe connecting to MS for no reason. - Microsoft Q&A"
call:
-
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.Cortana # Get-AppxPackage Microsoft.Windows.Cortana
publisherId: cw5n1h2txyewy
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Search # Get-AppxPackage Microsoft.Windows.Search
publisherId: cw5n1h2txyewy
-
name: Remove "Holographic First Run" app
recommend: standard
docs: |-
The "Windows Holographic First Run" app is a diagnostic tool on Windows, designed for potential users of Microsoft's Hololens, an augmented reality headset [1].
When run, the app scans your computer's hardware to determine its compatibility with the Hololens [1]. It assesses which components meet or exceed the required
specifications, which might offer a subpar experience, and which fail to meet the necessary standards [1]. The app accesses hardware data to ensure that
users have a system capable of supporting the Hololens [1].
This app is pre-installed in specific Windows versions [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231003184605/https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/ "Check If Your PC Meets The Windows Holographic App Requirements | addictivetips.com"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.Holographic.FirstRun # Get-AppxPackage Microsoft.Windows.Holographic.FirstRun
publisherId: cw5n1h2txyewy
-
category: Remove Out-of-Box Experience (OOBE) apps
docs: |-
This category focuses on uninstalling specific Out-of-Box Experience (OOBE) apps from Windows devices. OOBE apps are components of the Windows setup process designed to guide
users through initial device setup, establishing settings and preferences, and connecting to networks [1].
[1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn"
children:
-
name: Remove "OOBE Network Captive Portal" app
docs: |-
This script uninstalls the OOBE Network Captive Portal app. The app is part of the Out-of-Box Experience (OOBE) process in Windows [1]. When users set
up their Windows system for the first time, they encounter the "Let's connect you to a network" screen [1]. This screen precedes the End User License Agreement
(EULA) screen and presents available connection options, including Wi-Fi and Cellular data networks in the vicinity [1]. Some pages during the OOBE are delivered
through a cloud service [1].
The app runs the `OOBENetworkCaptivePortal.exe` file, which is responsible for the Captive Portal Flow during OOBE [2].
This app is pre-installed in specific Windows versions [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network "Windows 10 OOBE screen details | Microsoft Learn"
[2]: https://web.archive.org/web/20231007230004/https://strontic.github.io/xcyclopedia/library/OOBENetworkCaptivePortal.exe-0DF57DA84716210304E79A34BF5F4B39.html "OOBENetworkCaptivePortal.exe | OOBE Captive Portal Flow | STRONTIC"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Get-AppxPackage Microsoft.Windows.OOBENetworkCaptivePortal
# Official docs point to wrong "Microsoft.Windows.OOBENetworkCaptivePort"
publisherId: cw5n1h2txyewy
-
name: Remove "OOBE Network Connection Flow" app
docs: |-
This script uninstalls the "OOBE Network Connection Flow" app from Windows devices. The OOBE (Out-of-Box Experience) Network Connection Flow app assists
users during their initial setup of a Windows device [1]. When setting up, users encounter the "Let's connect you to a network" screen, which lists available
Wi-Fi and Cellular network options [1]. Devices with LTE capabilities and an active SIM card will automatically connect to the Cellular network, but if a Wi-Fi
network is accessible, it will be preferred [1]. To ensure users don't consume excessive data during setup, Windows limits the download to essential updates
when on metered networks [1].
After establishing a network connection, the device starts downloading necessary driver and Windows Zero-Day Patch (ZDP) updates, which are necessary for device
performance and security [1]. Users cannot opt-out of these updates [1]. If a newer Windows version is available and the device qualifies, users will get an option
to download this update at the OOBE's conclusion [1].
The primary process for this app is `OOBENetworkConnectionFlow.exe` [2].
This app comes pre-installed on certain versions of Windows [3] [4].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231007230029/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details "Windows 10 OOBE screen details | Microsoft Learn"
[2]: https://web.archive.org/web/20231007233651/https://strontic.github.io/xcyclopedia/library/OOBENetworkConnectionFlow.exe-823E4DEF469E572C9C3DC2DC332441E1.html "OOBENetworkConnectionFlow.exe | OOBE Network Connection Flow | STRONTIC"
[3]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[4]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.OOBENetworkConnectionFlow # Get-AppxPackage Microsoft.Windows.OOBENetworkConnectionFlow
publisherId: cw5n1h2txyewy
-
name: Remove "Microsoft Family Safety" / "Parental control" app
recommend: standard
docs: |-
This script uninstalls the parental control app for Microsoft Family Safety.
A **parental control** app helps parents regulate the content their children access online, including how long they spend on devices [1].
It provides features such as content filtering, screen time limit enforcement, activity monitoring, contact blocking, and activity reports [1] [2].
**Family Safety**, a specific parental control tool from Microsoft, lets parents monitor and control their children's online activities [3].
It offers the ability to filter unsuitable web content and gives parents insight into the search terms their children use on search engines [3].
One notable function is the "safe search" feature that communicates with search engines to ensure adult material is excluded from search results [3].
However, using Family Safety means Microsoft collects personal details such as names, email addresses, birth dates, and other diagnostic data [4].
There's a privacy concern, especially regarding minors, because the tool actively logs the search terms children enter into search engines [3].
While "safe search" promotes user safety, it communicates settings to various search engine platforms, potentially sharing user preferences and
identifiable information with these third parties [3]. It's also worth noting that certain browsers, like Firefox, require extra measures to
ensure secure connections [3]. Without these measures, there's a risk of user data interception or manipulation.
This app comes pre-installed on certain versions of Windows [5] [6].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231008130535/https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/choosing-a-parental-control-app "Choosing a parental control app that works for you - Microsoft 365"
[2]: https://web.archive.org/web/20231008130516/https://www.microsoft.com/en-us/microsoft-365/family-safety "Microsoft Family Safety—Location Sharing and Screen Time App | Microsoft 365"
[3]: https://web.archive.org/web/20231008130419/https://support.microsoft.com/en-us/topic/family-safety-update-improves-web-filtering-and-activity-reporting-in-windows-8-1-and-windows-rt-8-1-116efe24-0153-9680-0d0c-5f433c677336 "Family Safety update improves web filtering and activity reporting in Windows 8.1 and Windows RT 8.1 - Microsoft Support"
[4]: https://web.archive.org/web/20231008130529/https://support.microsoft.com/en-us/account-billing/family-safety-data-collection-and-privacy-options-3d01b791-e48a-498f-bfa6-97f0d373cd9c "Family Safety data collection and privacy options - Microsoft Support"
[5]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[6]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.ParentalControls # Get-AppxPackage Microsoft.Windows.ParentalControls
publisherId: cw5n1h2txyewy
-
name: Remove "My People" app
recommend: strict
docs: |-
This script uninstalls the "My People" app.
This app is also known as "People Hub" [1] [2] or "Windows My People" [3] [4].
It allows users to pin contacts to the Windows taskbar [3].
Additionally, users can drag and drop documents, photos, or videos onto a contact to share them [3].
This app comes pre-installed on certain versions of Windows [1] [2].
Its main operational file is `PeopleExperienceHost.exe`, which can typically be located at
`C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe` [4]. This process is commonly known as "Windows My People" [4].
By uninstalling pre-installed apps like "My People", users can reclaim system resources and potentially enhance privacy by reducing the
number of apps that could access and share their data.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231009112816/https://blogs.windows.com/windowsexperience/2016/10/26/empowering-a-new-wave-of-creativity-with-the-windows-10-creators-update-and-surface-studio/ "Empowering a new wave of creativity with the Windows 10 Creators Update and Surface Studio | Windows Experience Blog"
[4]: https://web.archive.org/web/20231205170517/https://strontic.github.io/xcyclopedia/library/PeopleExperienceHost.exe-4DB57408AA06543E575368FEDC280B4A "PeopleExperienceHost.exe | Windows My People | STRONTIC"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.PeopleExperienceHost # Get-AppxPackage Microsoft.Windows.PeopleExperienceHost
publisherId: cw5n1h2txyewy
-
name: Remove "Pinning Confirmation Dialog" app
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.PinningConfirmationDialog # Get-AppxPackage Microsoft.Windows.PinningConfirmationDialog
publisherId: cw5n1h2txyewy
-
name: Remove "Secondary Tile Experience" app
recommend: strict
docs: |-
This script removes the Secondary Tile Experience app from your computer. The Secondary Tile Experience app helps provide a Windows feature that lets users create quick access shortcuts,
called secondary tiles, to specific content from an app on their Start menu [1]. For example, it might be a shortcut to the weather of a city or a favorite news article. Secondary
tiles act as direct entry points to parts of an app, like displaying real-time updates or leading to a particular feature [1]. While these tiles share some similarities with primary tiles
in terms of showing detailed content and notifications, they differ in a few ways. First, secondary tiles are created based on the user's choice, and they get a prompt from the system asking
for confirmation before pinning [1]. Second, these tiles can be deleted at any time, and this doesn't affect the main app [1].
This app comes pre-installed on certain versions of Windows [2].
From a privacy perspective, it's worth noting that individual secondary tiles might track user behaviors or preferences, which could be a concern for some users.
The purpose of this script is to offer users the option to uninstall this feature if they wish to prioritize their privacy.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20231008120335/https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/secondary-tiles "Secondary tiles - Windows apps | Microsoft Learn"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.SecondaryTileExperience # Get-AppxPackage Microsoft.Windows.SecondaryTileExperience
publisherId: cw5n1h2txyewy
-
name: Remove "Take a Test" app
recommend: strict
docs: |-
This script uninstalls the "Take a Test" application, also known as "secure assessment browser" [1] [2] [3]. It is a feature in Windows primarily used for online testing
in schools [4]. The purpose of this app is to create a secure environment where students can't access external computer or internet resources while taking a test [4].
It restricts specific activities, like printing, taking screenshots, or opening other apps [4]. The software offers two usage modes: a basic secure mode and a more
stringent "kiosk mode" for vital assessments [4].
Educators and administrators have the flexibility to set various rules using this application [5]. For example, they can determine if the test allows screen monitoring,
if students can get keyboard text suggestions, or if a specific test should auto-launch when the app is started [5]. They can also control printing permissions and determine
which user accounts are permitted to take the test [5].
The app collects data such as the username of the person taking the test and information about the particular tests being taken [5].
This app comes pre-installed on certain versions of Windows [1] [2]. Its technical implementation can be found under the name `SecureAssessmentBrowser.exe` at
`C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe` [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20231008122256/https://strontic.github.io/xcyclopedia/library/SecureAssessmentBrowser.exe-9997A632135DFB0C53479401E17A7367.html "SecureAssessmentBrowser.exe | Take a Test | STRONTIC"
[4]: https://web.archive.org/web/20231008122321/https://learn.microsoft.com/en-us/education/windows/take-tests-in-windows "Take tests and assessments in Windows - Windows Education | Microsoft Learn"
[5]: https://web.archive.org/web/20231008122328/https://learn.microsoft.com/en-us/windows/client-management/mdm/secureassessment-csp "SecureAssessment CSP - Windows Client Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.Windows.SecureAssessmentBrowser # Get-AppxPackage Microsoft.Windows.SecureAssessmentBrowser
publisherId: cw5n1h2txyewy
-
name: Remove "Windows Feedback" app
recommend: standard
docs: |-
This script removes the "Windows Feedback" app.
Introduced in Windows 1511 (Windows 10 Fall Update) [1], this app allows users to share feedback with
Microsoft, primarily aimed at Windows Insider users [1].
This app comes pre-installed on certain versions of Windows [2].
Removing this app contributes to privacy by eliminating a channel through which user feedback and usage
data might be sent to Microsoft. It's particularly useful for users who prefer to minimize data sharing
with external parties.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20240101111454/https://blogs.windows.com/windows-insider/2015/08/27/windows-10-insider-preview-build-10532-for-pc/ "Windows 10 Insider Preview Build 10532 for PC | Windows Insider Blog | blogs.windows.com"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.WindowsFeedback # Get-AppxPackage Microsoft.WindowsFeedback
publisherId: cw5n1h2txyewy
-
name: Remove "Xbox Game Callable UI" app (breaks Xbox Live games)
recommend: strict
docs: |-
This script uninstalls the "Xbox Game Callable UI" (TCUI) app.
This app acts as an intermediary tool that games can use to bring up common UI elements on the Xbox platform [1].
These displays, consistent with the RS5 Gamebar style, offer functionalities such as profile viewing, game invite sending, people selection,
friend management, achievement viewing, user privilege checking, and navigation to game details, profile customization, user settings, and
storage management [1].
This app comes pre-installed on certain versions of Windows [2] [3].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20200827080253/https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview "Title-callable UI (TCUI) overview - Xbox Live | Microsoft Docs"
[2]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[3]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Microsoft.XboxGameCallableUI # Get-AppxPackage Microsoft.XboxGameCallableUI
publisherId: cw5n1h2txyewy
-
name: Remove "CBS Preview" app
recommend: standard
docs: |-
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Windows.CBSPreview # Get-AppxPackage Windows.CBSPreview
publisherId: cw5n1h2txyewy
-
name: Remove "Contact Support" app
docs: |-
This app comes pre-installed on certain versions of Windows [1].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ❌ |
| Windows 11 | 23H2 | ❌ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Windows.ContactSupport # Get-AppxPackage Windows.ContactSupport
publisherId: cw5n1h2txyewy
-
category: Remove printing user interface
docs: |- # refactor-with-variables: • Printing Caution
This category includes scripts that remove applications providing printing-related user interfaces.
These interfaces manage printing tasks from the desktop environment.
Both system and third-party applications use these interfaces.
Removing these apps benefits users who do not use physical printing or prefer alternative methods.
This can streamline system operations and enhance security by reducing the attack surface.
Additionally, removing these apps enhances your data privacy by preventing unauthorized printing of sensitive documents.
However, removing these essential printing interfaces can disrupt normal printing functions for dependent applications.
Users should assess whether these apps are essential to their workflow before removal.
Do not run these scripts if you rely on the operating system's printing functionality.
> **Caution:**
> This may significantly impair your ability to print.
children:
-
name: Remove "Print Queue" app (breaks printing)
docs: |- # refactor-with-variables: • Printing Caution
This script removes the "Print Queue" app [1] [2] [3],
also known as the *Print Queue Action Center* [1] [2] [3] [4] [5].
This app replaces the older print queue dialog with a modern user interface (UI) [3] [5].
It enables users to view and manage their print jobs, including pausing and resuming them [1] [2].
The app first appeared in an early version of Windows 11 (build 22567.1) [5].
It became fully functional in later updates (starting with build 22572.1) [3].
The Windows 11 22H2 update includes it for general users [6].
To determine if this app is essential for your workflow, launch it from the terminal using the following
command to explore its features before deciding on its removal [1] [2]:
```
explorer.exe shell:appsFolder\Microsoft.Windows.PrintQueueActionCenter_cw5n1h2txyewy!App
```
This app comes pre-installed on certain versions of Windows [4] [2] [5] [3] [6].
Uninstalling this app can improve system performance by reducing background processes.
> **Caution:**
> This may significantly impair your ability to print.
> Be cautious about removing this app if you rely on printing services.
> This app is essential for printing in Windows 11 [1].
> Switching back to older interfaces might not be possible [6].
### Overview of default preinstallation
| OS | Version | Existence |
| -- | ------- | --------- |
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ❌ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20240322115140/https://www.elevenforum.com/t/pause-and-resume-printing-in-windows-11.11913/ "Pause and Resume Printing in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[2]: https://web.archive.org/web/20240322115355/https://blogs.windows.com/windows-insider/2024/01/03/announcing-windows-11-insider-preview-build-26020-canary-channel/ "Announcing Windows 11 Insider Preview Build 26020 (Canary Channel) | Windows Insider Blog | blogs.windows.com"
[3]: https://web.archive.org/web/20240322115428/https://betawiki.net/wiki/Windows_11_build_22572.1 "Windows 11 build 22572.1 - BetaWiki | betawiki.net"
[4]: https://web.archive.org/web/20230610014325/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn | learn.microsoft.com"
[5]: https://web.archive.org/web/20240322115338/https://betawiki.net/wiki/Windows_11_build_22567.1 "Windows 11 build 22567.1 - BetaWiki | betawiki.net"
[6]: https://web.archive.org/web/20240322115646/https://answers.microsoft.com/en-us/windows/forum/all/windows-11-22h2-update-issue-with-printer-queue-in/52c8eb48-a9d1-41c7-9e97-616713bfab81 "Windows 11 22H2 Update Issue with Printer Queue in Lower right hand - Microsoft Community | answers.microsoft.com"
call:
function: UninstallNonRemovableStoreApp
parameters:
packageName: Microsoft.Windows.PrintQueueActionCenter # Get-AppxPackage Microsoft.Windows.PrintQueueActionCenter
publisherId: cw5n1h2txyewy
-
name: Remove "Print UI" app (breaks printing for some apps)
docs: |- # refactor-with-variables: • Printing Caution
This script removes the "Print UI" system application.
This app comes pre-installed on certain versions of Windows [1] [2].
First introduced in early development builds of Windows 10 [3] [4] [5], the "Print UI" app
is crucial for the native printing experience in Windows. When users click the Print button in
apps such as Photos or early versions of Edge browser (before Chromium), this UI is displayed [6] [7].
Since the release of Windows 11 22H2, Microsoft has replaced the legacy print dialog for all
classic apps (like Notepad and WordPad) with this newer interface [8].
To determine if this app is essential for your workflow, launch it from the terminal using the following
command to explore its features before deciding on its removal [3] [4] [5]:
```
explorer.exe shell:AppsFolder\Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog
```
The app is located at `C:\Windows\PrintDialog` [6] [7].
Removing it may enhance system performance and security by reducing unnecessary components and the attack surface.
It's safe to remove if you use applications that have their own printing dialogs or that directly request a
different user interface from the operating system.
However, applications like the Photos app, which depend on hard-coded calls to this UI, may lose printing
functionality if the app is removed [6] [7].
Therefore, it is advisable not to remove this app if you rely on such applications for printing.
> **Caution**:
> This may significantly impair your ability to print.
> Removing this application may disrupt the ability of other apps to initiate printing tasks.
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101233445/https://learn.microsoft.com/en-us/windows/application-management/system-apps-windows-client-os "Get the system apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://web.archive.org/web/20240515081857/https://betawiki.net/wiki/Windows_10_build_10041_(fbl_impressive) "Windows 10 build 10041 (fbl_impressive) - BetaWiki | betawiki.net"
[4]: https://archive.ph/2024.05.15-082810/https://thecollectionbook.info/windows/10/1432 "Microsoft Windows 10, 10.0.9909.0 - The Collection Book | thecollectionbook.info"
[5]: https://archive.ph/2024.05.15-082800/https://www.betaworld.cn/index.php?title=Windows_10:10.0.9909.0.fbl_awesome1501.141213-2119&mobileaction=toggle_view_desktop "Windows 10:10.0.9909.0.fbl_awesome1501.141213-2119 - BetaWorld 百科 | betaworld.cn"
[6]: https://web.archive.org/web/20240515081804/https://github.com/microsoft/microsoft-ui-xaml/issues/2669 "Faulting module name: Windows.UI.Xaml.dll, version: 10.0.18362.815 · Issue #2669 · microsoft/microsoft-ui-xaml | github.com"
[7]: https://web.archive.org/web/20240515081814/https://administrator.de/forum/drucken-aus-microsoft-windows-photos-funktioniert-nicht-3790564489.html "Drucken aus Microsoft.Windows.Photos funktioniert nicht - Administrator | administrator.de"
[8]: https://web.archive.org/web/20240515081823/https://www.winhelponline.com/blog/restore-legacy-print-dialog-windows-11/?expand_article=1 "Restore the Legacy Print Dialog in Windows 11 22H2 » Winhelponline | winhelponline.com"
call:
function: UninstallNonRemovableStoreAppWithCleanup
parameters:
packageName: Windows.PrintDialog # Get-AppxPackage Windows.PrintDialog
publisherId: cw5n1h2txyewy
-
category: Remove OneDrive
docs: |-
Microsoft OneDrive (formerly SkyDrive) is a file hosting service operated by Microsoft [1].
First launched in August 2007, it enables registered users to share and synchronize their files [1].
Data stored on OneDrive is subject to monitoring by Microsoft [2].
There have been reports of Microsoft accessing and altering your personal files when syncing on OneDrive [3] [4].
Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5].
[1]: https://en.wikipedia.org/wiki/OneDrive "OneDrive | Wikipedia"
[2]: https://en.wikipedia.org/w/index.php?title=OneDrive&oldid=1111615560#Privacy_concerns "OneDrive | Privacy concerns | Wikipedia"
[3]: https://web.archive.org/web/20191002180755/https://www.intralinks.com/blog/2014/04/microsoft-onedrive-business-can-alter-files-syncs "Microsoft OneDrive for Business can Alter Your Files as It Syncs | Intralinks"
[4]: https://thehackernews.com/2014/04/microsoft-onedrive-secretly-modifies.html "Microsoft OneDrive Secretly Modifies your BackUp Files | thehackernews.com"
[5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
children:
-
name: Kill OneDrive process
recommend: strict
docs: |-
This script stops the execution of OneDrive.
The main OneDrive process is `OneDrive.exe`, and it is installed in `<local-app-data>\Microsoft\OneDrive\OneDrive.exe` [1] [2] [3] [4].
[1]: https://web.archive.org/web/20231206192439/https://answers.microsoft.com/en-us/windows/forum/all/onedrive-wont-sync-and-wont-uninstall-so-i-can-re/6182d0a5-e7ea-46bb-a058-c0a4fd5e299a "Onedrive wont sync and wont uninstall so I can re-install the latest - Microsoft Community | answers.microsoft.com"
[2]: https://web.archive.org/web/20231206211723/https://social.technet.microsoft.com/Forums/scriptcenter/en-US/9bd33f03-62dd-4c4f-9d29-970c1016f2f9/better-onedrive-detection-method?forum=configmanagerapps "Better OneDrive detection method | social.technet.microsoft.com"
[3]: https://web.archive.org/web/20231206212821/https://social.msdn.microsoft.com/Forums/en-US/072e3577-d0ff-4950-9e0b-40b037853881/starting-and-stopping-sharepoint-library-sync-with-onedrive "Starting and stopping SharePoint library sync with OneDrive | social.msdn.microsoft.com"
[4]: https://web.archive.org/web/20240314124031/https://learn.microsoft.com/en-us/answers/questions/473995/onedrive-was-previously-disabled-and-now-i-cant-en "OneDrive was previously disabled and now I can't enable it with GPO - Microsoft Q&A | learn.microsoft.com"
call:
function: TerminateRunningProcess
parameters:
executableNameWithExtension: OneDrive.exe
revertExecutablePath: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe'
revertExecutableArgs: /background
-
name: Remove OneDrive from startup
recommend: strict
docs: |-
OneDrive starts on every boot in both Windows 10 and 11 by default.
It's started through the `OneDrive` `REG_SZ` entry in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` [1].
It is found on both Windows 10 (since 21H2, missing in 20H2) and Windows 11 (since 23H2).
The startup command is `"<local-app-data>\Microsoft\OneDrive\OneDrive.exe" /background` [1].
[1]: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/start-onedrive-when-using-a-remoteapp-in-wvd/m-p/899331 "Re: Start OneDrive when using a RemoteApp in WVD - Page 2 - Microsoft Tech Community | techcommunity.microsoft.com"
call:
function: DeleteRegistryValue
parameters:
keyPath: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
valueName: 'OneDrive'
# Check : Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDrive'
# Windows 10 (≥ 21H2) : "C:\Users\undergroundwires\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background (REG_SZ)
# Windows 11 (≥ 23H2) : "C:\Users\undergroundwires\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background (REG_SZ)
dataTypeOnRevert: REG_SZ
dataOnRevert: '"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe" /background'
-
name: Remove OneDrive through official installer
docs: |-
This script calls the official Microsoft uninstaller, which uninstalls the application but leaves residual files behind.
You won't lose data by uninstalling OneDrive from your computer because it remains stored in the cloud [1].
Running the OneDrive client setup package (`OneDriveSetup.exe`) with the `/uninstall` command line switch uninstalls OneDrive [2] [3].
On Windows 10, the setup package is found in different folders (`System32` or `SysWOW64`) based on the CPU architecture [4].
On Windows 11, the setup package is always inside `System32` regardless of the CPU architecture.
Uninstalling OneDrive is recommended by Microsoft to optimize Windows VDIs [5].
[1]: https://support.microsoft.com/en-us/office/turn-off-disable-or-uninstall-onedrive-f32a17ce-3336-40fe-9c38-6efb09f944b0 "Turn off, disable, or uninstall OneDrive | support.microsoft.com"
[2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016#method-2-uninstall-onedriveexe "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn"
[3]: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/lists-and-libraries/cannot-open-onedrive-on-images-using-sysprep#how-to-correctly-deploy-onedrive-via-sysprep "Can't open OneDrive on images using Sysprep - SharePoint | Microsoft Learn"
[4]: https://web.archive.org/web/20231206192414/https://answers.microsoft.com/en-us/windows/forum/all/onedrive-on-windows-11-does-not-appear-in-file/250c679b-9d02-410f-8c8f-41cca112ccfa "OneDrive on Windows 11 - Does Not Appear in File Explorer - Microsoft Community | answers.microsoft.com"
[5]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
recommend: strict
code: |-
if exist "%SYSTEMROOT%\System32\OneDriveSetup.exe" (
"%SYSTEMROOT%\System32\OneDriveSetup.exe" /uninstall
) else (
if exist "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" (
"%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" /uninstall
) else (
echo Failed to uninstall, uninstaller could not be found. 1>&2
)
)
revertCode: |-
if exist "%SYSTEMROOT%\System32\OneDriveSetup.exe" (
"%SYSTEMROOT%\System32\OneDriveSetup.exe" /silent
) else (
if exist "%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" (
"%SYSTEMROOT%\SysWOW64\OneDriveSetup.exe" /silent
) else (
echo Failed to install, installer could not be found. 1>&2
)
)
-
name: Remove OneDrive user data and synced folders
recommend: strict
docs: |-
This script deletes the OneDrive directory and all stored data from your profile.
OneDrive usually saves your data in the `%USERPROFILE%\OneDrive` directory [1] [2], also known as the *OneDrive folder*
or *OneDrive root directory* [2].
By default, OneDrive stores user data in a folder called *OneDrive* [1].
For multiple accounts, files may be in *OneDrive - Personal* or *OneDrive - CompanyName* folders [1] [3].
OneDrive can synchronize default Windows folders like *Documents*, *Pictures*, *Music*, and *Desktop* [4] [5] [6] [7].
These folders are known as *user shell folders* [6] or *Windows system folders* [7].
Upon synchronization, these folders are moved within the OneDrive user data directory [5] [8].
Users may enable this synchronization unknowingly during Windows setup by choosing the *Save files to OneDrive* option [9] [10].
Alternatively, synchronization can be enabled later through OneDrive settings [4]. OneDrive
may also prompt users to *set up protection of important folders* [11], a feature also referred to as *protect your folders* or *Known
Folder Move (KFM)* [11]. Additionally, an organization may move files of their managed computers to OneDrive using methods such as the
*Windows Folder Redirection Group Policy* [8].
This script contains safeguards to protect against unintended consequences:
1. **System Integrity Protection**:
The script verifies if any user shell folders are linked to the OneDrive directory.
This is crucial as redirecting these folders to OneDrive can cause system integrity issues.
For instance, if the *Desktop* folder is redirected to OneDrive, deleting the OneDrive folder could make the *Desktop* inaccessible.
The script stops and warns if any user shell folders are found within OneDrive.
> 💡 Move these folders back to their original locations using the
> `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` registry key [6] before proceeding.
2. **Data Loss Prevention**:
The script avoids deleting files or non-empty directories to prevent accidental data loss.
> 💡 Manually empty these directories before running the script or opt to delete them afterward if needed.
The OneDrive folder has been confirmed to exist in modern versions of Windows, tested since Windows 11 (since 22H2)
and Windows 10 (since 22H2).
[1]: https://web.archive.org/web/20231025220524/https://support.microsoft.com/en-us/office/sync-onedrive-files-and-folders-3b8246e0-cc3c-4ae7-b4e1-4b4b37d27f68 "Sync OneDrive files and folders - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20220812205500/https://admx.help/?Category=OneDrive&Policy=Microsoft.Policies.OneDriveNGSC::DefaultRootDir "Set the default location for the OneDrive folder | admx.help"
[3]: https://web.archive.org/web/20231025220530/https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com"
[4]: https://web.archive.org/web/20231025220541/https://support.microsoft.com/en-us/office/choose-which-onedrive-folders-to-sync-to-your-computer-98b8b011-8b94-419b-aa95-a14ff2415e85 "Choose which OneDrive folders to sync to your computer - Microsoft Support | support.microsoft.com"
[5]: https://web.archive.org/web/20240317200014/https://support.microsoft.com/en-us/office/back-up-your-folders-with-onedrive-d61a7930-a6fb-4b95-b28a-6552e77c3057 "Back up your folders with OneDrive - Microsoft Support | support.microsoft.com"
[6]: https://web.archive.org/web/20231025220843/https://support.microsoft.com/en-us/topic/how-to-redirect-user-shell-folders-to-a-specified-path-by-using-profile-maker-ed6289ae-1f9c-b874-4e8c-20d23ea65b2e "How to redirect user shell folders to a specified path by using Profile Maker - Microsoft Support | support.microsoft.com"
[7]: https://web.archive.org/web/20231025220733/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide#windows-system-folders-are-protected-by-default "Protect important folders from ransomware from encrypting your files with controlled folder access | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20231025220852/https://learn.microsoft.com/en-us/sharepoint/redirect-known-folders "Redirect and move Windows known folders to OneDrive - SharePoint in Microsoft 365 | Microsoft Learn | learn.microsoft.com"
[9]: https://web.archive.org/web/20231025220728/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe-in-windows-11 "Customize the Out of Box experience (OOBE) | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20231025220741/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe "Customize OOBE | Microsoft Learn | learn.microsoft.com"
[11]: https://web.archive.org/web/20231025220711/https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/migrate-your-files-to-onedrive-easily-with-known-folder-move/ba-p/207076 "Migrate Your Files to OneDrive Easily with Known Folder Move - Microsoft Community Hub | techcommunity.microsoft.com"
call:
function: DeleteDirectory
parameters:
directoryGlob: '%USERPROFILE%\OneDrive*'
# System Integrity Guard: Verifying user shell folders
# This section checks if any user shell folders are set to the OneDrive directory.
# It ensures the system's integrity by verifying the registry path and entries for user shell folders.
# If any user shell folder is found in OneDrive, a warning is issued, and the script stops to avoid system disruptions.
beforeIteration: |-
$oneDriveUserFolderPattern = [System.Environment]::ExpandEnvironmentVariables('%USERPROFILE%\OneDrive') + '*'
while ($true) { # Loop to control the execution of the subsequent code
try {
$userShellFoldersRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
if (-not (Test-Path $userShellFoldersRegistryPath)) {
Write-Output "Skipping verification: The registry path for user shell folders is missing: `"$userShellFoldersRegistryPath`""
break;
}
$userShellFoldersRegistryKeys = Get-ItemProperty -Path $userShellFoldersRegistryPath
$userShellFoldersEntries = @($userShellFoldersRegistryKeys.PSObject.Properties)
if ($userShellFoldersEntries.Count -eq 0) {
Write-Warning "Skipping verification: No entries found for user shell folders in the registry: `"$userShellFoldersRegistryPath`""
break;
}
Write-Output "Initiating verification: Checking if any of the $($userShellFoldersEntries.Count) user shell folders point to the OneDrive user folder pattern ($oneDriveUserFolderPattern)."
$userShellFoldersInOneDrive = @()
foreach ($registryEntry in $userShellFoldersEntries) {
$userShellFolderName = $registryEntry.Name
$userShellFolderPath = $registryEntry.Value
if (!$userShellFolderPath) {
Write-Output "Skipping: The user shell folder `"$userShellFolderName`" does not have a defined path."
continue
}
$expandedUserShellFolderPath = [System.Environment]::ExpandEnvironmentVariables($userShellFolderPath)
if(-not ($expandedUserShellFolderPath -like $oneDriveUserFolderPattern)) {
continue
}
$userShellFoldersInOneDrive += [PSCustomObject]@{ Name = $userShellFolderName; Path = $expandedUserShellFolderPath }
}
if ($userShellFoldersInOneDrive.Count -gt 0) {
$warningMessage = 'To keep your computer running smoothly, OneDrive user folder will not be deleted.'
$warningMessage += "`nIt's being used by the OS as a user shell directory for the following folders:"
$userShellFoldersInOneDrive.ForEach({
$warningMessage += "`n- $($_.Name): $($_.Path)"
})
Write-Warning $warningMessage
exit 0
}
Write-Output "Successfully verified that none of the $($userShellFoldersEntries.Count) user shell folders point to the OneDrive user folder pattern."
break;
} catch {
Write-Warning "An error occurred during verification of user shell folders. Skipping to prevent potential issues. Error: $($_.Exception.Message)"
exit 0
}
}
# Data Loss Prevention Guard: Checking directory contents
# This guard ensures that no file or non-empty directory is accidentally deleted.
# It checks each path; if it's a file or a non-empty directory, the script skips deletion for that path.
# This step is designed to prevent unintended data loss during script execution.
duringIteration: |-
try {
if (Test-Path -Path $path -PathType Leaf) {
Write-Warning "Retaining file `"$path`" to safeguard your data."
continue;
} elseif (Test-Path -Path $path -PathType Container) {
if ((Get-ChildItem "$path" -Recurse | Measure-Object).Count -gt 0) {
Write-Warning "Preserving non-empty folder `"$path`" to protect your files."
continue;
}
}
} catch {
Write-Warning "An error occurred while processing `"$path`". Skipping to protect your data. Error: $($_.Exception.Message)"
continue;
}
-
name: Remove OneDrive installation files and cache
recommend: strict
docs: |-
This script removes OneDrive installation directories, application data, temporary files, and cache.
Identified by the community and confirmed through testing, these folders include:
- `C:\OneDriveTemp`: A location for temporary cache files [1] [3].
- `C:\ProgramData\Microsoft OneDrive` [2]: Stores data used in setting up OneDrive [2] [3].
- `C:\Users\<username>\AppData\Local\Microsoft\OneDrive`: OneDrive installation directory [2] [3] [4].
| Directory | Windows 11 (since 22H2) | Windows 10 (since 22H2) |
| --------- |:-----------------------:|:-----------------------:|
| `%SYSTEMDRIVE%\OneDriveTemp` | ❌ Missing | ❌ Missing |
| `%PROGRAMDATA%\Microsoft OneDrive` | ✅ Exists | ✅ Exists |
| `%LOCALAPPDATA%\Microsoft\OneDrive` | ✅ Exists | ✅ Exists |
[1]: https://web.archive.org/web/20231206213533/https://social.microsoft.com/Forums/en-US/53263a51-856f-4e64-bc0e-a689d4cc5a8b/release-notes-for-1907-build-29711727413?forum=FSLogix "Release Notes for 1907 - build 2.9.7117.27413 | social.microsoft.com"
[2]: https://web.archive.org/web/20231231134443/https://techcommunity.microsoft.com/t5/sharepoint/onedrive-setup-fails-to-complete/m-p/2072446 "OneDrive setup fails to complete - Microsoft Tech Community"
[3]: https://web.archive.org/web/20231231134548/https://answers.microsoft.com/en-us/msoffice/forum/all/why-does-onedrive-act-as-ransomware/288e5940-b92b-493c-91ff-dafd26279bee "Why does OneDrive act as Ransomware? - Microsoft Community"
[4]: https://web.archive.org/web/20231231134612/https://learn.microsoft.com/en-us/sharepoint/install/configure-syncing-with-the-onedrive-sync-app "Configure syncing with the new OneDrive sync app - SharePoint Server | Microsoft Learn | learn.microsoft.com"
call:
-
function: DeleteDirectory
parameters:
directoryGlob: '%LOCALAPPDATA%\Microsoft\OneDrive'
grantPermissions: 'true'
-
function: DeleteDirectory
parameters:
directoryGlob: '%PROGRAMDATA%\Microsoft OneDrive'
-
function: DeleteDirectory
parameters:
directoryGlob: '%SYSTEMDRIVE%\OneDriveTemp'
-
name: Remove OneDrive shortcuts
recommend: strict
docs: |-
This script ensures the removal of all OneDrive shortcuts from your system, even after uninstallation or cleanup.
Erasing these shortcuts improves the security and privacy of your computer system, lessening the potential access points for
unwanted entities.
Moreover, the removal of unused shortcuts results in a more organized and efficient system, enhancing your user experience by
preventing any confusion from dead shortcuts.
Shortcuts that link to OneDrive are stored in various locations, such as:
- `Start Menu\Programs\Microsoft OneDrive.lnk`, `Start Menu\Programs\OneDrive.lnk`, `Links\OneDrive.lnk` [1],
- `ServiceProfiles\LocalService` and `ServiceProfiles\NetworkService` [1]
Below are the tested shortcut file locations on default installation (since Windows 10 22H2 and Windows 11 22H2):
| Path | Windows 11 | Windows 10 |
| ---- |:----------:|:----------:|
| `%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ✅ Exists | ✅ Exists |
| `%USERPROFILE%\Links\OneDrive.lnk` | ❌ Missing | ❌ Missing |
| `%WINDIR%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | ✅ Exists |
| `%WINDIR%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk` | ❌ Missing | ✅ Exists |
In Windows 10 and higher, additional steps are necessary to delete the OneDrive icon from the navigation pane in Windows
Explorer [2]; this script performs these steps as well.
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
[2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016 "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn"
call:
-
function: RemoveShortcutFiles
parameters:
targetFile: '%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe'
shortcutItems: |-
@{ Revert = $True; Path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
@{ Revert = $False; Path = "$env:USERPROFILE\Links\OneDrive.lnk"; }
@{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
@{ Revert = $False; Path = "$env:WINDIR\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"; }
-
function: RunPowerShell
parameters:
code: |-
Set-Location "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"
Get-ChildItem | ForEach-Object {Get-ItemProperty $_.pspath} | ForEach-Object {
$leftnavNodeName = $_."(default)";
if (($leftnavNodeName -eq "OneDrive") -Or ($leftnavNodeName -eq "OneDrive - Personal")) {
if (Test-Path $_.pspath) {
Write-Host "Deleting $($_.pspath)."
Remove-Item $_.pspath;
}
}
}
-
name: Disable OneDrive usage
recommend: strict
docs: |-
This script prevents [1]:
- Keeping OneDrive files in sync with the cloud.
- Users from automatically uploading photos and videos from the camera roll folder.
- Users from accessing OneDrive from the OneDrive app and file picker.
- Windows Store apps from accessing OneDrive using the WinRT API.
- OneDrive from appearing in the navigation pane in File Explorer.
Setting `DisableFileSyncNGSC` group policy prevents OneDrive from working on both Windows 10 and 11 [1] [2].
Windows 8 uses the older `DisableFileSync` key [3].
These policies do not exist by default in clean installations.
[1]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSync "Prevent the usage of OneDrive for file storage | admx.help"
[2]: https://support.microsoft.com/en-us/office/onedrive-won-t-start-0c158fa6-0cd8-4373-98c8-9179e24f10f2 "OneDrive won't start | support.microsoft.com"
[3]: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.OneDrive::PreventOnedriveFileSyncForBlue "Prevent the usage of OneDrive for file storage on Windows 8.1 | admx.help"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive
valueName: DisableFileSyncNGSC
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive
valueName: DisableFileSync
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2
-
name: Disable automatic OneDrive installation
recommend: standard # Microsoft-recommended, low impact, only for Win10 1909
docs: |-
This script prevents OneDrive from automatically reinstalling itself.
OneDrive, Microsoft's cloud storage service, can automatically reinstall itself after being
uninstalled on older Windows 10 versions [1].
This is done through a startup entry that runs `OneDriveSetup.exe`, which silently installs
OneDrive [2] when a user logs in [3].
The script enhances privacy by stopping OneDrive from reinstalling without user consent.
This prevents unwanted data collection and synchronization.
It also boosts system performance by preventing an unnecessary application from running
and using system resources.
Microsoft recommends this method for optimizing Windows [1].
This script deletes the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run!OneDriveSetup`
registry key [1].
It specifically targets Windows 10 version 1909.
Modern versions of Windows 10 (20H2 and later) and Windows 11 do not have this automatic
reinstallation feature.
[1]: https://web.archive.org/web/20231002162808/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds_vdi-recommendations-1909#remove-onedrive-components "Optimizing Windows 10, version 1909, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn"
[2]: https://web.archive.org/web/20231002162805/https://learn.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive-from-being-advertised-after-install-office-2016 "How to block OneDrive.exe from being advertised after you install Office 2016 - SharePoint | Microsoft Learn"
[3]: https://web.archive.org/web/20240803130719/https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys "Run and RunOnce Registry Keys - Win32 apps | Microsoft Learn | learn.microsoft.com"
call:
function: DeleteRegistryValue
parameters:
keyPath: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
valueName: OneDriveSetup
# Default values:
# Check : Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'OneDriveSetup'
# Windows 10 Pro (≤ 1902) : 🔴 Missing
# Windows 10 Pro (1909) : 🟢 Present
# Windows 10 Pro (2004) : 🟡 Not tested
# Windows 10 Pro (≥ 20H2) : 🔴 Missing
# Windows 11 Pro (≥ 23H2) : 🔴 Missing
evaluateDataAsPowerShell: 'true'
dataOnRevert: > # Multilines are not supported
if ([Environment]::Is64BitOperatingSystem) {
"$env:SYSTEMROOT\SysWOW64\OneDriveSetup.exe /silent"
} else {
"$env:SYSTEMROOT\System32\OneDriveSetup.exe /silent"
}
dataTypeOnRevert: REG_SZ
minimumWindowsVersion: Windows10-1909
maximumWindowsVersion: Windows10-1909
-
name: Remove OneDrive folder from File Explorer
recommend: strict
docs: |-
File Explorer shows OneDrive to allow you to access files stored in OneDrive (stored online and locally cached) [1].
[CLSID](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm) for OneDrive is `018D5C66-4533-4307-9B53-224DE2ED1FE6` [2] for
both Windows 10 and 11. Changing the pinning option for this key removes OneDrive from the navigation pane in File Explorer [2].
After a clean installation, this CLSID has the `System.IsPinnedToNameSpaceTree` value set to `1` in both Windows 10 and Windows 11.
[1]: https://web.archive.org/web/20231025220530/https://support.microsoft.com/en-us/office/sync-files-with-onedrive-in-windows-615391c4-2bd3-4aae-a42a-858262e42a49 "Sync files with OneDrive in Windows | support.microsoft.com"
[2]: https://web.archive.org/web/20240322101857/https://answers.microsoft.com/en-us/windows/forum/all/remove-onedrive-from-file-explorer-navigation-pane/38ac7524-2b35-4ffc-baab-40ad61dc5d79 "Remove OneDrive from File Explorer navigation pane - Microsoft Community | answers.microsoft.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
valueName: System.IsPinnedToNameSpaceTree
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
valueName: System.IsPinnedToNameSpaceTree
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
name: Disable OneDrive scheduled tasks
recommend: strict
docs: |-
This script disables the scheduled tasks associated with Microsoft OneDrive that typically
run maintenance activities such as auto-updates [1] [2] [3] and data collection [2].
Disabling these tasks impacts OneDrive's automatic background update process [1] [2] [3].
By default, Windows 10 (since 22H2) and Windows 11 (since 22H2) include the following tasks:
- `OneDrive Standalone Update Task` [1] [2] [3]
- `OneDrive Reporting Task` [1]
These tasks are enabled by default and lack official documentation from Microsoft. They can be identified
by executing `Get-ScheduledTask 'OneDrive *' | Select -ExpandProperty TaskName` in PowerShell.
These tasks are observed to persist even after OneDrive is uninstalled.
The tasks appear with a Security Identifier (SID) unique to each installation [1], following this pattern:
- `OneDrive Reporting Task-S-1-5-21-xxxxxx`
- `OneDrive Standalone Update Task-S-1-5-21-xxxxxx`
The SID, denoted by 'xxxxxx', varies per installation and represents the user account associated with the task.
SIDs of user accounts always start with `S-1-5-21` [4]; the rest of the number changes per user.
To see all user SIDs, you can run `wmic useraccount get Name,sid`.
The SID for your account can be confirmed using `whoami /user`.
A SID which doesn't correspond to any user account may appear.
This is due to system preparation processes (`sysprep`) that use different SIDs for tasks to prevent duplication [5].
Disabling tasks with standard user SIDs is straightforward, but attempting to disable tasks with unpredictable SIDs can
result in an error message: `Catastrophic failure (Exception from HRESULT: 0x80000FFF (E_UNEXPECTED))`.
Nonetheless, disabling tasks with the correct SID is achievable using the provided script, which locates the full task names
including the SIDs.
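The SID suffix handling described above can be checked with the following added example, which is not part of the privacy.sexy collection. It splits each task name into its base name and SID, resolves the SID to an account, and marks SIDs that resolve to no account. The function name `Get-OneDriveTaskSidInfo` and the sample task names are assumptions constructed for illustration:

```powershell
# Added example: the function name and the sample data are constructed for illustration.
function Get-OneDriveTaskSidInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $TaskName
    )
    foreach ($name in $TaskName) {
        # Per-user tasks end with "-<SID>"; user account SIDs start with S-1-5-21.
        if ($name -match '^(?<Base>OneDrive .+?)-(?<Sid>S-1-5-21(?:-\d+)+)$') {
            $base = $Matches['Base']
            $sid = $Matches['Sid']
            try {
                $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Translate() throws when the SID cannot be resolved to an account.
                $account = $null
            }
            [PSCustomObject]@{
                BaseName = $base
                Sid      = $sid
                Account  = $account
                Orphaned = ($null -eq $account)
            }
        } else {
            # Task without a SID suffix, such as "OneDrive Per-Machine Standalone Update".
            [PSCustomObject]@{
                BaseName = $name
                Sid      = $null
                Account  = $null
                Orphaned = $false
            }
        }
    }
}

# Constructed sample names; the SID is made up and resolves to no account.
$sampleNames = @(
    'OneDrive Reporting Task-S-1-5-21-1111111111-2222222222-3333333333-1001',
    'OneDrive Standalone Update Task-S-1-5-21-1111111111-2222222222-3333333333-1001',
    'OneDrive Per-Machine Standalone Update'
)
Get-OneDriveTaskSidInfo -TaskName $sampleNames | Format-Table -AutoSize

# Live check on the current machine: task state next to the account behind each SID.
$liveTasks = @(Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive *' -ErrorAction SilentlyContinue)
$rows = foreach ($task in $liveTasks) {
    $info = Get-OneDriveTaskSidInfo -TaskName $task.TaskName
    [PSCustomObject]@{
        TaskName = $task.TaskName
        State    = $task.State
        Account  = $info.Account
        Orphaned = $info.Orphaned
    }
}
$rows | Format-Table -AutoSize
```

After the tasks are disabled, the `State` column of the live check should read `Disabled` for every listed task.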
If OneDrive is installed for all users on a machine (which is not the default behavior [6]), an additional task is present:
- `OneDrive Per-Machine Standalone Update` [1] [7].
Disabling the `OneDrive Standalone Update Task` is recommended by Microsoft to improve system performance and reduce
unnecessary data collection [2].
### Overview of default task statuses
`\OneDrive Reporting Task-$SID`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
`\OneDrive Standalone Update Task-$SID`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟢 Ready |
| Windows 11 22H2 | 🟢 Ready |
`\OneDrive Per-Machine Standalone Update`:
| OS Version | Default status |
| ---------------- | -------------- |
| Windows 10 22H2 | 🟡 N/A (missing) |
| Windows 11 22H2 | 🟡 N/A (missing) |
[1]: https://web.archive.org/web/20231104142218/https://docs.fra.me/blog/2023/08/04/application-optimizations-microsoft-onedrive/#scheduled-tasks "Application Optimization Essentials: Microsoft OneDrive | Frame Platform Documentation | docs.fra.me"
[2]: https://web.archive.org/web/20231104142209/https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803 "Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20231104142301/http://windows.fyicenter.com/5623_OneDrive_Standalone_Update_Task-S-1-_Scheduled_Task_on_Windows_7.html '"OneDrive Standalone Update Task-S-1-..." Scheduled Task on Windows 7 | windows.fyicenter.com'
[4]: https://web.archive.org/web/20231104133125/https://renenyffenegger.ch/notes/Windows/security/SID/index "Windows security identifiers (SID) | renenyffenegger.ch"
[5]: https://en.wikipedia.org/w/index.php?title=Windows_Task_Scheduler&oldid=1086196699#Bugs "Windows Task Scheduler - Wikipedia | wikipedia.org"
[6]: https://web.archive.org/web/20231104142412/https://learn.microsoft.com/en-us/sharepoint/per-machine-installation "Install the sync app per-machine (Windows) - SharePoint in Microsoft 365 | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20231104142343/https://docs.citrix.com/en-us/tech-zone/build/deployment-guides/microsoft-365-citrix.html "Deployment Guide: Microsoft 365 with Citrix Virtual Apps and Desktops | docs.citrix.com"
call:
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Reporting Task-*'
taskPathPattern: \
taskNamePattern: OneDrive Reporting Task-*
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Standalone Update Task-*'
taskPathPattern: \
taskNamePattern: OneDrive Standalone Update Task-*
-
function: DisableScheduledTask
parameters:
# Check: Get-ScheduledTask -TaskPath '\' -TaskName 'OneDrive Per-Machine Standalone Update'
taskPathPattern: \
taskNamePattern: OneDrive Per-Machine Standalone Update
-
name: Clear OneDrive environment variable
recommend: strict
docs: |-
Starting with Windows 10 1809, Microsoft introduced the `%ONEDRIVE%` environment variable to
reach OneDrive through an alias [1]. This variable is redundant when OneDrive is
undesired.
This script deletes the `OneDrive` environment variable [2].
The `OneDrive` value at `HKCU\Environment` is found on both Windows 10
(since 21H2, missing in 20H2) and Windows 11 (since 23H2).
[1]: https://web.archive.org/web/20240314091504/https://superuser.com/questions/1336521/determine-onedrive-synchronisation-folders/1397495#1397495 "Determine OneDrive synchronisation folders - Super User | superuser.com"
[2]: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch "Export registry value to file and then set a variable in Batch - Stack Overflow | stackoverflow.com"
call:
function: DeleteRegistryValue
parameters:
keyPath: 'HKCU\Environment'
valueName: 'OneDrive'
# Check : Get-ItemProperty -Path 'HKCU:\Environment' -Name 'OneDrive'
# Windows 10 (≥ 21H2) : "C:\Users\undergroundwires\OneDrive" (REG_EXPAND_SZ)
# Windows 11 (≥ 23H2) : "C:\Users\undergroundwires\OneDrive" (REG_EXPAND_SZ)
dataTypeOnRevert: REG_EXPAND_SZ
dataOnRevert: '%USERPROFILE%\OneDrive'
-
category: Remove Edge
docs: |-
This category automates the uninstallation of Microsoft Edge (also known as "Chromium Edge" or "New Edge" [1]), the web browser that comes
pre-installed with many versions of Windows.
Microsoft Edge collects various types of data, some of which pertain to your browsing habits, such as the websites you visit, your search
queries, and the data you enter into forms [2]. Additionally, it tracks usage metrics and diagnostic data about your device and
how the browser is functioning [2]. These pieces of information could be used for targeted advertising or profiling. Removing Microsoft
Edge ensures that it is not silently accumulating this data in the background, thereby improving your overall privacy.
By default, Microsoft Edge does not allow uninstallation, and Microsoft has officially declared that Edge cannot be uninstalled on Windows [3].
[1]: https://en.wikipedia.org/w/index.php?title=Microsoft_Edge&oldid=1174053020#New_Edge_(2019%E2%80%93present) "Microsoft Edge - Wikipedia"
[2]: https://web.archive.org/web/20230907002709/https://support.microsoft.com/en-us/microsoft-edge/learn-more-about-diagnostic-data-collection-in-microsoft-edge-7fcee15b-39f7-ba02-bc59-9eef622c1a9f "Learn more about diagnostic data collection in Microsoft Edge - Microsoft Support"
[3]: https://web.archive.org/web/20230907002011/https://support.microsoft.com/en-us/microsoft-edge/why-can-t-i-uninstall-microsoft-edge-ee150b3b-7d7a-9984-6d83-eb36683d526d "Why can't I uninstall Microsoft Edge? - Microsoft Support"
children:
-
name: Remove Edge through official installer
docs: |-
This script uninstalls Microsoft Edge using the official installer.
This script reliably uninstalls Microsoft Edge, even when direct removal is restricted by system settings.
1. **Enable Uninstallation**:
The script modifies a registry key to permit the uninstallation of Microsoft Edge.
This step is required because from version 116 onwards, Edge cannot be uninstalled without setting this registry key [1].
2. **Mark Microsoft Edge (Legacy) as Installed**:
It creates a placeholder file to simulate the presence of Microsoft Edge (Legacy).
This is necessary as the newer versions of the Edge installer check for Legacy Edge before allowing uninstallation [2].
3. **Run Uninstaller:**
The script finds and runs the Microsoft Edge installer (`setup.exe`) for each version of the browser installed on the system.
This guarantees the complete removal of all Microsoft Edge versions from the system [1].
**Note:** This script uses methods not officially documented but confirmed effective by community testing and support.
[1]: https://web.archive.org/web/20240809110743/https://github.com/undergroundwires/privacy.sexy/issues/236 "[BUG]: Edge Browser uninstall process no longer works · Issue #236 · undergroundwires/privacy.sexy | github.com"
[2]: https://archive.ph/2024.06.21-133037/https://github.com/undergroundwires/privacy.sexy/issues/309 "[BUG]: Microsoft Edge still alive after removal · Issue #309 · undergroundwires/privacy.sexy"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdateDev
valueName: AllowUninstall
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing key since Windows 10 21H2, Windows 11 21H2
-
function: CreatePlaceholderFile
parameters:
placeholderFilePath: '%SYSTEMROOT%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe'
-
function: RunPowerShell
parameters:
codeComment: Uninstall by running the official uninstaller
code: |-
$installers = (Get-ChildItem "$($env:ProgramFiles)*\Microsoft\Edge\Application\*\Installer\setup.exe")
if (!$installers) {
Write-Host 'Installer not found. Microsoft Edge may already be uninstalled.'
} else {
foreach ($installer in $installers) {
$uninstallerPath = $installer.FullName
if (-Not (Test-Path "$uninstallerPath")) {
Write-Host "Installer not found at `"$uninstallerPath`". Microsoft Edge may already be uninstalled."
continue
}
$installerArguments = @("--uninstall", "--system-level", "--verbose-logging", "--force-uninstall")
Write-Output "Uninstalling through uninstaller: $uninstallerPath"
$process = Start-Process -FilePath "$uninstallerPath" -ArgumentList $installerArguments -Wait -PassThru
if ($process.ExitCode -eq 0 -or $process.ExitCode -eq 19) {
Write-Host "Successfully uninstalled Edge."
} else {
Write-Error "Failed to uninstall, uninstaller failed with exit code $($process.ExitCode)."
}
}
}
revertCodeComment: Download and run the official installer
revertCode: |-
$edgeExePath = Get-ChildItem -Path "$($env:ProgramFiles)*\Microsoft\Edge\Application" -Filter 'msedge.exe' -Recurse
if ($edgeExePath) {
Write-Host 'Microsoft Edge is already installed. Skipping reinstallation.'
Exit 0
}
Write-Host 'Downloading Microsoft Edge...'
$edgeInstallerUrl = 'https://c2rsetup.officeapps.live.com/c2r/downloadEdge.aspx?platform=Default&Channel=Stable&language=en'
$downloadPath = "$($env:TEMP)\MicrosoftEdgeSetup.exe"
Invoke-WebRequest -Uri "$edgeInstallerUrl" -OutFile "$downloadPath"
$installerArguments = @('/install', '/silent')
Write-Host 'Installing Microsoft Edge...'
$process = Start-Process -FilePath "$downloadPath" -ArgumentList "$installerArguments" -Wait -PassThru
Remove-Item -Path $downloadPath -Force
if ($process.ExitCode -eq 0) {
Write-Host 'Successfully reinstalled Microsoft Edge.'
} else {
Write-Error "Failed to reinstall Microsoft Edge. Installer failed with exit code $($process.ExitCode)."
}
-
category: Remove Edge associations
docs: |-
This category removes Microsoft Edge browser associations from your Windows system,
enhancing privacy and system control.
These associations often remain after uninstalling Edge, potentially leading to unexpected behaviors and privacy concerns [1].
Removing these associations will:
- Prevent Edge from automatically handling various file types and web protocols
- Reduce potential data collection and tracking via Microsoft Edge
- Eliminate leftover settings that may cause system instability after uninstalling Edge [1]
- Potentially improve system performance by removing unnecessary file and protocol handlers
This category is recommended if you've decided not to use Edge or have uninstalled it.
This gives you full control over which applications handle your files and web protocols.
> **Caution:**
> This will change how your system handles various file types and web protocols.
> Remember to set up an alternative browser.
### Technical Details
This category addresses associations found under specific registry keys:
- `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\FileAssociations`
- `HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\Capabilities\URLAssociations`
The scripts remove associations for file types (like .htm, .html, .pdf, .svg) and protocols
(such as http, https, and ftp).
This category does not clear associations under the `HKLM\SOFTWARE\Clients\StartMenuInternet` registry key,
because the default installer already clears these keys.
[1]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
[2]: https://web.archive.org/web/20231001221635/https://learn.microsoft.com/en-us/deployedge/edge-default-browser "Set Microsoft Edge as the default browser on Windows and macOS | Microsoft Learn"
children:
-
name: Remove Edge application selection associations
docs: |-
This script prevents Microsoft Edge from being listed as a default program for various file types
and web links in Windows, giving you control over which programs open your files and enhancing
your privacy.
It improves privacy by preventing Edge from appearing as an option when selecting programs
to open certain files or web links.
This increases user control and reduces data collection and tracking via Microsoft Edge.
If you've uninstalled Edge, this script stabilizes your system by removing leftover associations [1].
It may also boost performance by removing unnecessary Edge-related file and protocol handlers.
> **Caution:**
> After running this script, Edge will no longer appear as a default program for associated file types and URLs.
> Remember to set up an alternative browser.
### Technical Details
The script removes all Edge associations for web-related file types (e.g., .htm, .html, .pdf, .svg) and
protocols (e.g., http, https, mailto) from the Windows registry.
Tests confirm that these associations vary across Windows versions:
| Association | ProgID | Win 10 1903 | Win 10 1909 | Win 10 20H2 | Win 10 21H2 | Win 10 22H2 | Win 11 21H2 | Win 11 22H2 | Win 11 23H2 | Registry Path |
|-------------|--------|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-----------:|:-------------:|
| .webp | MSEdgeHTM | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .xml | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| http | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| https | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .htm | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .html | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .pdf | MSEdgePDF | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .svg | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| mailto | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| read | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .mht | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .mht | MSEdgeMHT | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .mhtml | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .mhtml | MSEdgeMHT | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| microsoft-edge | MSEdgeHTM | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| microsoft-edge (HKLM) | MSEdgeHTM | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .xht | MSEdgeHTM | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| .xhtml | MSEdgeHTM | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
| ftp | MSEdgeHTM | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts` |
To view current Edge associations, run this PowerShell command:
```powershell
$registryPaths = @(
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts'
)
$results = @()
foreach ($path in $registryPaths) {
if (-Not (Test-Path $path)) {
continue
}
$items = Get-Item -Path $path |
ForEach-Object { $_.Property } |
Where-Object { $_ -Match 'MSEdge' }
foreach ($item in $items) {
$split = $item -split '_'
if ($split.Count -ge 2) {
$results += [PSCustomObject]@{
ProgID = $split[0]
Association = $split[1]
RegistryPath = $path
}
}
}
}
$results | Format-Table -Property ProgID, Association, RegistryPath -AutoSize
```
[1]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
call:
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.webp"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .webp
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.xml"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .xml
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_http"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: http
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_https"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: https
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.htm"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .htm
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.html"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .html
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgePDF_.pdf"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .pdf
progId: MSEdgePDF
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.svg"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .svg
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_mailto"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: mailto
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_read"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ❌ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: read
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
maximumWindowsVersion: Windows10-MostRecent
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.mht"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ❌ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .mht
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
maximumWindowsVersion: Windows10-MostRecent
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeMHT_.mht"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .mht
progId: MSEdgeMHT
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.mhtml"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ❌ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .mhtml
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
maximumWindowsVersion: Windows10-MostRecent
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeMHT_.mhtml"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .mhtml
progId: MSEdgeMHT
minimumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_microsoft-edge"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (1909) | ❌ Windows 10 Pro (≥ 20H2) | ❌ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: microsoft-edge
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
maximumWindowsVersion: Windows10-1909
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_microsoft-edge"
# Availability: ❌ Windows 10 Pro (≤ 1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (21H2) | ❌ Windows 11 Pro (≥ 22H2)
registryHive: HKLM
associatedFilenameWithExtensionOrUrlProtocol: microsoft-edge
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
maximumWindowsVersion: Windows11-21H2
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.xht"
# Availability: ❌ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .xht
progId: MSEdgeHTM
minimumWindowsVersion: Windows11-21H2
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_.xhtml"
# Availability: ❌ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: .xhtml
progId: MSEdgeHTM
minimumWindowsVersion: Windows11-21H2
-
function: RemoveApplicationSelectionAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts" | findstr "MSEdgeHTM_ftp"
# Availability: ❌ Windows 10 Pro (≥ 1903) | ✅ Windows 11 Pro (≥ 21H2)
registryHive: HKCU
associatedFilenameWithExtensionOrUrlProtocol: ftp
progId: MSEdgeHTM
minimumWindowsVersion: Windows11-21H2
-
name: Remove Edge Open With associations
docs: |-
This script removes Microsoft Edge associations from the **Open With** context menu
for various file types.
It enhances privacy by reducing Microsoft Edge's integration with the operating system.
This limits data collection opportunities during file interactions.
It also enhances system stability by removing leftover Edge associations after uninstalling
the browser [1].
It may improve system performance by simplifying the **Open With** menu.
Removing these associations gives you control over which applications handle your files, thereby
reducing unwanted data sharing with Microsoft.
> **Caution:**
> Removing these associations may change how certain file types and web links are handled on your system.
> Remember to set up an alternative browser.
### Technical Details
The script targets file extensions such as `.htm`, `.html`, `.pdf`, and `.svg`, removing their
associations with Microsoft Edge in the Windows Registry.
These associations persist even after uninstalling Edge (last confirmed with Edge v115 on
Windows 11 22H2 and Windows 10 21H1).
The script applies to Windows 10 (version 1909 and later) and Windows 11.
The table below shows the default data confirmed by tests:
| Association | Windows 10 1903 | Windows 10 1909 | Windows 10 20H2 | Windows 10 21H2 | Windows 10 22H2 | Windows 11 21H2 | Windows 11 22H2 | Windows 11 23H2 | Registry Path |
|-------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|-----------------|---------------|
| .htm | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.htm\OpenWithProgIds` |
| .html | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.html\OpenWithProgIds` |
| .mht | ❌ | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | `HKLM\Software\Classes\.mht\OpenWithProgIds` |
| .mhtml | ❌ | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | ✅ MSEdgeMHT | `HKLM\Software\Classes\.mhtml\OpenWithProgIds` |
| .pdf | ❌ | ✅ MSEdgePDF | ✅ MSEdgePDF | ✅ MSEdgePDF | ✅ MSEdgePDF | ✅ MSEdgePDF | ✅ MSEdgePDF | ✅ MSEdgePDF | `HKLM\Software\Classes\.pdf\OpenWithProgids` |
| .shtml | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.shtml\OpenWithProgids` |
| .svg | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.svg\OpenWithProgIds` |
| .webp | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.webp\OpenWithProgids` |
| .xht | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.xht\OpenWithProgIds` |
| .xhtml | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.xhtml\OpenWithProgIds` |
| .xml | ❌ | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | ✅ MSEdgeHTM | `HKLM\Software\Classes\.xml\OpenWithProgIds` |
To view all Edge-related associations on your system, run the following PowerShell command:
```powershell
@("Registry::HKEY_LOCAL_MACHINE\Software\Classes", "Registry::HKEY_CURRENT_USER\Software\Classes") |
ForEach-Object {
Get-ChildItem -Path "$_\*\OpenWithProgIds" -ErrorAction SilentlyContinue |
ForEach-Object {
$extension = $_.PSParentPath.Split('\')[-1]
$registryPath = $_.PSPath
$formattedRegistryPath = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
Get-ItemProperty -LiteralPath $registryPath -ErrorAction SilentlyContinue |
ForEach-Object {
$_.PSObject.Properties |
Where-Object { $_.Name -like "MSEdge*" } |
ForEach-Object {
$progId = $_.Name;
[PSCustomObject]@{
Extension = $extension
ProgID = $progId
RegistryPath = $formattedRegistryPath
Hive = if ($formattedRegistryPath -match 'HKEY_LOCAL_MACHINE') { 'HKLM' } else { 'HKCU' }
}
}
}
}
} | Sort-Object Extension, ProgID -Unique | Format-Table -AutoSize
```
[1]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
call:
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.htm\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .htm
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.html\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .html
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.mht\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .mht
progId: MSEdgeMHT
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.mhtml\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .mhtml
progId: MSEdgeMHT
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.pdf\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .pdf
progId: MSEdgePDF
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.shtml\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .shtml
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.svg\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .svg
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.webp\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .webp
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.xht\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .xht
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.xhtml\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .xhtml
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
function: RemoveFileOpenWithAssociation
parameters:
# Check default: reg query "HKLM\Software\Classes\.xml\OpenWithProgIds" | findstr "MSEdge"
# Default value: ❌ Windows 10 Pro (1903) | ✅ Windows 10 Pro (≥ 1909) | ✅ Windows 11 Pro (≥ 21H2)
fullFileNameExtensionWithDot: .xml
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-1909
-
name: Remove Edge user associations
docs: |-
This script removes user-chosen Microsoft Edge associations for specific file types and web links.
Even if a user does not explicitly choose Edge as the default browser, it is chosen by default.
Edge associations often remain after uninstalling the browser [1].
This can affect privacy and system performance.
Removing these associations will:
- Enhance privacy by reducing Microsoft Edge's presence in your system
- Improve system stability, especially if Edge is uninstalled [1]
- Boost performance by eliminating unnecessary file associations
- Improve user control by allowing you to choose the browser you wish to use.
Removing these associations allows you to choose which applications open.
This enhances user control, privacy, system stability, and performance.
> **Caution:**
> Removing these associations will prompt you to choose a default application
> the next time you open files or URL protocols previously associated with Edge.
> Remember to set up an alternative browser.
### Technical Details
The script affects various file types (such as .htm, .html) and web protocols (e.g., http, https, ftp).
It deletes Edge associations from the Windows Registry that control the user-chosen associations.
This action applies to Windows 10 versions from 1909 onward and all versions of Windows 11.
Earlier Windows 10 versions (like 1903) do not have these specific Edge associations by default.
The table below shows the availability of Edge associations across different Windows versions,
confirmed by tests:
| Association | ProgId | Type | Win 10 1903 | Win 10 1909 | Win 10 20H2 | Win 10 21H2 | Win 10 22H2 | Win 11 21H2 | Win 11 22H2 | Win 11 23H2 | Registry Path |
|-------------|--------|------|:-----------------:|:-----------------:|:-----------------:|:-----------------:|:-----------------:|:-----------------:|:-----------------:|:-----------------:|---------------|
| http | MSEdgeHTM | URL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice` |
| https | MSEdgeHTM | URL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice` |
| microsoft-edge | MSEdgeHTM | URL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice` |
| microsoft-edge-holographic | MSEdgeHTM | URL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge-holographic\UserChoice` |
| ms-xbl-3d8b930f | MSEdgeHTM | URL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\ms-xbl-3d8b930f\UserChoice` |
| read | MSEdgeHTM | URL | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\read\UserChoice` |
| .htm | MSEdgeHTM | File | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice` |
| .html | MSEdgeHTM | File | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice` |
| .pdf | MSEdgePDF | File | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice` |
| .svg | MSEdgeHTM | File | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice` |
| .mht | MSEdgeHTM | File | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice` |
| .mht | MSEdgeMHT | File | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice` |
| .mhtml | MSEdgeHTM | File | ❌ | ❌ | ❌ | ✅ | ✅ | ❌ | ❌ | ❌ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice` |
| .mhtml | MSEdgeMHT | File | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice` |
| .xml | MSEdgeHTM | File | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice` |
| ftp | MSEdgeHTM | URL | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice` |
| .xht | MSEdgeHTM | File | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice` |
| .xhtml | MSEdgeHTM | File | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ✅ | ✅ | `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice` |
To verify these associations on your system, run this PowerShell command:
```powershell
$baseRegistryPaths = @(
  'HKCU:\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
)
$results = @()
foreach ($baseKey in $baseRegistryPaths) {
  $subKeys = Get-ChildItem -Path $baseKey -ErrorAction SilentlyContinue
  foreach ($subKey in $subKeys) {
    $userChoicePath = Join-Path $subKey.PSPath 'UserChoice'
    if (-Not (Test-Path $userChoicePath)) {
      continue
    }
    $progId = (Get-ItemProperty -Path $userChoicePath -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if ($progId -and ($progId -like "MSEdge*")) {
      $formattedRegistryPath = $userChoicePath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
      $results += [PSCustomObject]@{
        ProgID = $progId
        Association = $subKey.PSChildName
        RegistryPath = $formattedRegistryPath
      }
    }
  }
}
$results | Format-Table -AutoSize
```
[1]: https://web.archive.org/web/20240803173827/https://github.com/undergroundwires/privacy.sexy/issues/64 "[BUG]: can't sign in again · Issue #64 · undergroundwires/privacy.sexy"
call:
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
urlProtocol: http
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
urlProtocol: https
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
urlProtocol: microsoft-edge
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\microsoft-edge-holographic\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
urlProtocol: microsoft-edge-holographic
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\ms-xbl-3d8b930f\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
urlProtocol: ms-xbl-3d8b930f
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\read\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
urlProtocol: read
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .htm
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .html
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .pdf
progId: MSEdgePDF
minimumWindowsVersion: Windows10-20H2
# reassociateOnRevert: false # 📂 Unprotected on Windows 10 Pro (≤ 21H2) | 🔒️ Protected on Windows 10 Pro (≥ 22H2) | 🔒️ Protected on Windows 11 Pro (≥ 22H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 1909) | ✅ Windows 10 Pro (≥ 20H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .svg
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-20H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 20H2) | ✅ Windows 10 Pro (≥ 21H2) | ❌ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .mht
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-21H2
maximumWindowsVersion: Windows10-MostRecent
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 22H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .mht
progId: MSEdgeMHT
minimumWindowsVersion: Windows11-21H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 20H2) | ✅ Windows 10 Pro (≥ 21H2) | ❌ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .mhtml
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-21H2
maximumWindowsVersion: Windows10-MostRecent
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 22H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .mhtml
progId: MSEdgeMHT
minimumWindowsVersion: Windows11-21H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 21H2) | ✅ Windows 10 Pro (22H2) | ❌ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .xml
progId: MSEdgeHTM
minimumWindowsVersion: Windows10-22H2
maximumWindowsVersion: Windows10-22H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserURLAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 22H2) | ✅ Windows 11 Pro (≥ 21H2)
urlProtocol: ftp
progId: MSEdgeHTM
minimumWindowsVersion: Windows11-21H2
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 22H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .xht
progId: MSEdgeHTM
minimumWindowsVersion: Windows11-21H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
function: RemoveUserFileAssociation
parameters:
# Check default: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice"
# Availability: ❌ Windows 10 Pro (≤ 22H2) | ✅ Windows 11 Pro (≥ 21H2)
fileExtensionWithDotPrefix: .xhtml
progId: MSEdgeHTM
minimumWindowsVersion: Windows11-21H2
reassociateOnRevert: 'true' # 📂 Unprotected on Windows 10 Pro (≥ 1903) | 📂 Unprotected on Windows 11 Pro (≥ 21H2)
-
name: Remove Edge shortcuts
docs: |-
This script removes Microsoft Edge shortcuts from specific locations on your computer, enhancing the privacy and
integrity of your system.
When installed, Microsoft Edge places shortcuts in various locations on your computer. Even after uninstalling the
Edge browser, some of these shortcuts may not be removed (tested since ≥ Edge v117). This script ensures the
removal of these residual shortcuts.
These shortcuts can serve as access points for malicious entities, potentially compromising your computer's security
and privacy. By deleting these shortcuts, the script helps in reducing these vulnerabilities, thus contributing to
a more secure and private computing environment.
Besides contributing to privacy and security, removing these unused shortcuts also contributes to a cleaner and more
organized computer system, providing an enhanced user experience.
The script specifically targets and removes shortcuts from the following paths, which have been tested and verified to
exist on default installations of Windows since Windows 10 22H2 and Windows 11 22H2:
| Path | Windows 11 | Windows 10 |
| ---- |:----------:|:----------:|
| `%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%PUBLIC%\Desktop\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%SYSTEMROOT%\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk` | ✅ Exists | ✅ Exists |
| `%USERPROFILE%\Desktop\Microsoft Edge.lnk` | ❌ Missing | ❌ Missing |
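To see which of these shortcuts exist on a system and where they point, the read-only audit below can be run before or after the script. It is an added example, not part of privacy.sexy's generated code; it assumes the default Edge install path used as this script's `targetFile`, and should be run from an elevated 64-bit PowerShell so the `systemprofile` path is readable and not redirected:

```powershell
# Added example: read-only audit of the shortcut paths from the table above.
# Nothing is modified; CreateShortcut() only writes to disk when Save() is called.

# ProgramFiles(x86) is not defined on 32-bit Windows, so fall back to ProgramFiles.
$programFilesX86 = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$expectedTarget = Join-Path $programFilesX86 'Microsoft\Edge\Application\msedge.exe'

$shortcutPaths = @(
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"
  "$env:AppData\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
  "$env:AppData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"
  "$env:Public\Desktop\Microsoft Edge.lnk"
  "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
  "$env:UserProfile\Desktop\Microsoft Edge.lnk"
)

$shell = New-Object -ComObject WScript.Shell

$shortcutPaths | ForEach-Object {
  $path = $_
  $exists = Test-Path -LiteralPath $path -PathType Leaf
  $target = $null
  $arguments = $null
  $readError = $null
  if ($exists) {
    try {
      # Opening an existing .lnk loads its stored properties for inspection.
      $link = $shell.CreateShortcut($path)
      $target = $link.TargetPath
      $arguments = $link.Arguments
    } catch {
      $readError = $_.Exception.Message
    }
  }
  [PSCustomObject]@{
    Exists       = $exists
    # True only when the shortcut resolves to the default Edge binary.
    PointsToEdge = [bool]($exists -and $target -and ($target -eq $expectedTarget))
    # False for an existing shortcut means the target file is gone (leftover shortcut).
    TargetExists = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
    Target       = $target
    Arguments    = $arguments
    ReadError    = $readError
    Path         = $path
  }
} | Format-List
```

A row with `Exists = True` and `TargetExists = False` is a leftover shortcut of the kind this script removes. An existing `Microsoft Edge.lnk` with `PointsToEdge = False` launches something other than the default Edge binary and deserves a closer look.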
call:
# Exclude:
# - `DisableEdgeDesktopShortcutCreation` because it's highly documented and it does not really bring value since this script already deletes `Microsoft Edge.lnk` from public folder.
function: RemoveShortcutFiles
parameters:
targetFile: '%PROGRAMFILES(X86)%\Microsoft\Edge\Application\msedge.exe'
shortcutItems: |-
@{ Revert = $True; Path = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:AppData\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:Public\Desktop\Microsoft Edge.lnk"; }
@{ Revert = $True; Path = "$env:SystemRoot\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"; }
@{ Revert = $False; Path = "$env:UserProfile\Desktop\Microsoft Edge.lnk"; }
-
category: Disable built-in Windows features
children:
-
name: Disable "Direct Play" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `DirectPlay` |
| **Display name** | DirectPlay |
| **Description** | Enables the installation of DirectPlay component. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: DirectPlay # Get-WindowsOptionalFeature -FeatureName 'DirectPlay' -Online
disabledByDefault: 'true'
-
name: Disable "Internet Explorer" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Internet-Explorer-Optional-amd64`, `Internet-Explorer-Optional-x84`, `Internet-Explorer-Optional-x64` |
| **Display name** | Internet Explorer 11 |
| **Description** | Finds and displays information and Web sites on the Internet. |
| **Default** (Windows 11 ≥ 23H2) | 🟡 Missing |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled (or 🟡 Missing based on architecture) |
call:
-
function: DisableWindowsFeature
parameters:
featureName: Internet-Explorer-Optional-x64 # Get-WindowsOptionalFeature -FeatureName 'Internet-Explorer-Optional-x64' -Online
ignoreMissingOnRevert: 'true'
-
function: DisableWindowsFeature
parameters:
featureName: Internet-Explorer-Optional-x84 # Get-WindowsOptionalFeature -FeatureName 'Internet-Explorer-Optional-x84' -Online
ignoreMissingOnRevert: 'true'
-
function: DisableWindowsFeature
parameters:
featureName: Internet-Explorer-Optional-amd64 # Get-WindowsOptionalFeature -FeatureName 'Internet-Explorer-Optional-amd64' -Online
ignoreMissingOnRevert: 'true'
-
name: Disable "Legacy Components" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `LegacyComponents` |
| **Display name** | Legacy Components |
| **Description** | Controls legacy components in Windows. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: LegacyComponents # Get-WindowsOptionalFeature -FeatureName 'LegacyComponents' -Online
disabledByDefault: 'true'
-
category: Disable Hyper-V virtualization features
children:
-
name: Disable "Hyper-V" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Microsoft-Hyper-V-All` |
| **Display name** | Hyper-V |
| **Description** | Provides services and management tools for creating and running virtual machines and their resources. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Microsoft-Hyper-V-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-All' -Online
disabledByDefault: 'true'
-
name: Disable "Hyper-V GUI Management Tools" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Microsoft-Hyper-V-Management-Clients` |
| **Display name** | Hyper-V GUI Management Tools |
| **Description** | Includes the Hyper-V Manager snap-in and Virtual Machine Connection tool. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Microsoft-Hyper-V-Management-Clients # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-Clients' -Online
disabledByDefault: 'true'
-
name: Disable "Hyper-V Management Tools" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Microsoft-Hyper-V-Tools-All` |
| **Display name** | Hyper-V Management Tools |
| **Description** | Includes GUI and command-line tools for managing Hyper-V. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Microsoft-Hyper-V-Tools-All # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Tools-All' -Online
disabledByDefault: 'true' # Default: Disabled (tested: Windows 10 22H2, Windows 11 23H2)
-
name: Disable "Hyper-V Module for Windows PowerShell" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Microsoft-Hyper-V-Management-PowerShell` |
| **Display name** | Hyper-V Module for Windows PowerShell |
| **Description** | Includes Windows PowerShell cmdlets for managing Hyper-V. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Microsoft-Hyper-V-Management-PowerShell # Get-WindowsOptionalFeature -FeatureName 'Microsoft-Hyper-V-Management-PowerShell' -Online
disabledByDefault: 'true'
-
category: Disable printing features
children:
-
category: Disable printer networking
children:
-
name: Disable "Internet Printing Client" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Printing-Foundation-InternetPrinting-Client` |
| **Display name** | Internet Printing Client |
| **Description** | Enables clients to use HTTP to connect to printers on Web print servers |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Printing-Foundation-InternetPrinting-Client # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-InternetPrinting-Client' -Online
-
name: Disable "LPD Print Service" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Printing-Foundation-LPDPrintService` |
| **Display name** | LPD Print Service |
| **Description** | Makes your Windows computer work as a Line Printer Daemon (LPD) and Remote Line Printer client |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Printing-Foundation-LPDPrintService # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-LPDPrintService' -Online
disabledByDefault: 'true'
-
name: Disable "LPR Port Monitor" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Printing-Foundation-LPRPortMonitor` |
| **Display name** | LPR Port Monitor |
| **Description** | Enables clients to print to TCP/IP printers connected to a Unix (or VAX) server |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🔴 Disabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Printing-Foundation-LPRPortMonitor # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-LPRPortMonitor' -Online
disabledByDefault: 'true'
-
name: Disable "Microsoft Print to PDF" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Printing-PrintToPDFServices-Features` |
| **Display name** | Microsoft Print to PDF |
| **Description** | Provides binaries on the system for creating the Microsoft Print to PDF Print Queue |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Printing-PrintToPDFServices-Features # Get-WindowsOptionalFeature -FeatureName 'Printing-PrintToPDFServices-Features' -Online
-
name: Disable "Print and Document Services" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Printing-Foundation-Features` |
| **Display name** | Print and Document Services |
| **Description** | Enable print, fax, and scan tasks on this computer |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Printing-Foundation-Features # Get-WindowsOptionalFeature -FeatureName 'Printing-Foundation-Features' -Online
-
name: Disable "Work Folders Client" feature
docs: |-
See: [Work Folders overview | Microsoft Learn | learn.microsoft.com](https://web.archive.org/web/20240314102358/https://learn.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview)
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `WorkFolders-Client` |
| **Display name** | Work Folders Client |
| **Description** | Allows file synchronization with a configured file server. |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: WorkFolders-Client # Get-WindowsOptionalFeature -FeatureName 'WorkFolders-Client' -Online
-
category: Disable XPS support features
children:
-
name: Disable "Microsoft XPS Document Writer" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Printing-XPSServices-Features` |
| **Display name** | Microsoft XPS Document Writer |
| **Description** | Provides binaries on the system for creating the XPS Document Writer Print Queue. |
| **Default** (Windows 11 ≥ 23H2) | 🔴 Disabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: Printing-XPSServices-Features # Get-WindowsOptionalFeature -FeatureName 'Printing-XPSServices-Features' -Online
disabledByDefault: 'true'
-
name: Disable "XPS Viewer" feature
recommend: standard # Deprecated and missing on modern versions of Windows
docs: |-
This feature has been part of older versions of Windows [1].
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `Xps-Foundation-Xps-Viewer` |
| **Display name** | XPS Viewer |
| **Description** | Allows you to read, copy, print, sign, and set permissions for XPS documents. |
| **Default** (Windows 11 ≥ 23H2) | 🟡 Missing |
| **Default** (Windows 10 ≥ 22H2) | 🟡 Missing |
[1]: https://web.archive.org/web/20240406125031/https://systemscenter.ru/unattend.en/index.html?page=html%2Fdb43485b-ffad-476f-9b22-97bde41ceb47.htm "Unattended Windows Setup Reference | systemscenter.ru"
call:
function: DisableWindowsFeature
parameters:
featureName: Xps-Foundation-Xps-Viewer # Get-WindowsOptionalFeature -FeatureName 'Xps-Foundation-Xps-Viewer' -Online
ignoreMissingOnRevert: 'true'
-
name: Disable "Media Features" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `MediaPlayback` |
| **Display name** | Media Features |
| **Description** | Controls media features such as Windows Media Player. |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: MediaPlayback # Get-WindowsOptionalFeature -FeatureName 'MediaPlayback' -Online
-
name: Disable "Scan Management" feature
recommend: standard # Deprecated and missing on modern versions of Windows
docs: |-
This feature has been part of older versions of Windows [1].
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `ScanManagementConsole` |
| **Display name** | Scan Management |
| **Description** | Manages distributed scanners, scan processes, and scan servers. |
| **Default** (Windows 11 ≥ 23H2) | 🟡 Missing |
| **Default** (Windows 10 ≥ 22H2) | 🟡 Missing |
[1]: https://web.archive.org/web/20240406125031/https://systemscenter.ru/unattend.en/index.html?page=html%2Fdb43485b-ffad-476f-9b22-97bde41ceb47.htm "Unattended Windows Setup Reference | systemscenter.ru"
call:
function: DisableWindowsFeature
parameters:
featureName: ScanManagementConsole # Get-WindowsOptionalFeature -FeatureName 'ScanManagementConsole' -Online
ignoreMissingOnRevert: 'true'
-
name: Disable "Windows Fax and Scan" feature
recommend: standard # Deprecated and missing on modern versions of Windows
docs: |-
This feature has been part of older versions of Windows [1].
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `FaxServicesClientPackage` |
| **Display name** | Windows Fax and Scan |
| **Description** | Enable fax and scan tasks on this computer |
| **Default** (Windows 11 ≥ 23H2) | 🟡 Missing |
| **Default** (Windows 10 ≥ 22H2) | 🟡 Missing |
[1]: https://web.archive.org/web/20240406125031/https://systemscenter.ru/unattend.en/index.html?page=html%2Fdb43485b-ffad-476f-9b22-97bde41ceb47.htm "Unattended Windows Setup Reference | systemscenter.ru"
call:
function: DisableWindowsFeature
parameters:
featureName: FaxServicesClientPackage # Get-WindowsOptionalFeature -FeatureName 'FaxServicesClientPackage' -Online
ignoreMissingOnRevert: 'true'
-
name: Disable "Windows Media Player" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `WindowsMediaPlayer` |
| **Display name** | Windows Media Player |
| **Description** | Windows Media Player |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: WindowsMediaPlayer # Get-WindowsOptionalFeature -FeatureName 'WindowsMediaPlayer' -Online
-
name: Disable "Windows Search" feature
docs: |-
### Overview of default feature statuses
| | |
| ---- | --- |
| **Feature name** | `SearchEngine-Client-Package` |
| **Display name** | Windows Search |
| **Description** | Provides content indexing, property caching, and search results for files, e-mail, and other content. |
| **Default** (Windows 11 ≥ 23H2) | 🟢 Enabled |
| **Default** (Windows 10 ≥ 22H2) | 🟢 Enabled |
call:
function: DisableWindowsFeature
parameters:
featureName: SearchEngine-Client-Package # Get-WindowsOptionalFeature -FeatureName 'SearchEngine-Client-Package' -Online
-
category: Remove on-demand capabilities and features
docs: https://web.archive.org/web/20240314062310/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled
children:
-
category: Remove preinstalled features on demand
children:
-
name: Remove "DirectX Configuration Database" capability
call:
function: UninstallCapability
parameters:
capabilityName: DirectX.Configuration.Database
-
name: Remove "Internet Explorer 11" capability
call:
function: UninstallCapability
parameters:
capabilityName: Browser.InternetExplorer
-
name: Remove "Math Recognizer" capability
call:
function: UninstallCapability
parameters:
capabilityName: MathRecognizer
-
name: Remove "OneSync" capability (breaks Mail, People, and Calendar)
recommend: strict
docs: https://web.archive.org/web/20240314062310/https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod?view=windows-11#onesync
call:
function: UninstallCapability
parameters:
capabilityName: OneCoreUAP.OneSync
-
name: Remove "OpenSSH client" capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Client
-
name: Remove "PowerShell ISE" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.PowerShell.ISE
-
name: Remove "Print Management Console" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Management.Console
-
name: Remove "Quick Assist" capability
call:
function: UninstallCapability
parameters:
capabilityName: App.Support.QuickAssist
-
name: Remove "Steps Recorder" capability
call:
function: UninstallCapability
parameters:
capabilityName: App.StepsRecorder
-
name: Remove "Windows Fax and Scan" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Fax.Scan
# The following are excluded because:
# 1. They are not widely considered "bloatware" by the community
# 2. They do not have known privacy issues
# 3. They make Windows more functional when running all scripts
# -
# name: Remove "WordPad" capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.WordPad
# -
# name: Remove "Paint" capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.MSPaint
# -
# name: Remove "Notepad" capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.Notepad
-
category: Remove not preinstalled features on demand
children:
-
name: Remove ".NET Framework" capability
call:
function: UninstallCapability
parameters:
capabilityName: NetFX3
-
name: Remove "Mixed Reality" capability
call:
function: UninstallCapability
parameters:
capabilityName: Analog.Holographic.Desktop
-
name: Remove "Wireless Display" capability
call:
function: UninstallCapability
parameters:
capabilityName: App.WirelessDisplay.Connect
-
name: Remove "Accessibility - Braille Support" capability
call:
function: UninstallCapability
parameters:
capabilityName: Accessibility.Braille
-
name: Remove "Developer Mode" capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.DeveloperMode.Core
-
name: Remove "Graphics Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.Graphics.DirectX
-
name: Remove "IrDA" capability
call:
function: UninstallCapability
parameters:
capabilityName: Network.Irda
-
name: Remove "Microsoft WebDriver" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.WebDriver
-
name: Remove "MSIX Packaging Tool Driver" capability
call:
function: UninstallCapability
parameters:
capabilityName: Msix.PackagingTool.Driver
-
name: Remove "OpenSSH Server" capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Server
-
category: Remove printing capabilities
children:
-
name: Remove "Enterprise Cloud Print" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.EnterpriseCloudPrint
-
name: Remove "Mopria Cloud Service" capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.MopriaCloudService
-
category: Remove Remote Server Administration Tools (RSAT)
children:
-
name: Remove "Active Directory Domain Services and Lightweight Directory Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools
-
name: Remove "BitLocker Drive Encryption Administration Utilities" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.BitLocker.Recovery.Tools
-
name: Remove "Active Directory Certificate Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.CertificateServices.Tools
-
name: Remove "DHCP Server Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.DHCP.Tools
-
name: Remove "DNS Server Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Dns.Tools
-
name: Remove "Failover Clustering Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FailoverCluster.Management.Tools
-
name: Remove "File Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FileServices.Tools
-
name: Remove "Group Policy Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.GroupPolicy.Management.Tools
-
name: Remove "IP Address Management (IPAM) Client" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.IPAM.Client.Tools
-
name: Remove "Data Center Bridging LLDP Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.LLDP.Tools
-
name: Remove "Network Controller Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkController.Tools
-
name: Remove "Network Load Balancing Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkLoadBalancing.Tools
-
name: Remove "Remote Access Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.RemoteAccess.Management.Tools
-
name: Remove "Server Manager Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ServerManager.Tools
-
name: Remove "Shielded VM Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Shielded.VM.Tools
-
name: Remove "Storage Replica Module for Windows PowerShell" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageReplica.Tools
-
name: Remove "Volume Activation Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.VolumeActivation.Tools
-
name: Remove "Windows Server Update Services Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.WSUS.Tools
-
name: Remove "Storage Migration Service Management Tools" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageMigrationService.Management.Tools
-
name: Remove "Systems Insights Module for Windows PowerShell" capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.SystemInsights.Management.Tools
-
category: Remove storage capabilities
children:
-
name: Remove "Windows Storage Management" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.StorageManagement
-
name: Remove "OneCore Storage Management" capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.OneCore.StorageManagement
-
name: Remove "Windows Emergency Management Services and Serial Console" capability
call:
function: UninstallCapability
parameters:
capabilityName: Windows.Desktop.EMS-SAC.Tools
-
name: Remove "XPS Viewer" capability
call:
function: UninstallCapability
parameters:
capabilityName: XPS.Viewer
-
category: Remove Widgets
docs: |-
Windows 11 adds a new taskbar flyout named "Widgets", which displays a panel with Microsoft Start, a news aggregator
with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1].
It is a rebranded, newer version of the older "Windows 10 News and Interests" feature [2].
The user can customize the panel by adding or removing widgets, rearranging, resizing, and personalizing the content [1].
It has privacy implications as it collects data about your usage of the computer such as diagnostics data [3].
[1]: https://web.archive.org/web/20240314091958/https://en.wikipedia.org/wiki/Features_new_to_Windows_11#Windows_shell "Features new to Windows 11 | Wikipedia"
[2]: https://www.bleepingcomputer.com/news/microsoft/windows-10-news-and-interests-enabled-for-everyone-in-latest-update/ "Windows 10 News and Interests enabled for everyone in latest update | Bleeping Computer"
[3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "What data does Microsoft collect? | Widgets | Microsoft"
children:
-
name: Remove "Widgets" from taskbar
recommend: strict
docs: |-
To control whether the Widgets button is visible on the taskbar, Microsoft introduced the `TaskbarDa` registry value [1].
Possible `DWORD` 32-bit settings for the `TaskbarDa` value are [1] [2]:
1. 0 = Hidden
2. 1 = Visible
This registry key does not exist in Windows 11 installations by default.
[1]: https://web.archive.org/web/20231206213443/https://www.elevenforum.com/t/add-or-remove-widgets-button-on-taskbar-in-windows-11.32/ "Add or Remove Widgets Button on Taskbar in Windows 11 | Windows Eleven Forum"
[2]: https://www.bleepingcomputer.com/news/microsoft/new-windows-11-registry-hacks-to-customize-your-device/ "New Windows 11 registry hacks to customize your device | Bleeping Computer"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
valueName: TaskbarDa
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: Remove "Windows Web Experience Pack" (breaks Widgets)
recommend: strict
docs: |-
This script removes the "Windows Web Experience Pack" app.
This app is responsible for enabling the Widgets feature [1].
Widgets are mini-programs that provide information and easy access to frequently used functions.
The app is not essential, and its removal does not impact other functionalities of the operating system, provided you do not
intend to use Widgets.
The "Windows Web Experience Pack" app collects diagnostic data, and the individual widgets it enables might also gather user data [2].
By removing this app, you also detach yourself from the necessity to agree to Microsoft's general privacy terms [3].
This agreement allows Microsoft to collect your personal data [3].
You can view these terms at the [Microsoft Privacy Statement](https://web.archive.org/web/20231006103250/https://privacy.microsoft.com/en-US/privacystatement).
The app is not needed and is not known to break other OS functionality if you do not wish to use the Widgets feature.
This app is known to collect diagnostics data; individual widgets might also collect data [2].
For additional information, you can visit the [Microsoft Store Page](https://archive.ph/2023.11.01-233200/https://apps.microsoft.com/detail/windows-web-experience-pack/9MSSGKG348SP?hl=en-us&gl=US).
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ❌ |
| Windows 10 | 20H2 | ❌ |
| Windows 10 | 21H2 | ❌ |
| Windows 10 | 22H2 | ❌ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20231101233028/https://support.microsoft.com/en-us/windows/how-to-update-the-windows-web-experience-pack-in-the-microsoft-store-a16c9bf1-f042-4dc9-a523-740cca1e1e60 "How to update the Windows Web Experience Pack in the Microsoft Store | support.microsoft.com"
[2]: https://archive.ph/2023.11.01-233200/https://apps.microsoft.com/detail/windows-web-experience-pack/9MSSGKG348SP?hl=en-us&gl=US "Windows Web Experience Pack - Microsoft Store Apps | apps.microsoft.com/store"
[3]: https://web.archive.org/web/20231101233034/https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "Stay up to date with widgets | support.microsoft.com"
call:
function: UninstallStoreApp
parameters:
packageName: MicrosoftWindows.Client.WebExperience # Get-AppxPackage MicrosoftWindows.Client.WebExperience
publisherId: cw5n1h2txyewy
-
name: Remove "Meet Now" icon from taskbar
recommend: strict
docs: # Skype feature, introduced in 20H2, KB4580364 update
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow
- https://www.windowscentral.com/how-disable-meet-now-feature-windows-10
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
valueName: HideSCAMeetNow
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
category: Remove Windows Copilot
docs: |-
This category includes scripts to disable or remove the Windows Copilot feature.
"Windows Copilot" is also known as "Copilot in Windows" [1] [2] [3].
Windows Copilot is an AI assistant within Windows [1] [2].
It helps with a wide range of tasks, like adjusting system settings [1] [2].
It can deliver web results [1], and supports generating creative content, like images [1] [2],
and providing personalized suggestions based on user data analysis [2].
While these features enhance user experience, they raise privacy concerns due to the extensive personal
data access and processing involved, including user files [4], keyboard and voice inputs [3], and browser
history [3].
Such data is transmitted to Microsoft's servers [3].
Transmitting this data to Microsoft poses potential privacy and security risks.
Moreover, Copilot's susceptibility to attacks like prompt engineering underlines its security risks [5].
More about security vulnerabilities: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/).
Removing Windows Copilot reduces privacy and security risks, improves system performance, and simplifies
the user interface.
[1]: https://web.archive.org/web/20240122063553/https://www.microsoft.com/en-us/windows/copilot-ai-features "Copilot in Windows & Other AI-Powered Features | Microsoft | www.microsoft.com"
[2]: https://web.archive.org/web/20240122063357/https://support.microsoft.com/en-us/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0 "Welcome to Copilot in Windows - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240122063412/https://support.microsoft.com/en-us/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a "Copilot in Windows: Your data and privacy - Microsoft Support | support.microsoft.com"
[4]: https://web.archive.org/web/20240122063447/https://concentric.ai/too-much-access-microsoft-copilot-data-risks-explained/ "2023 Microsoft Copilot Data Risks Explained | Concentric AI | concentric.ai"
[5]: https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com"
children:
-
name: Disable Copilot feature
recommend: strict
docs: |-
This script deactivates the Windows Copilot feature, enhancing user privacy and potentially improving system performance.
By default, Copilot is enabled and appears on the taskbar when available [1] [2].
Disabling Windows Copilot prevents it from appearing on the taskbar and stops it from functioning [1] [2].
This action is useful for users who prioritize privacy and system performance, as it eliminates a potential
channel for data sharing with Microsoft servers and reduces exposure to attacks on language models [3].
Read more: [Attacks on language models](https://erkinekici.com/articles/attacks-on-language-models/).
The script operates by modifying two registry keys:
- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot!TurnOffWindowsCopilot`:
This key disables Copilot for all users on the device [2] [4].
- `HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot!TurnOffWindowsCopilot`:
This key disables Copilot for the current user [1] [4].
To fully disable Copilot, both machine-level (`HKLM`) and user-level (`HKCU`) settings might need
adjustment, given reports that `HKLM` alone is inadequate [4].
This script turns off Copilot, enhancing privacy by preventing data collection and transmission,
and improving security by reducing the risk of language model attacks [3].
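The check below is an added example, not part of privacy.sexy's generated script: it reads `TurnOffWindowsCopilot` at both scopes named above and reports, per hive, whether the value exists, is a `REG_DWORD`, and holds `1`. The helper name `Get-RegistryValueState` is illustrative.

```powershell
# Added example (not privacy.sexy code): read-only audit of the Copilot policy value.
# Get-RegistryValueState is an illustrative helper name.
function Get-RegistryValueState {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,      # provider path, e.g. 'HKLM:\SOFTWARE\...'
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [int]    $ExpectedData
    )
    $state = [ordered]@{
        Status   = 'KeyMissing'
        KeyPath  = $KeyPath
        Value    = $ValueName
        Expected = $ExpectedData
        Actual   = $null
        Kind     = $null
    }
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -ne $key) {
        # Registry value names are case-insensitive, as is -contains.
        if ($key.GetValueNames() -contains $ValueName) {
            $state.Actual = $key.GetValue($ValueName)
            $state.Kind   = $key.GetValueKind($ValueName)
            if ($state.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                # A value stored with another type (for example REG_SZ "1") is reported
                # separately from a REG_DWORD holding the wrong number.
                $state.Status = 'WrongType'
            } elseif ($state.Actual -ne $ExpectedData) {
                $state.Status = 'Mismatch'
            } else {
                $state.Status = 'Compliant'
            }
        } else {
            $state.Status = 'ValueMissing'
        }
    }
    [pscustomobject] $state
}

$subKey  = 'SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot'
$results = foreach ($hive in 'HKLM:', 'HKCU:') {
    Get-RegistryValueState -KeyPath "${hive}\${subKey}" `
                           -ValueName 'TurnOffWindowsCopilot' `
                           -ExpectedData 1
}

# HKCU resolves to the hive of the account running this session. If the session was
# elevated with another account's credentials, the user-level check (and any earlier
# write) applies to that account, not to the signed-in desktop user.
$account = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "HKCU audited for: $account"

$results | Format-Table Status, KeyPath, Actual, Kind -AutoSize

$notApplied = @($results | Where-Object Status -ne 'Compliant')
if ($notApplied.Count -eq 0) {
    Write-Output 'TurnOffWindowsCopilot = 1 at both machine and user scope.'
} else {
    Write-Output ('Not applied at: ' + (($notApplied | ForEach-Object KeyPath) -join ', '))
}
```

Reading `HKLM` and `HKCU` does not require elevation, so the check can be run from the desktop user's own session to confirm the user-level value landed in the intended hive.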
[1]: https://web.archive.org/web/20240122064120/https://learn.microsoft.com/en-us/windows/client-management/manage-windows-copilot "Manage Copilot in Windows - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240522162728/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot "WindowsAI Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://erkinekici.com/articles/attacks-on-language-models/ "Attacks on language models :: Erkin Ekici | erkinekici.com"
[4]: https://web.archive.org/web/20240122064046/https://www.elevenforum.com/t/enable-or-disable-windows-copilot-in-windows-11.17045/ "Enable or Disable Windows Copilot in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot
valueName: TurnOffWindowsCopilot
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot
valueName: TurnOffWindowsCopilot
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Disable Copilot access
recommend: strict
docs: |-
This script disables Copilot access on your computer, enhancing your privacy.
It prevents the Copilot feature from activating or being suggested for use locally [1] [2].
When activated, Copilot can access and process a vast array of personal data, potentially leading to privacy concerns.
By setting your local user's eligibility status to "ineligible", this script effectively removes the possibility of Copilot
being automatically offered or activated on your system.
It works by adjusting the `HKCU\Software\Microsoft\Windows\Shell\Copilot\BingChat!IsUserEligible` registry key [1] [2] [3].
Typically, this key may be modified by Microsoft based on your account activity [3].
However, running this script will override such adjustments, maintaining your privacy preference and potentially
enhancing system performance by disabling background services.
Please restart your computer after applying this script to activate changes [2] [3].
If reverting, relog into your Microsoft account to reset settings [3].
[1]: https://web.archive.org/web/20240122065339/https://itstechbased.com/how-to-enable-new-copilot-ai-in-windows-11-22631-2262-beta/ "How to Enable New Copilot AI in Windows 11 22631.2262 (Beta) - Tech Based | itstechbased.com"
[2]: https://web.archive.org/web/20240122065302/https://betawiki.net/wiki/Windows_10_build_19045.3754 "Windows 10 build 19045.3754 - BetaWiki | betawiki.net"
[3]: https://web.archive.org/web/20240122065316/https://www.neowin.net/guides/how-to-enable-copilot-in-windows-10/ "How to enable Copilot in Windows 10 - Neowin | www.neowin.net"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\Shell\Copilot\BingChat
valueName: IsUserEligible
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # Default value for this key varies, seen as `0` on some Windows 11 23H2, key does not exist on some Windows 10 22H2
-
function: ShowComputerRestartSuggestion
-
name: Disable Copilot auto-launch on start
recommend: strict
docs: |-
This script stops the Copilot feature from automatically starting up with Windows,
providing a more controlled and resource-efficient computing experience.
With the release of Windows 11 builds 25992 (Canary) and 23615 (Dev), users encountered a new functionality
that would auto-launch Copilot on wider screens [1] [2] [3].
This script modifies the `HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings!AutoOpenCopilotLargeScreens`
registry key to configure this setting [1] [2].
This script ensures Copilot stays inactive at startup, activating only when the user initiates it manually.
This change not only respects user preference but also frees up system resources that would otherwise be consumed by this feature,
potentially leading to faster startup times and better overall performance.
[1]: https://web.archive.org/web/20240122071219/https://www.elevenforum.com/t/enable-or-disable-open-copilot-at-startup-in-windows-11.19626/ "Enable or Disable Open Copilot at Startup in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[2]: https://web.archive.org/web/20240122071337/https://blogs.windows.com/windows-insider/2024/01/11/announcing-windows-11-insider-preview-build-23615-dev-channel/ "Announcing Windows 11 Insider Preview Build 23615 (Dev Channel) | Windows Insider Blog | blogs.windows.com"
[3]: https://web.archive.org/web/20240122071352/https://geekrewind.com/how-to-turn-open-copilot-when-windows-starts-on-or-off-in-windows-11/ "How to Turn “Open Copilot when Windows Starts” On or Off in Windows 11 - Geek Rewind | geekrewind.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings
valueName: AutoOpenCopilotLargeScreens
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 23H2)
-
name: Remove "Copilot" icon from taskbar
recommend: strict
docs: |-
This script removes the Copilot icon from the taskbar.
Windows added a taskbar button enabled by default to launch Windows Copilot [1].
This feature was introduced with the Windows 11 22H2 Moments 4 update [2] [3].
The script configures the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced!ShowCopilotButton`
registry key [3] [4].
This script will turn off the Copilot button in the Settings app of Windows 11, which will hide or remove
the Copilot icon from the taskbar [4].
Disabling the Copilot button won't uninstall the feature but will hide the icon from the taskbar, simplifying
the user interface and reducing distractions.
This action also reduces the visibility of a feature with privacy implications from data collection and processing.
[1]: https://web.archive.org/web/20240122072226/https://blogs.windows.com/windows-insider/2023/06/29/announcing-windows-11-insider-preview-build-23493/ "Announcing Windows 11 Insider Preview Build 23493 | Windows Insider Blog | blogs.windows.com"
[2]: https://web.archive.org/web/20240122072448/https://support.microsoft.com/en-us/topic/october-31-2023-kb5031455-os-builds-22621-2506-and-22631-2506-preview-6513c5ec-c5a2-4aaf-97f5-44c13d29e0d4 "October 31, 2023—KB5031455 (OS Builds 22621.2506 and 22631.2506) Preview - Microsoft Support | support.microsoft.com"
[3]: https://web.archive.org/web/20240122071203/https://www.elevenforum.com/t/add-or-remove-copilot-button-on-taskbar-in-windows-11.16015/ "Add or Remove Copilot Button on Taskbar in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[4]: https://web.archive.org/web/20240122071007/https://www.thewindowsclub.com/how-to-show-or-hide-copilot-button-on-taskbar-in-windows "How to remove Copilot from Taskbar in Windows 11 | www.thewindowsclub.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
valueName: ShowCopilotButton
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 23H2)
-
function: ShowExplorerRestartSuggestion
-
category: Disable non-essential services
docs: |-
This category contains scripts designed to enhance privacy by disabling system services that are not essential for your
operating system's core functions.
A Windows service is a program that runs in the background, automatically starting and operating without direct user
interaction, even when no user is logged in [1].
Disabling these services, especially those transmitting data to external parties or running unseen, significantly
reduces the risk of unwanted data exposure.
Taking these proactive steps is crucial for minimizing privacy risks and improving your system's security.
[1]: https://web.archive.org/web/20240219200713/https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications "Introduction to Windows Service Applications - .NET Framework | Microsoft Learn | learn.microsoft.com"
children:
-
name: Disable Microsoft Account Sign-in Assistant (breaks Microsoft Store and Microsoft Account sign-in)
recommend: strict
docs: |-
This script disables the **Microsoft Account Sign-in Assistant** (`wlidsvc`) service.
This service helps users sign in with their Microsoft account, giving access to Microsoft's services and apps [1] [2].
This service connects with Microsoft's cloud for authentication [3].
Formerly known as the "Microsoft Windows Live ID Service", it supported sign-ins for applications such as
Office and Windows Live Messenger [4].
Currently, it uses Microsoft Entra (formerly Azure AD [5]) as its identity service [6] [7].
It is used to facilitate the creation of the primary identifier Microsoft uses for devices [8].
Disabling this service prioritizes user privacy by limiting data sharing with Microsoft but necessitates a trade-off
regarding certain convenience features and system capabilities.
> **Caution**:
> While Microsoft indicates this service can be safely disabled [1], doing so may impact essential features and functionalities [3].
>
> - **Microsoft Sign-in**:
> Disabling this service prevents users from signing into the computer with their Microsoft account [2] [8].
> It also affects scenarios requiring user action for completion [6].
> For instance, users might not see the Microsoft Entra sign-in option [6] [7] [9], leading to the creation of a local account instead [6] [7].
> - **Windows Autopilot**:
> Windows Autopilot is a set of technologies used by IT departments to set up and pre-configure new devices [9].
> It requires this service to retrieve the Windows Autopilot profile [10].
> - **Microsoft Store**:
> On Windows 11 and Windows 10, failure messages may appear, indicating a break in functionality [11].
> Known error messages include `PUR-AuthenticationFailure v3ZtcNH7IECS00iL.36.1`, `0x800706d9`, and `0x800704cf` [11].
> - **Feature Updates**:
> Feature updates, which add new functionalities to Windows [12], will not be offered [3] [13] [14] [15] [16].
> Disabling this service disrupts feature updates by impacting Subscription Activation (license authentication) [16].
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20240218231654/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#microsoft-account-sign-in-assistant "Security guidelines for system services in Windows Server 2016 | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240218232041/https://batcmd.com/windows/10/services/wlidsvc/ "Microsoft Account Sign-in Assistant - Windows 10 Service - batcmd.com | batcmd.com"
[3]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[4]: https://web.archive.org/web/20240219000506/https://www.howtogeek.com/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/ "What Are WLIDSVC.EXE and WLIDSVCM.EXE and Why Are They Running? | howtogeek.com"
[5]: https://web.archive.org/web/20240218232515/https://learn.microsoft.com/en-us/entra/fundamentals/new-name "New name for Azure Active Directory - Microsoft Entra | Microsoft Learn | learn.microsoft.com"
[6]: https://web.archive.org/web/20240120200946/https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#search "Device restriction settings for Windows 10/11 in Microsoft Intune | Microsoft Learn | learn.microsoft.com"
[7]: https://web.archive.org/web/20240218234642/https://learn.microsoft.com/en-us/autopilot/pre-provision#user-flow "Windows Autopilot for pre-provisioned deployment | Microsoft Learn | learn.microsoft.com"
[8]: https://web.archive.org/web/20211129073326/https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual#required-endpoints "Manually configuring devices for Update Compliance - Windows Deployment | Microsoft Docs | docs.microsoft.com"
[9]: https://web.archive.org/web/20240218234541/https://learn.microsoft.com/en-us/autopilot/windows-autopilot "Overview of Windows Autopilot | Microsoft Learn | learn.microsoft.com"
[10]: https://web.archive.org/web/20240218235057/https://learn.microsoft.com/en-us/autopilot/policy-conflicts "Windows Autopilot policy conflicts | Microsoft Learn | learn.microsoft.com"
[11]: https://web.archive.org/web/20240218233743/https://github.com/undergroundwires/privacy.sexy/issues/100 "[BUG]: Running the script broke Windows Store login; unable to install any Store apps due to error 0x800704cf · Issue #100 · undergroundwires/privacy.sexy | github.com"
[12]: https://web.archive.org/web/20240218233355/https://learn.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates "Windows client updates, channels, and tools - Windows Deployment | Microsoft Learn | learn.microsoft.com"
[13]: https://web.archive.org/web/20240219000354/https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/windows-feature-updates-never-offered "Windows 10 feature updates not offered on Intune-managed devices - Intune | Microsoft Learn | learn.microsoft.com"
[14]: https://web.archive.org/web/20240218235145/https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates "Configure feature updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn | learn.microsoft.com"
[15]: https://web.archive.org/web/20240218235015/https://learn.microsoft.com/en-us/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting#feature-updates-arent-being-offered-while-other-updates-are "Windows Update issues troubleshooting - Windows Client | Microsoft Learn"
[16]: https://web.archive.org/web/20240218233634/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountsigninassistant "Accounts Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
call:
function: DisableService
parameters:
serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Downloaded Maps Manager
recommend: standard
docs: |-
This script disables the **Downloaded Maps Manager** (`MapsBroker`) service.
This service manages downloaded maps [1].
Disabling this service prevents apps from accessing maps [1], enhancing privacy by limiting access to sensitive location data.
> **Caution**: This may affect apps that rely on downloaded maps but prioritizes user privacy [1].
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Automatic |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Automatic |
[1]: https://web.archive.org/web/20240219135016/https://batcmd.com/windows/10/services/mapsbroker/ "Downloaded Maps Manager - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisableService
parameters:
serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Microsoft Retail Demo
recommend: standard
docs: |-
This script disables the **Microsoft Retail Demo** (`RetailDemo`) service.
This service is used to control device activity when the device is in retail demo mode [1].
For personal use, this service is generally redundant, and disabling it strengthens privacy.
By turning off this service, you prevent the potential misuse of demo content and settings, ensuring that your
device operates under standard conditions without unnecessary exposure to retail demo features.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20240219135100/https://batcmd.com/windows/10/services/retaildemo/ "Retail Demo Service - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisableService
parameters:
serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Disable synchronization of mail, contacts, calendar, and user data
docs: |-
This category contains scripts that improve privacy by turning off services that synchronize mail, contacts,
calendars, and other user data.
Turning off these services stops the automatic sharing and storing of personal information
across devices and apps, crucial for privacy.
children:
-
name: Disable User Data Storage
recommend: strict
docs: |-
This script disables the **User Data Storage** (`UnistoreSvc`) service.
This service stores user data like contact info, calendars, and messages [1].
Disabling this service boosts privacy by blocking app access to this data.
This script is recommended for users who prioritize privacy over the convenience of synchronized user data.
> **Caution**: Some applications may not function correctly without access to this data [1].
[1]: https://web.archive.org/web/20240219134932/https://batcmd.com/windows/10/services/unistoresvc/ "User Data Storage - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start
serviceName: UnistoreSvc
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
name: Disable Sync Host
recommend: strict
docs: |-
This script turns off the **Sync Host** (`OneSyncSvc`) service.
This service syncs mail, contacts, calendars, and other user data across devices and apps [1].
Disabling this service stops the automatic sharing of personal information, enhancing privacy.
This script is recommended for individuals prioritizing the security of their personal data over the functionality of
data synchronization.
> **Caution**: Mail and other applications relying on synchronized data may not perform as intended without this service [1].
[1]: https://web.archive.org/web/20240219141722/https://batcmd.com/windows/10/services/onesyncsvc/ "Sync Host - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start
serviceName: OneSyncSvc
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
-
name: Disable User Data Access
docs: |-
This script disables the **User Data Access** (`UserDataSvc`) service.
This service allows apps to access personal data such as contacts, calendars, and messages [1].
By disabling this service, you enhance your privacy by preventing apps from accessing this personal information.
This script is recommended for users valuing privacy more than some app functionalities relying on user data.
> **Caution**: It's important to be aware that some apps relying on this data may not function correctly without it [1].
[1]: https://web.archive.org/web/20240219141730/https://batcmd.com/windows/10/services/userdatasvc/ "User Data Access - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start
serviceName: UserDataSvc
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
name: Disable Messaging Service
docs: |-
This script disables the **Messaging Service** (`MessagingService`) service.
This service supports text messaging and related functions [1].
Disabling this service improves privacy by reducing how the system processes text messages [1].
Users should consider this action if they prioritize privacy and do not use native text messaging features extensively.
> **Caution**: Be advised that disabling this service may affect the functionality of text messaging and related services [1].
[1]: https://web.archive.org/web/20240219141734/https://batcmd.com/windows/10/services/messagingservice/ "MessagingService - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start
serviceName: MessagingService
defaultStartupMode: Manual # Allowed values: Boot | System | Automatic | Manual
-
name: Disable Windows Push Notifications
recommend: strict # Enhances privacy but reduces convenience.
docs: |-
This script disables the Windows Push Notification Service (WNS), including the
`WpnService` and `WpnUserService`.
WNS enables third-party developers to send notifications (toast, tile, badge, and raw updates)
from their cloud services [1].
However, this service raises privacy concerns:
- It relies on connections to Microsoft cloud servers [1] [2] [3] [4] [5], potentially exposing
user data.
This delivers both local and push notifications to your device [1].
- It may bypass VPN protections and expose your device's real IP address, according to
Wikipedia (uncited) [2].
Running this script will:
- Enhance your privacy by reducing data sent to Microsoft servers
- Improve security by limiting potential attack vectors
- Boost system performance by reducing background processes
> **Caution**:
> After running this script, you will no longer receive instant notifications from most apps.
> This may include important updates or messages.
### Technical Details
This script disables two services:
1. `WpnService` (Windows Push Notifications System Service) [3]
2. `WpnUserService` (Windows Push Notifications User Service) [4]
Disabling `WpnUserService` may cause these issues:
- **Network & Internet** in Settings:
- Windows 10: May cause issues accessing network settings [5] [6] [7].
- Windows 11: No reported issues [5].
- To reproduce (Windows 10):
1. Open **Settings**
2. Select **Network & Internet**
- **Notification Center** in taskbar:
- All Windows 11 versions:
- Prevents opening **Notification Center** [8] (known as *Action Center* on
Windows 10 [9]).
- The **Notification Center** (known as **notification area** on Windows 10 [10])
is at the right end of the taskbar [11].
- It includes system status icons (e.g., date/time, battery, Wi-Fi) and
notifications [8] [11].
- To reproduce (Windows 11): Click the **Notification Center** icon on the taskbar.
- **Notifications & Actions** in Settings:
- Some Windows 11 versions: Unable to access **Notifications & Actions** [12] on
Settings app.
- To reproduce (Windows 11):
1. Open **Settings**
2. Select **System**
3. Select **Notifications**
Confirmed side effects per Windows version after disabling `WpnUserService` and rebooting:
| Windows Version | Taskbar Notifications Center | Notifications & Actions Settings | Network Settings |
| --------------- | ---------------------------- | -------------------------------- |------------------|
| Windows 11 23H2 | 🔴 Affected | 🔴 Affected | 🟢 Unaffected |
| Windows 11 22H2 | 🔴 Affected | 🔴 Affected | 🟢 Unaffected |
| Windows 11 21H2 | 🔴 Affected | 🟢 Unaffected | 🟢 Unaffected |
| Windows 10 22H2 | 🟢 Unaffected | 🟢 Unaffected | 🔴 Breaks |
| Windows 10 21H2 | 🟢 Unaffected | 🟢 Unaffected | 🔴 Breaks |
| Windows 10 20H2 | 🟢 Unaffected | 🟢 Unaffected | 🔴 Breaks |
| Windows 10 19H2 | 🟢 Unaffected | 🟢 Unaffected | 🟢 Unaffected |
| Windows 10 19H1 | 🟢 Unaffected | 🟢 Unaffected | 🟢 Unaffected |
Due to these issues, this script disables `WpnUserService` only on Windows 10 version 19H2 and earlier versions.
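The check commands listed for the per-user services on this page can be combined into one read-only audit that also applies the version constraint. This is an added example, not part of privacy.sexy's own code; the function names and the build number 18363 (Windows 10 version 1909) are assumptions of the example.

```powershell
# Added example, not part of privacy.sexy. Read-only: it changes no setting.
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Encoding of the service "Start" DWORD.
$StartModes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Per-user services from this page with their documented defaultStartupMode.
# Assumption: MaxBuild 18363 stands for "maximumWindowsVersion: Windows10-1909".
$AuditedServices = @(
    @{ Name = 'UnistoreSvc';      Default = 'Manual' }
    @{ Name = 'OneSyncSvc';       Default = 'Automatic' }
    @{ Name = 'UserDataSvc';      Default = 'Manual' }
    @{ Name = 'MessagingService'; Default = 'Manual' }
    @{ Name = 'WpnUserService';   Default = 'Automatic'; MaxBuild = 18363 }
)

function Get-PerUserServiceStart {
    # Returns the start mode of the template key "<name>" and of every
    # per-user instance key "<name>_<suffix>".
    param([Parameter(Mandatory)] [string] $ServiceName)

    $paths = "$ServicesRoot\$ServiceName", "$ServicesRoot\${ServiceName}_*"
    foreach ($key in @(Get-Item -Path $paths -ErrorAction SilentlyContinue)) {
        $start = $key.GetValue('Start', $null)
        $mode = if ($null -eq $start) {
            'Missing'
        } elseif ($StartModes.ContainsKey([int]$start)) {
            $StartModes[[int]$start]
        } else {
            "Unknown ($start)"
        }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Scope     = if ($key.PSChildName -eq $ServiceName) { 'Template' } else { 'Per-user instance' }
            StartMode = $mode
        }
    }
}

function Get-PerUserServiceAudit {
    # Compares each key with the state expected after running the scripts.
    # A service with MaxBuild is expected to stay at its default above that build.
    param(
        [int] $Build = [int](Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    )

    foreach ($service in $AuditedServices) {
        $aboveMax = $service.ContainsKey('MaxBuild') -and ($Build -gt $service.MaxBuild)
        $expected = if ($aboveMax) { $service.Default } else { 'Disabled' }

        foreach ($state in @(Get-PerUserServiceStart -ServiceName $service.Name)) {
            $note = if ($aboveMax -and $state.StartMode -eq 'Disabled') {
                "Disabled above build $($service.MaxBuild): side effects documented above apply"
            } elseif ($aboveMax) {
                'Left enabled by version constraint'
            } else {
                ''
            }
            [pscustomobject]@{
                Build     = $Build
                Service   = $state.Service
                Scope     = $state.Scope
                StartMode = $state.StartMode
                Expected  = $expected
                Matches   = ($state.StartMode -eq $expected)
                Note      = $note
            }
        }
    }
}

Get-PerUserServiceAudit | Format-Table -AutoSize
```

A `WpnUserService` row with `Matches` set to `False` on a build above 18363 points to a system where the service was disabled before the constraint existed.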
### Overview of default service statuses
`WpnService`:
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 19H1) | 🟢 Running | Automatic |
| Windows 11 (all versions) | 🟢 Running | Automatic |
`WpnUserService_<Suffix>`:
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 19H1) | 🟢 Running | Automatic |
| Windows 11 (all versions) | 🟢 Running | Automatic |
[1]: https://web.archive.org/web/20240218223751/https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview "Windows Push Notification Services (WNS) overview - Windows apps | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240218223848/https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue "Windows Push Notification Service - Wikipedia | en.wikipedia.org"
[3]: https://web.archive.org/web/20240218223841/https://batcmd.com/windows/10/services/wpnservice/ "Windows Push Notifications System Service - Windows 10 Service - batcmd.com | batcmd.com"
[4]: https://web.archive.org/web/20240218223900/https://batcmd.com/windows/10/services/wpnuserservice/ "Windows Push Notifications User Service - Windows 10 Service - batcmd.com | batcmd.com"
[5]: https://web.archive.org/web/20240218223920/https://github.com/undergroundwires/privacy.sexy/issues/110 '[BUG]: "SystemSettings.exe - Stack-based buffer" when accessing network settings · Issue #110 · undergroundwires/privacy.sexy | github.com/undergroundwires/privacy.sexy'
[6]: https://web.archive.org/web/20240218225733/https://github.com/undergroundwires/privacy.sexy/issues/166 "[BUG]: Network & Internet Problem after using the script · Issue #166 · undergroundwires/privacy.sexy | GitHub | github.com/undergroundwires/privacy.sexy"
[7]: https://web.archive.org/web/20240812132702/https://github.com/undergroundwires/privacy.sexy/issues/225 "[Improvements] possible workaround for issue #110 · Issue #225 · undergroundwires/privacy.sexy · GitHub | github.com"
[8]: https://web.archive.org/web/20240812131424/https://github.com/undergroundwires/privacy.sexy/issues/314 "[BUG]: Script that breaks calendar in taskbar · Issue #314 · undergroundwires/privacy.sexy · GitHub | github.com"
[9]: https://archive.ph/2024.08.12-133902/https://support.microsoft.com/en-us/windows/how-to-open-notification-center-and-quick-settings-f8dc196e-82db-5d67-f55e-ba5586fbb038%23WindowsVersion=Windows_10 "Windows 10 | How to open Notification Center and Quick Settings - Microsoft Support | support.microsoft.com"
[10]: https://archive.ph/2024.08.12-133132/https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3%23WindowsVersion=Windows_10 "Windows 10 | Customize the taskbar notification area - Microsoft Support | support.microsoft.com"
[11]: https://archive.ph/2024.08.12-133105/https://support.microsoft.com/en-us/windows/customize-the-taskbar-notification-area-e159e8d2-9ac5-b2bd-61c5-bb63c1d437c3%23WindowsVersion=Windows_11 "Windows 11 | Customize the taskbar notification area - Microsoft Support | support.microsoft.com"
[12]: https://web.archive.org/web/20240812131129/https://github.com/undergroundwires/privacy.sexy/issues/227 "[BUG]: Disabling \"Windows Push Notification Service\" also breaks action center · Issue #227 · undergroundwires/privacy.sexy · GitHub | github.com"
call:
-
function: DisableService
parameters:
serviceName: WpnService # Check: (Get-Service -Name 'WpnService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService_*").Start
serviceName: WpnUserService
defaultStartupMode: Automatic # Allowed values: Boot | System | Automatic | Manual
maximumWindowsVersion: Windows10-1909
-
category: Disable Xbox services
docs: |-
This category includes scripts to turn off Xbox services.
While enhancing gaming, these services may impact privacy and system performance for non-Xbox Live users.
Turning off these services protects privacy by stopping unnecessary data sharing with Xbox Live servers.
children:
-
name: Disable Xbox Live Auth Manager
recommend: standard
docs: |-
This script disables the **Xbox Live Auth Manager** (`XblAuthManager`) service.
This service manages Xbox Live login and permissions [1].
Turning off this service can enhance privacy for users who do not use Xbox Live, as it prevents potentially
unnecessary communication with Xbox Live servers.
> **Caution:** Disabling this service could impact apps needing Xbox Live login.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20240219142010/https://batcmd.com/windows/10/services/xblauthmanager/ "Xbox Live Auth Manager - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisableService
parameters:
serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Xbox Live Game Save
recommend: standard
docs: |-
This script disables the **Xbox Live Game Save** (`XblGameSave`) service.
This service synchronizes save data for games that are enabled with Xbox Live save features [1].
If you're not using Xbox Live to save games, turning off this service can protect your privacy by stopping
save data transfers to Xbox Live [1].
> **Caution:** Be aware that stopping this service will prevent game save synchronization with Xbox Live [1],
> affecting users who play Xbox Live-enabled games.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20240219141930/https://batcmd.com/windows/10/services/xblgamesave/ "Xbox Live Game Save - Windows 10 Service - batcmd.com | batcmd.com"
call:
function: DisableService
parameters:
serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Xbox Live Networking
recommend: standard
docs: |-
This script disables the **Xbox Live Networking Service** (`XboxNetApiSvc`) service.
This service supports the `Windows.Networking.XboxLive` application programming interface [1].
Disabling this service is useful for those not using Xbox Live, as it stops Xbox Live
networking activities on the system.
This script may enhance privacy and improve system performance by reducing unnecessary network traffic and
resource use.
> **Caution:** Turning off this service could impact apps and games using Xbox Live network features.
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20240219141939/https://www.tenable.com/audits/items/CIS_MS_Windows_10_Enterprise_Level_1_v1.12.0.audit:413ad68866cc396f0bd1dd4ead7deb97 "5.45 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is ... | Tenable® | www.tenable.com"
call:
function: DisableService
parameters:
serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Shadow Copy (breaks System Restore and Windows Backup)
recommend: strict
docs: |-
This script disables the **Shadow Copy** service, also known as the
*Volume Shadow Copy Service* (VSS) [1] [2] [3] [4] [5] or *Volume Snapshot Service* [4] [6].
This service is integral for system backups [1] [2] [3] [5] and data snapshots [1] [5] [7].
It allows for data recovery [1] [5] and system restore points [1] [7] [8].
Introduced with Windows Server 2003 [1], VSS facilitates backups and system restores without needing to take applications offline [1].
It creates a consistent snapshot of data for backup, supporting functions like archiving, data mining, and disk-to-disk backups [1].
These snapshots can restore data in case of data loss, to the original location or a new one, if the original has failed [1].
However, VSS has privacy and security risks:
- It can store unencrypted versions of files, even after users have encrypted and securely deleted them [5] [7].
This feature, while useful for recovery, poses a risk as it allows retrieving deleted files,
undermining efforts to permanently remove sensitive information.
- Malware may use this service for persistence [4].
- Forensic investigators use shadow copies to recover deleted files and analyze your behavior [5].
Disabling VSS can also free up system resources and potentially improve performance by eliminating the creation and storage of shadow copies.
But it will render system restore points [1] [8] and Windows Backup [1] features inoperative, potentially compromising data recovery capabilities.
This trade-off between privacy/security and system recovery features should be carefully considered.
> **Caution**:
> Disabling this service will make shadow copies unavailable for backup, which could cause backup processes to fail [3].
> Services that depend on VSS will not start, affecting features like Windows Server Backup [1], Shadow Copies of Shared Folders [1],
> System Center Data Protection Manager [1], and System Restore [1] [8].
### Overview of default service statuses
| OS Version | Status | Start type |
| ---------- | -------| ---------- |
| Windows 10 (≥ 22H2) | 🔴 Stopped | Manual |
| Windows 11 (≥ 23H2) | 🔴 Stopped | Manual |
[1]: https://web.archive.org/web/20240218220458/https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service "Volume Shadow Copy Service | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240218220517/https://learn.microsoft.com/en-us/windows/win32/vss/volume-shadow-copy-service-overview?redirectedfrom=MSDN "Volume Shadow Copy Service Overview - Win32 apps | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240218221447/https://batcmd.com/windows/10/services/vss/ "Volume Shadow Copy - Windows 10 Service - batcmd.com | batcmd.com"
[4]: https://archive.ph/2024.02.18-221756/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 "CVE-2021-36934 - Security Update Guide - Microsoft - Windows Elevation of Privilege Vulnerability | msrc.microsoft.com"
[5]: https://web.archive.org/web/20240218221441/https://www.iiis.org/CDs2018/CD2018Spring/papers/ZA288KS.pdf "Forensic Analysis of Windows 10 Volume Shadow Copy Service | University of North Georgia | iiis.org"
[6]: https://web.archive.org/web/20240218220401/https://download.microsoft.com/download/7/1/B/71B9C665-6D2B-4154-AB7E-9CDC40647B57/697737_ebook_mobile_TechPreview.pdf "Introducing Windows Server 2016 Technical Preview | John McCabe and the Windows Server team | download.microsoft.com"
[7]: https://web.archive.org/web/20240218220503/https://www.schneier.com/blog/archives/2009/12/the_security_im.html "The Security Implications of Windows Volume Shadow Copy - Schneier on Security | www.schneier.com"
[8]: https://web.archive.org/web/20240218220527/https://github.com/undergroundwires/privacy.sexy/issues/81 "[BUG]: Can't access sign-in options nor create a restore point · Issue #81 · undergroundwires/privacy.sexy · GitHub | github.com/undergroundwires/privacy.sexy"
call:
function: DisableService
parameters:
serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Remove Snipping Tool
docs: |-
This category addresses privacy risks related to the **Snipping Tool** [1] [2]
(also called **screen capture** [3]) and its earlier forms, **Snip & Sketch** [1] [4]
and **Screen Sketch** [4].
The Snipping Tool enables users to capture screenshots [2] [5] and record their screens [2].
This capability can expose sensitive information displayed on the screen unintentionally.
Earlier versions had significant privacy vulnerabilities, allowing recovery of cropped
screenshot portions [6] [7].
For example, bank details edited out of a saved screenshot could still be extracted by
malicious entities [6].
Although updates have remedied these issues in modern versions [6], the potential for
data exposure remains a concern.
Disabling this tool enhances privacy by preventing unintentional capture of sensitive
information and protecting against vulnerabilities.
[1]: https://archive.ph/2024.04.24-100718/https://apps.microsoft.com/detail/9mz95kl8mr0l?hl=en-US&gl=US "Snipping Tool - Microsoft Apps | apps.microsoft.com"
[2]: https://web.archive.org/web/20240424101014/https://www.microsoft.com/en-us/windows/learning-center/how-to-record-screen-windows-11 "How to Record Your Screen on Windows 11 | Microsoft Windows | www.microsoft.com"
[3]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com"
[4]: https://web.archive.org/web/20240424100700/https://blogs.windows.com/windowsexperience/2018/10/02/find-out-whats-new-in-windows-and-office-in-october/ "Find out whats new in Windows and Office in October | Windows Experience Blog | blogs.windows.com"
[5]: https://web.archive.org/web/20240424101031/https://support.microsoft.com/en-us/windows/open-snipping-tool-and-take-a-screenshot-a35ac9ff-4a58-24c9-3253-f12bac9f9d44 "Open Snipping Tool and take a screenshot - Microsoft Support | support.microsoft.com"
[6]: https://archive.ph/2024.04.24-100742/https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28303 "CVE-2023-28303 - Security Update Guide - Microsoft - Windows Snipping Tool Information Disclosure Vulnerability | msrc.microsoft.com"
[7]: https://web.archive.org/web/20240424100805/https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/ "Windows 11 Snipping Tool privacy bug exposes cropped image content | www.bleepingcomputer.com"
children:
-
name: Remove outdated "Snipping Tool" app
docs: |-
This script removes the outdated **Snipping Tool** app.
It was previously known as **Snip & Sketch** [1] [2] [3].
It allows users to capture, edit, and share screenshots [3].
In recent Windows versions, this app is part of the *Windows Feature Experience Pack*
(`MicrosoftWindows.Client.Core`) and is no longer a separate application [4] [5] [6] [7].
This script disables snipping functionality on older Windows versions.
privacy.sexy does not remove the entire Windows Feature Experience Pack,
as it contains many other essential functions [7].
This app comes pre-installed on certain versions of Windows [1] [2].
### Overview of default preinstallation
| OS | Version | Existence |
| -- |:-------:|:---------:|
| Windows 10 | 19H2 | ✅ |
| Windows 10 | 20H2 | ✅ |
| Windows 10 | 21H2 | ✅ |
| Windows 10 | 22H2 | ✅ |
| Windows 11 | 21H2 | ✅ |
| Windows 11 | 22H2 | ✅ |
| Windows 11 | 23H2 | ✅ |
[1]: https://web.archive.org/web/20210727081048/https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10 "Windows 10 - Apps - Windows Application Management | Microsoft Docs"
[2]: https://web.archive.org/web/20221101231811/https://learn.microsoft.com/en-us/windows/application-management/provisioned-apps-windows-client-os "Get the provisioned apps on Windows client operating system - Windows Application Management | Microsoft Learn"
[3]: https://archive.ph/2024.04.24-100718/https://apps.microsoft.com/detail/9mz95kl8mr0l?hl=en-US&gl=US "Snipping Tool - Microsoft Apps | apps.microsoft.com"
[4]: https://web.archive.org/web/20240320082149/https://blogs.windows.com/windows-insider/2020/11/30/releasing-windows-feature-experience-pack-120-2212-1070-0-to-the-beta-channel/ "Releasing Windows Feature Experience Pack 120.2212.1070.0 to the Beta Channel | Windows Insider Blog | blogs.windows.com"
[5]: https://archive.ph/2024.03.20-082058/https://twitter.com/XenoPanther/status/1504870414702592003 "Xeno on X: \"Parts of MicrosoftWindows.Client.CBS have been moved to MicrosoftWindows.Client.Core \" / X | twitter.com/XenoPanther"
[6]: https://web.archive.org/web/20240320082048/https://answers.microsoft.com/en-us/insider/forum/all/snipping-tool-issues-with-build-25295/065a6718-70a0-4e3b-ab1b-21f6315c0296 "Snipping Tool issues with Build 25295 - Microsoft Community | answers.microsoft.com"
[7]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com"
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ScreenSketch # Get-AppxPackage Microsoft.ScreenSketch
publisherId: 8wekyb3d8bbwe
-
name: Disable outdated Snipping Tool
docs: |-
This script disables the outdated Snipping Tool [1] [2].
This app is enabled by default [1] [2].
The script modifies the `HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool` [1] [2]
registry key, preventing the tool from launching [1] [2] [3] and disabling the print screen
key activation [3].
After running this script, any attempt to open the Snipping Tool will show this message [4],
confirming its deactivation (tested on Windows 11 and 10):
> Windows cannot open this program because it has been prevented by a software restriction policy.
> For more information please contact your system administrator.
This script does not affect the new Snipping Tool in Windows 11, only the store app version.
[1]: https://web.archive.org/web/20240424103745/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TabletPCShell::DisableSnippingTool_2 "Do not allow Snipping Tool to run | admx.help"
[2]: https://web.archive.org/web/20240424103728/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-tabletshell#disablesnippingtool_1 "ADMX_TabletShell Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240424103901/https://www.thewindowsclub.com/disable-snipping-tool-in-windows-10 "How to Disable Snipping Tool or Print Screen in Windows 11/10 | www.thewindowsclub.com"
[4]: https://web.archive.org/web/20240424103809/https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994599(v=ws.11)#windows-cannot-open-a-program "Troubleshoot Software Restriction Policies | Microsoft Learn | learn.microsoft.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\TabletPC
valueName: DisableSnippingTool
dataType: REG_DWORD
data: "1"
deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 23H2)
-
name: Disable Snipping Tool keyboard shortcut (**Windows logo key** + **Shift** + **S**)
docs: |-
This script disables the **Windows logo key** + **Shift** + **S** keyboard shortcut.
This keyboard shortcut by default launches the Snipping Tool to capture screenshots [1] [2].
During the screenshot process, the screen darkens to indicate the selected area [1].
By preventing Windows Explorer from recognizing this keyboard shortcut [3], the script enhances privacy by
reducing the risk of unintended data exposure through screenshots.
This script also disables the **Windows logo key** + **S** keyboard shortcut [4], which by default
activates search functions on Windows [5].
> **Caution**: Due to a limitation in how disabled keys are configured on Windows [6],
> this will also disable the other Windows logo key shortcuts that include the **S** key.
[1]: https://web.archive.org/web/20240424101031/https://support.microsoft.com/en-us/windows/open-snipping-tool-and-take-a-screenshot-a35ac9ff-4a58-24c9-3253-f12bac9f9d44 "Open Snipping Tool and take a screenshot - Microsoft Support | support.microsoft.com"
[2]: https://web.archive.org/web/20240424105319/https://support.lenovo.com/us/sv/solutions/ht117622 "How to take a screenshot using the Snipping Tool in Windows 10 and 11 - Lenovo Support US | support.lenovo.com"
[3]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com"
[4]: https://web.archive.org/web/20240424105243/https://github.com/microsoft/PowerToys/issues/18450#issuecomment-1204728155 "[PowerToys Run] Win+S hotkey won't gain focus when Start menu is open · Issue #18450 · microsoft/PowerToys · GitHub | github.com"
[5]: https://web.archive.org/web/20240424105403/https://support.microsoft.com/en-us/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec "Keyboard shortcuts in Windows - Microsoft Support | support.microsoft.com"
[6]: https://web.archive.org/web/20240424104551/https://www.geoffchappell.com/notes/windows/shell/explorer/globalhotkeys.htm "Disable Global Hot Keys | www.geoffchappell.com"
call:
function: DisableWindowsKeyPlusCharacterHotkey
parameters:
characterKeyToDisable: S
-
name: Disable Print Screen keyboard shortcut for Snipping Tool
docs: |-
This script prevents the Print Screen key from launching the Snipping Tool.
Launching the Snipping Tool with this key is the default Windows behavior starting from Windows 11 22H2 [1].
The script targets the `HKCU\Control Panel\Keyboard\PrintScreenKeyForSnippingEnabled` registry value.
This value toggles the setting "Use the Print screen button to open screen snipping" in the control panel [1] [2] [3].
Changing this setting through the user interface also modifies this registry entry [3].
This value is absent by default in modern Windows versions, confirmed through testing starting with Windows
10 22H2 and Windows 11 23H2, which indicates that the Print Screen shortcut is enabled.
Applying these changes requires restarting File Explorer (`explorer.exe`) [3].
Both `explorer.exe` [5] and `Taskbar.dll` [4] read this configuration at startup.
[1]: https://web.archive.org/web/20240424111406/https://blogs.windows.com/windows-insider/2023/04/07/announcing-windows-11-insider-preview-build-22621-1546-and-22624-1546/ "Announcing Windows 11 Insider Preview Build 22621.1546 and 22624.1546 | Windows Insider Blog | blogs.windows.com"
[2]: https://web.archive.org/web/20240424111351/https://www.elevenforum.com/t/enable-or-disable-use-print-screen-key-to-open-screen-snipping-in-windows-11.520/ "Enable or Disable Use Print Screen Key to Open Screen Snipping in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[3]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com"
[4]: https://github.com/privacysexy-forks/10_0_22622_601/blob/c598035e1a6627384d646140fe9e4d234b36b11d/C/Windows/System32/Taskbar.dll.strings#L9711 "10_0_22622_601/C/Windows/System32/Taskbar.dll.strings at c598035e1a6627384d646140fe9e4d234b36b11d · WinDLLsExports/10_0_22622_601 · GitHub | github.com"
[5]: https://github.com/privacysexy-forks/10_0_22621_891/blob/fde7af7776698377aceb48a54bcf7bedaadd5c2d/C/Windows/explorer.exe.strings#L7645 "10_0_22621_891/C/Windows/explorer.exe.strings at fde7af7776698377aceb48a54bcf7bedaadd5c2d · WinDLLsExports/10_0_22621_891 · GitHub"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKCU\Control Panel\Keyboard
valueName: PrintScreenKeyForSnippingEnabled
dataType: REG_DWORD
data: "0"
deleteOnRevert: 'true' # This key does not exist (tested since Windows 10 22H2, and Windows 11 23H2)
-
function: ShowExplorerRestartSuggestion
-
category: Advanced settings
children:
-
name: Set NTP (time) server to `pool.ntp.org`
docs: https://www.ntppool.org/en/use.html
recommend: strict
# `sc queryex` output is the same in every OS language
# Marked: refactor-with-revert-call, refactor-with-variables
# This would allow re-using `StartService` and `StopService`
code: |-
:: Configure time source
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
:: Stop time service if running
SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
net stop w32time
)
:: Start time service and sync now
net start w32time
w32tm /config /update
w32tm /resync
revertCode: |-
:: Configure time source
w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com"
:: Stop time service if running
SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
net stop w32time
)
:: Start time service and sync now
net start w32time
w32tm /config /update
w32tm /resync
-
name: Disable reserved storage for updates # since 19H1 (1903)
docs:
- https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState
- https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves
- https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy
call:
-
function: RunInlineCode
parameters:
code: dism /online /Set-ReservedStorageState /State:Disabled /NoRestart
revertCode: dism /online /Set-ReservedStorageState /State:Enabled /NoRestart
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager
valueName: ShippedWithReserves
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager
valueName: PassedPolicy
dataType: REG_DWORD
data: '0'
dataOnRevert: '1' # Default value: `1` on Windows 10 Pro (≥ 22H2) | `1` on Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager
valueName: MiscPolicyInfo
dataType: REG_DWORD
data: '2'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: Run script on startup [EXPERIMENTAL]
code: |-
del /f /q "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
copy "%~dpnx0" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
revertCode: del /f /q "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
functions:
-
name: TerminateRunningProcess # 💡 If applicable, consider using `TerminateAndBlockExecution` in script calls.
parameters:
- name: executableNameWithExtension # Name of the executable file, including its extension, to be terminated.
- name: revertExecutablePath # Path of the executable to be run during the revert process.
optional: true
- name: revertExecutableArgs # Arguments to pass to the executable during the revert process.
optional: true
docs: |-
This function is designed to terminate a specified running process.
It checks if the process is currently running and, if so, uses the `taskkill` command to forcibly terminate it.
This function is particularly useful for stopping processes that may interfere with system configurations or other operations.
call:
-
function: Comment
parameters:
codeComment: Check and terminate the running process "{{ $executableNameWithExtension }}"
revertCodeComment: >-
{{ with $revertExecutablePath }}
Optionally start the process "{{ $executableNameWithExtension }}" if not running
{{ end }}
-
function: RunInlineCode
parameters:
code: |-
tasklist /fi "ImageName eq {{ $executableNameWithExtension }}" /fo csv 2>NUL | find /i "{{ $executableNameWithExtension }}">NUL && (
echo {{ $executableNameWithExtension }} is running and will be killed.
taskkill /f /im {{ $executableNameWithExtension }}
) || (
echo Skipping, {{ $executableNameWithExtension }} is not running.
)
# `start` command is used to start processes without blocking execution of rest of the script, see https://ss64.com/nt/start.html.
revertCode: |-
{{ with $revertExecutablePath }}
tasklist /fi "ImageName eq {{ $executableNameWithExtension }}" /fo csv 2>NUL | find /i "{{ $executableNameWithExtension }}">NUL && (
echo Skipping, {{ $executableNameWithExtension }} is already running.
) || (
if exist "{{ . }}" (
start "" "{{ . }}" {{ with $revertExecutableArgs }}{{ . }}{{ end }}
echo Executed {{ . }} {{ with $revertExecutableArgs }}{{ . }}{{ end }}
) else (
echo Failed to run the file, it does not exist. 1>&2
)
)
{{ end }}
-
name: TerminateExecutableOnLaunch # 💡 Usage: This is a low-level function. Favor using `TerminateAndBlockExecution` in script calls.
parameters:
- name: executableNameWithExtension # Filename of the executable (including its extension) to be terminated upon launch.
docs: |-
It immediately terminates a specified process whenever it starts.
The function adds a `Debugger` registry value that points to the `taskkill.exe` utility, a command-line tool used for terminating processes.
This effectively means that every time the process attempts to start, `taskkill.exe` is invoked instead, leading to the immediate termination of the process.
Read more: [Image File Execution Options | Microsoft Learn](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options)
call:
-
function: Comment
parameters:
codeComment: Configure termination of "{{ $executableNameWithExtension }}" immediately upon its startup
revertCodeComment: Remove configuration preventing "{{ $executableNameWithExtension }}" from starting
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $executableNameWithExtension }}
valueName: Debugger
dataType: REG_SZ
data: '%WINDIR%\System32\taskkill.exe'
deleteOnRevert: 'true' # No executable has debugging enabled by default
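# Added example (not part of privacy.sexy): `TerminateExecutableOnLaunch` writes an IFEO `Debugger` value, so this
# read-only PowerShell audit lists every such value and separates the `taskkill.exe` blocks from anything else.
# Assumptions of this example: the name `Get-IfeoDebuggerEntry`, the `Classification` labels, and the extra `WOW6432Node` view.

```powershell
# Added example, not privacy.sexy code. Read-only audit of IFEO "Debugger" values.
# Assumption: run from an elevated PowerShell session on the machine being checked.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit registry view on 64-bit Windows; skipped automatically when absent.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# The only Debugger target that TerminateExecutableOnLaunch writes.
$expectedDebugger = Join-Path $env:WINDIR 'System32\taskkill.exe'

function Get-IfeoDebuggerEntry {
    param([string[]] $RootPath = $ifeoRoots)
    foreach ($root in $RootPath) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Read the stored string without letting the registry API expand it first.
            $raw = $key.GetValue('Debugger', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($null -eq $raw) { continue }  # Default state: no Debugger value
            # The value may hold "%WINDIR%\..." or an already expanded path.
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw).Trim().Trim('"')
            $isTaskkillBlock = $expanded.Equals(
                $expectedDebugger, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                Image          = $key.PSChildName
                Debugger       = $raw
                Classification = if ($isTaskkillBlock) { 'TaskkillBlock' } else { 'Review' }
                Key            = $key.Name
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntry)
if ($entries.Count -eq 0) {
    Write-Host 'No IFEO Debugger values found (the default state).'
} else {
    # 'Review' sorts before 'TaskkillBlock', so unexpected entries are listed first.
    $entries | Sort-Object Classification, Image | Format-Table -AutoSize -Wrap
    $review = @($entries | Where-Object Classification -eq 'Review')
    if ($review.Count -gt 0) {
        Write-Warning "$($review.Count) Debugger value(s) do not point to taskkill.exe and should be reviewed."
    }
}
```

# Entries classified as `TaskkillBlock` are the ones that the revert step of this function deletes.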
-
name: DisableWindowsFeature
docs: |-
This function manages the enabling and disabling of specified Windows features.
Its primary role is to disable a target feature, with options to handle cases where the feature is
absent or to maintain its default state upon reversal.
parameters:
- name: featureName # The name of the Windows feature to be disabled
- name: disabledByDefault # Specifies whether the feature is disabled by default in the operating system.
optional: true # If set to true, the function will not re-enable the feature during a revert operation.
- name: ignoreMissingOnRevert # When set to true, the revert operation will skip any actions for features that cannot be found, instead of failing.
optional: false
call:
-
function: Comment
parameters:
codeComment: Disable the "{{ $featureName }}" feature
revertCodeComment: Revert the '{{ $featureName }}' feature to its default settings
-
function: RunPowerShell
parameters:
code: |-
$featureName = '{{ $featureName }}'
$feature = Get-WindowsOptionalFeature `
-FeatureName "$featureName" `
-Online `
-ErrorAction Stop
if (-Not $feature) {
Write-Output "Skipping: The feature `"$featureName`" is not found. No action required."
Exit 0
}
if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled) {
Write-Output "Skipping: The feature `"$featureName`" is already disabled. No action required."
Exit 0
}
try {
Write-Host "Disabling feature: `"$featureName`"."
Disable-WindowsOptionalFeature `
-FeatureName "$featureName" `
-Online `
-NoRestart `
-LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) `
-WarningAction SilentlyContinue `
-ErrorAction Stop `
| Out-Null
} catch {
Write-Error "Failed to disable the feature `"$featureName`": $($_.Exception.Message)"
Exit 1
}
Write-Output "Successfully disabled the feature `"$featureName`"."
Exit 0
revertCode: |-
$featureName = '{{ $featureName }}'
$ignoreMissingOnRevert = {{ with $ignoreMissingOnRevert }} $true # {{ end }} $false
$disabledByDefault = {{ with $disabledByDefault }} $true # {{ end }} $false
$feature = Get-WindowsOptionalFeature `
-FeatureName "$featureName" `
-Online `
-ErrorAction Stop
if (-Not $feature) {
if ($ignoreMissingOnRevert) {
Write-Output "Skipping: The feature `"$featureName`" is not found. No action required."
Exit 0
}
Write-Error "Failed to revert changes to the feature `"$featureName`". The feature is not found."
Exit 1
}
if ($feature.State -eq [Microsoft.Dism.Commands.FeatureState]::Enabled) {
Write-Output "Skipping: The feature `"$featureName`" is already enabled. No action required."
Exit 0
}
if ($disabledByDefault) {
Write-Output "Skipping: The feature `"$featureName`" is already disabled and this is the default configuration."
Exit 0
}
try {
Write-Host "Enabling feature: `"$featureName`"."
Enable-WindowsOptionalFeature `
-FeatureName "$featureName" `
-Online `
-NoRestart `
-LogLevel ([Microsoft.Dism.Commands.LogLevel]::Errors) `
-WarningAction SilentlyContinue `
-ErrorAction Stop `
| Out-Null
} catch {
Write-Error "Failed to enable feature `"$featureName`": $($_.Exception.Message)"
Exit 1
}
Write-Output "Successfully enabled the feature `"$featureName`"."
Exit 0
-
name: UninstallStoreApp
parameters:
- name: packageName
- name: publisherId
call:
-
function: RunPowerShell
parameters:
codeComment: Uninstall '{{ $packageName }}' Microsoft Store app.
code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage
# This script attempts to reinstall the app that was just uninstalled, if necessary.
# Re-installation strategy:
# 1. Attempt to locate the package from another user's installation:
# - Utilizes the `Get-AppxPackage` command with the `-AllUsers` flag to search across all user installations.
# - Iterates through the results to locate the manifest file required for re-installation.
# 2. Attempt to locate the package from the system installation:
# - Utilizes the `Get-AppxPackage` command with `-RegisterByFamilyName` to search for the manifest file in the system installation.
# - The app's package family name is constructed using its name and publisher ID.
# Package Family Name is: `<name>_<publisherid>`
# Learn more about package identity: https://learn.microsoft.com/en-us/windows/apps/desktop/modernize/package-identity-overview#publisher-id (https://archive.ph/Sx4JC)
# - Based on tests, Windows attempts to locate the file in the installation location of the package.
# This location can be identified using commands such as `(Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation`.
# Possible installation locations include:
# - `%WINDIR%\SystemApps\{PackageFamilyName}` (for system apps)
# - `%WINDIR%\{ShortAppName}` (for system apps)
# - `%SYSTEMDRIVE%\Program Files\WindowsApps\{PackageName}` (for non-system apps)
# View all package locations: `Get-AppxPackage | Sort Name | Format-Table Name, InstallLocation`
revertCodeComment: Reinstall '{{ $packageName }}' if it was previously uninstalled.
revertCode: |-
$packageName='{{ $packageName }}'
$publisherId='{{ $publisherId }}'
if (Get-AppxPackage -Name $packageName) {
Write-Host "Skipping, `"$packageName`" is already installed for the current user."
exit 0
}
Write-Host "Starting the installation process for `"$packageName`"..."
# Attempt installation using the manifest file
Write-Host "Checking if `"$packageName`" is installed on another user profile..."
$packages = @(Get-AppxPackage -AllUsers $packageName)
if (!$packages) {
Write-Host "`"$packageName`" is not installed on any other user profiles."
} else {
foreach ($package in $packages) {
Write-Host "Found package `"$($package.PackageFullName)`"."
$installationDir = $package.InstallLocation
if ([string]::IsNullOrWhiteSpace($installationDir)) {
Write-Warning "Installation directory for `"$packageName`" is not found or invalid."
continue
}
$manifestPath = Join-Path -Path $installationDir -ChildPath 'AppxManifest.xml'
try {
if (-Not (Test-Path "$manifestPath")) {
Write-Host "Manifest file not found for `"$packageName`" on another user profile: `"$manifestPath`"."
continue
}
} catch {
Write-Warning "An error occurred while checking for the manifest file: $($_.Exception.Message)"
continue
}
Write-Host "Manifest file located. Trying to install using the manifest: `"$manifestPath`"..."
try {
Add-AppxPackage -DisableDevelopmentMode -Register "$manifestPath" -ErrorAction Stop
Write-Host "Successfully installed `"$packageName`" using its manifest file."
exit 0
} catch {
Write-Warning "Error installing from manifest: $($_.Exception.Message)"
}
}
}
# Attempt installation using the package family name
$packageFamilyName = "$($packageName)_$($publisherId)"
Write-Host "Trying to install `"$packageName`" using its package family name: `"$packageFamilyName`" from system installation..."
try {
Add-AppxPackage -RegisterByFamilyName -MainPackage $packageFamilyName -ErrorAction Stop
Write-Host "Successfully installed `"$packageName`" using its package family name."
exit 0
} catch {
Write-Warning "Error installing using package family name: $($_.Exception.Message)"
}
throw "Unable to reinstall the requested package ($packageName). " + `
"It appears to no longer be included in this version of Windows. " + `
"You may search for it or an alternative in the Microsoft Store or " + `
"consider using an earlier version of Windows where this package was originally provided."
-
function: CreateRegistryKey
parameters:
codeComment: Mark '{{ $packageName }}' as deprovisioned to block reinstall during Windows updates.
revertCodeComment: Remove '{{ $packageName }}' from deprovisioned list to allow reinstall during updates.
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\{{ $packageName }}_{{ $publisherId }}
deleteOnRevert: 'true'
-
name: UninstallNonRemovableStoreApp
parameters:
- name: packageName
- name: publisherId
docs: |-
This function uninstalls a non-removable app by marking it as removable and then
running the built-in app uninstallation process.
Process:
1. Mark package as 'EndOfLife':
- Sets EndOfLife key in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\<User SID>\<Package Family Name>` [1] [2].
This enables removal of normally non-removable apps [1] [2], preventing uninstallation failure (error `0x80070032`).
- No packages are marked as 'EndOfLife' by default (tested on Windows 10 Pro ≥ 22H2 and Windows 11 Pro ≥ 23H2).
- Even though this script deletes this key right after app removal, it's also removed on revert to restore default OS state.
This handles cases where the key might remain (e.g., manual addition, third-party tools, incomplete script execution), as keeping this
key may have unintended side effects.
2. Uninstall store app using Windows' built-in app package removal
3. Remove 'EndOfLife' mark:
- Deletes the EndOfLife key added in step 1
- Restores the app to its default, non-removable state
- Prevents potential side effects like blocking Windows Updates [3].
[1]: https://web.archive.org/web/20240809110626/https://github.com/undergroundwires/privacy.sexy/issues/260 "Improve system app uninstallation with a hard delete · Issue #260 · undergroundwires/privacy.sexy | github.com"
[2]: https://web.archive.org/web/20240809110743/https://github.com/undergroundwires/privacy.sexy/issues/236 "[BUG]: Edge Browser uninstall process no longer works · Issue #236 · undergroundwires/privacy.sexy | github.com"
[3]: https://web.archive.org/web/20240809111127/https://github.com/undergroundwires/privacy.sexy/issues/287 "\"Remove system apps\" breaks windows commulative updates · Issue #287 · undergroundwires/privacy.sexy | github.com"
call:
-
function: CreateRegistryKey
parameters:
codeComment: Enable removal of system app '{{ $packageName }}' by marking it as "EndOfLife"
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }}
replaceSid: 'true'
deleteOnRevert: 'true' # Although unnecessary due to the `DeleteRegistryKey` step later, this handles edge cases where this value may exist.
-
function: UninstallStoreApp
parameters:
packageName: '{{ $packageName }}'
publisherId: '{{ $publisherId }}'
-
function: DeleteRegistryKey
parameters:
codeComment: Revert '{{ $packageName }}' to its default, non-removable state.
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\$CURRENT_USER_SID\{{ $packageName }}_{{ $publisherId }}
replaceSid: 'true'
-
name: UninstallNonRemovableStoreAppWithCleanup # ❗️ Prefer `UninstallNonRemovableStoreApp` for new scripts
# 💡 Purpose:
# This function is designed for comprehensive cleanup, removing the store app along with associated data such as installation directories, user data, and metadata.
#
# It is maintained primarily for backward compatibility, supporting users who need to reverse changes made by earlier versions of privacy.sexy scripts that included app data removal.
# Historically, due to limitations in uninstalling non-removable apps through Windows package management tools (like `Remove-AppxPackage`), earlier versions of privacy.sexy scripts
# relied on a soft-deletion approach for app data. Newer scripts can now effectively use Windows package management to remove such apps.
#
# For general usage in new scripts, prefer `UninstallNonRemovableStoreApp`. It offers a simpler, safer, and less invasive approach. The extensive cleanup performed by
# this function is typically unnecessary for most users.
parameters:
- name: packageName
- name: publisherId
call:
-
function: ClearStoreAppDataBeforeUninstallation
parameters:
packageName: '{{ $packageName }}'
publisherId: '{{ $publisherId }}'
-
function: UninstallNonRemovableStoreApp
parameters:
packageName: '{{ $packageName }}'
publisherId: '{{ $publisherId }}'
-
function: ClearStoreAppDataAfterUninstallation
parameters:
packageName: '{{ $packageName }}'
publisherId: '{{ $publisherId }}'
-
name: ClearStoreAppDataBeforeUninstallation
parameters:
- name: packageName
- name: publisherId
call:
-
# ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
# Clear: Installation (SystemApps, Directory I)
# - Folder : %WINDIR%\SystemApps\{PackageFamilyName}
# - Example : C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy
# - Check : (Get-AppxPackage -AllUsers 'Windows.CBSPreview').InstallLocation
# - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
function: SoftDeleteFiles
parameters:
fileGlob: '%WINDIR%\SystemApps\{{ $packageName }}_{{ $publisherId }}\*'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
recurse: 'true'
-
# ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
# Clear: Installation (SystemApps, Directory II)
# - Folder : %WINDIR%\{ShortAppName}
# - Example : C:\Windows\PrintDialog
# - Check : (Get-AppxPackage -AllUsers 'Windows.PrintDialog').InstallLocation
# - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
function: SoftDeleteFiles
parameters:
fileGlob: >-
%WINDIR%\$(("{{ $packageName }}" -Split '\.')[-1])\*
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
recurse: 'true'
-
# ❗️ ORDERING: Run before `UninstallStoreApp` to ensure required manifest data is available for reinstallation when reverting.
# Clear: Installation (non-system i.e. provisioned and installed apps)
# - Folder : %SYSTEMDRIVE%\Program Files\WindowsApps\{PackageFullName}
# - Example : C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe
# - Check : (Get-AppxPackage -AllUsers 'Microsoft.BingWeather').InstallLocation
# - Check all : Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "Store" } | Sort Name | Format-Table Name, InstallLocation
function: SoftDeleteFiles
parameters:
fileGlob: '%SYSTEMDRIVE%\Program Files\WindowsApps\{{ $packageName }}_*_{{ $publisherId }}\*'
grantPermissions: 'true' # 🔒️ Protected on Windows 11 since 22H2 (when deleting `Microsoft.SecHealthUI`)
recurse: 'true'
-
name: ClearStoreAppDataAfterUninstallation
parameters:
- name: packageName
- name: publisherId
call:
-
# ❗️ ORDERING: Run after `UninstallStoreApp` to ensure only leftover files are removed without keeping unnecessary files on the system.
# Clear: User-specific data
# - Folder : %LOCALAPPDATA%\Packages\{PackageFamilyName}
# - Example : C:\Users\undergroundwires\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy
# - Check : "$env:LOCALAPPDATA\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFamilyName)"
function: SoftDeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Packages\{{ $packageName }}_{{ $publisherId }}\*'
recurse: 'true'
-
# ❗️ ORDERING: Run after `UninstallStoreApp` to ensure only leftover files are removed without keeping unnecessary files on the system.
# Clear: Metadata
# - Folder : %PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{PackageFullName}
# - Example : C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Windows.CBSPreview_10.0.19580.1000_neutral_neutral_cw5n1h2txyewy
# - Check : "$env:PROGRAMDATA\Microsoft\Windows\AppRepository\Packages\$((Get-AppxPackage -AllUsers 'Windows.CBSPreview').PackageFullName)"
function: SoftDeleteFiles
parameters:
fileGlob: '%PROGRAMDATA%\Microsoft\Windows\AppRepository\Packages\{{ $packageName }}_*_{{ $publisherId }}\*'
grantPermissions: 'true' # 🔒️ Protected on Windows 10 since 22H2 | 🔒️ Protected on Windows 11 since 22H2
recurse: 'true'
-
name: UninstallCapability
parameters:
- name: capabilityName
call:
function: RunPowerShell
parameters:
code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online
revertCode: |-
$capability = Get-WindowsCapability -Online -Name '{{ $capabilityName }}*'
Add-WindowsCapability -Name "$($capability.Name)" -Online
-
name: SoftDeleteFiles
# 💡 Purpose:
# Renames files matching a given glob pattern by appending a `.OLD` extension, effectively "soft deleting" them.
# It does not touch any of the folders.
# This allows for easier restoration and less immediate disruption compared to permanent deletion.
# 🤓 Implementation:
# 1. (with `grantPermissions`:) Elevate script privileges.
# 2. Iterate every file in the given directory, and for each file:
# - (with `grantPermissions`:) Grant permissions to file to be able to modify it.
# - Rename the file.
# - (with `grantPermissions`:) Restore permissions of the file to its original state
# 3. (with `grantPermissions`:) Remove elevated script privileges.
parameters:
- name: fileGlob
- name: grantPermissions # Grants permission on the files found, and restores original permissions after modification.
optional: true
- name: recurse # If set, deletes all files in all directories recursively.
optional: true
- name: beforeIteration # (Iteration callback) Code to run before iteration.
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Soft delete files matching pattern
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $fileGlob }}"
revertCodeComment: >-
Restore files matching pattern
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $fileGlob }}"
-
function: IterateGlob
parameters:
pathGlob: '{{ $fileGlob }}'
revertPathGlob: '{{ $fileGlob }}.OLD'
recurse: '{{ with $recurse }}{{ . }}{{ end }}'
# Elevating privileges:
# Another (simpler) implementation would be:
# ```
# $setPrivilegeFunction = [System.Diagnostics.Process].GetMethods(42) | Where-Object { $_.Name -eq 'SetPrivilege' }
# $privileges = @('SeRestorePrivilege', 'SeTakeOwnershipPrivilege')
# foreach ($privilege in $privileges) {
# $setPrivilegeFunction.Invoke($null, @($privilege, 2))
# }
# ```
beforeIteration: |-
{{ with $beforeIteration }}
{{ . }}
{{ end }}
$renamedCount = 0
$skippedCount = 0
$failedCount = 0
{{ with $grantPermissions }}
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class Privileges {
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid {
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool AddPrivilege(string privilege) {
try {
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
} catch (Exception ex) {
throw new Exception("Failed to adjust token privileges", ex);
}
}
public static bool RemovePrivilege(string privilege) {
try {
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = 0; // This line is changed to revoke the privilege
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
} catch (Exception ex) {
throw new Exception("Failed to adjust token privileges", ex);
}
}
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetCurrentProcess();
}
"@
[Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null
[Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
$adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
$adminAccount, `
[System.Security.AccessControl.FileSystemRights]::FullControl, `
[System.Security.AccessControl.AccessControlType]::Allow `
)
{{ end }}
# Marked: refactor-with-variables
# Granting permission is identical to `DisableScheduledTask`.
duringIteration: |-
if (Test-Path -Path $path -PathType Container) {
Write-Host "Skipping folder (not its contents): `"$path`"."
$skippedCount++
continue
}
if($revert -eq $true) {
if (-not $path.EndsWith('.OLD')) {
Write-Host "Skipping non-backup file: `"$path`"."
$skippedCount++
continue
}
} else {
if ($path.EndsWith('.OLD')) {
Write-Host "Skipping backup file: `"$path`"."
$skippedCount++
continue
}
}
$originalFilePath = $path
Write-Host "Processing file: `"$originalFilePath`"."
if (-Not (Test-Path $originalFilePath)) {
Write-Host "Skipping, file `"$originalFilePath`" not found."
$skippedCount++
continue
}
{{ with $grantPermissions }}
$originalAcl = Get-Acl -Path "$originalFilePath"
$accessGranted = $false
try {
$acl = Get-Acl -Path "$originalFilePath"
$acl.SetOwner($adminAccount) # Take Ownership (because file is owned by TrustedInstaller)
$acl.AddAccessRule($adminFullControlAccessRule) # Grant rights to be able to move the file
Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop
$accessGranted = $true
} catch {
Write-Warning "Failed to grant access to `"$originalFilePath`": $($_.Exception.Message)"
}
{{ end }}
if ($revert -eq $true) {
$newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4)
} else {
$newFilePath = "$($originalFilePath).OLD"
}
try {
Move-Item -LiteralPath "$($originalFilePath)" -Destination "$newFilePath" -Force -ErrorAction Stop
Write-Host "Successfully processed `"$originalFilePath`"."
$renamedCount++
{{ with $grantPermissions }}
if ($accessGranted) {
try {
Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop
} catch {
Write-Warning "Failed to restore access on `"$newFilePath`": $($_.Exception.Message)"
}
}
{{ end }}
} catch {
Write-Error "Failed to rename `"$originalFilePath`" to `"$newFilePath`": $($_.Exception.Message)"
$failedCount++
{{ with $grantPermissions }}
if ($accessGranted) {
try {
Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop
} catch {
Write-Warning "Failed to restore access on `"$originalFilePath`": $($_.Exception.Message)"
}
}
{{ end }}
}
afterIteration: |-
if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {
Write-Host "Successfully processed $renamedCount items and skipped $skippedCount items."
}
if ($failedCount -gt 0) {
Write-Warning "Failed to process $($failedCount) items."
}
{{ with $grantPermissions }}
[Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null
[Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null
{{ end }}
-
name: SetVsCodeSetting
parameters:
- name: setting
- name: powerShellValue
call:
function: RunPowerShell
parameters:
code: |-
$settingKey='{{ $setting }}'
$settingValue={{ $powerShellValue }}
$jsonFilePath = "$($env:APPDATA)\Code\User\settings.json"
if (!(Test-Path $jsonFilePath -PathType Leaf)) {
Write-Host "Skipping, no updates. Settings file was not found at `"$jsonFilePath`"."
exit 0
}
try {
$fileContent = Get-Content $jsonFilePath -ErrorAction Stop
} catch {
throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_"
}
if ([string]::IsNullOrWhiteSpace($fileContent)) {
Write-Host "Settings file is empty. Treating it as default empty JSON object."
$fileContent = "{}"
}
try {
$json = $fileContent | ConvertFrom-Json
} catch {
throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". Error: $_"
}
$existingValue = $json.$settingKey
if ($existingValue -eq $settingValue) {
Write-Host "Skipping, `"$settingKey`" is already configured as `"$settingValue`"."
exit 0
}
$json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force
$json | ConvertTo-Json -Depth 100 | Set-Content $jsonFilePath # Default depth (2) would flatten nested settings into strings
Write-Host "Successfully applied the setting to the file: `"$jsonFilePath`"."
revertCode: |-
$settingKey='{{ $setting }}'
$settingValue={{ $powerShellValue }}
$jsonFilePath = "$($env:APPDATA)\Code\User\settings.json"
if (!(Test-Path $jsonFilePath -PathType Leaf)) {
Write-Host "Skipping, no need to revert because settings file is not found: `"$jsonFilePath`"."
exit 0
}
try {
$fileContent = Get-Content $jsonFilePath -ErrorAction Stop
} catch {
throw "Error, failed to read the settings file: `"$jsonFilePath`". Error: $_"
}
if ([string]::IsNullOrWhiteSpace($fileContent)) {
Write-Host "Skipping, no need to revert because settings file is empty: `"$jsonFilePath`"."
exit 0
}
try {
$json = $fileContent | ConvertFrom-Json
} catch {
throw "Error, invalid JSON format in the settings file: `"$jsonFilePath`". Error: $_"
}
if (!$json.PSObject.Properties[$settingKey]) {
Write-Host "Skipping, no need to revert because setting `"$settingKey`" does not exist."
exit 0
}
if ($json.$settingKey -ne $settingValue) {
Write-Host "Skipping, setting (`"$settingKey`") has different configuration than `"$settingValue`": `"$($json.$settingKey)`"."
exit 0
}
$json.PSObject.Properties.Remove($settingKey)
$json | ConvertTo-Json -Depth 100 | Set-Content $jsonFilePath # Default depth (2) would flatten nested settings into strings
Write-Host "Successfully reverted the setting from file: `"$jsonFilePath`"."
-
name: RunPowerShell
parameters:
- name: code
- name: revertCode
optional: true
- name: codeComment
optional: true
- name: revertCodeComment
optional: true
call:
-
function: Comment
parameters:
codeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}'
-
function: RunInlineCode
parameters:
code: PowerShell -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}"
revertCode: |-
{{ with $revertCode }}
PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}"
{{ end }}
-
name: DisablePerUserService
parameters:
- name: serviceName # The name of the service to disable
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function disables both system-wide and per-user services for a specified service.
Windows creates per-user services when a user signs in and deletes them upon sign-out [1].
Per-user services use the naming format <service name>_LUID, where LUID is a locally unique identifier for the user context [1].
Per-user services have system-wide counterparts with the same default startup mode [1].
These services can only be disabled using registry modifications [1].
They are hidden from the **Services** management console and not displayed in the group policy services policy editor [1].
[1]: https://web.archive.org/web/20240119153912/https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows "Per-user services - Windows Application Management | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: 'Disable per-user "{{ $serviceName }}" service for all users'
revertCodeComment: 'Restore per-user "{{ $serviceName }}" service to its default configuration for all users'
-
function: DisableServiceInRegistry
parameters:
serviceName: '{{ $serviceName }}'
defaultStartupMode: '{{ $defaultStartupMode }}'
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
-
function: Comment
parameters:
codeComment: 'Disable per-user "{{ $serviceName }}" service for individual user accounts'
revertCodeComment: 'Restore per-user "{{ $serviceName }}" service to its default configuration for individual user accounts'
-
function: DisableServiceInRegistry
parameters:
serviceName: '{{ $serviceName }}_*'
defaultStartupMode: '{{ $defaultStartupMode }}'
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
-
name: RunInlineCode
# Marked: refactor-with-partials
# Same function in macOS, Linux, Windows
parameters:
- name: code
optional: true
- name: revertCode
optional: true
code: '{{ with $code }}{{ . }}{{ end }}'
revertCode: '{{ with $revertCode }}{{ . }}{{ end }}'
-
name: RunPowerShellWithSameCodeAndRevertCode
parameters:
- name: code
- name: codeComment
optional: true
call:
function: RunPowerShell
parameters:
code: '{{ $code }}'
revertCode: '{{ $code }}'
codeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
revertCodeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
-
name: RunInlineCodeAsTrustedInstaller
parameters:
- name: code # Batchfile code to execute with TrustedInstaller privileges.
- name: revertCode # Optional batchfile code to revert changes. This code also runs with TrustedInstaller privileges.
optional: true
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function executes batchfile code with TrustedInstaller privileges, which may be required for performing system-level tasks
that require the highest permission levels.
This function is designed to handle tasks that cannot be completed under normal user or administrator privileges,
such as modifying protected registry keys or system files.
call:
function: RunPowerShellWithWindowsVersionConstraints
parameters:
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
# PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks.
# Seen e.g. on Windows 11 when reverting scripts after executing them and reboot.
# They are seen to throw different exceptions:
# - `Unregister-ScheduledTask : The system cannot find the file specified`
# `ObjectNotFound: (MSFT_ScheduledTask:Root/Microsoft/...T_ScheduledTask)` with `HRESULT 0x80070002`
# - `No MSFT_ScheduledTask objects found with property 'TaskName'`
# - Because task is already running but `Get-ScheduledTask` cannot find it, it throws:
# `Failed to execute with exit code: 267009`
# Solution
# Checking if task is running:
# - ❌ Not using `"$(schtasks.exe /query /tn "$taskName" 2>$null)".Contains('Running')` because it outputs
# different text (not always "Running") in German/English versions.
# - ❌ Not using `(Get-ScheduledTask $taskName -ErrorAction Ignore).State -eq 'Running'`
# because `Get-ScheduledTask` sometimes fails.
# - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running.
# Deleting existing task:
# - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002`
# - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null`
# to suppress errors.
code: |-
$command = @'
{{ $code }}
'@
$trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
$streamOutFile = New-TemporaryFile
$batchFile = New-TemporaryFile
try {
$batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
"@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
$taskName = 'privacy.sexy invoke'
schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
$taskAction = New-ScheduledTaskAction `
-Execute 'cmd.exe' `
-Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask `
-TaskName $taskName `
-Action $taskAction `
-Settings $settings `
-Force `
-ErrorAction Stop `
| Out-Null
try {
($scheduleService = New-Object -ComObject Schedule.Service).Connect()
$scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
$timeOutLimit = (Get-Date).AddMinutes(5)
Write-Host "Running as $trustedInstallerName"
while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
Start-Sleep -Milliseconds 200
if((Get-Date) -gt $timeOutLimit) {
Write-Warning "Skipping results, it took too long to execute script."
break;
}
}
if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
Write-Error "Failed to execute with exit code: $result."
}
} finally {
schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
}
Get-Content $streamOutFile
} finally {
Remove-Item $streamOutFile, $batchFile
}
# Marked: refactor-with-variables
# `revertCode` is complete duplicate of `code`.
revertCode: |-
{{ with $revertCode }}
$command = @'
{{ . }}
'@
$trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
$streamOutFile = New-TemporaryFile
$batchFile = New-TemporaryFile
try {
$batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
"@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
$taskName = 'privacy.sexy invoke'
schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
$taskAction = New-ScheduledTaskAction `
-Execute 'cmd.exe' `
-Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask `
-TaskName $taskName `
-Action $taskAction `
-Settings $settings `
-Force `
-ErrorAction Stop `
| Out-Null
try {
($scheduleService = New-Object -ComObject Schedule.Service).Connect()
$scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
$timeOutLimit = (Get-Date).AddMinutes(5)
Write-Host "Running as $trustedInstallerName"
while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
Start-Sleep -Milliseconds 200
if((Get-Date) -gt $timeOutLimit) {
Write-Warning "Skipping results, it took too long to execute script."
break;
}
}
if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
Write-Error "Failed to execute with exit code: $result."
}
} finally {
schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
}
Get-Content $streamOutFile
} finally {
Remove-Item $streamOutFile, $batchFile
}
{{ end }}
-
name: DisableServiceInRegistry
# 💡 Purpose:
# Disables a specified service via the registry.
# Use this method only if `DisableService` does not work.
parameters: # Ensure that this function has the same parameters as `DisableService` and `DisableServiceInRegistryAsTrustedInstaller` to simplify testing and interchangeability.
- name: serviceName
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
call:
function: RunPowerShellWithWindowsVersionConstraints
# Marked: refactor-with-revert-call, refactor-with-variables
# Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry`
parameters:
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
code: |- # We do the registry way because GUI, "sc config" or "Set-Service" will not work
$serviceQuery = '{{ $serviceName }}'
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) {
Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it."
Exit 0
}
$serviceName = $service.Name
Write-Host "Disabling service: `"$serviceName`"."
# -- 2. Stop if running
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is running, trying to stop it."
try {
Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
Write-Host "Stopped `"$serviceName`" successfully."
} catch {
Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
}
} else {
Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if service info is not found in registry
$registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if(!(Test-Path $registryKey)) {
Write-Host "`"$registryKey`" is not found in registry, cannot disable it."
Exit 0
}
# -- 4. Skip if already disabled
if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) {
Write-Host "`"$serviceName`" is already disabled from start, no further action is needed."
Exit 0
}
# -- 5. Disable service
try {
Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
}
revertCode: |-
$serviceQuery = '{{ $serviceName }}'
$defaultStartupMode = '{{ $defaultStartupMode }}'
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) {
Write-Warning "Service query `"$serviceQuery`" did not yield any results, cannot enable it."
Exit 1
}
$serviceName = $service.Name
Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
# -- 2. Skip if service info is not found in registry
$registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if(!(Test-Path $registryKey)) {
Write-Warning "`"$registryKey`" is not found in registry, cannot enable it."
Exit 1
}
# -- 3. Enable if not already enabled
$defaultStartupRegValue = `
if ($defaultStartupMode -eq 'Boot') { '0' } `
elseif($defaultStartupMode -eq 'System') { '1' } `
elseif($defaultStartupMode -eq 'Automatic') { '2' } `
elseif($defaultStartupMode -eq 'Manual') { '3' } `
else { throw "Unknown start mode: $defaultStartupMode"}
if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start."
} else {
try {
Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force -ErrorAction Stop
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, this may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 4. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, trying to start it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
}
}
-
name: DisableServiceInRegistryAsTrustedInstaller
# 💡 Purpose:
# Disables a specified service via the registry with TrustedInstaller privileges for higher access rights.
# Use this method only if `DisableServiceInRegistry` fails due to permission issues.
# Marked: refactor-with-variables
# The logic is almost same as `DisableServiceInRegistry`, but this is executed as TrustedInstaller.
# The logic should be reused.
parameters: # Ensure that this function has the same parameters as `DisableService` and `DisableServiceInRegistry` to simplify testing and interchangeability.
- name: serviceName
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
- name: waitForDependentServicesOnStop # Set to `true` to stop the service and wait for all dependent services to stop as well.
optional: true # Set to `false` to stop the service immediately without waiting for dependents.
call:
-
function: Comment
parameters:
codeComment: "Disable the service `{{ $serviceName }}` using TrustedInstaller privileges"
revertCodeComment: "Restore the service `{{ $serviceName }}` using TrustedInstaller privileges"
-
function: RunInlineCodeAsTrustedInstaller
parameters:
# Some services are not stoppable (e.g. WdFilter) and attempting to stop them with `sc stop` returns:
# `[SC] ControlService FAILED 1052: The requested control is not valid for this service.`. This code
# handles it, and provides a user-friendly error message. If the error is something else, it prints the error
# to the console.
# Marked refactor-with-if-syntax:
# {{ with }} is used awkwardly with commented out code.
code: |-
setlocal EnableDelayedExpansion
set "serviceName={{ $serviceName }}"
{{ with $waitForDependentServicesOnStop }}set "stopWithDependencies=true"{{ end }}
{{ with $waitForDependentServicesOnStop }}:: {{ end }}set "stopWithDependencies=false"
if "!stopWithDependencies!"=="true" (
echo Stopping the service "!serviceName!" and waiting for its dependencies to stop.
net stop "!serviceName!" /yes
) else (
echo Stopping the service "!serviceName!".
sc stop "!serviceName!" >nul 2>&1
)
if !ERRORLEVEL! EQU 0 (
echo Successfully stopped the service "!serviceName!".
) else (
if !ERRORLEVEL! EQU 1052 (
echo Warning: The service "!serviceName!" does not accept a stop command and may need to be stopped manually or on reboot.
) else (
echo Error: Failed to stop service "!serviceName!" with exit code: !ERRORLEVEL!. Retrieving more information...
>&2 net helpmsg !ERRORLEVEL!
)
)
echo Updating registry settings to disable service "!serviceName!"...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\!serviceName!" /v "Start" /t REG_DWORD /d "4" /f
if !ERRORLEVEL! EQU 0 (
echo Service "!serviceName!" has been successfully disabled in the registry and will not start automatically on next boot.
) else (
echo Error: Unable to disable service "!serviceName!" in the registry. Please check your permissions or contact your administrator.
)
endlocal
revertCode: |-
setlocal EnableDelayedExpansion
set "serviceName={{ $serviceName }}"
set "defaultStartupMode={{ $defaultStartupMode }}"
set "defaultStartupRegValue=-1"
echo Restoring changes for "!serviceName!"...
if /i "!defaultStartupMode!"=="Boot" (
set "defaultStartupRegValue=0"
) else if /i "!defaultStartupMode!"=="System" (
set "defaultStartupRegValue=1"
) else if /i "!defaultStartupMode!"=="Automatic" (
set "defaultStartupRegValue=2"
) else if /i "!defaultStartupMode!"=="Manual" (
set "defaultStartupRegValue=3"
) else (
echo Error: Unknown startup mode specified: "!defaultStartupMode!". Revert cannot proceed.
exit /b 1
)
echo Restoring registry settings for service "!serviceName!" to default startup mode "!defaultStartupMode!"...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\!serviceName!" /v "Start" /t REG_DWORD /d "!defaultStartupRegValue!" /f
if !ERRORLEVEL! EQU 0 (
echo Successfully restored the registry settings for "!serviceName!".
) else (
echo Error: Failed to update registry settings for "!serviceName!". Check permissions or contact your administrator.
)
if /i not "!defaultStartupMode!"=="Manual" (
echo Attempting to restart service "!serviceName!"...
sc start "!serviceName!" >nul 2>&1
if !ERRORLEVEL! EQU 0 (
echo Service "!serviceName!" restarted successfully.
) else (
echo Warning: Unable to restart service "!serviceName!". It may require a manual start or system reboot.
)
)
endlocal
-
name: SetMpPreference
# Configures preferences for Microsoft Defender scans and updates.
# ❗️ Requires "WinDefend" service in running state, otherwise fails
parameters:
- name: property
- name: value
-
# When provided, it sets defaults using `Set-MpPreference`.
# Used by default in Windows 10 as `Remove-MpPreference` cmdlet is very limited/poor in Windows 10.
# Ignored by default on Windows 11 unless a value is provided for `setDefaultOnWindows11`.
name: default
optional: true
-
# When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference`
# Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11.
name: setDefaultOnWindows11
optional: true
call:
function: RunPowerShell
parameters:
# Unsupported arguments ->
# Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`,
# `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms
# and throws e.g. with:
# `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value
# "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType".
# Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the
# following enumerator names and try again: NotConfigured, Beta, Preview"`
code: |-
$propertyName = '{{ $property }}'
$value = {{ $value }}
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {
Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 0
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Set-MpPreference -Force -{{ $property }} $value -ErrorAction Stop
Write-Host "Successfully set `"$propertyName`" to `"$value`"."
exit 0
} catch {
if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
exit 0
} elseif (($_ | Out-String) -like '*Cannot convert*') {
Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
} else {
Write-Error "Failed to set using $($command.Name): $_"
exit 1
}
}
# `Remove-MpPreference` is different in Windows 11 / 10
# Windows 11 and 10 have different revert behavior which is caused by different `Remove-MpPreference` cmdlet versions used
# Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps
# Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps
# On Windows 11:
# - By default, `Remove-MpPreference` sets default values for settings for all cases.
# - `setDefaultOnWindows11` parameter changes this behavior to set the default value using `Set-MpPreference`
# On Windows 10:
# - If `default` argument is provided, it's set using `Set-MpPreference`
# - `default` argument should not be provided if `Remove-MpPreference` is supported in Windows 10.
revertCode: |-
$propertyName = '{{ $property }}'
{{ with $default }} $defaultValue = {{ . }} {{ end }}
$setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false
$setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false
$osVersion = [System.Environment]::OSVersion.Version
function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }
function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }
# ------ Set-MpPreference ------
if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) {
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) {
Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
}
# ------ Remove-MpPreference ------
$command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Remove-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
-
name: StopService
parameters:
- name: serviceName
- name: serviceRestartStateFile # This file is created only if the service is successfully stopped.
optional: true
- name: waitUntilStopped # Makes the script wait until the service is stopped
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Stop service: {{ $serviceName }}
{{ with $serviceRestartStateFile }}(with state flag){{ end }}
{{ with $waitUntilStopped }}(wait until stopped){{ end }}
-
function: RunPowerShell
parameters:
# Marked: refactor-with-variables
# - Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry`
# - Creating the marker file is same as in script `CreatePlaceholderFile`
code: |-
$serviceName = '{{ $serviceName }}'
Write-Host "Stopping service: `"$serviceName`"."
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (!$service) {
Write-Host "Skipping, service `"$serviceName`" could not be found, no need to stop it."
exit 0
}
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "Skipping, `"$serviceName`" is not running, no need to stop."
exit 0
}
Write-Host "`"$serviceName`" is running, stopping it."
try {
$service | Stop-Service -Force -ErrorAction Stop
{{ with $waitUntilStopped }}
$service.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped)
{{ end }}
} catch {
throw "Failed to stop the service `"$serviceName`": $_"
}
Write-Host "Successfully stopped the service: `"$serviceName`"."
{{ with $serviceRestartStateFile }}
$stateFilePath = '{{ . }}'
$expandedStateFilePath = [System.Environment]::ExpandEnvironmentVariables($stateFilePath)
if (Test-Path -Path $expandedStateFilePath) {
Write-Host "Skipping creating a service state file, it already exists: `"$expandedStateFilePath`"."
} else {
# Ensure the directory exists
$parentDirectory = [System.IO.Path]::GetDirectoryName($expandedStateFilePath)
if (-not (Test-Path $parentDirectory -PathType Container)) {
try {
New-Item -ItemType Directory -Path $parentDirectory -Force -ErrorAction Stop | Out-Null
} catch {
Write-Warning "Failed to create parent directory of service state file `"$parentDirectory`": $_"
}
}
# Create the state file
try {
New-Item -ItemType File -Path $expandedStateFilePath -Force -ErrorAction Stop | Out-Null
Write-Host 'The service will be started again.'
} catch {
Write-Warning "Failed to create service state file `"$expandedStateFilePath`": $_"
}
}
{{ end }}
-
name: StartService
parameters:
- name: serviceName
- name: serviceRestartStateFile # Used for "check and delete": Starts the service only if file exists, always deletes the file.
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Start service: {{ $serviceName }}
{{ with $serviceRestartStateFile }}(with state flag){{ end }}
-
function: RunPowerShell
parameters:
# Marked: refactor-with-variables
# - Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry`
# - Removing the marker file is same as in script `CreatePlaceholderFile`
code: |-
$serviceName = '{{ $serviceName }}'
{{ with $serviceRestartStateFile }}
$stateFilePath = '{{ . }}'
$expandedStateFilePath = [System.Environment]::ExpandEnvironmentVariables($stateFilePath)
if (-not (Test-Path -Path $expandedStateFilePath)) {
Write-Host "Skipping starting the service: It was not running before."
exit 0
} else {
try {
Remove-Item -Path $expandedStateFilePath -Force -ErrorAction Stop
Write-Host 'The service is expected to be started.'
} catch {
Write-Warning "Failed to delete the service state file `"$expandedStateFilePath`": $_"
}
}
{{ end }}
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (!$service) {
throw "Failed to start service `"$serviceName`": Service not found."
}
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "Skipping, `"$serviceName`" is already running, no need to start."
exit 0
}
Write-Host "`"$serviceName`" is not running, starting it."
try {
$service | Start-Service -ErrorAction Stop
Write-Host "Successfully started the service: `"$serviceName`"."
} catch {
Write-Warning "Failed to start the service: `"$serviceName`"."
exit 1
}
-
name: DisableService
parameters: # Ensure that this function has the same parameters as `DisableServiceInRegistry` and `DisableServiceInRegistryAsTrustedInstaller` to simplify testing and interchangeability.
- name: serviceName
- name: defaultStartupMode # Allowed values: Automatic | Manual
- name: ignoreMissingOnRevert # When set to true, the revert operation will skip any actions for services that cannot be found, instead of failing.
optional: true
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
call:
-
function: Comment
parameters:
codeComment: "Disable service(s): `{{ $serviceName }}`"
revertCodeComment: "Restore service(s) to default state: `{{ $serviceName }}`"
-
# Marked: refactor-with-revert-call, refactor-with-variables
# Implementation of those should share similar code: `DisableService`, `StopService`, `StartService`, `DisableServiceInRegistry`
function: RunPowerShellWithWindowsVersionConstraints
# Careful with Set-Service cmdlet:
# 1. It exits with positive code even if service is disabled
# 2. It had breaking API change for `-StartupType` parameter:
# PowerShell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual
# PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled
# So "Disabled", "Automatic" and "Manual" are only consistent ones.
# Read more:
# https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978
# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.4
parameters:
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
code: |-
$serviceName = '{{ $serviceName }}'
Write-Host "Disabling service: `"$serviceName`"."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if(!$service) {
Write-Host "Service `"$serviceName`" could not be found, no need to disable it."
Exit 0
}
# -- 2. Stop if running
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is running, stopping it."
try {
Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
Write-Host "Stopped `"$serviceName`" successfully."
} catch {
Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
}
} else {
Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if already disabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq 'Disabled') {
Write-Host "$serviceName is already disabled, no further action is needed"
Exit 0
}
# -- 4. Disable service
try {
Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
}
revertCode: |-
$serviceName = '{{ $serviceName }}'
$defaultStartupMode = '{{ $defaultStartupMode }}'
$ignoreMissingOnRevert = {{ with $ignoreMissingOnRevert }} $true # {{ end }} $false
Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (!$service) {
if ($ignoreMissingOnRevert) {
Write-Output "Skipping: The service `"$serviceName`" is not found. No action required."
Exit 0
}
Write-Warning "Failed to revert changes to the service `"$serviceName`". The service is not found."
Exit 1
}
# -- 2. Enable or skip if already enabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq "$defaultStartupMode") {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed."
} else {
try {
Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, this may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 3. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, starting it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
}
}
-
name: ShowMessage
parameters:
- name: message
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: showOnRevert
optional: true
- name: warn
optional: true
call:
function: RunPowerShellWithWindowsVersionConstraints
parameters:
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
code: |-
$message = '{{ $message }}'
$warn = {{ with $warn }} $true # {{ end }} $false
if ($warn) {
Write-Warning "$message"
} else {
Write-Host "Note: " -ForegroundColor Blue -NoNewLine
Write-Output "$message"
}
# Marked: refactor-with-variables
# Unfortunately, this duplicates `code` behind the `showOnRevert` flag, as the privacy.sexy compiler does not support a better way for now.
revertCode: |-
{{ with $showOnRevert }}
$message = '{{ $message }}'
$warn = {{ with $warn }} $true # {{ end }} $false
if ($warn) {
Write-Warning "$message"
} else {
Write-Host "Note: " -ForegroundColor Blue -NoNewLine
Write-Output "$message"
}
{{ end }}
-
name: RemoveShortcutFiles
parameters:
- name: shortcutItems
- name: targetFile
call:
function: RunPowerShell
parameters:
code: |-
$shortcuts = @(
{{ $shortcutItems }}
)
foreach ($shortcut in $shortcuts) {
if (-Not (Test-Path $shortcut.Path)) {
Write-Host "Skipping, shortcut does not exist: `"$($shortcut.Path)`"."
continue
}
try {
Remove-Item -Path $shortcut.Path -Force -ErrorAction Stop
Write-Output "Successfully removed shortcut: `"$($shortcut.Path)`"."
} catch {
Write-Error "Encountered an issue while attempting to remove shortcut at: `"$($shortcut.Path)`"."
}
}
revertCode: |-
$targetFilePath = "{{ $targetFile }}"
$expandedTargetFilePath = [System.Environment]::ExpandEnvironmentVariables($targetFilePath)
$shortcuts = @(
{{ $shortcutItems }}
)
if (-Not (Test-Path $expandedTargetFilePath)) {
Write-Warning "Target file `"$expandedTargetFilePath`" does not exist."
}
$wscriptShell = $null
try {
$wscriptShell = New-Object -ComObject WScript.Shell
} catch {
throw "Failed to create WScript.Shell object: $($_.Exception.Message)"
}
foreach ($shortcut in $shortcuts) {
if (-Not $shortcut.Revert) {
Write-Host "Skipping, revert operation is not needed for: `"$($shortcut.Path)`"."
continue
}
if (Test-Path $shortcut.Path) {
Write-Host "Shortcut already exists, skipping: `"$($shortcut.Path)`"."
continue
}
try {
$shellShortcut = $wscriptShell.CreateShortcut($shortcut.Path)
$shellShortcut.TargetPath = $expandedTargetFilePath
$shellShortcut.Save()
Write-Output "Successfully created shortcut at `"$($shortcut.Path)`"."
} catch {
Write-Error "An error occurred while creating the shortcut at `"$($shortcut.Path)`"."
}
}
-
name: Comment
# 💡 Purpose:
# Adds a comment in the executed code for better readability and debugging.
# This function does not affect the execution flow but helps in understanding the purpose of subsequent code.
parameters:
- name: codeComment
optional: true
- name: revertCodeComment
optional: true
call:
function: RunInlineCode
parameters:
code: '{{ with $codeComment }}:: {{ . }}{{ end }}'
revertCode: '{{ with $revertCodeComment }}:: {{ . }}{{ end }}'
-
# Behavior:
# Searches for files and directories based on a Unix-style glob pattern and iterates over them.
# Similar to the `ls` command.
# Primarily supports the `*` wildcard; compatibility with other patterns is not tested.
# 💡 Usage:
# This is a low-level function. Favor using other functions in script calls.
# It provides the following variables for the code in argument value:
# - `$expandedPath` : Expanded path glob pattern.
# - `$path` : Current iterated path (only available for `duringIteration`)
name: IterateGlob
parameters:
- name: pathGlob # Glob pattern for search.
- name: revertPathGlob # Glob pattern for reverting changes.
optional: true
- name: beforeIteration # (Iteration callback) Code to run before iteration.
optional: true
- name: duringIteration # (Iteration callback) Code to run for each found item.
- name: afterIteration # (Iteration callback) Code to run after iteration.
optional: true
- name: recurse # If set, includes all files and directories recursively.
optional: true
call:
function: RunPowerShell
parameters:
code: |-
$pathGlobPattern = "{{ $pathGlob }}"
$expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)
Write-Host "Searching for items matching pattern: `"$($expandedPath)`"."
{{ with $beforeIteration }}
{{ . }}
{{ end }}
$foundAbsolutePaths = @()
{{ with $recurse }}
Write-Host 'Iterating files and directories recursively.'
try {
$foundAbsolutePaths += @(
Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
{{ end }}
try {
$foundAbsolutePaths += @(
Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
$foundAbsolutePaths = $foundAbsolutePaths `
| Select-Object -Unique `
| Sort-Object -Property { $_.Length } -Descending
if (!$foundAbsolutePaths) {
Write-Host 'Skipping, no items available.'
exit 0
}
Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"."
foreach ($path in $foundAbsolutePaths) {
{{ $duringIteration }}
}
{{ with $afterIteration }}
{{ . }}
{{ end }}
# Marked: refactor-with-variables
# Unfortunately, there is a lot of duplication here, as the privacy.sexy compiler does not support a better way for now.
# The differences between this script and `code` are:
# - It sets `$revert` variable to `$true`.
# - It uses value of `$revertPathGlob` instead of `$pathGlob`
revertCode: |-
{{ with $revertPathGlob }}
$revert = $true
$pathGlobPattern = "{{ . }}"
$expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern)
Write-Host "Searching for items matching pattern: `"$($expandedPath)`"."
{{ with $beforeIteration }}
{{ . }}
{{ end }}
$foundAbsolutePaths = @()
{{ with $recurse }}
Write-Host 'Iterating files and directories recursively.'
try {
$foundAbsolutePaths += @(
Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
{{ end }}
try {
$foundAbsolutePaths += @(
Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName
)
} catch [System.Management.Automation.ItemNotFoundException] {
# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions
}
$foundAbsolutePaths = $foundAbsolutePaths `
| Select-Object -Unique `
| Sort-Object -Property { $_.Length } -Descending
if (!$foundAbsolutePaths) {
Write-Host 'Skipping, no items available.'
exit 0
}
Write-Host "Initiating processing of $($foundAbsolutePaths.Count) items from `"$expandedPath`"."
foreach ($path in $foundAbsolutePaths) {
{{ $duringIteration }}
}
{{ with $afterIteration }}
{{ . }}
{{ end }}
{{ end }}
-
name: DeleteGlob
# Behavior:
# Deletes files and directories based on a Unix-style glob pattern.
# Optionally, it can grant full permissions to the items before deletion.
# 💡 Usage:
# This is a low-level function. Favor higher-level functions like `ClearDirectoryContents`, `DeleteDirectory`, and `DeleteFiles`
# for clearer intent and enhanced security when applicable.
# 🚫 Limitations:
# The function might not perform as expected if the current user lacks read permissions on the parent directory.
# This specific use case is not addressed in the implementation because it has not been deemed necessary for the function's intended
# applications.
parameters:
- name: pathGlob # Glob pattern for search.
- name: grantPermissions # Grants permission on items of the parent directory recursively (including all files and directories) to be able to delete them.
optional: true
- name: beforeIteration # (Iteration callback) Code to run before iteration.
optional: true
- name: duringIteration # (Iteration callback) Code to run for each found item.
optional: true
- name: afterIteration # (Iteration callback) Code to run after iteration.
optional: true
- name: recurse # If set, deletes all files and directories recursively.
optional: true
call:
function: IterateGlob
parameters:
pathGlob: '{{ $pathGlob }}'
recurse: '{{ with $recurse }}{{ . }}{{ end }}'
# Marked: refactor-with-variables (optionally)
# Granting permissions has limitations for wildcards due to `takeown` and `icacls`. These commands are used for their simplicity to avoid adjusting token privileges.
# However, adjusting token privileges is already implemented by `SoftFileDelete`. Once that kind of implementation is reusable, this script can be improved to
# use `Get-Acl` and `Set-Acl` instead for better wildcard support.
# Considerations for using `Get-Acl` and `Set-Acl`:
# These commands may encounter issues when the user lacks "List Folder" permissions on a parent directory, which is essential for the `DeleteGlob` function.
# `takeown` robustly handles scenarios where the user lacks "List Folder" permissions.
# It requires a localized 'yes' flag, which varies with the system language ('y' for English).
# To find the localized 'yes', the script uses the `choice` command. This approach is simpler and more reliable
# than parsing `takeown /?`, which has proven to be inconsistent across different languages.
# For future enhancements:
# - Explore handling folder listing permission issues when transitioning to `Get-Acl` and `Set-Acl`.
# - Currently, `takeown` is preferred for its reliability in permission handling, especially in wildcard scenarios.
beforeIteration: |-
{{ with $grantPermissions }}
# Not using `Get-Acl`/`Set-Acl` to avoid adjusting token privileges
$parentDirectory = [System.IO.Path]::GetDirectoryName($expandedPath)
$fileName = [System.IO.Path]::GetFileName($expandedPath)
if ($parentDirectory -like '*[*?]*') {
throw "Unable to grant permissions to glob path parent directory: `"$parentDirectory`", wildcards in parent directory are not supported by ``takeown`` and ``icacls``."
}
if (($fileName -ne '*') -and ($fileName -like '*[*?]*')) {
throw "Unable to grant permissions to glob path file name: `"$fileName`", wildcards in file name are not supported by ``takeown`` and ``icacls``."
}
Write-Host "Taking ownership of `"$expandedPath`"."
$cmdPath = $expandedPath
if ($cmdPath.EndsWith('\')) {
$cmdPath += '\' # Escape trailing backslash for correct handling in batch commands
}
$takeOwnershipCommand = "takeown /f `"$cmdPath`" /a" # `icacls /setowner` does not succeed, so use `takeown` instead.
if (-not (Test-Path -Path "$expandedPath" -PathType Leaf)) {
$localizedYes = 'Y' # Default 'Yes' flag (fallback)
try {
$choiceOutput = cmd /c "choice <nul 2>nul"
if ($choiceOutput -and $choiceOutput.Length -ge 2) {
$localizedYes = $choiceOutput[1]
} else {
Write-Warning "Failed to determine localized 'Yes' character. Output: `"$choiceOutput`""
}
} catch {
Write-Warning "Failed to determine localized 'Yes' character. Error: $_"
}
$takeOwnershipCommand += " /r /d $localizedYes"
}
$takeOwnershipOutput = cmd /c "$takeOwnershipCommand 2>&1" # `stderr` message is misleading, e.g. "ERROR: The system cannot find the file specified." is not an error.
if ($LASTEXITCODE -eq 0) {
Write-Host "Successfully took ownership of `"$expandedPath`" (using ``$takeOwnershipCommand``)."
} else {
Write-Host "Did not take ownership of `"$expandedPath`" using ``$takeOwnershipCommand``, status code: $LASTEXITCODE, message: $takeOwnershipOutput."
# Do not write as error or warning, because this can be due to missing path, it's handled in next command.
# `takeown` exits with status code `1`, making it hard to handle missing path here.
}
Write-Host "Granting permissions for `"$expandedPath`"."
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
$adminAccountName = $adminAccount.Value
$grantPermissionsCommand = "icacls `"$cmdPath`" /grant `"$($adminAccountName):F`" /t"
$icaclsOutput = cmd /c "$grantPermissionsCommand"
if ($LASTEXITCODE -eq 3) {
Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."
exit 0
} elseif ($LASTEXITCODE -ne 0) {
Write-Host "Take ownership message:`n$takeOwnershipOutput"
Write-Host "Grant permissions:`n$icaclsOutput"
Write-Warning "Failed to assign permissions for `"$expandedPath`" using ``$grantPermissionsCommand``, status code: $LASTEXITCODE."
} else {
$fileStats = $icaclsOutput | ForEach-Object { $_ -match '\d+' | Out-Null; $matches[0] } | Where-Object { $_ -ne $null } | ForEach-Object { [int]$_ }
if ($fileStats.Count -gt 0 -and ($fileStats | ForEach-Object { $_ -eq 0 } | Where-Object { $_ -eq $false }).Count -eq 0) {
Write-Host "Skipping, no items available for deletion according to: ``$grantPermissionsCommand``."
exit 0
} else {
Write-Host "Successfully granted permissions for `"$expandedPath`" (using ``$grantPermissionsCommand``)."
}
}
{{ end }}
$deletedCount = 0
$failedCount = 0
{{ with $beforeIteration }}
{{ . }}
{{ end }}
duringIteration: |-
{{ with $duringIteration }}
{{ . }}
{{ end }}
if (-not (Test-Path $path)) { # Re-check existence as prior deletions might remove subsequent items (e.g., subdirectories).
Write-Host "Successfully deleted: $($path) (already deleted)."
$deletedCount++
continue
}
try {
Remove-Item -Path $path -Force -Recurse -ErrorAction Stop
$deletedCount++
Write-Host "Successfully deleted: $($path)"
} catch {
$failedCount++
Write-Warning "Unable to delete $($path): $_"
}
afterIteration: |-
{{ with $afterIteration }}
{{ . }}
{{ end }}
Write-Host "Successfully deleted $($deletedCount) items."
if ($failedCount -gt 0) {
Write-Warning "Failed to delete $($failedCount) items."
}
-
name: ClearDirectoryContents
# 💡 Purpose:
# Empties the contents of a directory recursively (including all of its files and subfolders) while preserving
# the directory itself.
# This is beneficial when other applications depend on the existence of the directory.
# For deleting the directory itself too, use `DeleteDirectory`.
# 🤓 Implementation:
# - Formats the provided glob pattern to ensure only contents are targeted, then delegates to `DeleteGlob`.
# - Provides a user-friendly comment in code.
parameters:
- name: directoryGlob
- name: grantPermissions
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Clear directory contents
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $directoryGlob }}"
-
function: DeleteGlob
parameters:
# Ensure path ends with '\*':
# - 'C:\' becomes 'C:\*'
# - 'C:' becomes 'C:\*'
# - 'C:\*' remains 'C:\*'
pathGlob: >-
$($directoryGlob = '{{ $directoryGlob }}'; if ($directoryGlob.EndsWith('\*')) { $directoryGlob } elseif ($directoryGlob.EndsWith('\')) { "$($directoryGlob)*" } else { "$($directoryGlob)\*" } )
grantPermissions: '{{ with $grantPermissions }}true{{ end }}'
recurse: 'true' # Logs every deleted file name
-
name: DeleteDirectory
# 💡 Purpose:
# Deletes an entire directory, including its contents.
# ❗️ Use with caution; if you intend to preserve the directory and delete only its contents, use `ClearDirectoryContents`.
# 🤓 Implementation:
# - Formats the provided glob pattern to target the directory, then delegates to `DeleteGlob`.
# - Provides a user-friendly comment in code.
parameters:
- name: directoryGlob # The directory to delete along with its files and subdirectories
- name: grantPermissions # Grants permission on the parent directory and its sub-items recursively (including all files and directories) to be able to delete them.
optional: true
- name: beforeIteration # (Iteration callback) Code to run before iteration.
optional: true
- name: duringIteration # (Iteration callback) Code to run for each found item.
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Delete directory
{{ with $grantPermissions }}(with additional permissions){{ end }}
: "{{ $directoryGlob }}"
-
function: DeleteGlob
parameters:
# Ensure path ends with '\':
# - 'C:\' remains 'C:\'
# - 'C:' becomes 'C:\'
pathGlob: >-
$($directoryGlob = '{{ $directoryGlob }}'; if (-Not $directoryGlob.EndsWith('\')) { $directoryGlob += '\' }; $directoryGlob )
grantPermissions: '{{ with $grantPermissions }}true{{ end }}'
recurse: 'true' # Logs every deleted file name
beforeIteration: '{{ with $beforeIteration }}{{ . }}{{ end }}'
duringIteration: '{{ with $duringIteration }}{{ . }}{{ end }}'
-
name: DeleteFiles
# 💡 Purpose:
# Deletes files but does not touch any directories.
# Use `DeleteDirectory` or `ClearDirectoryContents` to delete directories.
parameters:
- name: fileGlob # File glob pattern to delete.
- name: grantPermissions # Grants permission on the files found, and restores original permissions after modification.
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Delete files matching pattern: "{{ $fileGlob }}"
-
function: DeleteGlob
parameters:
pathGlob: '{{ $fileGlob }}'
grantPermissions: '{{ with $grantPermissions }}true{{ end }}'
beforeIteration: |-
$skippedCount = 0
duringIteration: |-
if (Test-Path -Path $path -PathType Container) {
Write-Host "Skipping, the path is not a file but a folder: $($path)."
$skippedCount++
continue
}
afterIteration: |-
if ($skippedCount -gt 0) {
Write-Host "Skipped $($skippedCount) items."
}
-
name: DeleteFilesFromFirefoxProfiles
parameters:
- name: pathGlob # File name (glob) inside each Firefox profile directory
call:
- # Windows XP
function: DeleteFiles
parameters:
fileGlob: '%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}'
- # Windows Vista and newer
function: DeleteFiles
parameters:
fileGlob: '%APPDATA%\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}'
- # Firefox installations from Microsoft Store
function: DeleteFiles
parameters:
fileGlob: '%LOCALAPPDATA%\Packages\Mozilla.Firefox_n80bbvh6b1yt2\LocalCache\Roaming\Mozilla\Firefox\Profiles\*\{{ $pathGlob }}'
-
name: DisableScheduledTask
parameters:
- name: taskPathPattern
- name: taskNamePattern
- name: disableOnRevert
optional: true
- name: grantPermissions
optional: true
call:
-
function: Comment
parameters:
codeComment: "Disable scheduled task(s): `{{ $taskPathPattern }}{{ $taskNamePattern }}`"
revertCodeComment: "Restore scheduled task(s) to default state: `{{ $taskPathPattern }}{{ $taskNamePattern }}`"
-
function: RunPowerShell
parameters:
# Marked: refactor-with-variables
# Granting permission is identical to `SoftDeleteFiles`.
# It's also duplicated in `code` and `revertCode`
code: |-
$taskPathPattern='{{ $taskPathPattern }}'
$taskNamePattern='{{ $taskNamePattern }}'
Write-Output "Disabling tasks matching pattern `"$taskNamePattern`"."
$tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore)
if (-Not $tasks) {
Write-Output "Skipping, no tasks matching pattern `"$taskNamePattern`" found, no action needed."
exit 0
}
$operationFailed = $false
foreach ($task in $tasks) {
$taskName = $task.TaskName
if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {
Write-Output "Skipping, task `"$taskName`" is already disabled, no action needed."
continue
}
{{ with $grantPermissions }}
$taskFullPath = "$($task.TaskPath)$($task.TaskName)"
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
$taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"
$accessGranted = $false
try {
$originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop
$modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop
$modifiedAcl.SetOwner($adminAccount)
$taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
$adminAccount, `
[System.Security.AccessControl.FileSystemRights]::FullControl, `
[System.Security.AccessControl.AccessControlType]::Allow `
)
$modifiedAcl.SetAccessRule($taskFileAccessRule)
Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop
Write-Host "Successfully granted permissions for `"$taskFullPath`"."
$accessGranted = $true
} catch {
Write-Warning "Failed to grant access to `"$taskFullPath`": $($_.Exception.Message)"
}
{{ end }}
try {
$task | Disable-ScheduledTask -ErrorAction Stop | Out-Null
Write-Output "Successfully disabled task `"$taskName`"."
} catch {
Write-Error "Failed to disable task `"$taskName`": $($_.Exception.Message)"
$operationFailed = $true
}
{{ with $grantPermissions }}
if ($accessGranted) {
try {
Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop
Write-Host "Successfully restored permissions for `"$taskFullPath`"."
} catch {
Write-Warning "Failed to restore access on `"$taskFilePath`": $($_.Exception.Message)"
}
}
{{ end }}
}
if ($operationFailed) {
Write-Output 'Failed to disable some tasks. Check error messages above.'
exit 1
}
# Not failing if tasks cannot be found, because not all tasks disabled by privacy.sexy exist in every Windows version by default.
revertCode: |-
$taskPathPattern='{{ $taskPathPattern }}'
$taskNamePattern='{{ $taskNamePattern }}'
$shouldDisable = {{ with $disableOnRevert }} $true # {{ end }} $false
Write-Output "Enabling tasks matching pattern `"$taskNamePattern`"."
$tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore)
if (-Not $tasks) {
Write-Warning ( `
"Missing task: Cannot enable, no tasks matching pattern `"$taskNamePattern`" found." `
+ " This task appears to be not included in this version of Windows." `
)
exit 0
}
$operationFailed = $false
foreach ($task in $tasks) {
$taskName = $task.TaskName
if ($shouldDisable) {
if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {
Write-Output "Skipping, task `"$taskName`" is already disabled, no action needed."
continue
}
} else {
if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) `
-and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {
Write-Output "Skipping, task `"$taskName`" is already enabled, no action needed."
continue
}
}
{{ with $grantPermissions }}
$taskFullPath = "$($task.TaskPath)$($task.TaskName)"
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
$taskFilePath="$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"
$accessGranted = $false
try {
$originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop
$modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop
$modifiedAcl.SetOwner($adminAccount)
$taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
$adminAccount, `
[System.Security.AccessControl.FileSystemRights]::FullControl, `
[System.Security.AccessControl.AccessControlType]::Allow `
)
$modifiedAcl.SetAccessRule($taskFileAccessRule)
Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop
Write-Host "Successfully granted permissions for `"$taskFullPath`"."
$accessGranted = $true
} catch {
Write-Warning "Failed to grant access to `"$taskFullPath`": $($_.Exception.Message)"
}
{{ end }}
try {
if ($shouldDisable) {
$task | Disable-ScheduledTask -ErrorAction Stop | Out-Null
Write-Output "Successfully disabled task `"$taskName`"."
} else {
$task | Enable-ScheduledTask -ErrorAction Stop | Out-Null
Write-Output "Successfully enabled task `"$taskName`"."
}
} catch {
Write-Error "Failed to restore task `"$taskName`": $($_.Exception.Message)"
$operationFailed = $true
}
{{ with $grantPermissions }}
if ($accessGranted) {
try {
Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop
Write-Host "Successfully restored permissions for `"$taskFullPath`"."
} catch {
Write-Warning "Failed to restore access on `"$taskFilePath`": $($_.Exception.Message)"
}
}
{{ end }}
}
if ($operationFailed) {
Write-Output 'Failed to restore some tasks. Check error messages above.'
exit 1
}
-
name: CreateRegistryKey
parameters:
- name: keyPath # Full path of the subkey or entry to be added.
- name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID.
optional: true
- name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry key.
optional: true
- name: codeComment
optional: true
- name: revertCodeComment
optional: true
call:
# Marked: refactor-with-variables
# - Replacing SID is same as `DeleteRegistryKey`
# - Registry path construction with hive is same as `DeleteRegistryValue` and `DeleteRegistryKey`
# - Deleting on revert is same as `DeleteRegistryKey`
function: RunPowerShell
parameters:
code: |-
$keyPath='{{ $keyPath }}'
$registryHive = $keyPath.Split('\')[0]
$registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))"
{{ with $replaceSid }}
$userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value
$registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid)
{{ end }}
if (Test-Path $registryPath) {
Write-Host "Skipping, no action needed, registry path `"$registryPath`" already exists."
exit 0
}
try {
New-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null
Write-Host "Successfully created the registry key at path `"$registryPath`"."
} catch {
Write-Error "Failed to create the registry key at path `"$registryPath`": $($_.Exception.Message)"
}
revertCode: |-
{{ with $deleteOnRevert }}
$keyPath='{{ $keyPath }}'
$registryHive = $keyPath.Split('\')[0]
$registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))"
{{ with $replaceSid }}
$userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value
$registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid)
{{ end }}
Write-Host "Removing registry key at `"$registryPath`"."
if (-not (Test-Path -LiteralPath $registryPath)) {
Write-Host "Skipping, no action needed, registry key `"$registryPath`" does not exist."
exit 0
}
try {
Remove-Item `
-LiteralPath $registryPath `
-Force `
-ErrorAction Stop `
| Out-Null
Write-Host "Successfully removed the registry key at path `"$registryPath`"."
} catch {
Write-Error "Failed to remove the registry key at path `"$registryPath`": $($_.Exception.Message)"
}
{{ end }}
codeComment: '{{ with $codeComment }}{{ . }}{{ end }}'
revertCodeComment: '{{ with $revertCodeComment }}{{ . }}{{ end }}'
-
name: DeleteRegistryKey
# Removes the entire registry key, including all subkeys and values.
# ❗ Use with caution. Consider `ClearRegistryValues` or `DeleteRegistryValues` for less destructive operations.
parameters:
- name: keyPath # Full path of the subkey or entry to be deleted. No glob/wildcard interpretation.
- name: replaceSid # Replaces "$CURRENT_USER_SID" string in registry key with user SID.
optional: true
- name: recreateOnRevert # If true, recreates the deleted registry key when reverting the action.
optional: true
- name: codeComment
optional: true
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
call:
-
function: Comment
parameters:
codeComment: >-
Remove the registry key "{{ $keyPath }}"
{{ with $codeComment }}({{ . }}){{ end }}
revertCodeComment: >-
Recreate the registry key "{{ $keyPath }}"
-
# Marked: refactor-with-variables
# - Replacing SID is same as `CreateRegistryKey`
# - Registry path construction with hive is same as `DeleteRegistryValue` and `CreateRegistryKey`
# - Deleting is same as reverting `CreateRegistryKey`
function: RunPowerShellWithWindowsVersionConstraints
parameters:
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
code: |-
$keyPath='{{ $keyPath }}'
$registryHive = $keyPath.Split('\')[0]
$registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))"
{{ with $replaceSid }}
$userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value
$registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid)
{{ end }}
Write-Host "Removing registry key at `"$registryPath`"."
if (-not (Test-Path -LiteralPath $registryPath)) {
Write-Host "Skipping, no action needed, registry key `"$registryPath`" does not exist."
exit 0
}
try {
Remove-Item `
-LiteralPath $registryPath `
-Force `
-ErrorAction Stop `
| Out-Null
Write-Host "Successfully removed the registry key at path `"$registryPath`"."
} catch {
Write-Error "Failed to remove the registry key at path `"$registryPath`": $($_.Exception.Message)"
}
revertCode: |-
{{ with $recreateOnRevert }}
$keyPath='{{ $keyPath }}'
$registryHive = $keyPath.Split('\')[0]
$registryPath = "$($registryHive):$($keyPath.Substring($registryHive.Length))"
{{ with $replaceSid }}
$userSid = (New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([Security.Principal.SecurityIdentifier]).Value
$registryPath = $registryPath.Replace('$CURRENT_USER_SID', $userSid)
{{ end }}
Write-Host "Restoring registry key at `"$registryPath`"."
if (Test-Path -LiteralPath $registryPath) {
Write-Host "Skipping, no action needed, registry key `"$registryPath`" already exists."
Exit 0
}
try {
New-Item `
-Path $registryPath `
-Force -ErrorAction Stop `
| Out-Null
Write-Host "Successfully created the registry key at path `"$registryPath`"."
} catch {
Write-Error "Failed to create registry key `"$registryPath`": $($_.Exception.Message)"
Exit 1
}
{{ end }}
-
name: ShowExplorerRestartSuggestion
call:
-
function: Comment
parameters:
codeComment: Suggest restarting explorer.exe for changes to take effect
revertCodeComment: Suggest restarting explorer.exe for changes to take effect
-
function: ShowMessage
parameters:
message: >-
This script will not take effect until you restart explorer.exe.
You can restart explorer.exe by restarting your computer or by running the following in Command Prompt:
`taskkill /f /im explorer.exe & start explorer`.
showOnRevert: 'true'
-
name: ShowComputerRestartSuggestion
call:
-
function: Comment
parameters:
codeComment: Suggest restarting computer for changes to take effect
revertCodeComment: Suggest restarting computer for changes to take effect
-
function: ShowMessage
parameters:
message: For the changes to fully take effect, please restart your computer.
showOnRevert: 'true'
-
name: BlockViaHostsFile
parameters:
- name: domain
call:
function: RunPowerShell
parameters:
# Marked: improve-comment-inlining
# `[char]35` is used in place of `#` because otherwise, the compiler interprets it
# as an inline PowerShell comment. This workaround allows for the inclusion of the
# hash symbol in strings without confusing the PowerShell parser.
codeComment: 'Add hosts entries for {{ $domain }}'
code: |-
$domain ='{{ $domain }}'
$hostsFilePath = "$env:WINDIR\System32\drivers\etc\hosts"
$comment = "managed by privacy.sexy"
$hostsFileEncoding = [Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding]::Utf8
$blockingHostsEntries = @(
@{ AddressType = "IPv4"; IPAddress = '0.0.0.0'; }
@{ AddressType = "IPv6"; IPAddress = '::1'; }
)
try {
$isHostsFilePresent = Test-Path `
-Path $hostsFilePath `
-PathType Leaf `
-ErrorAction Stop
} catch {
Write-Error "Failed to check hosts file existence. Error: $_"
exit 1
}
if (-Not $isHostsFilePresent) {
Write-Output "Creating a new hosts file at $hostsFilePath."
try {
New-Item -Path $hostsFilePath -ItemType File -Force -ErrorAction Stop | Out-Null
Write-Output "Successfully created the hosts file."
} catch {
Write-Error "Failed to create the hosts file. Error: $_"
exit 1
}
}
foreach ($blockingEntry in $blockingHostsEntries) {
Write-Output "Processing addition for $($blockingEntry.AddressType) entry."
try {
$hostsFileContents = Get-Content `
-Path "$hostsFilePath" `
-Raw `
-Encoding $hostsFileEncoding `
-ErrorAction Stop
} catch {
Write-Error "Failed to read the hosts file. Error: $_"
continue
}
$hostsEntryLine = "$($blockingEntry.IPAddress)`t$domain $([char]35) $comment"
if ((-Not [String]::IsNullOrWhiteSpace($hostsFileContents)) -And ($hostsFileContents.Contains($hostsEntryLine))) {
Write-Output 'Skipping, entry already exists.'
continue
}
try {
Add-Content `
-Path $hostsFilePath `
-Value $hostsEntryLine `
-Encoding $hostsFileEncoding `
-ErrorAction Stop
Write-Output 'Successfully added the entry.'
} catch {
Write-Error "Failed to add the entry. Error: $_"
continue
}
}
revertCodeComment: 'Remove hosts entries for {{ $domain }}'
# Marked: refactor-with-variables
# Both code and revertCode sections perform similar operations with slight variations.
# Avoiding `Set-Content`:
# Using `Set-Content` with or without the `-Force` flag can lead to inconsistent failures,
# manifesting as a "Stream was not readable (WriteErrorException)" error. This issue is
# likely due to rapid consecutive read/write operations that PowerShell's `Set-Content`
# cannot reliably handle in all scenarios.
# To avoid this problem and ensure reliable file operations, we use the .NET class methods
# `WriteAllText` for writing to files and `ReadAllText` for reading files. These methods
# provide a more stable approach for handling file I/O operations, especially in scripts
# that perform frequent file updates.
revertCode: |-
$domain ='{{ $domain }}'
$hostsFilePath = "$env:WINDIR\System32\drivers\etc\hosts"
$comment = "managed by privacy.sexy"
$hostsFileEncoding = [System.Text.Encoding]::UTF8
$blockingHostsEntries = @(
@{ AddressType = "IPv4"; IPAddress = '0.0.0.0'; }
@{ AddressType = "IPv6"; IPAddress = '::1'; }
)
try {
$isHostsFilePresent = Test-Path `
-Path $hostsFilePath `
-PathType Leaf `
-ErrorAction Stop
} catch {
Write-Error "Failed to check hosts file existence. Error: $_"
exit 1
}
if (-Not $isHostsFilePresent) {
Write-Output 'Skipping, the hosts file does not exist.'
exit 0
}
foreach ($blockingEntry in $blockingHostsEntries) {
Write-Output "Processing removal for $($blockingEntry.AddressType) entry."
try {
$hostsFileContents = [System.IO.File]::ReadAllText($hostsFilePath, $hostsFileEncoding)
} catch {
Write-Error "Failed to read the hosts file for removal. Error: $_"
continue
}
$hostsEntryLine = "$($blockingEntry.IPAddress)`t$domain $([char]35) $comment"
if ([String]::IsNullOrWhiteSpace($hostsFileContents) -Or (-Not $hostsFileContents.Contains($hostsEntryLine))) {
Write-Output 'Skipping, entry not found.'
continue
}
$hostsEntryRemovalPattern = [regex]::Escape($hostsEntryLine) + "(\r?\n)?"
$hostsFileContentAfterRemoval = $hostsFileContents -Replace $hostsEntryRemovalPattern, ""
try {
[System.IO.File]::WriteAllText($hostsFilePath, $hostsFileContentAfterRemoval, $hostsFileEncoding)
Write-Output 'Successfully removed the entry.'
} catch {
Write-Error "Failed to remove the entry. Error: $_"
continue
}
}
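# Added example (not part of privacy.sexy): a read-only check of the hosts entries that `BlockViaHostsFile` writes. It reports domains that are blocked for only one address family and marked lines that do not have the `<address><TAB><domain> # managed by privacy.sexy` shape, for example an entry appended to a last line that had no trailing newline.
# The function names and the sample hosts text are assumptions constructed for illustration.

```powershell
# Added example, not privacy.sexy code. Function names are hypothetical.
$ManagedMarker = 'managed by privacy.sexy'   # Comment text written by BlockViaHostsFile
$BlockingAddresses = '0.0.0.0', '::1'        # IPv4 and IPv6 addresses used by BlockViaHostsFile

function Get-ManagedHostsEntry {
    # Parses hosts file text and returns one object per line that carries the marker.
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $HostsText)
    $lineNumber = 0
    foreach ($line in ($HostsText -split '\r?\n')) {
        $lineNumber++
        $markerIndex = $line.IndexOf("# $ManagedMarker")
        if ($markerIndex -lt 0) { continue }
        # Everything before the marker must be exactly "<address> <domain>".
        $fields = @($line.Substring(0, $markerIndex).Trim() -split '\s+')
        $wellFormed = ($fields.Count -eq 2) -and ($fields[0] -in $BlockingAddresses)
        [pscustomobject]@{
            Line       = $lineNumber
            Address    = if ($wellFormed) { $fields[0] } else { $null }
            Domain     = if ($wellFormed) { $fields[1].ToLowerInvariant() } else { $null }
            WellFormed = $wellFormed
            Raw        = $line
        }
    }
}

function Test-HostsBlockCoverage {
    # Emits one finding per malformed marked line and one per blocked domain.
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $HostsText)
    $entries = @(Get-ManagedHostsEntry -HostsText $HostsText)
    foreach ($entry in @($entries | Where-Object { -not $_.WellFormed })) {
        [pscustomobject]@{
            Domain  = $null
            Finding = 'MalformedLine'
            Detail  = "line $($entry.Line): $($entry.Raw)"
        }
    }
    $groups = @($entries | Where-Object { $_.WellFormed } | Group-Object -Property Domain)
    foreach ($group in $groups) {
        $present = @($group.Group | ForEach-Object { $_.Address } | Sort-Object -Unique)
        $missing = @($BlockingAddresses | Where-Object { $_ -notin $present })
        $finding = if ($missing.Count -eq 0) { 'FullyBlocked' } else { 'PartiallyBlocked' }
        [pscustomobject]@{
            Domain  = $group.Name
            Finding = $finding
            Detail  = "missing addresses: $($missing -join ', ')"
        }
    }
}

# Constructed sample hosts content (not taken from a real machine).
$sampleHosts = @(
    "127.0.0.1`tlocalhost"
    "0.0.0.0`ttelemetry.example.com # managed by privacy.sexy"
    "::1`ttelemetry.example.com # managed by privacy.sexy"
    "0.0.0.0`tads.example.net # managed by privacy.sexy"
    # Entry glued onto a previous line that lacked a trailing newline:
    "10.0.0.5 intranet.example.org0.0.0.0`tstats.example.org # managed by privacy.sexy"
) -join "`r`n"

Test-HostsBlockCoverage -HostsText $sampleHosts | Format-Table -AutoSize -Wrap
```

# To check a live system, pass `[System.IO.File]::ReadAllText("$env:WINDIR\System32\drivers\etc\hosts")` as `-HostsText`.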
-
name: RequireTLSMinimumKeySize
parameters:
- name: algorithmName # Specifies the cryptographic algorithm to configure.
- name: keySizeInBits # Determines the minimum key size in bits for the specified algorithm.
- name: ignoreServerSide # If set, the function will not configure the server-side minimum key size.
optional: true
docs: |-
This function configures the minimum key sizes for cryptographic algorithms,
enhancing the security of the Transport Layer Security (TLS) protocol at the system level [1].
The function modifies registry keys to enforce the minimum key size for both client and
server-side TLS key exchange. All versions of Windows 10 and newer support these settings [1].
To set the minimum key size, add the `ServerMinKeyBitLength` and/or `ClientMinKeyBitLength` DWORD values
in the registry under the appropriate `KeyExchangeAlgorithms` subkey for the specified algorithm [1] [2].
[1]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
call:
-
function: Comment
parameters:
codeComment: Require "{{ $algorithmName }}" key exchange algorithm to have at least "{{ $keySizeInBits }}" bits keys for TLS/SSL connections
revertCodeComment: Restore key size requirement for "{{ $algorithmName }}" for TLS/SSL connections
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}
valueName: ServerMinKeyBitLength
dataType: REG_DWORD
data: '{{ $keySizeInBits }}'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
# Marked: refactor-with-if-syntax
# Only run if `ignoreServerSide !== false`, then use `SetRegistryValue`
setupCode: |-
{{ with $ignoreServerSide }}
Write-Host 'Skipping server-side configuration. This setting is not managed by this mechanism. No action needed.'
Exit 0
{{ end }}
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\{{ $algorithmName }}
valueName: ClientMinKeyBitLength
dataType: REG_DWORD
data: '{{ $keySizeInBits }}'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
name: DisableTLSCipher
parameters:
- name: algorithmName
docs: |-
This function disables specified symmetric cipher algorithms by modifying the
`SCHANNEL\Ciphers` subkey in the registry [1] [2] [3] [4].
Changes to this key apply instantly and do not require a system restart [1].
Setting the `Enabled` registry value to `0` disables the cipher [1] [2]
If this value is not configured [1] or set to `1` [1] [2].
[1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240420182953/https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v2.pdf "OWASP TESTING GUIDE 2007 V2 | owasp.org"
[4]: https://web.archive.org/web/20240426092730/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233 "Demystifying Schannel - Microsoft Community Hub"
call:
-
function: Comment
parameters:
codeComment: Disable the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections
revertCodeComment: Restore the use of "{{ $algorithmName }}" cipher algorithm for TLS/SSL connections
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\{{ $algorithmName }}
valueName: Enabled
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing subkeys under `Ciphers` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
name: DisableWindowsKeyPlusCharacterHotkey
parameters:
- name: characterKeyToDisable
docs: |-
This function disables specific hotkeys that combine the Windows key with another key.
Windows Explorer registers nearly two dozen such combinations as global hotkeys, primarily
for taskbar-related functionalities [1].
Although these settings are not extensively documented [1], they are acknowledged by Microsoft [2].
The function modifies the registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced!DisabledHotkeys` [1] [3] [4].
The specified alphabetical character must be provided in uppercase for the registry data [1].
This adjustment requires a restart of the explorer process (`explorer.exe`) [3] [5] or a system restart [4].
> **Caution**:
> Disabling a character will block all hotkey combinations that use it [1] [4].
> For example, disabling "V" affects both `Win-V` and `Win-Shift-V` [1] [4].
> See the [Microsoft Support page](https://web.archive.org/web/20240424105403/https://support.microsoft.com/en-us/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec)
> on keyboard shortcuts to understand which Windows key combinations will be affected.
[1]: https://web.archive.org/web/20240424104551/https://www.geoffchappell.com/notes/windows/shell/explorer/globalhotkeys.htm "Disable Global Hot Keys | www.geoffchappell.com"
[2]: https://web.archive.org/web/20240424112600/https://github.com/microsoft/PowerToys/issues/12928#issuecomment-999819246 "Shortcut overlay disregard `DisabledHotkeys` registry setting. · Issue #12928 · microsoft/PowerToys · GitHub"
[3]: https://web.archive.org/web/20240424112650/https://www.nextofwindows.com/how-to-disable-any-specific-win-keyboard-shortcut-in-windows "How To Disable Any Specific Win Keyboard Shortcut in Windows - NEXTOFWINDOWS.COM | www.nextofwindows.com"
[4]: https://web.archive.org/web/20240424113022/https://www.ghacks.net/2015/03/22/how-to-disable-specific-global-hotkeys-in-windows/ "How to disable specific global hotkeys in Windows - gHacks Tech News | www.ghacks.net"
[5]: https://web.archive.org/web/20240424100904/https://github.com/undergroundwires/privacy.sexy/issues/343#issuecomment-2056279298 "[BUG]: Snipping Tool still can be executable via its keyboard shortcut · Issue #343 · undergroundwires/privacy.sexy · GitHub | github.com"
call:
-
function: Comment
parameters:
codeComment: Disable the global Windows hotkey "{{ $characterKeyToDisable }}" to prevent its default action.
revertCodeComment: Restore the global Windows hotkey "{{ $characterKeyToDisable }}" to re-enable its default functionality.
-
function: RunPowerShell
parameters:
code: |-
$keyToDisable='{{ $characterKeyToDisable }}'
$keyToDisableInUppercase = $keyToDisable.ToUpper()
$registryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$propertyName = 'DisabledHotkeys'
$disabledKeys = Get-ItemProperty `
-Path $registryPath `
-Name $propertyName `
-ErrorAction SilentlyContinue `
| Select-Object -ExpandProperty "$propertyName"
if ($disabledKeys) {
if ($disabledKeys.Contains($keyToDisableInUppercase)) {
Write-Host "Skipping: Key `"$keyToDisableInUppercase`" is already disabled. All disabled keys: `"$disabledKeys`". No action needed."
exit 0
}
$newKeysToDisable = "$($disabledKeys)$($keyToDisableInUppercase)"
Write-Host "Some keys are already disabled: `"$disabledKeys`", but not `"$keyToDisableInUppercase`", disabling it too, new disabled keys: `"$newKeysToDisable`"."
try {
Set-ItemProperty `
-Path $registryPath `
-Name $propertyName `
-Value "$newKeysToDisable" `
-Force `
-ErrorAction Stop
Write-Host "Successfully disabled `"$keyToDisableInUppercase`", all disabled keys: `"$newKeysToDisable`"."
Exit 0
} catch {
Write-Error "Failed to disable `"$newKeysToDisable`": $_"
Exit 1
}
} else {
Write-Host "No keys have been disabled before, disabling: `"$keyToDisableInUppercase`"."
try {
Set-ItemProperty `
-Path $registryPath `
-Name $propertyName `
-Value "$keyToDisableInUppercase" `
-Force `
-ErrorAction Stop
Write-Host "Successfully disabled `"$keyToDisableInUppercase`"."
Exit 0
} catch {
Write-Error "Failed to disable `"$keyToDisableInUppercase`": $_"
Exit 1
}
}
revertCode: |-
$keyToRestore='{{ $characterKeyToDisable }}'
$keyToRestoreInUppercase = $keyToRestore.ToUpper()
$registryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$propertyName = 'DisabledHotkeys'
$disabledKeys = Get-ItemProperty `
-Path $registryPath `
-Name $propertyName `
-ErrorAction SilentlyContinue `
| Select-Object -ExpandProperty "$propertyName"
if (-Not $disabledKeys) {
Write-Host "Skipping: No keys have been disabled before, no need to restore `"$keyToRestoreInUppercase`"."
Exit 0
}
if (-Not $disabledKeys.Contains($keyToRestoreInUppercase)) {
Write-Host "Skipping: Key `"$keyToRestoreInUppercase`" is not disabled. All disabled keys: `"$disabledKeys`". No action needed."
Exit 0
}
$newKeysToDisable = $disabledKeys.Replace($keyToRestoreInUppercase, "")
if (-Not $newKeysToDisable) {
Write-Host "Removing all entries from the disabled keys as the last key `"$keyToRestoreInUppercase`" is being restored."
try {
Remove-ItemProperty `
-Path $registryPath `
-Name $propertyName `
-Force `
-ErrorAction Stop
Write-Host "Successfully removed the `"$propertyName`" property from the registry, no disabled keys remain."
Exit 0
} catch {
Write-Error "Failed to remove the empty `"$propertyName`" property from the registry: $_"
Exit 1
}
}
try {
Write-Host "Restoring `"$keyToRestoreInUppercase`", all disabled keys: `"$disabledKeys`", new disabled keys: `"$newKeysToDisable`"."
Set-ItemProperty `
-Path $registryPath `
-Name $propertyName `
-Value "$newKeysToDisable" `
-Force `
-ErrorAction Stop
Write-Host "Successfully restored `"$keyToRestoreInUppercase`", disabled keys now: `"$newKeysToDisable`"."
Exit 0
} catch {
Write-Error "Failed to restore `"$keyToRestoreInUppercase`": $_"
Exit 1
}
-
function: ShowExplorerRestartSuggestion
-
name: DisableTLSHash
parameters:
- name: algorithmName
docs: |-
This function disables the specified hash algorithm by modifying the `SCHANNEL\HASHES`
subkey in the registry [1] [2] [3].
This subkey is used to control the use of hash algorithms such as SHA-1 and MD5 [1].
Changes to this key apply instantly and do not require a system restart [1].
Setting the `Enabled` registry value to `0` disables the hash algorithm [1] [2]
If this value is not configured [1] or set to `1` [1] [2].
[1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240426092730/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233 "Demystifying Schannel - Microsoft Community Hub"
call:
-
function: Comment
parameters:
codeComment: Disable usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections
revertCodeComment: Restore usage of "{{ $algorithmName }}" hash algorithm for TLS/SSL connections
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\{{ $algorithmName }}
valueName: Enabled
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing subkeys under `Hashes` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
name: DisableTLSProtocol
parameters:
- name: protocolName
docs: |-
This function disables the specified TLS protocol by modifying the registry
settings under the `SCHANNEL\Protocols` subkey [1] [2] [3] [4].
This action prevents the Windows operating system from using the protocol during
SSL/TLS communications, enhancing system security by eliminating older or less secure
protocols that might be susceptible to attacks.
The function executes several commands to update the Windows registry.
It sets `Enabled` and `DisabledByDefault` for both `Server` and `Client` configurations
as recommended in various security guidelines [1] [2] [3] [4].
[1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240426092730/https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233 "Demystifying Schannel - Microsoft Community Hub"
call:
-
function: Comment
parameters:
codeComment: Disable usage of "{{ $protocolName }}" protocol for TLS/SSL connections
revertCodeComment: Restore usage of "{{ $protocolName }}" protocol for TLS/SSL connections
# Marked: refactor-with-if-syntax
# - Rest of this function does the opposite of `EnableTLSProtocol`, introduce `ToggleTLSProtocolState`?
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server
valueName: Enabled
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server
valueName: DisabledByDefault
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client
valueName: Enabled
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client
valueName: DisabledByDefault
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing subkeys under `Protocols` since Windows 10 Pro (≥ 22H1) and Windows 11 Pro (≥ 23H2)
-
name: RunPowerShellWithSetup
# 💡 Purpose:
# Runs the same setup code before both the main code and any revert code.
parameters:
- name: code
- name: revertCode
optional: true
- name: setupCode # Optional PowerShell code to be executed before `code`, and before `revertCode` if `revertCode` is used.
optional: true
call:
function: RunPowerShell
parameters:
code: |-
{{ with $setupCode }}{{ . }}{{ end }}
{{ $code }}
revertCode: |-
{{ with $revertCode }}
{{ with $setupCode }}{{ . }}{{ end }}
{{ . }}
{{ end }}
-
name: SetRegistryValue
parameters:
- name: keyPath # Full path of the subkey or entry to be added.
- name: valueName # Name of the registry entry to add.
- name: dataType # Type for the registry entry.
- name: data # Data for the new registry entry.
- name: evaluateDataAsPowerShell # If true, evaluates 'data' as a PowerShell expression before setting the registry value.
optional: true
- name: dataOnRevert # Specifies the value to restore when reverting the registry change, instead of deleting the entry.
optional: true
- name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry value.
optional: true
- name: setupCode # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function creates or modifies a registry entry at a specified path.
> 💡 Use this function for a consistent approach instead of directly using `reg add` or `reg delete` commands.
call:
function: RunPowerShellWithWindowsVersionConstraints
parameters:
setupCode: '{{ with $setupCode }}{{ . }}{{ end }}'
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
code: |-
$data = '{{ $data }}'
{{ with $evaluateDataAsPowerShell }}
$data = $({{ $data }})
{{ end }}
reg add '{{ $keyPath }}' `
/v '{{ $valueName }}' `
/t '{{ $dataType }}' `
/d "$data" `
/f
revertCode: |-
{{ with $deleteOnRevert }}
reg delete '{{ $keyPath }}' `
/v '{{ $valueName }}' `
/f 2>$null
{{ end }}{{ with $dataOnRevert }}
$revertData = '{{ . }}'
{{ with $evaluateDataAsPowerShell }}
$revertData = $({{ $dataOnRevert }})
{{ end }}
reg add '{{ $keyPath }}' `
/v '{{ $valueName }}' `
/t '{{ $dataType }}' `
/d "$revertData" `
/f
{{ end }}
-
name: EnableTLSProtocol
parameters:
- name: protocolName
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function enables specific TLS protocols by modifying registry entries at
`HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` [1] [2].
By setting the `DisabledByDefault` registry value to `0`, it enables the system to negotiate
the use of protocols that might otherwise not be used by default [1].
By setting the `Enabled` registry value to `1`, it explicitly allows the use of the protocol [1], overriding
any system defaults that might otherwise prohibit its use [3].
On reverting the changes, it deletes the registry values, effectively restoring the original protocol settings.
The default Windows installation does not include values under the `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols`
registry subtree, as confirmed by tests on Windows 10 22H2 Pro and Windows 11 23H2 Pro.
> **Caution**: Enabling a TLS protocol may not always be safe on certain Windows versions, as experimental support
> for some protocols can lead to system instability [4] [5].
[1]: https://web.archive.org/web/20240423073705/https://learn.microsoft.com/en-US/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel "Restrict cryptographic algorithms and protocols - Windows Server | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2 "Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10 | Bundesamt für Sicherheit in der Informationstechnik | bsi.bund.de"
[3]: https://web.archive.org/web/20240402112853/https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings "Transport Layer Security (TLS) registry settings | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240503122422/https://github.com/undergroundwires/privacy.sexy/issues/175 "Add TLS 1.3 support warning · Issue #175 · undergroundwires/privacy.sexy | github.com"
[5]: https://web.archive.org/web/20240429193908/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- "Protocols in TLS/SSL (Schannel SSP) - Win32 apps | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Enable "{{ $protocolName }}" protocol as default for TLS/SSL connections
revertCodeComment: Restore "{{ $protocolName }}" protocol defaults for TLS/SSL handshake
# Marked: refactor-with-if-syntax
# - Rest of this function does the opposite of `DisableTLSProtocol`, introduce `ToggleTLSProtocolState`?
- # Server -> Enable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server
valueName: Enabled
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
- # Server -> Do not disable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Server
valueName: DisabledByDefault
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
- # Client -> Enable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client
valueName: Enabled
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
- # Client -> Do not disable
function: SetRegistryValue
parameters:
keyPath: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{{ $protocolName }}\Client
valueName: DisabledByDefault
dataType: REG_DWORD
data: '0'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
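# Added example (not part of privacy.sexy): a read-only audit of the SCHANNEL values that `DisableTLSProtocol`, `EnableTLSProtocol`, `DisableTLSCipher`, `DisableTLSHash` and `RequireTLSMinimumKeySize` write, reporting whether each setting is absent, fully applied or only half applied.
# The function names, the `-Snapshot` format and the sample data are assumptions constructed for illustration; `TLS 1.0`, `RC4 128/128`, `MD5` and `Diffie-Hellman` are used as sample subkey names.

```powershell
# Added example, not privacy.sexy code. Function names are hypothetical.
$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    # Returns the value data, or $null when the subkey or the value is absent.
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [string] $ValueName,
        [hashtable] $Snapshot   # Optional constructed data: 'SubKey!ValueName' -> data
    )
    if ($null -ne $Snapshot) {
        return $Snapshot[('{0}!{1}' -f $SubKey, $ValueName)]
    }
    # The .NET registry API is used instead of the PowerShell registry provider because
    # subkey names such as 'RC4 128/128' contain '/', which the provider treats as a separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubKey")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($ValueName, $null) } finally { $key.Dispose() }
}

function Get-SchannelAudit {
    param(
        [string[]] $Protocols = @(),
        [string[]] $Ciphers = @(),
        [string[]] $Hashes = @(),
        [hashtable] $MinKeyBits = @{},   # Key exchange algorithm name -> required bits
        [hashtable] $Snapshot
    )
    # Protocols: both `Enabled` and `DisabledByDefault` are set for Server and Client.
    foreach ($protocol in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $subKey = "Protocols\$protocol\$side"
            $enabled = Get-SchannelValue -SubKey $subKey -ValueName 'Enabled' -Snapshot $Snapshot
            $byDefault = Get-SchannelValue -SubKey $subKey -ValueName 'DisabledByDefault' -Snapshot $Snapshot
            $state = if ($null -eq $enabled -and $null -eq $byDefault) {
                'NotConfigured'   # Operating system default applies
            } elseif ($null -eq $enabled -or $null -eq $byDefault) {
                'Partial'         # Only one of the two values exists
            } elseif ($enabled -eq 0 -and $byDefault -ne 0) {
                'Disabled'
            } elseif ($enabled -ne 0 -and $byDefault -eq 0) {
                'Enabled'
            } else {
                'Conflicting'
            }
            [pscustomobject]@{ Setting = $subKey; State = $state }
        }
    }
    # Ciphers and hashes: a single `Enabled` value, where 0 disables the algorithm.
    $toggles = @($Ciphers | ForEach-Object { "Ciphers\$_" }) + @($Hashes | ForEach-Object { "Hashes\$_" })
    foreach ($subKey in $toggles) {
        $enabled = Get-SchannelValue -SubKey $subKey -ValueName 'Enabled' -Snapshot $Snapshot
        $state = if ($null -eq $enabled) {
            'NotConfigured'
        } elseif ($enabled -eq 0) {
            'Disabled'
        } else {
            'Enabled'
        }
        [pscustomobject]@{ Setting = $subKey; State = $state }
    }
    # Key exchange: compare the configured minimum key length with the required one.
    foreach ($algorithm in $MinKeyBits.Keys) {
        foreach ($valueName in 'ServerMinKeyBitLength', 'ClientMinKeyBitLength') {
            $subKey = "KeyExchangeAlgorithms\$algorithm"
            $bits = Get-SchannelValue -SubKey $subKey -ValueName $valueName -Snapshot $Snapshot
            $state = if ($null -eq $bits) {
                'NotConfigured'
            } elseif ($bits -ge $MinKeyBits[$algorithm]) {
                'MeetsMinimum'
            } else {
                'BelowMinimum'
            }
            [pscustomobject]@{ Setting = ('{0}!{1}' -f $subKey, $valueName); State = $state }
        }
    }
}

# Constructed sample data (not captured from a real machine).
$sample = @{
    'Protocols\TLS 1.0\Server!Enabled'                           = 0
    'Protocols\TLS 1.0\Server!DisabledByDefault'                 = 1
    'Protocols\TLS 1.0\Client!Enabled'                           = 0   # DisabledByDefault is missing
    'Ciphers\RC4 128/128!Enabled'                                = 0
    'KeyExchangeAlgorithms\Diffie-Hellman!ClientMinKeyBitLength' = 1024
}

Get-SchannelAudit -Protocols 'TLS 1.0', 'TLS 1.2' -Ciphers 'RC4 128/128' -Hashes 'MD5' `
    -MinKeyBits @{ 'Diffie-Hellman' = 2048 } -Snapshot $sample |
    Format-Table -AutoSize
```

# Omit `-Snapshot` on a Windows machine to read the live registry instead of the constructed sample.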
-
name: SetDotNetRegistryKey
parameters:
- name: valueName
- name: valueData
docs: |-
This function configures registry settings specifically for .NET Framework applications by setting values within the Windows Registry
at the `HKLM\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>\{{ valueName }}!{{ valueData }}` keys [1] [2] [3].
It affects the following .NET Framework versions:
- `v4.0.30319`: Used for configurations pertaining to .NET Framework 4 and later versions [1] [2] [3].
- `v2.0.50727`: Targets .NET Framework 3.5 settings [1] [3].
Note that there are no version-based keys such as `v3.0` or `v3.5`, ensuring that only recognized versions are configured.
The `Wow6432Node` within the registry path indicates compatibility adjustments for 32-bit applications running on 64-bit machines;
it is absent in purely 32-bit environments [4].
These settings are applied globally, affecting all .NET applications on the system [1].
The configurations include enabling features or protocols that might not be active by default, depending on the framework version.
When reverting changes, the function removes the specified keys to restore settings to their original state.
On standard Windows installations, no other subkeys exist under the `.NETFramework\{version}\` registry path besides
`v4.0.30319\AspNetEnforceViewStateMac!AspNetEnforceViewStateMac` [3], as tested since Windows 10 Pro 22H2 and Windows 11 23H2 Pro.
[1]: https://web.archive.org/web/20240503121044/https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls "Transport Layer Security (TLS) best practices with .NET Framework | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240504125305/https://learn.microsoft.com/en-us/officeonlineserver/enable-tls-1-1-and-tls-1-2-support-in-office-online-server#enable-strong-cryptography-in-net-framework-45-or-higher "Enable TLS 1.1 and TLS 1.2 support in Office Online Server - Office Online Server | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240504125553/https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/connect/ssl-pe-no-cipher-error-endpoint-5022 "SSL_PE_NO_CIPHER error at endpoint 5022 - SQL Server | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240504125535/https://learn.microsoft.com/en-us/troubleshoot/windows-client/application-management/wow6432node-registry-key-present-32-bit-machine "WOW6432Node listed in 32-bit version of Windows - Windows Client | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Configure "{{ $valueName }}" for .NET applications
revertCodeComment: Restore "{{ $valueName }}" configuration for .NET applications
- # x86 | = .NET Framework 3.5
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # x64 | = .NET Framework 3.5
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # x86 | ≥ .NET Framework 4
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
- # x64 | ≥ .NET Framework 4
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: '{{ $valueData }}'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: BlockUWPAccessViaGPO
parameters:
- name: policyName
docs: |-
This function blocks UWP apps from accessing the specified OS feature.
It applies Group Policy Objects (GPO) through the `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy` registry key [1] [2].
These policies prevent users from modifying these settings via the graphical user interface.
Additionally, the script configures exceptions using the `UserInControlOfTheseApps`, `ForceAllowTheseApps`, and
`ForceDenyTheseApps` keys [2]. These keys, of type `REG_MULTI_SZ`, manage lists of null-terminated strings [3].
The script sets these to `NULL`, ensuring that even empty lists are properly terminated with a null character to
maintain registry integrity [3] [4].
[1]: https://web.archive.org/web/20230911110911/https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#31-services-configuration "Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services - Windows Privacy | Microsoft Learn"
[2]: https://web.archive.org/web/20240427110714/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy "Privacy Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240521092322/https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types "Registry value types - Win32 apps | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240521092438/https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regsetvalueexa "[in] cbData must include the size of the terminating null character or characters. | RegSetValueExA function (winreg.h) - Win32 apps | Microsoft Learn"
call:
-
function: Comment
parameters:
codeComment: Disable app access ({{ $policyName }}) using GPO (re-activation through GUI is not possible)
revertCodeComment: Restore app access ({{ $policyName }}) using GPO
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
valueName: "{{ $policyName }}"
dataType: REG_DWORD
data: '2'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
valueName: "{{ $policyName }}_UserInControlOfTheseApps"
dataType: REG_MULTI_SZ
data: '\0' # `REG_MULTI_SZ` means null terminated string list, empty list should also be terminated with null character
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
valueName: "{{ $policyName }}_ForceAllowTheseApps"
dataType: REG_MULTI_SZ
data: '\0' # `REG_MULTI_SZ` means null terminated string list, empty list should also be terminated with null character
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy
valueName: "{{ $policyName }}_ForceDenyTheseApps"
dataType: REG_MULTI_SZ
data: '\0' # `REG_MULTI_SZ` means null terminated string list, empty list should also be terminated with null character
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: BlockUWPAccessViaConsentStore
parameters:
- name: appCapability
docs: |-
This function blocks UWP apps from accessing the specified OS feature.
It does so by modifying settings in the `CapabilityAccessManager\ConsentStore` [1].
It sets the specified app capability to "Deny", overriding the
default "Allow" setting present since Windows 10 22H2 and Windows 11 23H2.
Run the following command to see all available settings:
> `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore`
[1]: https://web.archive.org/web/20240427114500/https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ "Registry Keys for Windows 10 Application Privacy Settings - Jose Espitia | joseespitia.com"
call:
-
function: Comment
parameters:
codeComment: Disable app capability ({{ $appCapability }}) using user privacy settings
revertCodeComment: Restore app capability ({{ $appCapability }}) using user privacy settings
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\{{ $appCapability }}
valueName: Value
dataType: REG_SZ
data: 'Deny'
dataOnRevert: 'Allow' # Default value: `Allow` for all subkeys on Windows 10 Pro (≥ 21H1) and on Windows 11 Pro (≥ 22H2)
-
name: BlockUWPLegacyDeviceAccess
parameters:
- name: deviceAccessId
docs: |-
This function blocks UWP apps from accessing the specified OS feature.
It applies to older versions of Windows [1].
It modifies registry settings under the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global` key [1].
[1]: https://web.archive.org/web/20240427103845/https://www.c-amie.co.uk/technical/windows-10-registry-paths-for-privacy-settings/ "Windows 10 Registry Paths for Privacy Settings - C:Amie (not) Com! | c-amie.co.uk"
call:
-
function: Comment
parameters:
codeComment: Disable app access ({{ $deviceAccessId }}) in older Windows versions (before 1903)
revertCodeComment: Restore app access ({{ $deviceAccessId }}) in older Windows versions (before 1903)
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{{ $deviceAccessId }}
valueName: "Value"
dataType: REG_SZ
data: 'Deny'
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
name: BlockExecutablesFromRunningViaShell # 💡 Usage: This is a low-level function. Favor using `TerminateAndBlockExecution` in script calls.
parameters:
- name: executableNameWithExtension # Filename of the executable (including its extension) to be blocked
docs: |-
This function prevents specified executable files from running on Windows through the `DisallowRun` policy.
Users cannot execute these blocked programs via the Run dialog [1], double-clicking [1], the File menu [1], File Explorer [2] [3],
or any application using `ShellExecute` or `ShellExecuteEx` functions [1].
This function does not block executables launched by system processes like Task Manager or through other processes, including those
initiated via the command prompt (`cmd.exe`) [2] [3].
The script targets the `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun` registry key [1] [2] [3],
which does not exist by default.
[1]: https://web.archive.org/web/20240525130534/https://learn.microsoft.com/en-us/windows/win32/api/shlobj_core/ne-shlobj_core-restrictions "RESTRICTIONS (shlobj_core.h) - Win32 apps | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240525130542/https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools#disallowapps "ADMX_ShellCommandPromptRegEditTools Policy CSP - Windows Client Management | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240525130647/https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsTools::DisallowApps "Don't run specified Windows applications | admx.help"
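
A read-only check of the state this function writes, as an added example that is not part of privacy.sexy's code; the function names and the sample rules are hypothetical. It reports cases where the rule list and the `DisallowRun` activation value disagree, which leaves the block ineffective.

```powershell
# Added example, not privacy.sexy code. All function names are hypothetical.
# Scope: the documentation above notes that DisallowRun does not stop launches
# from cmd.exe or by system processes, so an empty result only covers shell launches.

# Reads the activation value and the rule list without modifying anything.
function Get-DisallowRunState {
    param(
        [string] $PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $rules = @{}
    $ruleKey = Get-Item -Path "$PolicyPath\DisallowRun" -ErrorAction Ignore
    if ($ruleKey) {
        foreach ($name in $ruleKey.GetValueNames()) {
            $rules[$name] = [string] $ruleKey.GetValue($name)
        }
    }
    $policyKey = Get-Item -Path $PolicyPath -ErrorAction Ignore
    $policyValue = if ($policyKey) { $policyKey.GetValue('DisallowRun') } else { $null }
    [pscustomobject]@{ PolicyValue = $policyValue; Rules = $rules }
}

# Compares the two parts of the policy and returns one string per inconsistency.
function Test-DisallowRunState {
    param(
        $PolicyValue,               # data of the DisallowRun value, $null when absent
        [hashtable] $Rules = @{}    # value name -> executable filename
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $numericRuleCount = 0
    foreach ($entry in $Rules.GetEnumerator()) {
        $name = [string] $entry.Key
        $exe = [string] $entry.Value
        if ($name -notmatch '^\d+$') {
            $findings.Add("Value name '$name' is not a numeric rule index.")
            continue
        }
        $numericRuleCount++
        # The function above stores a bare filename including its extension.
        if ($exe -notmatch '^[^\\/]+\.[^\\/.]+$') {
            $findings.Add("Rule $name ('$exe') is not a bare filename with an extension.")
        }
    }
    $isActive = ("$PolicyValue" -eq '1')
    if ($numericRuleCount -gt 0 -and -not $isActive) {
        $findings.Add('Rules exist but the DisallowRun value is not 1: the listed programs are not blocked.')
    }
    if ($isActive -and $numericRuleCount -eq 0) {
        $findings.Add('The DisallowRun value is 1 but no rules exist: nothing is blocked.')
    }
    $duplicates = $Rules.GetEnumerator() | Group-Object -Property Value | Where-Object { $_.Count -gt 1 }
    foreach ($group in $duplicates) {
        $indexes = ($group.Group | ForEach-Object { $_.Key } | Sort-Object) -join ', '
        $findings.Add("'$($group.Name)' is listed under several rule indexes: $indexes.")
    }
    return $findings.ToArray()
}

# Constructed sample state: three rules, one duplicate, activation value missing.
$sampleRules = @{ '1' = 'example-a.exe'; '2' = 'example-b.exe'; '3' = 'example-a.exe' }
Test-DisallowRunState -PolicyValue $null -Rules $sampleRules

# On a live system:
# $state = Get-DisallowRunState
# Test-DisallowRunState -PolicyValue $state.PolicyValue -Rules $state.Rules
```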
call:
-
function: RunPowerShell
parameters:
codeComment: Add a rule to prevent the executable "{{ $executableNameWithExtension }}" from running via File Explorer
code: |-
$executableFilename='{{ $executableNameWithExtension }}'
try {
$registryPathForDisallowRun='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
$existingBlockEntries = Get-ItemProperty `
-Path "$registryPathForDisallowRun" `
-ErrorAction Ignore
$nextFreeRuleIndex = 1
if ($existingBlockEntries) {
$existingBlockingRuleForExecutable = $existingBlockEntries.PSObject.Properties `
| Where-Object { $_.Value -eq $executableFilename }
if ($existingBlockingRuleForExecutable) {
$existingBlockingRuleIndexForExecutable = $existingBlockingRuleForExecutable.Name
Write-Output "Skipping, no action needed: `"$executableFilename`" is already blocked under rule index `"$existingBlockingRuleIndexForExecutable`"."
exit 0
}
$occupiedRuleIndexes = $existingBlockEntries.PSObject.Properties `
| Where-Object { $_.Name -Match '^\d+$' } `
| Select -ExpandProperty Name
if ($occupiedRuleIndexes) {
while ($occupiedRuleIndexes -Contains $nextFreeRuleIndex) {
$nextFreeRuleIndex += 1
}
}
}
Write-Output "Adding block rule for `"$executableFilename`" under rule index `"$nextFreeRuleIndex`"."
if (!(Test-Path $registryPathForDisallowRun)) {
New-Item `
-Path "$registryPathForDisallowRun" `
-Force `
-ErrorAction Stop `
| Out-Null
}
New-ItemProperty `
-Path "$registryPathForDisallowRun" `
-Name "$nextFreeRuleIndex" `
-PropertyType String `
-Value "$executableFilename" `
-ErrorAction Stop `
| Out-Null
Write-Output "Successfully blocked `"$executableFilename`" with rule index `"$nextFreeRuleIndex`"."
} catch {
Write-Error "Failed to block `"$executableFilename`": $_"
Exit 1
}
revertCodeComment: Remove the rule that prevents the executable "{{ $executableNameWithExtension }}" from running via File Explorer
revertCode: |-
$executableFilename='{{ $executableNameWithExtension }}'
try {
$blockEntries = Get-ItemProperty `
-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' `
-ErrorAction Ignore
if (-Not $blockEntries) {
Write-Output "Skipping, no action needed: No block rules exist, `"$executableFilename`" is not blocked."
exit 0
}
$blockingRulesForExecutable = @(
$blockEntries.PSObject.Properties `
| Where-Object { $_.Value -eq $executableFilename }
)
if (-Not $blockingRulesForExecutable) {
Write-Output "Skipping, no action needed: `"$executableFilename`" is not currently blocked."
exit 0
}
foreach ($blockingRuleForExecutable in $blockingRulesForExecutable) {
$blockingRuleIndexForExecutable = $blockingRuleForExecutable.Name
Write-Output "Removing rule `"$blockingRuleIndexForExecutable`" that blocks `"$executableFilename`"."
Remove-ItemProperty `
-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' `
-Name "$blockingRuleIndexForExecutable" `
-Force `
-ErrorAction Stop
Write-Output "Successfully revoked blocking of `"$executableFilename`" under rule `"$blockingRuleIndexForExecutable`"."
}
} catch {
Write-Error "Failed to revoke blocking of `"$executableFilename`": $_"
Exit 1
}
-
function: RunPowerShell
parameters:
codeComment: Activate the DisallowRun policy to block specified programs from running via File Explorer
code: |-
try {
$fileExplorerDisallowRunRegistryPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$currentDisallowRunPolicyValue = Get-ItemProperty `
-Path "$fileExplorerDisallowRunRegistryPath" `
-Name 'DisallowRun' `
-ErrorAction Ignore `
| Select -ExpandProperty DisallowRun
if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {
Write-Output "Creating DisallowRun policy at `"$fileExplorerDisallowRunRegistryPath`"."
if (!(Test-Path $fileExplorerDisallowRunRegistryPath)) {
New-Item `
-Path "$fileExplorerDisallowRunRegistryPath" `
-Force `
-ErrorAction Stop `
| Out-Null
}
New-ItemProperty `
-Path "$fileExplorerDisallowRunRegistryPath" `
-Name 'DisallowRun' `
-Value 1 `
-PropertyType DWORD `
-Force `
-ErrorAction Stop `
| Out-Null
Write-Output 'Successfully activated DisallowRun policy.'
Exit 0
}
if ($currentDisallowRunPolicyValue -eq 1) {
Write-Output 'Skipping, no action needed: DisallowRun policy is already in place.'
Exit 0
}
Write-Output "Updating DisallowRun policy from unexpected value `"$currentDisallowRunPolicyValue`" to `"1`"."
Set-ItemProperty `
-Path "$fileExplorerDisallowRunRegistryPath" `
-Name 'DisallowRun' `
-Value 1 `
-Type DWORD `
-Force `
-ErrorAction Stop `
| Out-Null
Write-Output 'Successfully activated DisallowRun policy.'
} catch {
Write-Error "Failed to activate DisallowRun policy: $_"
Exit 1
}
revertCodeComment: Restore the File Explorer DisallowRun policy if no other blocks are active
revertCode: |-
try {
$currentDisallowRunPolicyValue = Get-ItemProperty `
-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
-Name 'DisallowRun' `
-ErrorAction Ignore `
| Select-Object -ExpandProperty 'DisallowRun'
if ([string]::IsNullOrEmpty($currentDisallowRunPolicyValue)) {
Write-Output 'Skipping, no action needed: DisallowRun policy is not active.'
Exit 0
}
if ($currentDisallowRunPolicyValue -ne 1) {
Write-Output "Skipping, DisallowRun policy is not configured by privacy.sexy, unexpected value: `"$currentDisallowRunPolicyValue`"."
Exit 0
}
$remainingBlockingRules = Get-ItemProperty `
-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' `
-ErrorAction Ignore
if ($remainingBlockingRules) {
Write-Output 'Skipping deactivating DisallowRun policy, there are still active rules.'
Exit 0
}
Write-Output 'No remaining rules, deleting DisallowRun policy.'
Remove-ItemProperty `
-Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
-Name 'DisallowRun' `
-Force `
-ErrorAction Stop
Write-Output 'Successfully restored DisallowRun policy.'
} catch {
Write-Error "Failed to restore DisallowRun policy: $_"
Exit 1
}
-
name: TerminateAndBlockExecution
parameters:
- name: executableNameWithExtension # Filename of the executable (including its extension) to be terminated and blocked
docs: |-
This function combines actions to terminate and block the re-execution of a specified executable on Windows.
It is designed for scripts that need to prevent an unwanted executable from affecting the system.
call:
-
function: TerminateRunningProcess
parameters:
executableNameWithExtension: '{{ $executableNameWithExtension }}'
-
function: TerminateExecutableOnLaunch
parameters:
executableNameWithExtension: '{{ $executableNameWithExtension }}'
-
function: BlockExecutablesFromRunningViaShell
parameters:
executableNameWithExtension: '{{ $executableNameWithExtension }}'
-
name: CreatePlaceholderFile
parameters:
- name: placeholderFilePath
call:
function: RunPowerShell
parameters:
codeComment: 'Create a placeholder file at "{{ $placeholderFilePath }}".'
code: |-
$filePath = '{{ $placeholderFilePath }}'
$expandedFilePath = [System.Environment]::ExpandEnvironmentVariables($filePath)
$placeholderText = 'privacy.sexy placeholder'
Write-Output "Creating placeholder file at `"$expandedFilePath`"."
$parentDirectory = [System.IO.Path]::GetDirectoryName($expandedFilePath)
if (Test-Path $expandedFilePath -PathType Leaf) {
Write-Host "Skipping file creation as `"$expandedFilePath`" already exists."
Exit 0
}
if (Test-Path $parentDirectory -PathType Container) {
Write-Host "Skipping parent directory creation as `"$parentDirectory`" already exists."
} else {
try {
New-Item `
-ItemType Directory `
-Path "$parentDirectory" `
-Force `
-ErrorAction Stop `
| Out-Null
Write-Output "Successfully created directory for placeholder file at `"$parentDirectory`"."
} catch {
Write-Error "Failed to create directory for placeholder at `"$parentDirectory`": $_"
Exit 1
}
}
try {
New-Item `
-ItemType File `
-Path $expandedFilePath `
-Value "$placeholderText" `
-Force `
-ErrorAction Stop `
| Out-Null
Write-Host "Successfully created a placeholder file at `"$expandedFilePath`"."
} catch {
Write-Error "Failed to create placeholder file at `"$expandedFilePath`": $_"
Exit 1
}
revertCodeComment: 'Remove the placeholder file at "{{ $placeholderFilePath }}".'
revertCode: |-
$filePath = '{{ $placeholderFilePath }}'
$expandedFilePath = [System.Environment]::ExpandEnvironmentVariables($filePath)
$placeholderText = 'privacy.sexy placeholder'
Write-Output "Attempting to remove placeholder file at `"$expandedFilePath`"."
if (-Not (Test-Path $expandedFilePath -PathType Leaf)) {
Write-Host "Skipping file removal as `"$expandedFilePath`" does not exist, no action needed."
Exit 0
}
$currentContent = Get-Content $expandedFilePath `
-ErrorAction SilentlyContinue
if ($currentContent -ne $placeholderText) {
Write-Output "Skipping removal as the file at `"$expandedFilePath`" was not created by privacy.sexy."
Exit 0
}
Write-Output "File contents match the placeholder content. Proceeding to remove the file."
try {
Remove-Item `
-Path $expandedFilePath `
-Force `
-ErrorAction Stop
Write-Host "Successfully removed the placeholder file at `"$expandedFilePath`"."
} catch {
Write-Error "Failed to delete the placeholder file at `"$expandedFilePath`": $_"
Exit 1
}
-
name: SetChromePolicyViaRegistry
parameters:
- name: valueName
- name: dwordData
docs: |-
This function sets a specified Google Chrome policy value to given `REG_DWORD` data.
This script applies these policies via the Windows Registry at `HKLM\SOFTWARE\Policies\Google\Chrome` [1].
These policies are also known as *platform policies* [2].
They take the highest precedence, meaning that they override user settings [2].
By default, no policies are configured under this registry path.
This has been tested on Windows 10 from version 22H2 onwards and Windows 11 from version 23H2 onwards,
with Google Chrome starting from version 125.
[1]: https://web.archive.org/web/20240624102414/https://support.google.com/chrome/a/answer/10407780?hl=en "Manage Chrome browser with Windows device management - Chrome Enterprise and Education Help | support.google.com"
[2]: https://web.archive.org/web/20240624102622/https://support.google.com/chrome/a/answer/9037717?hl=en#zippy=%2Cplatform-policies "Understand Chrome policy management - Chrome Enterprise and Education Help | support.google.com"
call:
-
function: Comment
parameters:
codeComment: Configure "{{ $valueName }}" Chrome policy
revertCodeComment: Restore "{{ $valueName }}" Chrome policy
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Google\Chrome
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: "{{ $dwordData }}"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) | Tested since Chrome v125
-
name: ShowChromeRestartSuggestion
docs: |-
This function alerts users to restart Google Chrome to activate changes.
It may be necessary to restart the browser following policy modifications for settings to be applied [1] [2].
This is named "Dynamic Policy Refresh" (`dynamic_refresh`) [2].
This indicates that certain policy values might not be applied without restarting Chrome [2].
[1]: https://web.archive.org/web/20240624102414/https://support.google.com/chrome/a/answer/10407780?hl=en "Manage Chrome browser with Windows device management - Chrome Enterprise and Education Help | support.google.com"
[2]: https://web.archive.org/web/20240624105512/https://chromium.googlesource.com/chromium/src/+/main/docs/enterprise/add_new_policy.md "Chromium Docs - Policy Settings in Chrome | chromium.googlesource.com"
call:
-
function: Comment
parameters:
codeComment: Suggest restarting Chrome for changes to take effect
revertCodeComment: Suggest restarting Chrome for changes to take effect
-
function: ShowMessage
parameters:
message: For the changes to fully take effect, please restart Google Chrome.
showOnRevert: 'true'
-
name: SetEdgePolicyViaRegistry
parameters:
- name: valueName
- name: dwordData
docs: |-
This function sets a specific Microsoft Edge policy value using `REG_DWORD` data.
This determines the operational behavior of Microsoft Edge [1].
It configures *mandatory policies*.
These policies override user preferences and cannot be changed by users [2].
In contrast, *recommended policies* set defaults that users may change [2].
This script applies these policies via the Windows Registry at `HKLM\SOFTWARE\Policies\Microsoft\Edge` [1] [2].
Alternatively, `HKCU` can be used to apply settings for the current user only [3] [4].
By default, no policies are pre-configured at these registry paths.
This has been tested on Windows 10 from version 22H2 onwards and Windows 11 from version 23H2 onwards,
with Microsoft Edge starting from version 125.
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240519111447/https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge "Configure Microsoft Edge for Windows with policy settings | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240624105249/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-manage-extensions-ref-guide#configure-using-the-windows-registry "Detailed guide to the ExtensionSettings policy | Microsoft Learn | learn.microsoft.com"
[4]: https://web.archive.org/web/20240624105313/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service#control-userdevice-policy-precedence "Microsoft Edge management service | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Configure "{{ $valueName }}" Edge policy
revertCodeComment: Restore "{{ $valueName }}" Edge policy
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\Edge
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: "{{ $dwordData }}"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) | Tested since Edge ≥ 125
-
name: ShowEdgeRestartSuggestion
docs: |-
This function prompts users to restart Microsoft Edge to implement changes.
A restart may be required to apply settings after modifying Edge policies, referred to as "Dynamic Policy Refresh" [1].
This indicates that certain policy values might not be applied without restarting Edge [1].
[1]: https://web.archive.org/web/20240517212443/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies "Microsoft Edge Browser Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Suggest restarting Edge for changes to take effect
revertCodeComment: Suggest restarting Edge for changes to take effect
-
function: ShowMessage
parameters:
message: For the changes to fully take effect, please restart Microsoft Edge.
showOnRevert: 'true'
-
name: SetLegacyEdgePolicyViaRegistry
parameters:
- name: policySubkey
- name: valueName
- name: dwordData
docs: |-
This function configures policies specifically for Edge (Legacy) via the Windows Registry.
It configures policies in two different ways:
- **Via Group Policies**:
Policies for Edge (Legacy) are located at `HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge` [1] [2].
By default, no group policies are configured, tested since Windows 10 Pro ≥ 19H1 (1909).
- **Via User Settings**:
Local user settings for Edge (Legacy) are stored at
`HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge` [3] [4].
This path is operational on versions of Windows with Legacy Edge installed and was tested on Windows 10 Pro 19H1 (1909).
The path does not exist in modern versions of Windows tested from Windows 10 Pro (≥ 22H2) onwards.
[1]: https://web.archive.org/web/20240624133131/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/available-policies "Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) | Microsoft Learn | learn.microsoft.com"
[2]: https://web.archive.org/web/20240314101034/https://learn.microsoft.com/en-us/previous-versions/windows/edge-legacy/group-policies/telemetry-management-gp#prevent-microsoft-edge-from-gathering-live-tile-information-when-pinning-a-site-to-start "Microsoft Edge - Telemetry and data collection group policies | Microsoft Learn | learn.microsoft.com"
[3]: https://web.archive.org/web/20240624133305/https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2018-8530 "CVE-2018-8530 - Security Update Guide - Microsoft - Microsoft Edge Security Feature Bypass Vulnerability | msrc.microsoft.com"
[4]: https://web.archive.org/web/20240624133326/https://learn.microsoft.com/en-us/skype-sdk/websdk/docs/troubleshooting/gatheringlogs/logs-media "Gathering Media Logs from the Skype Web SDK or Conversation Control | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Configure "{{ $valueName }}" Edge (Legacy) policy
revertCodeComment: Restore "{{ $valueName }}" Edge (Legacy) policy
-
function: SetRegistryValue # Via GPO
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\{{ $policySubkey }}
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: "{{ $dwordData }}"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 19H1) and Windows 11 Pro (≥ 23H2)
-
function: SetRegistryValue # Via user settings
parameters:
keyPath: HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\{{ $policySubkey }}
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: "{{ $dwordData }}"
deleteOnRevert: 'true' # Exists by default on Windows 10 Pro (≥ 19H1), since Windows 10 Pro (≥ 21H2) and Windows 11 Pro (≥ 23H2)
-
name: SetEdgeUpdatePolicyViaRegistry
parameters:
- name: valueName
- name: dwordData
docs: |-
This function configures update policies for the Microsoft Edge update mechanism via the Windows Registry.
The function affects both Edge and the Microsoft Edge WebView2 Runtime [1].
It modifies settings within the `HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate` registry key [1].
These settings are applicable to Microsoft Edge version 77 or later [1].
By default, no policies are configured under this registry path.
This has been tested on Windows 10 from version 22H2 onwards and Windows 11 from version 23H2 onwards,
with Microsoft Edge updates starting from version 1.3.187.41.
[1]: https://web.archive.org/web/20240622121924/https://learn.microsoft.com/en-us/deployedge/microsoft-edge-update-policies "Microsoft Edge Update Policy Documentation | Microsoft Learn | learn.microsoft.com"
call:
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate
valueName: "{{ $valueName }}"
dataType: REG_DWORD
data: "{{ $dwordData }}"
deleteOnRevert: 'true' # Missing by default since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2) | Tested since EdgeUpdate ≥ 1.3.187.41
-
name: RunPowerShellWithWindowsVersionConstraints
docs: |-
This function executes PowerShell code on Windows systems that meet specified Windows version requirements.
It ensures the script runs only on Windows versions within the specified range.
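
The range check this function generates, as an added example that is not part of privacy.sexy's code; `ConvertTo-BuildVersion` and `Test-WindowsBuildInRange` are hypothetical names and the OS versions are constructed. It shows why the revision is dropped before comparing: a three-part bound such as `10.0.18363` has an undefined revision, so `10.0.18363.0` would otherwise compare as above it.

```powershell
# Added example, not privacy.sexy code. Function names are hypothetical.

# Reduces a version to Major.Minor.Build so the revision never decides a comparison.
function ConvertTo-BuildVersion {
    param([Parameter(Mandatory)] [System.Version] $Version)
    # A two-part version such as '10.0' has Build = -1, which the constructor rejects.
    $build = [Math]::Max($Version.Build, 0)
    [System.Version]::new($Version.Major, $Version.Minor, $build)
}

# Returns $true when the OS build lies within the optional, inclusive bounds.
function Test-WindowsBuildInRange {
    param(
        [Parameter(Mandatory)] [System.Version] $OsVersion,
        [System.Version] $Minimum,
        [System.Version] $Maximum
    )
    $os = ConvertTo-BuildVersion -Version $OsVersion
    if (($null -ne $Minimum) -and ($null -ne $Maximum) -and ($Minimum -gt $Maximum)) {
        throw "Minimum $Minimum is above maximum $Maximum."
    }
    if (($null -ne $Minimum) -and ($os -lt (ConvertTo-BuildVersion -Version $Minimum))) {
        return $false
    }
    if (($null -ne $Maximum) -and ($os -gt (ConvertTo-BuildVersion -Version $Maximum))) {
        return $false
    }
    return $true
}

# Constructed sample: the OS reports a four-part version, while the bound is the
# three-part build that the table in `setupCode` lists for 'Windows10-1909'.
$osVersion = [System.Version]::Parse('10.0.18363.0')
$max1909 = [System.Version]::Parse('10.0.18363')

# Raw comparison: revision 0 sorts above the bound's undefined revision (-1),
# so a system exactly at the maximum would be treated as too new.
$rawSaysAbove = $osVersion -gt $max1909

# Normalized comparison, equivalent to comparing $versionNoPatch in the generated code.
$inRange = Test-WindowsBuildInRange -OsVersion $osVersion -Maximum $max1909

# A Windows 11 build (constructed) against the same maximum stays out of range.
$win11InRange = Test-WindowsBuildInRange -OsVersion ([System.Version]::Parse('10.0.22000.0')) -Maximum $max1909

Write-Output "Raw comparison reports above maximum: $rawSaysAbove"
Write-Output "Normalized check reports in range: $inRange"
Write-Output "Windows 11 build in range for a 1909 maximum: $win11InRange"
```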
parameters:
- name: code # The main PowerShell code to execute.
- name: revertCode # Optional PowerShell code to revert any changes. Executed only if provided.
optional: true
- name: setupCode # PowerShell code to execute before version checks.
optional: true
- name: minimumWindowsVersion # Specifies the minimum Windows version for executing the PowerShell script.
optional: true # Allowed values:
# Windows11-FirstRelease (First Windows 11) | Windows11-21H2 | Windows10-22H2 |
# Windows10-21H2 | Windows10-20H2 | Windows10-1909 | Windows10-1607
- name: maximumWindowsVersion # Specifies the maximum Windows version for executing the PowerShell script.
optional: true # Allowed values:
# Windows11-21H2 | Windows10-MostRecent (most recent Windows) |
# Windows10-22H2 | Windows10-1909 | Windows10-1903
call:
function: RunPowerShellWithSetup
parameters:
# Marked: refactor-with-if-syntax
# If checks can be handled during compile time.
setupCode: |- # See: Find build numbers: https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions
{{ with $minimumWindowsVersion }}
$versionName = '{{ . }}'
$buildNumber = switch ($versionName) {
'Windows11-FirstRelease' { '10.0.22000' }
'Windows11-21H2' { '10.0.22000' }
'Windows10-22H2' { '10.0.19045' }
'Windows10-21H2' { '10.0.19044' }
'Windows10-20H2' { '10.0.19042' }
'Windows10-1909' { '10.0.18363' }
'Windows10-1607' { '10.0.14393' }
default {
throw "Internal privacy.sexy error: No build for minimum Windows '$versionName'"
}
}
$minVersion = [System.Version]::Parse($buildNumber)
$version = [Environment]::OSVersion.Version
$versionNoPatch = [System.Version]::new($version.Major, $version.Minor, $version.Build)
if ($versionNoPatch -lt $minVersion) {
Write-Output "Skipping: Windows ($versionNoPatch) is below minimum $minVersion ($versionName)"
Exit 0
}
{{ end }}{{ with $maximumWindowsVersion }}
$versionName = '{{ . }}'
$buildNumber = switch ($versionName) {
'Windows11-21H2' { '10.0.22000' }
'Windows10-MostRecent' { '10.0.19045' }
'Windows10-22H2' { '10.0.19045' }
'Windows10-1909' { '10.0.18363' }
'Windows10-1903' { '10.0.18362' }
default {
throw "Internal privacy.sexy error: No build for maximum Windows '$versionName'"
}
}
$maxVersion=[System.Version]::Parse($buildNumber)
$version = [Environment]::OSVersion.Version
$versionNoPatch = [System.Version]::new($version.Major, $version.Minor, $version.Build)
if ($versionNoPatch -gt $maxVersion) {
Write-Output "Skipping: Windows ($versionNoPatch) is above maximum $maxVersion ($versionName)"
Exit 0
}
{{ end }}{{ with $setupCode }}
{{ . }}
{{ end }}
code: '{{ $code }}'
revertCode: '{{ with $revertCode }}{{ . }}{{ end }}'
-
name: SetRegistryValueAsTrustedInstaller
parameters: # The parameters should be always in sync/compatible with `SetRegistryValue`.
- name: keyPath # Full path of the subkey or entry to be added.
- name: valueName # Name of the add registry entry.
- name: dataType # Type for the registry entry.
- name: data # Data for the new registry entry.
- name: deleteOnRevert # Set to 'true' to revert to the initial state by deleting the registry key.
optional: true
- name: dataOnRevert # Specifies the value to restore when reverting the registry change, instead of deleting the entry.
optional: true
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: >-
Sets registry value using TrustedInstaller privileges.
> - 💡 Use this function for a consistent approach instead of directly using `reg add` or `reg delete` commands.
> - ❗️ Use this function only when `SetRegistryValue` fails with permission errors.
call:
# Marked: refactor-with-variables
# Should be re-using same code as SetRegistryValue but only as TrustedInstaller.
function: RunInlineCodeAsTrustedInstaller
parameters:
code: reg add "{{ $keyPath }}" /v "{{ $valueName }}" /t "{{ $dataType }}" /d "{{ $data }}" /f
revertCode: |-
{{ with $deleteOnRevert }}
reg delete "{{ $keyPath }}" /v "{{ $valueName }}" /f 2>nul
{{ end }}{{ with $dataOnRevert }}
reg add "{{ $keyPath }}" /v "{{ $valueName }}" /t "{{ $dataType }}" /d "{{ . }}" /f
{{ end }}
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
-
name: DeleteVisualStudioLicense
parameters:
- name: productGuid
docs: |-
This function deletes license data for a specific Visual Studio product GUID.
Visual Studio stores license data in the registry in
`HKCR\Licenses\<Product GUID>\<Numeric Value>!(Default)` [1] [2].
Each numeric subkey contains a default value with binary license data.
`HKCR` is a virtual view combining `HKCU\Software\Classes` and `HKLM\Software\Classes` [3].
The actual license data is stored in `HKLM\Software\Classes`.
This function removes the entire registry key for the given product GUID,
including all subkeys and values, effectively deleting the license.
[1]: https://web.archive.org/web/20240809125530/https://github.com/privacysexy-forks/VSKeyExtractor/blob/main/Program.cs "VSKeyExtractor/Program.cs at main · privacysexy-forks/VSKeyExtractor | github.com"
[2]: https://web.archive.org/web/20240809125330/https://github.com/privacysexy-forks/VSCELicense/blob/master/VSCELicense.psm1 "VSCELicense/VSCELicense.psm1 at master · privacysexy-forks/VSCELicense | github.com"
[3]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: Remove Visual Studio license for product {{ $productGuid }}
-
function: DeleteRegistryKey
parameters:
keyPath: HKLM\SOFTWARE\Classes\Licenses\{{ $productGuid }}
-
name: ClearRegistryValues
# Deletes values in the specified registry key, preserving the key and subkeys.
# 💡 Use `DeleteRegistryValue` for more granular and less destructive operations.
# 💡 Use `DeleteRegistryKey` to remove the entire key structure.
parameters:
- name: keyPath # Full path of the subkey or entry where the value resides. No glob/wildcard interpretation.
- name: deleteSubkeyValuesRecursively # Whether to recursively clear values in subkeys.
optional: true
docs: |-
This function deletes registry values within the specified registry key.
It can operate in two modes: non-recursive (default) and recursive:
1. Non-recursive mode (default):
- Deletes all values directly under the specified key
- Preserves the key itself and any subkeys
- Does not affect values in subkeys
- The behavior is equivalent to `reg delete /va "<path>" /f` [1].
2. Recursive mode:
- Deletes all values under the specified key
- Deletes all values in all subkeys recursively
- Preserves the key structure (keys and subkeys remain, only values are deleted)
[1]: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-delete#parameters "reg delete | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: >-
Clear registry values from "{{ $keyPath }}"
{{ with $deleteSubkeyValuesRecursively }}(recursively){{ end }}
-
function: RunPowerShell
parameters:
code: |-
$rootRegistryKeyPath = '{{ $keyPath }}'
function Clear-RegistryKeyValues {
try {
$currentRegistryKeyPath = $args[0]
Write-Output "Clearing registry values from `"$currentRegistryKeyPath`"."
$formattedRegistryKeyPath = $currentRegistryKeyPath -replace '^([^\\]+)', '$1:'
if (-Not (Test-Path -LiteralPath $formattedRegistryKeyPath)) {
Write-Output "Skipping: Registry key not found: `"$formattedRegistryKeyPath`"."
return
}
$directValueNames = (Get-Item -LiteralPath $formattedRegistryKeyPath -ErrorAction Stop | Select-Object -ExpandProperty Property)
if (-Not $directValueNames) {
Write-Output 'Skipping: Registry key has no direct values.'
} else {
foreach ($valueName in $directValueNames) {
Remove-ItemProperty `
-LiteralPath $formattedRegistryKeyPath `
-Name $valueName `
-ErrorAction Stop
Write-Output "Successfully deleted value: `"$valueName`" from `"$formattedRegistryKeyPath`"."
}
Write-Output "Successfully cleared all direct values in `"$formattedRegistryKeyPath`"."
}
{{ with $deleteSubkeyValuesRecursively }}
Write-Output "Iterating subkeys recursively: `"$formattedRegistryKeyPath`"."
$subKeys = Get-ChildItem -LiteralPath $formattedRegistryKeyPath -ErrorAction Stop
if (!$subKeys) {
Write-Output 'Skipping: no subkeys available.'
return
}
foreach ($subKey in $subKeys) {
$subkeyName = $($subKey.PSChildName)
Write-Output "Processing subkey: `"$subkeyName`""
$subkeyPath = Join-Path -Path $currentRegistryKeyPath -ChildPath $subkeyName
Clear-RegistryKeyValues $subkeyPath
}
Write-Output "Successfully cleared all subkeys in `"$formattedRegistryKeyPath`"."
{{ end }}
} catch {
Write-Error "Failed to clear registry values in `"$formattedRegistryKeyPath`". Error: $_"
Exit 1
}
}
Clear-RegistryKeyValues $rootRegistryKeyPath
-
name: DeleteRegistryValue # See also `DeleteRegistryKey`, `ClearRegistryValues`
parameters:
- name: keyPath # Full path of the subkey or entry where the value resides. No glob/wildcard interpretation.
- name: valueName # Name of the registry value to be deleted. No glob/wildcard interpretation.
- name: dataOnRevert # Data to store upon revert.
optional: true
- name: dataTypeOnRevert # Type of the data to store upon revert.
optional: true
- name: deleteOnRevert # If true, it reverts to the initial state by deleting the registry key.
optional: true
- name: evaluateDataAsPowerShell # If true, evaluates 'dataOnRevert' as a PowerShell expression before setting the registry value.
optional: true
- name: matchDataBeforeDelete # If provided a pattern, only deletes if current value equals this
optional: true
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: grantPermissions # If true, it removes Deny ACLs from the registry key
optional: true
docs: |-
This function deletes a registry value at a specified path.
> 💡 Use this function for a consistent approach instead of directly using `reg add` or `reg delete` commands.
call:
-
function: Comment
parameters:
codeComment: >-
Delete the registry value "{{ $valueName }}" from the key "{{ $keyPath }}"
{{ with $grantPermissions }}(with additional permissions){{ end }}
revertCodeComment: >- # Do not render `$dataOnRevert` as `$evaluateDataAsPowerShell` will result in ugly data values.
{{ with $dataOnRevert }}
Restore the registry value "{{ $valueName }}" in key "{{ $keyPath }}" to its original value {{ with $grantPermissions }} (with additional permissions){{ end }}
{{ end }}{{ with $deleteOnRevert }}
Remove the registry value "{{ $valueName }}" from key "{{ $keyPath }}" to restore its original state {{ with $grantPermissions }} (with additional permissions){{ end }}
{{ end }}
-
function: RunPowerShellWithWindowsVersionConstraints
parameters:
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
# Marked: refactor-with-variables
# - Registry path construction with hive is same as `DeleteRegistryKey` and `CreateRegistryKey`
# - Deleting key in `deleteOnRevert` on revert code is same as "code"
code: |-
$keyName = '{{ $keyPath }}'
$valueName = '{{ $valueName }}'
$hive = $keyName.Split('\')[0]
$path = "$($hive):$($keyName.Substring($hive.Length))"
Write-Host "Removing the registry value '$valueName' from '$path'."
if (-Not (Test-Path -LiteralPath $path)) {
Write-Host 'Skipping, no action needed, registry key does not exist.'
Exit 0
}
$existingValueNames = (Get-ItemProperty -LiteralPath $path).PSObject.Properties.Name
if (-Not ($existingValueNames -Contains $valueName)) {
Write-Host 'Skipping, no action needed, registry value does not exist.'
Exit 0
}
{{ with $matchDataBeforeDelete }}
$expectedData = '{{ . }}'
$currentData = Get-ItemProperty -LiteralPath $path -Name $valueName | Select-Object -ExpandProperty $valueName
if ($currentData -ne $expectedData) {
Write-Host "Skipping, no action needed, current data '$currentData' is not same as '$expectedData'."
Exit 0
}
{{ end }}
{{ with $grantPermissions }} Grant-Permissions {{ end }}
try {
if ($valueName -ieq '(default)') {
Write-Host 'Removing the default value.'
$(Get-Item -LiteralPath $path).OpenSubKey('', $true).DeleteValue('')
} else {
Remove-ItemProperty `
-LiteralPath $path `
-Name $valueName `
-Force `
-ErrorAction Stop
}
Write-Host 'Successfully removed the registry value.'
} catch {
Write-Error "Failed to remove the registry value: $($_.Exception.Message)"
} {{ with $grantPermissions }} finally { Revoke-Permissions } {{ end }}
revertCode: |-
{{ with $dataOnRevert }}
$data = '{{ . }}'
{{ with $evaluateDataAsPowerShell }}
$data = $(Invoke-Expression $data)
{{ end }}
{{ with $dataTypeOnRevert }}
$rawType = '{{ . }}'
{{ end }}
$rawPath = '{{ $keyPath }}'
$value = '{{ $valueName }}'
$hive = $rawPath.Split('\')[0]
$path = "$($hive):$($rawPath.Substring($hive.Length))"
Write-Host "Restoring value '$value' at '$path' with type '$rawType' and value '$data'."
if (-Not $rawType) {
throw "Internal privacy.sexy error: Data type is not provided for data '$data'."
}
if (-Not (Test-Path -LiteralPath $path)) {
try {
New-Item `
-Path $path `
-Force -ErrorAction Stop `
| Out-Null
Write-Host 'Successfully created registry key.'
} catch {
throw "Failed to create registry key: $($_.Exception.Message)"
}
}
$currentData = Get-ItemProperty `
-LiteralPath $path `
-Name $value `
-ErrorAction SilentlyContinue `
| Select-Object -ExpandProperty $value
if ($currentData -eq $data) {
Write-Host 'Skipping, no changes required, the registry data is already as expected.'
Exit 0
}
{{ with $grantPermissions }} Grant-Permissions {{ end }}
try {
$type = switch ($rawType) {
'REG_SZ' { 'String' }
'REG_DWORD' { 'DWord' }
'REG_QWORD' { 'QWord' }
'REG_EXPAND_SZ' { 'ExpandString' }
default {
throw "Internal privacy.sexy error: Failed to find data type for: '$rawType'."
}
}
Set-ItemProperty `
-LiteralPath $path `
-Name $value `
-Value $data `
-Type $type `
-Force `
-ErrorAction Stop
Write-Host 'Successfully restored the registry value.'
} catch {
throw "Failed to restore the value: $($_.Exception.Message)"
} {{ with $grantPermissions }} finally { Revoke-Permissions } {{ end }}
{{ end }}{{ with $deleteOnRevert }}
$keyName = '{{ $keyPath }}'
$valueName = '{{ $valueName }}'
$hive = $keyName.Split('\')[0]
$path = "$($hive):$($keyName.Substring($hive.Length))"
Write-Host "Removing the registry value '$valueName' from '$path'."
if (-Not (Test-Path -LiteralPath $path)) {
Write-Host 'Skipping, no action needed, registry key does not exist.'
Exit 0
}
$existingValueNames = (Get-ItemProperty -LiteralPath $path).PSObject.Properties.Name
if (-Not ($existingValueNames -Contains $valueName)) {
Write-Host 'Skipping, no action needed, registry value does not exist.'
Exit 0
}
{{ with $grantPermissions }} Grant-Permissions {{ end }}
try {
if ($valueName -ieq '(default)') {
Write-Host 'Removing the default value.'
$(Get-Item -LiteralPath $path).OpenSubKey('', $true).DeleteValue('')
} else {
Remove-ItemProperty `
-LiteralPath $path `
-Name $valueName `
-Force `
-ErrorAction Stop
}
Write-Host 'Successfully removed the registry value.'
} catch {
Write-Error "Failed to remove the registry value: $($_.Exception.Message)"
} {{ with $grantPermissions }} finally { Revoke-Permissions } {{ end }}
{{ end }}
# Note:
# Storing the original ACL (e.g., `$originalAcl = $subkey.GetAccessControl()`) and restoring it with `SetAccessControl()`
# does not work due to broken identity references. Therefore, changes are managed individually.
setupCode: |-
{{ with $grantPermissions }}
$RawRegistryPath = '{{ $keyPath }}'
$AclChanges = [PSCustomObject]@{ `
PreviousOwner = $null
RemovedRules = @()
AddedRules = @()
InheritanceDisabled = $false
}
function Test-AccessModified {
return $AclChanges.PreviousOwner `
-Or $AclChanges.RemovedRules.Count -gt 0 `
-Or $AclChanges.AddedRules.Count -gt 0 `
-Or $AclChanges.InheritanceDisabled
}
function Open-RegistryKey {
param ([Parameter(Mandatory=$true)][int]$Rights)
# [OutputType([Microsoft.Win32.RegistryKey])] # Not working through cmd.exe
$hive = $RawRegistryPath.Split('\')[0]
$pathWithoutHive = $RawRegistryPath.Substring($hive.Length + 1)
try {
$rootKey = switch ($hive) {
'HKCU' { [Microsoft.Win32.Registry]::CurrentUser }
'HKLM' { [Microsoft.Win32.Registry]::LocalMachine }
default {
Write-Error "Internal error: Unknown registry hive ($hive)."
Exit 1
}
}
$key = $rootKey.OpenSubKey( `
$pathWithoutHive, `
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, `
$Rights `
)
} catch {
throw "Error when opening '$pathWithoutHive' on '$hive' hive: $_"
}
if (-Not $key) {
throw "Unknown error when opening '$pathWithoutHive' on '$hive' hive."
}
return $key
}
function Grant-Permissions {
Write-Host "Granting permissions to '$RawRegistryPath' registry key."
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
try {
$subkey = Open-RegistryKey -Rights ([System.Security.AccessControl.RegistryRights]::TakeOwnership)
$acl = $subkey.GetAccessControl()
$owner = $acl.GetOwner([System.Security.Principal.NTAccount])
if ($owner -eq $adminAccount) {
$subkey.Close()
} else {
$AclChanges.PreviousOwner = $owner
$acl.SetOwner($adminAccount)
$subkey.SetAccessControl($acl)
$subkey.Close()
Write-Host "Successfully took ownership from '$($owner.Value)'."
}
} catch {
Write-Warning "Failed to take ownership. Error: $($_.Exception.Message)"
}
try {
$subkey = Open-RegistryKey -Rights ([System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $subkey.GetAccessControl()
$adminFullControlExists = $acl.Access | Where-Object { `
$_.IdentityReference -eq $adminAccount -and `
$_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl -and `
$_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow `
}
if (-Not $adminFullControlExists) {
Write-Host 'Granting full control to administrators.'
$fullControlRule = New-Object System.Security.AccessControl.RegistryAccessRule( `
$adminAccount, `
[System.Security.AccessControl.RegistryRights]::FullControl, `
[System.Security.AccessControl.AccessControlType]::Allow `
)
$acl.AddAccessRule($fullControlRule)
$AclChanges.AddedRules += $fullControlRule
}
if ($acl.AreAccessRulesProtected) {
$acl.SetAccessRuleProtection($false, $false)
$AclChanges.InheritanceDisabled = $true
}
$denyRules = @($acl.Access.Where({ $_.AccessControlType -eq 'Deny' }))
foreach ($denyRule in $denyRules) {
Write-Host "Removing a deny rule for '$($denyRule.IdentityReference)'."
if ($acl.RemoveAccessRule($denyRule)) {
$AclChanges.RemovedRules += $denyRule
} else {
Write-Warning 'Failed to remove the rule.'
}
}
if (-Not (Test-AccessModified)) {
Write-Host 'No access modifications were necessary.'
$subkey.Close()
} else {
$subkey.SetAccessControl($acl)
$subkey.Close()
Write-Host 'Successfully applied new access rules.'
}
} catch {
Write-Warning "Failed to modify access. Error: $($_.Exception.Message)"
}
}
function Revoke-Permissions {
Write-Host "Restoring permissions: '$RawRegistryPath'."
if (-Not (Test-AccessModified)) {
Write-Host 'Skipping revoking permissions, they were not granted.'
return
} else {
try {
$subkey = Open-RegistryKey -Rights ( `
[System.Security.AccessControl.RegistryRights]::TakeOwnership -bor `
[System.Security.AccessControl.RegistryRights]::ChangePermissions `
)
$acl = $subkey.GetAccessControl()
if ($AclChanges.PreviousOwner) {
Write-Host 'Restoring owner.'
$acl.SetOwner($AclChanges.PreviousOwner)
}
foreach ($rule in $AclChanges.AddedRules) {
Write-Host "Removing rule for '$($rule.IdentityReference)'."
if (-Not $acl.RemoveAccessRule($rule)) {
Write-Warning 'Failed to remove the rule.'
}
}
foreach ($rule in $AclChanges.RemovedRules) {
$acl.AddAccessRule($rule)
Write-Host "Adding a rule for '$($rule.IdentityReference)'."
}
if ($AclChanges.InheritanceDisabled) {
$acl.SetAccessRuleProtection($true, $true)
Write-Host 'Restoring inheritance.'
}
$subkey.SetAccessControl($acl)
$subkey.Close()
Write-Host 'Successfully restored permissions.'
} catch {
Write-Warning "Failed to restore permissions. Error: $($_.Exception.Message)"
}
}
}
{{ end }}
-
name: HideExplorerThisPCFolderViaClsid # ❗ This method is not reliable on Windows 11, prioritize `HideExplorerThisPCFolderViaGuid`
parameters:
- name: folderClsid # A GUID representing a CLSID for a specific folder, used in Windows registry operations
docs: |-
This function hides specific folders from the "This PC" view in Windows Explorer using their CLSIDs.
The script uses CLSIDs (Class Identifiers) that represent special folders in the OS [1].
These CLSIDs can be opened and tested using [2]:
```batchfile
explorer.exe shell:::{CLSID}
```
Script behavior differs based on the Windows version.
### Windows 11
On Windows 11, it sets:
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{<Folder CLSID>}!HiddenByDefault` [3]
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{<Folder CLSID>}!HideIfEnabled` [3]
Community reports suggest that the `HiddenByDefault` and `HideIfEnabled` method is effective only on certain Windows 11 versions [3].
### Windows 10 and below
On Windows 10 and below, it deletes (only working configuration, tested since Windows 10 Pro ≥ 22H2):
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{<Folder CLSID>}` [4]
- `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{<Folder CLSID>}` [4]
This method is reported to have also worked on Windows 8.1 [4].
Tests show that setting this value requires restarting `explorer.exe` on Windows 10.
[1]: https://archive.ph/2023.07.18-200525/https://www.autohotkey.com/docs/v1/misc/CLSID-List.htm "CLSID List (Windows Class Identifiers) | AutoHotkey v1 | autohotkey.com"
[2]: https://web.archive.org/web/20240729215209/https://marslo.github.io/ibook/cheatsheet/windows/clsid.html "clsid · ibook | marslo.github.io"
[3]: https://web.archive.org/web/20240118234902/https://www.elevenforum.com/t/add-or-remove-folders-under-this-pc-in-file-explorer-in-windows-11.7122/ "Add or Remove Folders under This PC in File Explorer in Windows 11 Tutorial | Windows 11 Forum | www.elevenforum.com"
[4]: https://web.archive.org/web/20161020161850/https://pricklytech.wordpress.com/2013/10/17/windows-8-1-x64-removing-the-folders-from-file-explorer/ "Windows 8.1 x64 Removing the Folders from File Explorer | Michael Lane's Technology Blog | pricklytech.wordpress.com"
call:
-
function: DeleteRegistryKey
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{{{ $folderClsid }}}
recreateOnRevert: 'true'
maximumWindowsVersion: Windows10-MostRecent # No action needed on Windows 11
-
function: DeleteRegistryKey
parameters:
keyPath: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{{{ $folderClsid }}}
recreateOnRevert: 'true'
maximumWindowsVersion: Windows10-MostRecent # No action needed on Windows 11
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{{{ $folderClsid }}}
valueName: 'HiddenByDefault'
dataType: REG_DWORD
data: '1' # Hides the folder. On Windows 11 Pro (≥ 23H2), this is the default behavior but this value is missing by default
deleteOnRevert: 'true' # Missing on Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: Windows11-FirstRelease # `HiddenByDefault` has no effect on Windows 10
-
function: SetRegistryValue
parameters:
keyPath: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{{{ $folderClsid }}}
valueName: 'HideIfEnabled'
dataType: REG_DWORD
data: '0x22ab9b9' # Hides the folder. This is the default value on Windows 11 Pro (≥ 23H2)
dataOnRevert: '0x22ab9b9' # Default value: Missing on Windows 10 Pro (≥ 22H2) | `0x22ab9b9` on Windows 11 Pro (≥ 23H2)
minimumWindowsVersion: Windows11-FirstRelease # `HideIfEnabled` has no effect on Windows 10
-
function: ShowExplorerRestartSuggestion
-
name: HideExplorerThisPCFolderViaGuid # See also `HideExplorerThisPCFolderViaClsid`
parameters:
- name: folderId # A GUID representing a specific folder in the registry
- name: showOnRevert # If true, sets the folder to 'Show' when reverting changes
optional: true
- name: hideOnRevert # If true, deletes the registry value when reverting changes
optional: true
docs: |-
This function removes shortcuts from "This PC" in Explorer [1] [2].
It does not affect shortcuts in "Quick Access" [1].
This function sets the default behavior on Windows 11, as user folders from "This PC"
have already been removed [3].
Microsoft documents folder IDs in their source code [4].
The script modifies these registry keys:
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{<Folder GUID>}\PropertyBag!ThisPCPolicy`:
Hides folder at machine level [1] [2].
- `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{<Folder GUID>}\PropertyBag!ThisPCPolicy`:
Same as above, but for 64-bit OS [2].
- `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideMyComputerIcons!{<Folder GUID>}`:
Hides folders at user level [1].
One must restart Explorer (`explorer.exe`) for changes to take effect [3].
This has been verified by tests on Windows 10 Pro (≥ 22H2).
[1]: https://web.archive.org/web/20240729130512/https://superuser.com/questions/1470599/hide-3d-objects-from-this-pc/1470630#1470630 "windows 10 - Hide "3D Objects" from "This PC" - Super User | superuser.com"
[2]: https://web.archive.org/web/20200921094814/https://liquidwarelabs.zendesk.com/hc/en-us/articles/210638663-Windows-10-local-shell-folders-are-not-hidden-after-redirection-causing-Location-is-not-available-error-OR-ProfileDisk-will-show-these-shorts-using-local-ProfileDisk-path "Windows 10 local shell folders are not hidden after redirection causing \"Location is not available\" error, OR ProfileDisk will show these shorts using local ProfileDisk path Liquidware Customer Support | liquidwarelabs.zendesk.com"
[3]: https://web.archive.org/web/20240729151344/https://blogs.windows.com/windows-insider/2022/06/09/announcing-windows-11-insider-preview-build-25136/ "Announcing Windows 11 Insider Preview Build 25136 | Windows Insider Blog | blogs.windows.com"
[4]: https://web.archive.org/web/20240803200324/https://github.com/privacysexy-forks/wdkmetadata/blob/99192741981aa7b7dc7db4aca3401f5d20496c91/generation/WDK/IdlHeaders/um/KnownFolders.h "wdkmetadata/generation/WDK/IdlHeaders/um/KnownFolders.h at 99192741981aa7b7dc7db4aca3401f5d20496c91 · privacysexy-forks/wdkmetadata · GitHub | github.com"
call:
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{{{ $folderId }}}\PropertyBag
valueName: ThisPCPolicy
dataType: REG_SZ
data: 'Hide'
deleteOnRevert: '{{ with $hideOnRevert }}true{{ end }}' # By default, this value does not exist if the item is hidden since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
dataOnRevert: '{{ with $showOnRevert }}Show{{ end }}' # This is the default value if this item is shown by default
-
function: SetRegistryValue
parameters:
keyPath: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{{{ $folderId }}}\PropertyBag
valueName: ThisPCPolicy
dataType: REG_SZ
data: Hide
deleteOnRevert: '{{ with $hideOnRevert }}true{{ end }}' # By default, this value does not exist if the item is hidden since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
dataOnRevert: '{{ with $showOnRevert }}Show{{ end }}' # This is the default value if this item is shown by default
-
function: SetRegistryValue
parameters:
keyPath: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideMyComputerIcons
valueName: '{{{ $folderId }}}'
dataType: REG_DWORD
data: '1'
deleteOnRevert: 'true' # Missing key since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 23H2)
-
function: ShowExplorerRestartSuggestion
-
name: RemoveFileOpenWithAssociation
parameters:
- name: fullFileNameExtensionWithDot # File extension with leading dot (e.g. `.txt`)
- name: progId # Program identifier to remove from Open With menu
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function removes a program from the **Open With** context menu for a specific file extension.
Windows stores file associations in the Registry under `HKCU\Software\Classes` and `HKLM\Software\Classes` [1].
This function modifies the `HKCU\` key, which takes precedence over `HKLM\` [1].
[1]: https://web.archive.org/web/20240802114228/https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key "HKEY_CLASSES_ROOT Key - Win32 apps | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: 'Delete Open With association for "{{ $progId }}" for {{ $fullFileNameExtensionWithDot }}'
revertCodeComment: 'Restore Open With association for "{{ $progId }}" for {{ $fullFileNameExtensionWithDot }}'
-
function: DeleteRegistryValue
parameters:
keyPath: 'HKLM\Software\Classes\{{ $fullFileNameExtensionWithDot }}\OpenWithProgids'
valueName: '{{ $progId }}'
dataTypeOnRevert: REG_SZ
dataOnRevert: "[string]::Empty" # Use non-empty string value for function parameter to evaluate as true
evaluateDataAsPowerShell: 'true' # Evaluate [string]::Empty as PowerShell expression
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
-
name: RemoveApplicationSelectionAssociation
parameters:
- name: progId # ProgID (Programmatic Identifier) of the application association to remove
- name: associatedFilenameWithExtensionOrUrlProtocol # The file extension or URL protocol associated with the ProgID.
- name: registryHive # The registry hive to target. Allowed values: HKCU | HKLM
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function removes application associations from the Windows registry.
It modifies the `HKCU|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts`
registry subkey.
This key in Windows stores user preferences for file type and application associations.
When a user opens a file with a non-default application, Windows may display a "toast" notification
suggesting the use of the default application for that file type.
The user's response to this suggestion is recorded in the ApplicationAssociationToasts registry key.
This allows Windows to remember the user's application preferences for specific file types
and determine whether to show the notification again in the future.
This function will delete the association only if the specified ProgID matches the given file extension or URL protocol.
If the ProgID is associated with a different file type or URL, the association remains untouched.
call:
-
function: Comment
parameters:
codeComment: 'Remove file association for "{{ $progId }}" for {{ $associatedFilenameWithExtensionOrUrlProtocol }}'
revertCodeComment: 'Restore toast association for "{{ $progId }}" for {{ $associatedFilenameWithExtensionOrUrlProtocol }}'
-
function: DeleteRegistryValue
parameters:
keyPath: '{{ $registryHive }}\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts'
valueName: '{{ $progId }}_{{ $associatedFilenameWithExtensionOrUrlProtocol }}'
dataTypeOnRevert: REG_DWORD
dataOnRevert: "0"
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
-
name: RemoveUserFileAssociation
parameters:
- name: progId # Program ID to remove from file association
- name: fileExtensionWithDotPrefix # File extension (with a dot prefix) to disassociate
- name: reassociateOnRevert # Indicates whether to attempt reassociation of the file type when reverting changes
optional: true
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function removes the `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<File Extension>\UserChoice!<ProgID>`
registry key [1] [2].
This key sets the default app association for files [1].
Removing it causes Windows to reset the association when the user signs in [2].
### Testing
Test results for different Windows versions when removing the `.htm` association:
| Windows version | Delete | Re-add | Delete without ACLs | Re-add without ACLs | Deny ACLs | Owner | Has Owner Full Control |
| --------------- |:------:|:------:|:-------------------:|:-------------------:|:----------:|-------|:----------------------:|
| Windows 10 Pro 1903 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 1909 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 20H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 21H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 11 Pro 21H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 22H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 11 Pro 22H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 11 Pro 23H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
These registry keys are protected by deny ACLs, which prevent programmatic modifications.
To work around this limitation, the script temporarily removes these deny ACLs to allow changes.
However, the .pdf association at `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice` is a special case.
This value can be deleted but not re-created on newer Windows versions.
This behavior is likely due to tamper protection introduced in Windows 10 22H2 and Windows 11 22H2 onwards [2], though official documentation is lacking.
The following table shows the results for the `.pdf` file association:
| Windows version | Delete | Re-add | Delete without ACLs | Re-add without ACLs | Deny ACLs | Owner | Has Owner Full Control |
| --------------- |:------:|:------:|:-------------------:|:-------------------:|:----------:|-------|:----------------------:|
| Windows 10 Pro 1903 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 1909 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 20H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 21H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 11 Pro 21H2 | ❌ | ❌ | ✅ | ✅ | 1 | Administrators | ✅ Yes |
| Windows 10 Pro 22H2 | ❌ | ❌ | ✅ | ❌ | 1 | Administrators | ✅ Yes |
| Windows 11 Pro 22H2 | ❌ | ❌ | ✅ | ❌ | 1 | Administrators | ✅ Yes |
| Windows 11 Pro 23H2 | ❌ | ❌ | ✅ | ❌ | 1 | Administrators | ✅ Yes |
The data in these tables was gathered using this PowerShell script:
```powershell
$registryPath = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice"
$pathParts = $registryPath -split ':\\'
$registryHive = $pathParts[0]
$pathWithoutHive = $pathParts[1]
$valueName = "ProgId"
$registryRootKey = if ($registryHive -eq 'HKCU') { [Microsoft.Win32.Registry]::CurrentUser } else { [Microsoft.Win32.Registry]::LocalMachine }
$registrySubKey = $registryRootKey.OpenSubKey(
$pathWithoutHive,
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ReadPermissions
)
$accessControlList = $registrySubKey.GetAccessControl()
$owner = $accessControlList.GetOwner([System.Security.Principal.NTAccount])
$denyACLs = @($accessControlList.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
$denyACLsCount = $denyACLs.Count
$hasFullControl = $null -ne ($accessControlList.Access | Where-Object {
$_.IdentityReference -eq $owner -and
$_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl -and
$_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
} | Select-Object -First 1)
$originalValue = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $valueName
$registrySubKey.Close()
$canDelete = $false
try {
Remove-ItemProperty -Path $registryPath -Name $valueName -ErrorAction Stop
$canDelete = $true
}
catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
Write-Warning "Access is denied while deleting `"$registryPath`"."
}
$canReAdd = $false
if ($canDelete -and $originalValue) {
try {
Set-ItemProperty -Path $registryPath -Name $valueName -Value $originalValue -ErrorAction Stop
$canReAdd = $true
}
catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
Write-Warning "Access is denied while re-adding `"$registryPath`"."
}
}
$canDeleteAfterRemovingDenyACLs = $false
$canReAddAfterRemovingDenyACLs = $false
if ($denyACLsCount -gt 0) {
$registrySubKey = $registryRootKey.OpenSubKey(
$pathWithoutHive,
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ChangePermissions
)
$accessControlList = $registrySubKey.GetAccessControl()
foreach ($denyACL in $denyACLs) {
$accessControlList.RemoveAccessRule($denyACL)
}
$registrySubKey.SetAccessControl($accessControlList)
$registrySubKey.Close()
try {
Remove-ItemProperty -Path $registryPath -Name $valueName -ErrorAction Stop
$canDeleteAfterRemovingDenyACLs = $true
}
catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
Write-Warning "Access is denied while deleting `"$registryPath`" after removing deny ACLs."
}
if ($canDeleteAfterRemovingDenyACLs -and $originalValue) {
try {
Set-ItemProperty -Path $registryPath -Name $valueName -Value $originalValue -ErrorAction Stop
$canReAddAfterRemovingDenyACLs = $true
}
catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
Write-Warning "Access is denied while re-adding `"$registryPath`" after removing deny ACLs."
}
}
$registrySubKey = $registryRootKey.OpenSubKey(
$pathWithoutHive,
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ChangePermissions
)
$accessControlList = $registrySubKey.GetAccessControl()
foreach ($denyACL in $denyACLs) {
$accessControlList.AddAccessRule($denyACL)
}
$registrySubKey.SetAccessControl($accessControlList)
$registrySubKey.Close()
}
$results = @(
@{Test = "Permissions: Owner"; Result = $owner}
@{Test = "Permissions: Deny ACLs"; Result = $denyACLsCount}
@{Test = "Permissions: Has owner Full control"; Result = $hasFullControl}
@{Test = "Operations: Can delete"; Result = $canDelete}
@{Test = "Operations: Can re-add"; Result = $canReAdd}
@{Test = "Operations: Can delete after removing deny ACLs"; Result = $canDeleteAfterRemovingDenyACLs}
@{Test = "Operations: Can re-add after removing deny ACLs"; Result = $canReAddAfterRemovingDenyACLs}
)
$results | ForEach-Object { [PSCustomObject]$_ } | Format-Table -AutoSize -Wrap
```
However, after removing deny ACLs, these registry keys can be modified without issues.
[1]: https://web.archive.org/web/20240808100346/https://bugzilla.mozilla.org/show_bug.cgi?id=1852412 "1852412 - [win11] setAsDefaultUserChoice fails on some devices | bugzilla.mozilla.org"
[2]: https://web.archive.org/web/20240808095751/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile "CopyProfile | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: 'Remove user-chosen file association for "{{ $progId }}" for {{ $fileExtensionWithDotPrefix }} files'
revertCodeComment: 'Restore user-chosen file association for "{{ $progId }}" for {{ $fileExtensionWithDotPrefix }} files'
-
function: DeleteRegistryValue
parameters:
keyPath: 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\{{ $fileExtensionWithDotPrefix }}\UserChoice'
valueName: ProgId
matchDataBeforeDelete: "{{ $progId }}"
dataTypeOnRevert: "{{ with $reassociateOnRevert }}REG_SZ{{ end }}"
dataOnRevert: "{{ with $reassociateOnRevert }}{{ $progId }}{{ end }}"
grantPermissions: 'true' # 🔒️ Protected with deny ACLs on Windows 10 Pro (≥ 1903) | 🔒️ Windows 11 Pro (≥ 21H2)
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
-
name: RemoveUserURLAssociation
parameters:
- name: progId # Program ID to remove from URL association
- name: urlProtocol # URL protocol (such as `http`) to disassociate
- name: maximumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
- name: minimumWindowsVersion # See `RunPowerShellWithWindowsVersionConstraints`
optional: true
docs: |-
This function removes the `HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\<URL Protocol>\UserChoice!<ProgID>`
registry key [1] [2].
This key sets the default app association for URL protocols [1].
Removing it causes Windows to reset the association when the user signs in [2].
On revert, it does not restore the associated software for user URLs because this registry key is protected on modern versions
of Windows (confirmed on Windows 10 Pro 22H2 and later, and Windows 11 Pro 22H2 and later) due to a new tamper protection mechanism [1].
### Testing
Test results for different Windows versions when removing the `http` association:
| Windows version | Delete | Re-add | Deny ACLs | Owner | Has Owner Full Control |
| --------------- |:------:|:------:|:---------:|-------|:----------------------:|
| Windows 10 Pro 1903 | ✅ | ✅ | None | Administrators | ✅ Yes |
| Windows 10 Pro 1909 | ✅ | ✅ | None | Administrators | ✅ Yes |
| Windows 10 Pro 20H2 | ✅ | ✅ | None | Administrators | ✅ Yes |
| Windows 10 Pro 21H2 | ✅ | ✅ | None | Administrators | ✅ Yes |
| Windows 11 Pro 21H2 | ✅ | ✅ | None | Administrators | ✅ Yes |
| Windows 10 Pro 22H2 | ✅ | ❌ | None | Administrators | ✅ Yes |
| Windows 11 Pro 22H2 | ✅ | ❌ | None | Administrators | ✅ Yes |
| Windows 11 Pro 23H2 | ✅ | ❌ | None | Administrators | ✅ Yes |
This table shows that these registry keys have the necessary permissions granted to the administrator, but
since Windows 10 Pro 22H2 and Windows 11 Pro 22H2, re-adding this key still results in "Access is denied" errors.
This key is protected by another undocumented mechanism.
Tests show that not all `UrlAssociations` subkeys are protected, but some (such as `http`) are.
For example, editing `bingmaps` works fine, but browser values such as `http` and `https`
result in "Access is denied" errors.
The data in the table was collected by running this PowerShell script:
```powershell
$pathWithoutHive = "Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"
$fullPath = "HKCU:\$pathWithoutHive"
$valueName = "ProgId"
$registrySubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
$pathWithoutHive,
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::ReadPermissions
)
$accessControlList = $registrySubKey.GetAccessControl()
$owner = $accessControlList.GetOwner([System.Security.Principal.NTAccount])
# Wrap in @() so that .Count is reliable for zero or one matching rule
$denyACLsCount = @($accessControlList.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
$hasFullControl = $accessControlList.Access | Where-Object {
$_.IdentityReference -eq $owner -and
$_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl -and
$_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
} | Select-Object -First 1
$originalValue = Get-ItemProperty -Path $fullPath -Name $valueName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $valueName
# Release the key handle before testing the delete and re-add operations
$registrySubKey.Close()
$canDelete = $false
try {
Remove-ItemProperty -Path $fullPath -Name $valueName -ErrorAction Stop
$canDelete = $true
} catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
Write-Warning "Access is denied while deleting `"$fullPath`"."
$canDelete = $false
}
$canReAdd = $false
if ($canDelete -and $originalValue) {
try {
Set-ItemProperty -Path $fullPath -Name $valueName -Value $originalValue -ErrorAction Stop
$canReAdd = $true
} catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
Write-Warning "Access is denied while re-adding `"$fullPath`"."
$canReAdd = $false
}
}
[PSCustomObject]@{
"Permissions: Owner" = $owner
"Permissions: Deny ACLs" = $denyACLsCount
"Permissions: Has owner Full control" = $($null -ne $hasFullControl)
"Operations: Can delete" = $canDelete
"Operations: Can re-add" = $canReAdd
}
```
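To check the "Deny ACLs" and "Owner" columns on your own machine without deleting anything, the following read-only survey lists every `UserChoice` key under both `FileExts` and `UrlAssociations`. It is an added example and not part of privacy.sexy; the output property names (`Kind`, `DenyCount`, `DenyDetail`) are chosen for this example.

```powershell
# Added example: read-only survey of UserChoice keys (values and ACLs are only read).
$roots = @{
    'File extension' = 'Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
    'URL protocol'   = 'Software\Microsoft\Windows\Shell\Associations\UrlAssociations'
}
$report = foreach ($kind in $roots.Keys) {
    $rootKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($roots[$kind])
    if ($null -eq $rootKey) { continue } # Root key is absent on this system
    foreach ($name in $rootKey.GetSubKeyNames()) {
        $userChoice = $null
        try {
            # Request only the rights needed to read values and the ACL
            $userChoice = $rootKey.OpenSubKey(
                "$name\UserChoice",
                [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
                [System.Security.AccessControl.RegistryRights]'QueryValues, ReadPermissions'
            )
            if ($null -eq $userChoice) { continue } # No user choice recorded
            $acl = $userChoice.GetAccessControl(
                [System.Security.AccessControl.AccessControlSections]'Access, Owner'
            )
            $denyRules = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            [PSCustomObject]@{
                Kind       = $kind
                Name       = $name
                ProgId     = $userChoice.GetValue('ProgId')
                Owner      = $acl.GetOwner([System.Security.Principal.NTAccount])
                DenyCount  = $denyRules.Count
                # Who is denied and which rights, one entry per deny rule
                DenyDetail = ($denyRules | ForEach-Object {
                    "$($_.IdentityReference): $($_.RegistryRights)"
                }) -join '; '
            }
        }
        catch [System.UnauthorizedAccessException], [System.Security.SecurityException] {
            Write-Warning "Cannot read `"$kind`" entry `"$name`": access is denied."
        }
        finally {
            if ($null -ne $userChoice) { $userChoice.Close() }
        }
    }
    $rootKey.Close()
}
$report | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

A `DenyCount` of 0 does not mean the value is writable: as the tables above show, `http` has no deny rules yet re-adding it fails on Windows 10 Pro 22H2 and Windows 11 Pro 22H2 onwards.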
[1]: https://web.archive.org/web/20240808100346/https://bugzilla.mozilla.org/show_bug.cgi?id=1852412 "1852412 - [win11] setAsDefaultUserChoice fails on some devices | bugzilla.mozilla.org"
[2]: https://web.archive.org/web/20240808095751/https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile "CopyProfile | Microsoft Learn | learn.microsoft.com"
call:
-
function: Comment
parameters:
codeComment: 'Remove user-chosen URL association for "{{ $progId }}" for {{ $urlProtocol }} URL protocol'
-
function: DeleteRegistryValue
parameters:
# Notes:
# - Revert logic is commented out because Windows does not allow modifying this key with new tamper protection mechanism
# since Windows 10 Pro (≥ 22H2) and Windows 11 Pro (≥ 22H2).
# - Granting permissions is not necessary as `Administrator` has all necessary permissions without any explicit deny rules.
# (tested since Windows 10 Pro (≥ 1903) and Windows 11 Pro (≥ 21H2))
keyPath: 'HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\{{ $urlProtocol }}\UserChoice'
valueName: ProgId
matchDataBeforeDelete: '{{ $progId }}'
minimumWindowsVersion: '{{ with $minimumWindowsVersion }}{{ . }}{{ end }}'
maximumWindowsVersion: '{{ with $maximumWindowsVersion }}{{ . }}{{ end }}'