privacy.sexy/src/application/collections/windows.yaml
undergroundwires 97ddc027cb Fix dead URLs and use forks as GitHub references
Replace all GitHub URLs with links to forks so they survive if their maintainer
decides to remove them.

Fix dead URLs in:
  - "Windows Push Notification Service" (#101)
  - "Limit CPU usage during scans to minimum"
  - "Disable NVIDIA telemetry"
2021-11-03 20:08:56 +01:00


# Structure documented in "docs/collection-files.md"
os: windows
scripting:
language: batchfile
# startCode/endCode wrap every generated script. startCode uses `fltmc` as the
# admin check (it fails without elevation) and re-launches the script through
# PowerShell's RunAs verb, so every action below runs as Administrator.
startCode: |-
@echo off
:: {{ $homepage }} — v{{ $version }} — {{ $date }}
:: Ensure admin privileges
fltmc >nul 2>&1 || (
echo Administrator privileges are required.
PowerShell Start -Verb RunAs '%0' 2> nul || (
echo Right-click on the script and select "Run as administrator".
pause & exit 1
)
exit 0
)
# Keeps the console window open so the output can be read before it closes.
endCode: |-
pause
exit /b 0
# Script tree: `category` nodes group `children`; leaf nodes have a `name` and
# either `code` (batch, optionally paired with `revertCode`) or a `call` into a
# shared function. `recommend` (standard | strict) marks which preset selects an
# item; items without it are presumably opt-in only.
actions:
-
category: Privacy cleanup
children:
-
category: Clear application history
children:
-
# NOTE(review): unquoted path — breaks if %appdata% contains a space (e.g. a user name with a space).
name: Clear Listary indexes
code: del /f /s /q %appdata%\Listary\UserData > nul
-
name: Clear Java cache
recommend: strict
code: rd /s /q "%APPDATA%\Sun\Java\Deployment\cache"
-
name: Clear Flash traces
recommend: standard
code: rd /s /q "%APPDATA%\Macromedia\Flash Player"
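-
  # Removes Steam's crash dumps, traces and app-cache logs.
  name: Clear Steam dumps, logs, and traces
  recommend: standard
  code: |-
    :: "%ProgramFiles(x86)%" expands to a path containing spaces, so every argument
    :: must be quoted; unquoted, cmd splits it into several paths and the deletion
    :: silently misses the intended files.
    del /f /q "%ProgramFiles(x86)%\Steam\Dumps"
    del /f /q "%ProgramFiles(x86)%\Steam\Traces"
    del /f /q "%ProgramFiles(x86)%\Steam\appcache\*.log"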
-
# `2>nul` silences "directory not found" errors for products that are not installed.
name: Clear Visual Studio telemetry and feedback data
recommend: standard
code: |-
rmdir /s /q "%AppData%\vstelemetry" 2>nul
rmdir /s /q "%LocalAppData%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%ProgramData%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%Temp%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%Temp%\VSFaultInfo" 2>nul
rmdir /s /q "%Temp%\VSFeedbackPerfWatsonData" 2>nul
rmdir /s /q "%Temp%\VSFeedbackVSRTCLogs" 2>nul
rmdir /s /q "%Temp%\VSRemoteControl" 2>nul
rmdir /s /q "%Temp%\VSTelem" 2>nul
rmdir /s /q "%Temp%\VSTelem.Out" 2>nul
-
# MRU lists live in the registry; `reg delete <key> /va /f` removes every value under
# the key without prompting and leaves the key itself in place.
category: Clear most recently used lists (MRU)
children:
-
category: Clear Quick Access (jump) lists
docs: https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf
children:
-
# AutomaticDestinations: items Windows tracked on its own; CustomDestinations: items the user pinned.
name: Clear recently accessed files
recommend: standard
code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*"
-
name: Clear user pins
code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*"
-
name: Clear regedit last key
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
-
name: Clear regedit favorites
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
-
name: Clear list of recent programs opened
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
-
name: Clear Adobe Media Browser MRU
recommend: standard
code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f
-
name: Clear MSPaint MRU
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
-
name: Clear Wordpad MRU
recommend: standard
code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
-
# NOTE(review): the name repeats "MRU"; left as-is because item names presumably serve as identifiers.
name: Clear Map Network Drive MRU MRU
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
-
name: Clear Windows Search Assistant history
recommend: standard
code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f
-
name: Clear list of Recent Files Opened, by Filetype
recommend: standard
code: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
-
name: Clear windows media player recent files and URLs
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
-
name: Clear Most Recent Application's Use of DirectX
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
-
name: Clear Windows Run MRU & typedpaths
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
-
# NOTE(review): nesting is not recoverable from this rendering — this item is not an MRU
# list and may belong under "Clear application history" instead; verify against the source file.
name: Clear Dotnet CLI telemetry
recommend: standard
code: rmdir /s /q "%USERPROFILE%\.dotnet\TelemetryStorageService" 2>nul
-
# Per-browser cleanup. Internet Explorer first; Chrome, Firefox, Opera and Safari follow.
category: Clear browser history
children:
-
category: Clear Internet Explorer history
children:
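-
  name: Clear Internet Explorer caches
  recommend: standard
  # One reference per cache; the WebCache link was previously listed twice.
  docs:
    # INetCache
    - https://support.microsoft.com/en-us/help/260897/how-to-delete-the-contents-of-the-temporary-internet-files-folder
    # WebCache
    - https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache
  code: |-
    del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*"
    rd /s /q "%localappdata%\Microsoft\Windows\WebCache"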
-
# TypedURLs holds addresses typed into the IE address bar; TypedURLsTime their timestamps (see docs).
name: Clear Internet Explorer recent URLs
recommend: strict
docs:
- https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
- https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/
- https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html
- http://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html
code: |-
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f
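-
  # Removes the browser cache folder for every Windows generation that used one.
  name: Clear Temporary Internet Files (browser cache)
  recommend: standard
  docs:
    - https://en.wikipedia.org/wiki/Temporary_Internet_Files
    - https://www.windows-commandline.com/delete-temporary-internet-files/ # %localappdata%\Temporary Internet Files
    - https://www.thewindowsclub.com/temporary-internet-files-folder-location # %localappdata%\Microsoft\Windows\Temporary Internet Files and INetCache
  code: |-
    :: Windows XP
    :: The path contains spaces and must be quoted; unquoted, `rd` treats each word as a separate directory.
    rd /s /q "%userprofile%\Local Settings\Temporary Internet Files"
    :: Windows 7
    rd /s /q "%localappdata%\Microsoft\Windows\Temporary Internet Files"
    :: Take ownership and grant Administrators full control only so the folder can be removed.
    takeown /f "%localappdata%\Temporary Internet Files" /r /d y
    icacls "%localappdata%\Temporary Internet Files" /grant administrators:F /t
    rd /s /q "%localappdata%\Temporary Internet Files"
    :: Windows 8 and above
    rd /s /q "%localappdata%\Microsoft\Windows\INetCache"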
-
name: Clear Internet Explorer Feeds Cache
recommend: standard
docs: https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
code: rd /s /q "%localappdata%\Microsoft\Feeds Cache"
-
# Strict only: removing cookies also signs the user out of sites.
name: Clear Internet Explorer cookies
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows/win32/wininet/managing-cookies
- https://docs.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs
- https://www.thewindowsclub.com/cookies-folder-location-windows
code: |-
:: Windows 7 browsers
rd /s /q "%APPDATA%\Microsoft\Windows\Cookies"
:: Windows 8 and higher
rd /s /q "%localappdata%\Microsoft\Windows\INetCookies"
-
name: Clear Internet Explorer DOMStore
recommend: standard
docs: https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx
code: rd /s /q "%localappdata%\Microsoft\InternetExplorer\DOMStore"
-
# Removes the whole IE profile folder (contents listed below). No `recommend`, so no preset selects it.
name: Clear all Internet Explorer user data
docs:
- https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data
- https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
- https://www.forensafe.com/blogs/internetexplorer.html
# Includes Internet Explorer cache, tab recovery data, persistence storage (DOMStore, indexed DB etc.)
# Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\
# DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\,
# VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\
# EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\
# Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log,
# MSIMGSIZ.DAT
code: rd /s /q "%localappdata%\Microsoft\Internet Explorer"
-
category: Clear Google Chrome history
children:
-
# Crash reports can contain memory contents from the crashed tab (see docs).
name: Clear Google Chrome crash reports
recommend: standard
docs: https://www.chromium.org/developers/crash-reports
code: |-
rd /s /q "%localappdata%\Google\Chrome\User Data\Crashpad\reports\"
rd /s /q "%localappdata%\Google\CrashReports\"
-
name: Clear Software Reporter Tool logs
recommend: standard
docs: https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/
code: del /f /q "%localappdata%\Google\Software Reporter Tool\*.log"
-
# Removes the entire "User Data" directory — presumably every profile with its saved
# passwords, cookies and sessions; confirm against the linked doc. No `recommend`.
name: Clear all Chrome user data
docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md
code: |-
:: Windows XP
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data"
:: Windows Vista and later
rd /s /q "%localappdata%\Google\Chrome\User Data"
-
category: Clear Firefox history
children:
-
# Deletes every *.sqlite under each Firefox profile except the three listed in
# ignoreFiles (content-prefs, permissions, favicons). The `set continue=` /
# `if not defined continue` pair is used instead of delayed expansion so the flag
# is evaluated at execution time inside the nested loops.
name: Clear browsing history and caches
recommend: standard
code: |-
set ignoreFiles="content-prefs.sqlite" "permissions.sqlite" "favicons.sqlite"
for %%d in ("%APPDATA%\Mozilla\Firefox\Profiles\"
"%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\"
) do (
IF EXIST %%d (
FOR /d %%p IN (%%d*) DO (
for /f "delims=" %%f in ('dir /b /s "%%p\*.sqlite" 2^>nul') do (
set "continue="
for %%i in (%ignoreFiles%) do (
if %%i == "%%~nxf" (
set continue=1
)
)
if not defined continue (
del /q /s /f %%f
)
)
)
)
)
-
# No `recommend`: wipes every Firefox profile, including saved logins and bookmarks stored there.
name: Clear all Firefox user profiles, settings, and data
code: |-
rd /s /q "%localappdata%\Mozilla\Firefox\Profiles"
rd /s /q "%APPDATA%\Mozilla\Firefox\Profiles"
-
name: Clear all Opera data (user profiles, settings, and data)
code: |-
:: Windows XP
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Opera\Opera"
:: Windows Vista and later
rd /s /q "%localappdata%\Opera\Opera"
rd /s /q "%APPDATA%\Opera\Opera"
-
# Safari for Windows stored its data under "Apple Computer\Safari"; each item covers the XP and Vista+ locations.
category: Clear Safari history
children:
-
name: Clear Webpage Icons
recommend: standard
docs: https://www.sans.org/blog/safari-browser-forensics/
code: |-
:: Windows XP
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db"
:: Windows Vista and later
del /q /s /f "%localappdata%\Apple Computer\Safari\WebpageIcons.db"
-
name: Clear Safari cache
recommend: standard
docs: https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
code: |-
:: Windows XP
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db"
:: Windows Vista and later
del /q /s /f "%localappdata%\Apple Computer\Safari\Cache.db"
-
name: Clear Safari cookies
recommend: strict
docs: https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
code: |-
:: Windows XP
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db"
:: Windows Vista and later
del /q /s /f "%localappdata%\Apple Computer\Safari\Cookies.db"
-
name: Clear all Safari data (user profiles, settings, and data)
docs:
- https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
- https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
- https://zerosecurity.org/2013/04/safari-forensic-tutorial
code: |-
:: Windows XP
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari"
:: Windows Vista and later
rd /s /q "%AppData%\Apple Computer\Safari"
-
category: Clear Windows logs & caches
children:
-
# NOTE(review): unquoted path; `/a` is needed because the Explorer cache files carry the hidden/system attribute.
name: Clear thumbnail cache
code: del /f /s /q /a %LocalAppData%\Microsoft\Windows\Explorer\*.db
-
category: Clear Windows log files
children:
-
category: Clear Windows Update logs
children:
-
name: Clear Windows update and SFC scan logs
docs: https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c
recommend: standard
code: del /f /q %SystemRoot%\Temp\CBS\*
-
# Ownership is taken and Administrators granted full control so the folder can be
# removed; the ACL change does not outlive the folder.
name: Clear Windows Update Medic Service logs
recommend: standard
docs: https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4
code: |-
takeown /f %SystemRoot%\Logs\waasmedic /r /d y
icacls %SystemRoot%\Logs\waasmedic /grant administrators:F /t
rd /s /q %SystemRoot%\Logs\waasmedic
-
# NOTE(review): the last four paths are files named "catroot2.*" directly under System32,
# while the first targets the System32\catroot2\ folder; verify the intended paths against the linked doc.
name: Clear Cryptographic Services Traces
recommend: standard
docs: https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
code: |-
del /f /q %SystemRoot%\System32\catroot2\dberr.txt
del /f /q %SystemRoot%\System32\catroot2.log
del /f /q %SystemRoot%\System32\catroot2.jrs
del /f /q %SystemRoot%\System32\catroot2.edb
del /f /q %SystemRoot%\System32\catroot2.chk
-
# NOTE(review): same command as "Clear Server-initiated Healing Events Logs" further down
# (Logs\SIH = Server-Initiated Healing); the name here does not describe what it deletes.
name: Windows Update Events Logs
code: del /f /q "%SystemRoot%\Logs\SIH\*"
-
name: Windows Update Logs
code: del /f /q "%SystemRoot%\Traces\WindowsUpdate\*"
-
name: Clear Optional Component Manager and COM+ components logs
recommend: standard
code: del /f /q %SystemRoot%\comsetup.log
-
name: Clear Distributed Transaction Coordinator logs
recommend: standard
code: del /f /q %SystemRoot%\DtcInstall.log
-
name: Clear Pending File Rename Operations logs
code: del /f /q %SystemRoot%\PFRO.log
-
name: Clear Windows Deployment Upgrade Process Logs
recommend: standard
code: |-
del /f /q %SystemRoot%\setupact.log
del /f /q %SystemRoot%\setuperr.log
-
name: Clear Windows Setup Logs
recommend: standard
docs: https://support.microsoft.com/en-gb/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows
code: |-
del /f /q %SystemRoot%\setupapi.log
del /f /q %SystemRoot%\Panther\*
del /f /q %SystemRoot%\inf\setupapi.app.log
del /f /q %SystemRoot%\inf\setupapi.dev.log
del /f /q %SystemRoot%\inf\setupapi.offline.log
-
name: Clear Windows System Assessment Tool logs
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal
code: del /f /q %SystemRoot%\Performance\WinSAT\winsat.log
-
# Removes the password-change log under %SystemRoot%\debug.
name: Clear Password change events
recommend: standard
code: del /f /q %SystemRoot%\debug\PASSWD.LOG
-
# Overlaps with "Clear Internet Explorer caches", which removes the whole WebCache folder.
name: Clear user web cache database
recommend: standard
docs: https://support.microsoft.com/en-gb/help/4056823/performance-issue-with-custom-default-user-profile
code: del /f /q %localappdata%\Microsoft\Windows\WebCache\*.*
-
name: Clear system temp folder when no one is logged in
recommend: standard
code: del /f /q %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
-
# NOTE(review): also deletes Logs\CBS\CBS.log, which is a servicing (CBS) log rather than a DISM log.
name: Clear DISM (Deployment Image Servicing and Management) Logs
recommend: standard
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files
code: |-
del /f /q %SystemRoot%\Logs\CBS\CBS.log
del /f /q %SystemRoot%\Logs\DISM\DISM.log
name: Clear WUAgent (Windows Update History) logs
docs: https://social.technet.microsoft.com/Forums/ie/en-US/f5744a18-d4ca-4631-8324-878b9225251d/windowssoftwaredistribution-folder-cleanup-automation?forum=winserverwsus
code: |-
setlocal EnableDelayedExpansion
SET /A wuau_service_running=0
SC queryex "wuauserv"|Find "STATE"|Find /v "RUNNING">Nul||(
SET /A wuau_service_running=1
net stop wuauserv
)
del /q /s /f "%SystemRoot%\SoftwareDistribution"
IF !wuau_service_running! == 1 (
net start wuauserv
)
endlocal
-
name: Clear Server-initiated Healing Events Logs
code: del /f /q "%SystemRoot%\Logs\SIH\*"
-
name: Common Language Runtime Logs
recommend: standard
code: |-
del /f /q "%LocalAppData%\Microsoft\CLR_v4.0\UsageTraces\*"
del /f /q "%LocalAppData%\Microsoft\CLR_v4.0_32\UsageTraces\*"
-
name: Network Setup Service Events Logs
recommend: standard
code: del /f /q "%SystemRoot%\Logs\NetSetup\*"
-
name: Disk Cleanup tool (Cleanmgr.exe) Logs
code: del /f /q "%SystemRoot%\System32\LogFiles\setupcln\*"
-
name: Clear Windows temp files
recommend: standard
code: |-
del /f /q %localappdata%\Temp\*
rd /s /q "%WINDIR%\Temp"
rd /s /q "%TEMP%"
-
name: Clear main telemetry file
recommend: standard
code: |-
if exist "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" (
takeown /f "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /r /d y
icacls "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /grant administrators:F /t
echo "" > "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl"
echo Clear successful: "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl"
) else (
echo "Main telemetry file does not exist. Good!"
)
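-
  # Clears every event log channel, including Security. This destroys the audit trail
  # that incident response and troubleshooting depend on; it carries no `recommend`,
  # so neither preset selects it.
  name: Clear Event Logs in Event Viewer
  docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information
  code: |-
    REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral
    REM Rewrites the channel's security descriptor so Administrators can clear it.
    REM This ACL change is permanent and is not reverted by this script.
    wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)
    for /f "tokens=*" %%i in ('wevtutil.exe el') DO (
        echo Deleting event log: "%%i"
        REM The channel name is the only argument; the script's own first positional argument must not be spliced in here.
        wevtutil.exe cl "%%i"
    )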
-
# Deletes Defender's detection/scan history files; `/s` recurses into the History subfolders.
name: Clean Windows Defender scan history
docs: https://www.thewindowsclub.com/clear-windows-defender-protection-history
code: del "%ProgramData%\Microsoft\Windows Defender\Scans\History\" /s /f /q
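-
  # Deletes every entry in Windows Credential Manager (saved web, RDP, network-share
  # and domain credentials). There is no revert; the user must re-enter them.
  # NOTE(review): matching on the word "Target" assumes an English cmdkey output.
  name: Clear credentials from Windows Credential Manager
  code: |-
    :: Pipe `cmdkey /list` straight into the loop instead of staging it in %TEMP% files:
    :: the list of credential target names is itself sensitive and should not be left on disk.
    :: "tokens=1,*" keeps target names containing spaces intact; the previous "tokens=1,2"
    :: truncated them at the first space, so those entries were never deleted.
    for /f "tokens=1,* delims= " %%G in ('cmdkey.exe /list ^| findstr.exe Target') do cmdkey.exe /delete:"%%H"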
-
# Removes the leftover OOBE account; `2>nul` hides the error when it does not exist.
name: Delete controversial default0 user
docs: https://github.com/undergroundwires/privacy.sexy/issues/30
recommend: standard
code: net user defaultuser0 /delete 2>nul
-
# `RunPowerShell` is a shared function defined elsewhere in this collection (not in view);
# it receives the PowerShell snippet below as its `code` parameter.
name: Empty trash bin
call:
function: RunPowerShell
parameters:
code: |-
$bin = (New-Object -ComObject Shell.Application).NameSpace(10)
$bin.items() | ForEach {
Write-Host "Deleting $($_.Name) from Recycle Bin"
Remove-Item $_.Path -Recurse -Force
}
-
name: Enable Reset Base in Dism Component Store
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f
-
# The linked page describes this as preventing the product key from being read back out of the registry.
name: Clear Windows Product Key from Registry
code: slmgr /cpky
docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/
-
# Deletes every Volume Shadow Copy, which removes System Restore points and "Previous
# Versions" as a recovery path. The same command is a well-known ransomware step (see the
# Fortinet doc), so endpoint protection may block or alert on it. No `recommend`.
name: Clear volume backups (shadow copies)
docs:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
code: vssadmin delete shadows /all /quiet
-
name: Remove Default Apps Associations
recommend: standard
code: dism /online /Remove-DefaultAppAssociations
-
# Deletes the System32\sru* database files (presumably the SRUM usage database) after
# stopping the Diagnostic Policy Service (DPS) if it was running; DPS is restarted afterwards.
# Same stop/restart pattern as "Clear WUAgent (Windows Update History) logs".
name: Clear (Reset) Network Data Usage
recommend: standard
docs: https://www.windowslifestyle.com/reset-data-usage-tool-reset-network-data-usage-windows-10/
code: |-
setlocal EnableDelayedExpansion
SET /A dps_service_running=0
SC queryex "DPS"|Find "STATE"|Find /v "RUNNING">Nul||(
SET /A dps_service_running=1
net stop DPS
)
del /F /S /Q /A "%windir%\System32\sru*"
IF !dps_service_running! == 1 (
net start DPS
)
endlocal
-
# Removes Windows.old, which also removes the ability to roll back the last upgrade.
# `takeown /a` assigns ownership to the Administrators group.
name: Clear previous Windows installations
code: |-
if exist "%SystemDrive%\Windows.old" (
takeown /f "%SystemDrive%\Windows.old" /a /r /d y
icacls "%SystemDrive%\Windows.old" /grant administrators:F /t
rd /s /q "%SystemDrive%\Windows.old"
echo Deleted previous installation from "%SystemDrive%\Windows.old\"
) else (
echo No previous Windows installation has been found
)
category: Disable OS data collection
children:
-
category: Disable Windows telemetry and data collection
children:
-
name: Disable Customer Experience Improvement (CEIP/SQM)
docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f
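-
  name: Disable Application Impact Telemetry (AIT)
  recommend: standard
  code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
  # The revert must undo the value this item sets (AITEnable). The previous revert
  # re-enabled CEIPEnable under SQMClient instead, so AIT stayed disabled after a revert.
  revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "1" /f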
-
# Sets Start=4 (disabled) on the telemetry services in the registry and stops/disables
# them with sc. No revertCode is provided, so the services stay disabled after a revert.
# NOTE(review): the first two writes go to ControlSet001 while the others use
# CurrentControlSet, and "dmwappushsvc" (line 2) differs from the "dmwappushservice"
# name used everywhere else — verify the intended service key.
# NOTE(review): dmwappushservice is presumably also used by MDM enrollment; confirm before disabling on managed devices.
name: Disable diagnostics telemetry
recommend: standard
code: |-
reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushsvc" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d 4 /f
sc stop "DiagTrack" & sc config "DiagTrack" start=disabled
sc stop "dmwappushservice" & sc config "dmwappushservice" start=disabled
sc stop "diagnosticshub.standardcollector.service" & sc config "diagnosticshub.standardcollector.service" start=disabled
sc stop "diagsvc" & sc config "diagsvc" start=disabled
-
# Scheduled-task based CEIP collection; each task is disabled and the revert re-enables it.
name: Disable Customer Experience Improvement Program
recommend: standard
code: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
revertCode: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /ENABLE
-
category: Disable Webcam Telemetry (devicecensus.exe)
docs:
- https://www.ghacks.net/2019/09/23/what-is-devicecensus-exe-on-windows-10-and-why-does-it-need-internet-connectivity/
- https://answers.microsoft.com/en-us/windows/forum/windows_10-security/devicecensusexe-and-host-process-for-windows-task/520d42a2-45c1-402a-81de-e1116ecf2538
children:
-
name: Disable devicecensus.exe (telemetry) task
recommend: standard
code: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /enable
-
# `KillProcessWhenItStarts` is a shared function defined elsewhere in this collection (not in view).
name: Disable devicecensus.exe (telemetry) process
recommend: standard
call:
function: KillProcessWhenItStarts
parameters:
processName: DeviceCensus.exe
-
category: Disable Compatibility Telemetry (Application Experience)
children:
-
category: Disable Microsoft Compatibility Appraiser
docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
children:
-
name: Disable Microsoft Compatibility Appraiser task
recommend: standard
code: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable
-
name: Disable CompatTelRunner.exe (Microsoft Compatibility Appraiser) process
recommend: standard
call:
function: KillProcessWhenItStarts
parameters:
processName: CompatTelRunner.exe
-
name: Disable sending information to Customer Experience Improvement Program
recommend: standard
docs:
- https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
- https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/permanently-disabling-windows-compatibility/6bf71583-81b0-4a74-ae2e-8fd73305aad1
code: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable
-
name: Disable Application Impact Telemetry Agent task
recommend: standard
docs: https://www.shouldiblockit.com/aitagent.exe-6181.aspx
code: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /enable
-
name: Disable "Disable apps to improve performance" reminder
recommend: strict
docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
code: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /enable
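-
  # Sets AllowTelemetry=0 under the 32-bit, legacy and policy keys (the policy-key
  # write was previously listed twice). No revertCode: these policy values persist.
  # NOTE(review): Microsoft documents level 0 ("Security") as honored only on
  # Enterprise/Education/Server editions; on other editions it behaves as 1 — verify.
  # NOTE(review): LimitEnhancedDiagnosticDataWindowsAnalytics=0 is the policy's
  # "not limited" state; with AllowTelemetry=0 it has no effect — confirm intent.
  name: Disable telemetry in data collection policy
  recommend: standard
  code: |-
    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /d 0 /t REG_DWORD /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "LimitEnhancedDiagnosticDataWindowsAnalytics" /t REG_DWORD /d 0 /f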
-
name: Disable license telemetry
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f
-
name: Disable error reporting
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings
- https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493
code: |-
:: Disable Windows Error Reporting (WER)
reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f
:: Disable WER sending second-level data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
:: Disable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
:: Disable Windows Error Reporting Service
sc stop "WerSvc" & sc config "WerSvc" start=disabled
sc stop "wercplsupport" & sc config "wercplsupport" start=disabled
revertCode: |-
:: Enable Windows Error Reporting (WER)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f
:: Enable WER sending second-level data
reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f
:: Enable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable
:: Enable Windows Error Reporting Service
sc config "WerSvc" start=demand
sc config "wercplsupport" start=demand
-
category: Disable automatic driver updates by Windows Update
children:
-
name: Disable device metadata retrieval (breaks auto updates)
recommend: strict
docs:
- https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
-
name: Do not include drivers with Windows Updates
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate
recommend: strict
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f
-
name: Prevent Windows Update for device driver search
docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965
recommend: strict
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 1 /f
-
name: Disable cloud speech recognition
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f
-
name: Disable active probing (pings to MSFT NCSI server)
recommend: strict
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
-
name: Opt out from Windows privacy consent
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f
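-
  name: Disable Windows feedback
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics
  # Three layers: the per-user SIUF rule (HKCU: ask 0 times per period, and drop the period
  # value), plus DoNotShowFeedbackNotifications in both the CurrentVersion\Policies hive and
  # the Policies\Microsoft\Windows hive. The HKCU lines run in the elevated context, so they
  # land in the hive of the account that approved elevation.
  code: |-
    reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
    reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
  # Revert removes every value the script writes so each setting falls back to
  # "not configured". PeriodInNanoSeconds cannot be restored: its previous value is not
  # captured before the delete above.
  revertCode: |-
    :: PeriodInNanoSeconds is not restored (original value is not captured)
    reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /f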
-
  name: Disable text and handwriting collection
  recommend: standard
  # Each InputPersonalization / handwriting policy is written to both HKCU and HKLM so it
  # applies whether the policy is evaluated per-user or per-machine; input personalization is
  # then disabled machine-wide (AllowInputPersonalization = 0) and contact harvesting is
  # turned off in the per-user TrainedDataStore. No docs link is given, and there is no
  # revertCode, so this entry cannot be undone from the app. NOTE(review): a revert would
  # delete the policy values, but the pre-existing HarvestContacts value is not captured, so
  # its restore value would need to be confirmed first.
  code: |-
    reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
    reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f
    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
-
category: Deny app access to personal information
children:
-
  name: Deny app access to location
  recommend: standard
  docs:
    - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation # LetAppsAccessLocation
    - https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ # ConsentStore\location
    - https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/ # lfsvc\Service\Configuration
  # Three machine-wide (HKLM) layers: the CapabilityAccessManager consent store (no /t given,
  # reg.exe defaults to REG_SZ), the pre-1903 geolocation-service switch, and the
  # LetAppsAccessLocation policy (2) with its three per-app lists left empty. Setting the
  # policy locks the Settings toggle, as the inline note says. NOTE(review): only the HKLM
  # consent store is written; a per-user HKCU ConsentStore\location value, if present, is
  # not touched.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /f
    :: For older Windows (before 1903)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert re-allows the consent store and service, and deletes (rather than zeroes) the
  # policy values so the Settings toggle becomes user-controllable again.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Allow" /f
    :: For older Windows (before 1903)
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f
    :: Using GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /f
-
  name: Deny app access to account info, name, and picture
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo
  # HKLM consent store for userAccountInformation, the pre-1903 per-user DeviceAccess GUID
  # entry (HKCU, written from the elevated context, so it lands in the elevating account's
  # hive), and the LetAppsAccessAccountInfo policy (2) with empty per-app lists.
  # NOTE(review): the DeviceAccess GUID below is the same key the "Deny app access to trusted
  # devices" entry writes — reverting either entry re-allows both. Confirm which capability
  # the GUID actually belongs to.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values are deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Allow" /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /f
-
  name: Deny app access to motion data
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion
  # Two layers, both HKLM: the "activity" consent store and the LetAppsAccessMotion policy (2)
  # with empty per-app lists. No pre-1903 DeviceAccess key is written for this capability.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on the consent store; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Allow" /f
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /f
-
  name: Deny app access to phone
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone
  # Policy-only entry: no ConsentStore or DeviceAccess value is written, so the whole effect
  # comes from LetAppsAccessPhone = 2 (which also locks the Settings toggle) with its per-app
  # lists left empty.
  code: |-
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert deletes the policy values, returning the setting to user control.
  revertCode: |-
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /f
-
  name: Deny app access to trusted devices
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices
  recommend: standard
  # Pre-1903 per-user DeviceAccess entry (HKCU, written from the elevated context) plus the
  # LetAppsAccessTrustedDevices policy (2) with empty per-app lists; no ConsentStore key is
  # written for this capability.
  # NOTE(review): the DeviceAccess GUID below is identical to the one the "Deny app access
  # to account info" entry writes, so this line toggles the account-info consent, not a
  # separate trusted-devices one, and reverting either entry re-allows both. Confirm the
  # correct pre-1903 key for trusted devices; if there is none, drop the HKCU line.
  code: |-
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  revertCode: |-
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /f
-
  name: Deny app sync with devices (unpaired, beacons, TVs, etc.)
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices
  # Policy-only entry: LetAppsSyncWithDevices = 2 with empty per-app lists. No ConsentStore or
  # DeviceAccess key is written, so the effect (and the locked Settings toggle) comes solely
  # from the policy.
  code: |-
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert deletes the policy values, returning the setting to user control.
  revertCode: |-
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /f
-
  name: Deny app access to camera
  docs:
    - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kscategory-video-camera
    - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscamera
  # No recommend: tier, so this is never pre-selected — it blocks every packaged app's
  # camera access, including ones the user relies on. Three layers: the HKLM "webcam"
  # consent store (explicit REG_SZ), the pre-1903 per-user DeviceAccess GUID (HKCU, written
  # from the elevated context), and the LetAppsAccessCamera policy (2) with empty per-app
  # lists, which locks the Settings toggle.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Allow" /f
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /f
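-
  name: Deny app access to microphone
  # Anchor corrected: the policy CSP section is "letappsaccessmicrophone" (the earlier
  # "...microphonee" anchor pointed at nothing).
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone
  # No recommend: tier, so this is never pre-selected — it blocks every packaged app's
  # microphone access. Three layers: the HKLM "microphone" consent store (explicit REG_SZ),
  # the pre-1903 per-user DeviceAccess GUID (HKCU, written from the elevated context), and
  # the LetAppsAccessMicrophone policy (2) with empty per-app lists, which locks the
  # Settings toggle.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /t REG_SZ /v "Value" /d "Allow" /f
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f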
-
  name: Deny apps share and sync non-explicitly paired wireless devices over uPnP
  # Single per-user DeviceAccess\Global\LooselyCoupled value (HKCU); no docs link and no
  # recommend: tier. Written from the elevated context, so it lands in the elevating
  # account's hive — NOTE(review): verify that is the intended user. No policy is set, so the
  # user can flip this back from Settings.
  code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f
  revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f
-
  name: Deny app access to diagnostics info about your other apps
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo
  # Two HKLM layers: the "appDiagnostics" consent store (explicit REG_SZ) and the
  # LetAppsGetDiagnosticInfo policy (2) with empty per-app lists, which locks the Settings
  # toggle. No pre-1903 DeviceAccess key is written for this capability.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on the consent store; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Allow" /t REG_SZ /f
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /f
-
category: Deny app access to your file system
children:
-
  name: Deny app access to Document folder
  recommend: standard
  # HKLM consent store only (documentsLibrary). No AppPrivacy policy is set here, so the
  # Settings toggle stays user-changeable and any user can re-allow it. No docs link.
  code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f
  revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
  name: Deny app access to Pictures folder
  recommend: standard
  # HKLM consent store only (picturesLibrary). No AppPrivacy policy is set here, so the
  # Settings toggle stays user-changeable and any user can re-allow it. No docs link.
  code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f
  revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
  name: Deny app access to Videos folder
  recommend: standard
  # HKLM consent store only (videosLibrary). No AppPrivacy policy is set here, so the
  # Settings toggle stays user-changeable and any user can re-allow it. No docs link.
  code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f
  revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
  name: Deny app access to other filesystem
  recommend: standard
  # HKLM consent store only (broadFileSystemAccess — the capability packaged apps declare to
  # read outside their own folders). No AppPrivacy policy is set here, so the Settings toggle
  # stays user-changeable. No docs link. The SOFTWARE/Software casing difference between code
  # and revert is harmless: registry paths are case-insensitive.
  code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f
  revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Allow" /t REG_SZ /f
-
  name: Deny app access to your contacts
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts
  # Three layers: the HKLM "contacts" consent store (explicit REG_SZ), the pre-1903 per-user
  # DeviceAccess GUID (HKCU, written from the elevated context, so it lands in the elevating
  # account's hive), and the LetAppsAccessContacts policy (2) with empty per-app lists, which
  # locks the Settings toggle.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Allow" /f
    :: GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /f
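-
  name: Deny app access to Notifications
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications
  # Three layers: the HKLM "userNotificationListener" consent store (explicit REG_SZ), the
  # pre-1903 per-user DeviceAccess GUID (HKCU, written from the elevated context, so it lands
  # in the elevating account's hive), and the LetAppsAccessNotifications policy (2) with
  # empty per-app lists, which locks the Settings toggle.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values deleted so Settings regains control.
  # The revert's inline note no longer claims "re-activation through GUI is not possible" —
  # that caveat belongs to setting the policy, not to deleting it.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Allow" /f
    :: Using GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /f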
-
  name: Deny app access to Calendar
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar
  # Three layers: the HKLM "appointments" consent store (explicit REG_SZ), the pre-1903
  # per-user DeviceAccess GUID (HKCU, written from the elevated context, so it lands in the
  # elevating account's hive), and the LetAppsAccessCalendar policy (2) with empty per-app
  # lists, which locks the Settings toggle.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Allow" /f
    :: Using GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /f
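-
  name: Deny app access to call history
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory
  # Three layers: the HKLM "phoneCallHistory" consent store (explicit REG_SZ), the pre-1903
  # per-user DeviceAccess GUID (HKCU, written from the elevated context, so it lands in the
  # elevating account's hive), and the LetAppsAccessCallHistory policy (2) with empty per-app
  # lists, which locks the Settings toggle. The stray "Using GPO" note that preceded the
  # consent-store line is gone — that line is not a policy write.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Allow" /f
    :: Using GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /f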
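-
  name: Deny app access to email
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail
  # Three layers: the HKLM "email" consent store (explicit REG_SZ), the pre-1903 per-user
  # DeviceAccess GUID (HKCU, written from the elevated context, so it lands in the elevating
  # account's hive), and the LetAppsAccessEmail policy (2) with empty per-app lists, which
  # locks the Settings toggle. The pre-1903 value is written as "Deny" — the same casing every
  # other DeviceAccess entry writes and the counterpart of the "Allow" the revert writes —
  # rather than an unquoted DENY, so the stored string is consistent across the collection.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on both consent keys; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Allow" /f
    :: Using GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /f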
-
  name: Deny app access to tasks
  recommend: standard
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks
  # Two HKLM layers: the "userDataTasks" consent store (explicit REG_SZ) and the
  # LetAppsAccessTasks policy (2) with empty per-app lists, which locks the Settings toggle.
  # No pre-1903 DeviceAccess key is written for this capability.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on the consent store; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Allow" /t REG_SZ /f
    :: Using GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /f
-
  name: Deny app access to messaging (SMS / MMS)
  docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging
  recommend: standard
  # Three layers: the HKLM "chat" consent store (explicit REG_SZ), two pre-1903 per-user
  # DeviceAccess GUIDs (HKCU, written from the elevated context, so they land in the
  # elevating account's hive), and the LetAppsAccessMessaging policy (2) with empty per-app
  # lists, which locks the Settings toggle. NOTE(review): no reference is given for which
  # capability each of the two GUIDs maps to — confirm both are messaging-related.
  code: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Deny" /f
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Deny" /f
    :: Using GPO (re-activation through GUI is not possible)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /t REG_MULTI_SZ /f
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /t REG_MULTI_SZ /f
  # Revert: Allow on all three consent keys; policy values deleted so Settings regains control.
  revertCode: |-
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Allow" /t REG_SZ /f
    :: For older Windows (before 1903)
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Allow" /f
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Allow" /f
    :: Using GPO
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /f
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /f
-
name: Deny app access to radios
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
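reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Deny" /f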
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /f
-
name: Deny app access to bluetooth devices
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f
-
category: Disable app access to voice activation
children:
-
name: Disable apps and Cortana to activate with voice
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 0 /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /t REG_DWORD /d 2 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 1 /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /f
-
name: Disable apps and Cortana to activate with voice when system is locked
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 0 /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /t REG_DWORD /d 2 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 1 /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /f
-
category: Disable location access
children:
-
name: Turn off Windows Location Provider
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f
-
name: Turn off location scripting
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f
-
name: Turn off location
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f
:: For older Windows (before 1903)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Deny" /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "0" /t REG_DWORD /f
:: For older Windows (before 1903)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f
-
name: Turn off sensors
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f
-
category: Disable Windows Search data collection
children:
-
category: Disable Cortana
children:
-
name: Do not allow Cortana
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f
-
name: Do not allow Cortana experience
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f
-
name: Do not allow search and Cortana to search cloud sources like OneDrive and SharePoint
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 1 /f
-
name: Disable Cortana speech interaction while the system is locked
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f
-
name: Opt out from Cortana consent
recommend: standard
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 0 /f
# NOTE(review): the matching code line and the other Cortana toggles in this
# section write 0/1 REG_DWORD values; "/d 10" looks like a typo for 1 — confirm
# before relying on this revert.
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 10 /f
-
name: Do not allow Cortana to be enabled
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 1 /f
-
name: Disable Cortana (Internet search results in start menu)
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f
-
category: Disable Cortana history
children:
-
name: Prevent Cortana from displaying history
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f
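# "reg add ... /v X /f" without /t and /d does not restore the value: it overwrites
# the REG_DWORD with an empty REG_SZ. Deleting the value returns it to its default
# state, which is how the other reverts in this section are written.
revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f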
-
name: Prevent Cortana from using device history
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f
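# "reg add ... /v X /f" without /t and /d does not restore the value: it overwrites
# the REG_DWORD with an empty REG_SZ. Deleting the value returns it to its default
# state, which is how the other reverts in this section are written.
revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f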
-
name: Remove the Cortana taskbar icon
recommend: standard
code: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /t REG_DWORD /d 0 /f
revertCode: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /f
-
name: Disable Cortana in ambient mode
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 1 /f
-
category: Disable Cortana voice listening
children:
-
name: Disable "Hey Cortana" voice activation
recommend: standard
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 1 /f
-
name: Disable Cortana listening to commands on Windows key + C
recommend: standard
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 1 /f
-
name: Disable using Cortana even when device is locked
recommend: standard
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 1 /f
-
name: Disable automatic update of Speech Data
recommend: standard
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /f
-
name: Disable Cortana voice support during Windows setup
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /t REG_DWORD /d 1 /f
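# "reg add ... /v X /f" without /t and /d does not restore the value: it overwrites
# the REG_DWORD with an empty REG_SZ. Deleting the value returns it to its default
# state, matching the "ModelDownloadAllowed" revert above.
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /f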
-
category: Configure Windows search indexing
children:
-
name: Disable search indexing encrypted items / stores
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowindexingencryptedstoresoritems
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f
-
name: Do not use automatic language detection when indexing
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-alwaysuseautolangdetection
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 1 /f
-
name: Do not allow search to use location
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 1 /f
-
name: Disable web search in search bar
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 0 /f
-
name: Do not search the web or display web results in Search
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 1 /f
-
name: Disable Bing search
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 1 /f
-
category: Disable targeted ads and marketing
children:
-
name: Disable ad customization with Advertising ID
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f
-
category: Disable cloud-based tips and ads
children:
-
name: Disable Windows Tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f
-
name: Disable Windows Spotlight (random wallpaper on lock screen)
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "0" /f
-
name: Disable Microsoft consumer experiences
recommend: standard
docs:
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f
-
name: Turn Off Suggested Content in Settings app
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004
- https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm
code: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f
-
category: Disable biometrics (breaks fingerprinting/facial login)
children:
-
name: Do not allow the use of biometrics
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f
-
name: Do not allow users to log on using biometrics
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f
-
name: Do not start Windows Biometric Service
recommend: strict
docs: https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 4 /f
sc stop "WbioSrvc" & sc config "WbioSrvc" start=disabled
revertCode: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 2 /f
sc config "WbioSrvc" start=demand
-
name: Disable Wi-Fi sense
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f
-
name: Hide most used apps (tracks app launch)
docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10
recommend: strict
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f
-
name: Disable Inventory Collector
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 0 /f
-
name: Disable Website Access of Language List
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f
-
name: Disable Auto Downloading Maps
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f
-
name: Disable steps recorder
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
-
name: Disable game screen recording
recommend: standard
code: |-
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f
-
name: Disable Windows DRM internet access
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable feedback on write (sending typing info)
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable Activity Feed
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f
-
category: Disable Windows Insider Program
children:
-
name: Disable Windows Insider Service
docs: https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service
recommend: standard
code: sc stop "wisvc" & sc config "wisvc" start=disabled
revertCode: sc config "wisvc" start=demand
-
name: Do not let Microsoft try features on this build
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f
reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f
-
name: Disable getting preview builds of Windows
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f
-
name: Remove "Windows Insider Program" from Settings
docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/
code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f
-
category: Disable cloud sync
docs: https://support.microsoft.com/en-us/help/4026102/windows-10-about-sync-settings
children:
-
name: Disable all settings sync
recommend: standard
# NOTE(review): `enabler` is not a key used by any other entry visible in this
# file (name/recommend/docs/code/revertCode/category/children); it reads like a
# leftover editing note — confirm it is intentional or remove it.
enabler: all those bottom
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f
-
name: Disable Application Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable App Sync Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Credentials Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable Desktop Theme Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Personalization Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Start Layout Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Web Browser Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Windows Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Language Setting Sync
recommend: standard
docs:
- https://winaero.com/turn-on-off-sync-settings-windows-10/
- https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor
- https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 1 /f
-
category: Configure programs
children:
-
category: Disable Visual Studio data collection
children:
-
category: Disable Experience Improvement Program (PerfWatson)
docs:
- https://docs.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program
- https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/
children:
-
name: Disable SQM OS key
recommend: standard
code: |-
if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
) else (
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
)
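revertCode: |-
  :: Restores the SQM (Experience Improvement Program) opt-in that the code block turns off.
  :: Without the "|-" block indicator the lines below would be folded into one plain
  :: scalar, and the REM would swallow every reg add that follows it.
  :: REM is used instead of :: inside the parentheses, because a :: label inside a
  :: parenthesized block breaks cmd's block parsing.
  if %PROCESSOR_ARCHITECTURE%==x86 ( REM 32-bit Windows: keys live directly under HKLM\SOFTWARE
    reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
  ) else (
    REM 64-bit Windows: same keys under the Wow6432Node (32-bit) view, as in the code block
    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
  )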
-
name: Disable SQM group policy
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
-
name: Disable visual studio telemetry
recommend: standard
code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 0 /f
-
name: Disable Visual Studio feedback
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 0 /f
-
name: Stop and disable Visual Studio Standard Collector Service
recommend: standard
code: sc stop "VSStandardCollectorService150" & sc config "VSStandardCollectorService150" start=disabled
revertCode: sc config "VSStandardCollectorService150" start=auto & sc start "VSStandardCollectorService150"
-
name: Disable NET Core CLI telemetry
recommend: standard
code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1
revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0
-
name: Disable PowerShell 7+ telemetry
recommend: standard
docs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry
code: setx POWERSHELL_TELEMETRY_OPTOUT 1
revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0
-
category: Disable NVIDIA telemetry
docs:
- https://github.com/privacysexy-forks/nVidia-modded-Inf
- https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry
- https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20
children:
-
name: Uninstall NVIDIA telemetry tasks
recommend: standard
code: |-
if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" (
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry
)
-
name: Delete NVIDIA residual telemetry files
recommend: standard
code: |-
del /s %SystemRoot%\System32\DriverStore\FileRepository\NvTelemetry*.dll
rmdir /s /q "%ProgramFiles(x86)%\NVIDIA Corporation\NvTelemetry" 2>nul
rmdir /s /q "%ProgramFiles%\NVIDIA Corporation\NvTelemetry" 2>nul
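-
  name: Opt out from NVIDIA telemetry
  recommend: standard
  code: |-
    reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f
    reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f
    :: 4 = SERVICE_DISABLED start type for the NvTelemetryContainer service
    reg add "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d 4 /f
  # The forward script only changes the service's "Start" value, so the revert restores that value
  # instead of deleting the whole NvTelemetryContainer key, which would leave a broken service
  # registration rather than the original state. 2 = SERVICE_AUTO_START, matching the "start=auto"
  # reverts used elsewhere in this file; assumes the service was automatic-start before — confirm
  # on a stock driver install.
  revertCode: |-
    reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f
    reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f
    reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f
    reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d 2 /f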
-
name: Disable NVIDIA telemetry services
recommend: standard
code: |-
schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
revertCode: |-
schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
-
category: Disable Visual Studio Code data collection
docs:
- https://code.visualstudio.com/updates/v1_26#_offline-mode
- https://code.visualstudio.com/docs/getstarted/settings
children:
-
name: Disable Visual Studio Code telemetry
docs: https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableTelemetry
powerShellValue: $false
-
name: Disable Visual Studio Code crash reporting
docs: https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableCrashReporter
powerShellValue: $false
-
name: Do not run Microsoft online experiments
docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: workbench.enableExperiments
powerShellValue: $false
-
name: Choose manual updates over automatic updates
call:
function: SetVsCodeSetting
parameters:
setting: update.mode
powerShellValue: >-
'manual'
-
name: Show Release Notes from Microsoft online service after an update
call:
function: SetVsCodeSetting
parameters:
setting: update.showReleaseNotes
powerShellValue: $false
-
name: Automatically check extensions from Microsoft online service
call:
function: SetVsCodeSetting
parameters:
setting: extensions.autoCheckUpdates
powerShellValue: $false
-
name: Fetch recommendations from Microsoft only on demand
call:
function: SetVsCodeSetting
parameters:
setting: extensions.showRecommendationsOnlyOnDemand
powerShellValue: $true
-
name: Automatically fetch git commits from remote repository
call:
function: SetVsCodeSetting
parameters:
setting: git.autofetch
powerShellValue: $false
-
name: Fetch package information from NPM and Bower
call:
function: SetVsCodeSetting
parameters:
setting: npm.fetchOnlinePackageInfo
powerShellValue: $false
-
category: Disable Microsoft Office telemetry
docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office
children:
-
name: Disable Microsoft Office logging
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
-
name: Disable client telemetry
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
-
name: Customer Experience Improvement Program
docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
-
name: Disable feedback
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
-
name: Disable telemetry agent
recommend: standard
code: |-
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /DISABLE
revertCode: |-
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE
# - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b)
# name: Disable ClickToRun Service Monitor
# code: |-
# schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE
# sc stop "ClickToRunSvc" & sc config "ClickToRunSvc" start=disabled
# revertCode: |-
# schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE
# sc config "ClickToRunSvc" start=auto & sc start "ClickToRunSvc"
-
name: Disable Subscription Heartbeat
code: |-
schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /DISABLE
schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /DISABLE
revertCode: |-
schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /ENABLE
schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /ENABLE
-
category: Configure browsers
children:
-
category: Configure Edge
children:
-
category: Chromium Edge settings
children:
-
name: Disable Edge usage and crash-related data reporting (shows "Your browser is managed") # Obsolete since Microsoft Edge version 89
recommend: standard
docs:
- https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled
- https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#metricsreportingenabled
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /f
-
name: Disable sending site information (shows "Your browser is managed") # Obsolete since Microsoft Edge version 89
recommend: standard
docs:
- https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices
- https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#sendsiteinfotoimproveservices
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f
-
name: Disable Automatic Installation of Microsoft Edge Chromium
docs:
- https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate
- https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit
code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f
-
name: Disable live tile data collection
recommend: standard
docs:
- https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection
code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f
-
name: Disable MFU tracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 0 /f
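-
  name: Disable recent apps
  recommend: standard
  docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps
  code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f
  # "/d 0 /f" needs the space: written as "0/f" the whole token is taken as the data value and no
  # /f is seen, so reg prompts before overwriting instead of silently reverting the value.
  revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0 /f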
-
name: Turn off backtracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f
-
name: Disable Search Suggestions in Edge
docs:
- https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f
-
category: Configure Internet Explorer
children:
-
name: Disable Geolocation in Internet Explorer
recommend: standard
code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f
-
name: Disable Internet Explorer InPrivate logging
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f
-
  name: Disable Internet Explorer CEIP
  recommend: standard
  docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492
  # NOTE(review): writing 0 to a value named "Disable..." looks inverted, but 0 appears to be the
  # value the linked STIG check expects for this policy — confirm there before flipping it to 1.
  code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
  revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f
-
name: Disable calling legacy WCM policies
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f
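-
  name: Disable SSLv3 fallback
  recommend: standard
  docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729
  code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f
  # The revert must undo the same machine-wide policy value the script sets; removing it returns the
  # policy to "not configured" (policy values are absent by default), following the reg delete pattern
  # used by the other policy reverts in this file. The previous revert wrote an unrelated per-user value
  # under HKCU that the forward script never touched, so the policy stayed in place.
  revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /f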
-
name: Disable ignoring cert errors
recommend: standard
docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f
-
category: Configure Google Chrome
children:
-
  name: Disable Chrome Software Reporter Tool
  recommend: standard
  # Two layers: the SwReporter folder gets a deny ACE for Everyone (S-1-1-0) and ANONYMOUS LOGON (S-1-5-7)
  # plus a cacls deny for the current user, and Explorer's DisallowRun policy blocks the executable by name.
  # NOTE(review): the revert below only removes the DisallowRun entry; it leaves the DisallowRun flag set
  # and does not restore the folder ACLs, so reverting is partial. The hard-coded value name "1" is also
  # overwritten with /f, which clobbers any pre-existing DisallowRun entry that happened to use that name.
  code: |-
    icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
    cacls "%localappdata%\Google\Chrome\User Data\SwReporter" /e /c /d %username%
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f
  revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /f
-
category: Chrome cleanup
children:
-
name: Do not share scanned software data to Google (shows "Your browser is managed")
recommend: standard
docs:
- https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled
- https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /f
-
name: Prevent Chrome from scanning the system for cleanup (shows "Your browser is managed")
recommend: standard
docs:
- https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled
- https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /f
-
name: Disable Chrome metrics reporting (shows "Your browser is managed")
recommend: standard
docs: https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f
-
category: Configure Mozilla Firefox telemetry
children:
-
category: Disable default browser agent reporting
children:
-
name: Disable default browser agent reporting policy
recommend: standard
docs: https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/
code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 1 /f
revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 0 /f
-
name: Disable default browser agent reporting services
recommend: standard
code: |-
schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
revertCode: |-
schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
-
name: Disable Firefox metrics reporting
recommend: standard
docs: https://github.com/privacysexy-forks/policy-templates#disabletelemetry
code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 1 /f
revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 0 /f
-
name: Disable Google update service
recommend: standard
code: |-
sc stop "gupdate" & sc config "gupdate" start=disabled
sc stop "gupdatem" & sc config "gupdatem" start=disabled
schtasks /change /disable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /disable /tn "GoogleUpdateTaskMachineUA"
revertCode: |-
sc config "gupdate" start=auto & sc start "gupdate"
sc config "gupdatem" start=auto & sc start "gupdatem"
schtasks /Change /enable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /enable /tn "GoogleUpdateTaskMachineUA"
-
name: Disable Adobe Acrobat update service
recommend: standard
code: |-
sc stop "AdobeARMservice" & sc config "AdobeARMservice" start=disabled
sc stop "adobeupdateservice" & sc config "adobeupdateservice" start=disabled
sc stop "adobeflashplayerupdatesvc" & sc config "adobeflashplayerupdatesvc" start=disabled
schtasks /change /tn "Adobe Acrobat Update Task" /disable
schtasks /change /tn "Adobe Flash Player Updater" /disable
revertCode: |-
sc config "AdobeARMservice" start=auto & sc start "AdobeARMservice"
sc config "adobeupdateservice" start=auto & sc start "adobeupdateservice"
sc config "adobeflashplayerupdatesvc" start=auto & sc start "adobeflashplayerupdatesvc"
schtasks /change /tn "Adobe Acrobat Update Task" /enable
schtasks /change /tn "Adobe Flash Player Updater" /enable
-
name: Disable Razer Game Scanner Service
recommend: standard
code: sc stop "Razer Game Scanner Service" & sc config "Razer Game Scanner Service" start=disabled
revertCode: sc config "Razer Game Scanner Service" start=demand
-
name: Disable Logitech Gaming Registry Service
recommend: standard
code: sc stop "LogiRegistryService" & sc config "LogiRegistryService" start=disabled
revertCode: sc config "LogiRegistryService" start=auto & sc start "LogiRegistryService"
-
name: Disable Dropbox auto update service
recommend: standard
code: |-
sc stop "dbupdate" & sc config "dbupdate" start=disabled
sc stop "dbupdatem" & sc config "dbupdatem" start=disabled
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA"
revertCode: |-
sc config "dbupdate" start=auto & sc start "dbupdate"
sc config "dbupdatem" start=auto & sc start "dbupdatem"
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA"
-
category: Disable Media Player data collection
children:
-
name: Do not send Windows Media Player statistics
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f
-
name: Disable metadata retrieval
recommend: standard
code: |-
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable Windows Media Player Network Sharing Service
recommend: standard
code: sc stop "WMPNetworkSvc" & sc config "WMPNetworkSvc" start=disabled
-
name: Disable CCleaner Monitoring
code: |-
reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f
-
category: Security improvements
children:
-
category: Meltdown and Spectre protection
docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
children:
-
name: Spectre variant 2 and meltdown (own OS)
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
wmic cpu get name | findstr "Intel" >nul && (
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f
)
wmic cpu get name | findstr "AMD" >nul && (
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f
)
revertCode: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f
-
name: Spectre variant 2 and meltdown (HyperV)
code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f
-
  name: Disable administrative shares
  recommend: standard
  # AutoShareWks governs workstation SKUs only; server SKUs use AutoShareServer under the same key, which
  # this entry does not set. The change typically takes effect once the Server (LanmanServer) service
  # restarts, and it breaks tooling that relies on ADMIN$/C$ for remote administration.
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f
-
name: Force enable data execution prevention (DEP)
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f
-
name: Disable AutoPlay and AutoRun
docs:
- https://en.wikipedia.org/wiki/AutoRun
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673
recommend: standard
code: |-
:: 255 (0xff) means all drives
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f
-
name: Disable Remote Assistance
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f
-
name: Disable lock screen camera
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f
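-
  name: Prevent the storage of the LAN Manager hash of passwords
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797
  code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f
  # NoLMHash is a 0/1 flag; the revert previously wrote 10, an evident typo for 0, so it never
  # cleared the setting. Note that re-allowing LM hash storage weakens credential protection.
  revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 0 /f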
-
name: Disable Windows Installer Always install with elevated privileges
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f
-
  name: Prevent WinRM from using Basic Authentication
  recommend: standard
  docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335
  # This sets the WinRM *client* policy only; the service-side counterpart (WinRM\Service\AllowBasic)
  # is a separate value and is not touched here.
  code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f
  revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f
-
name: Restrict anonymous enumeration of shares
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f
-
name: Refuse less secure authentication
recommend: standard
docs:
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801
- https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f
-
name: Enable Structured Exception Handling Overwrite Protection (SEHOP)
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f
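-
name: Block Anonymous enumeration of SAM accounts
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745
# RestrictAnonymousSAM is an LSA setting and lives under ...\Control\Lsa (see the linked STIG), next to
# RestrictAnonymous in the entry above. Writing it under "Session Manager\kernel" creates an unrelated
# value that the LSA does not consult, so the protection was not actually applied.
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f
# NOTE(review): current Windows releases ship with RestrictAnonymousSAM=1, so reverting to 0 lowers the
# baseline rather than restoring it — deleting the value may be the better revert; confirm on the target OS.
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d 0 /f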
-
name: Restrict anonymous access to Named Pipes and Shares
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 0 /f
-
category: Disable unsafe features
children:
-
name: Disable unsafe SMBv1 protocol
recommend: standard
docs: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
code: |-
dism /online /Disable-Feature /FeatureName:"SMB1Protocol" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart
revertCode: |-
dism /online /Enable-Feature /FeatureName:"SMB1Protocol" /NoRestart
dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart
dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart
-
name: Disable PowerShell 2.0 against downgrade attacks
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637
code: |-
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart
revertCode: |-
dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart
dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart
-
name: Disable the Windows Connect Now wizard
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now
- https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f
-
category: Increase cryptography on IIS
children:
-
name: Increase Diffie-Hellman key (DHK) exchange to 4096-bit
# 0x00001000 is 4096 decimal. Both the server-side and the client-side minimum are raised.
# NOTE(review): ClientMinKeyBitLength also governs what this machine accepts when it is the TLS client;
# with a 4096-bit floor, handshakes to servers that offer smaller DHE groups (2048-bit is still common)
# are expected to fail — confirm this is acceptable before recommending it broadly.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ServerMinKeyBitLength /t REG_DWORD /d 0x00001000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00001000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v Enabled /t REG_DWORD /d 0x00000001
# Revert removes the values rather than writing a previous value, so Schannel falls back to its defaults.
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f
-
name: Disable RC2 cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v "Enabled" /f
-
name: Disable RC4 cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v "Enabled" /f
-
name: Disable DES cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v "Enabled" /f
-
name: Disable 3DES (Triple DES) cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" /f
-
name: Disable MD5 hash function
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v "Enabled" /f
-
name: Disable SHA1
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /v "Enabled" /f
-
name: Disable null cipher
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v "Enabled" /f
-
name: Force not to respond to renegotiation requests
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoClients /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoServers /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v DisableRenegoOnServer /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v UseScsvForTls /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnServer" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f
-
name: Disable DTLS 1.0
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "DisabledByDefault" /f
-
name: Disable DTLS 1.1
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f
-
# NOTE(review): the support claim in the trailing comment needs verifying against Microsoft's Schannel
# protocol-support matrix; if Schannel does not implement DTLS 1.3 these keys are inert (harmless, but
# misleading to users who read "Enable" as "now in use"). Unlike its siblings this entry cites no docs.
name: Enable DTLS 1.3 # Windows 10 and Windows 10 Server version 1903 and newer support DTLS 1.3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Disable TLS 1.0
docs: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls # After disabling TLS 1.0, SchUseStrongCrypto must be (and is, below) enabled for .NET Framework apps
# The .NET Framework values below are the same ones written by
# "Enabling Strong Authentication for .NET applications (TLS 1.2)" further down; they are repeated here
# so that disabling TLS 1.0 on its own does not leave .NET apps unable to negotiate a newer version.
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
# NOTE(review): this revert also deletes the shared .NET values, so reverting "Disable TLS 1.0" undoes
# "Enabling Strong Authentication for .NET applications (TLS 1.2)" even when the user still wants it.
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
-
name: Disable TLS 1.1
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f
-
name: Enable TLS 1.3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Enabling Strong Authentication for .NET applications (TLS 1.2)
docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications
code: |-
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
-
name: Disable SSLv2
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f
-
name: Disable SSLv3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f
-
category: Privacy over security
children:
-
category: Disable Windows Defender
docs: https://en.wikipedia.org/wiki/Windows_Firewall
# See defender status: Get-MpComputerStatus
children:
-
category: Disable Windows Defender Firewall # Also known as Windows Firewall, Microsoft Defender Firewall
children:
-
name: Disable Firewall through command-line utility
docs: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
code: netsh advfirewall set allprofiles state off
revertCode: netsh advfirewall set allprofiles state on
-
name: Disable Firewall through registry # Lower-level; useful when the command-line utility is unavailable or not working
docs:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2
code: |-
:: Policy based
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
:: Non-policy based
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
revertCode: |-
:: Policy based
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
:: Non-policy based
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
-
name: Disable Microsoft Defender Antivirus # Deprecated since Windows 10 version 1903
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul
-
category: Disable Defender features
children:
-
category: Disable Windows Defender Antivirus cloud protection service
docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus
# Also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet
children:
-
category: Disable cloud protection service features
children:
-
name: Turn off block at first sight
docs:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableBlockAtFirstSeen $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableBlockAtFirstSeen $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "0" /f
-
name: Set maximum time possible for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required"
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /f 2>nul
-
name: Set lowest possible cloud protection level # Requires "Join Microsoft MAPS"
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul
-
name: Disable receiving notifications to disable security intelligence # Requires "Join Microsoft MAPS"
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul
-
category: Disable Defender cloud export for analysis
children:
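-
name: Turn off Windows Defender SpyNet reporting
recommend: strict
docs:
- https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
# Preference-level change through the Defender cmdlet; the catch keeps the script going on hosts
# without the Defender module. A revert is provided so this step mirrors "Turn off block at first sight"
# instead of leaving the preference at Disabled after the registry policy is reverted.
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -MAPSReporting 'Disabled' } catch { Write-Warning 'Function not found'; exit 1 }
# 'Basic' corresponds to the registry value 1 written by the revert below.
revertCode: try { Set-MpPreference -Force -MAPSReporting 'Basic' } catch { Write-Warning 'Function not found'; exit 1 }
-
# Policy-level change; policy takes precedence over the preference set above.
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 1 /f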
-
name: Do not send file samples for further analysis
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -SubmitSamplesConsent 'NeverSend' } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 1 /f
-
name: Disable Malicious Software Reporting tool diagnostic data
recommend: strict
docs: https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 0 /f
-
name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS"
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul
-
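name: Disable the Potentially Unwanted Application (PUA) feature
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus?view=o365-worldwide
- https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/
- https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -PUAProtection 'Disabled' } catch { Write-Warning 'Function not found'; exit 1 }
# Revert must turn the feature back on: `$False` coerces to 0, which is the same 'Disabled' state the
# forward step applies, so it would not undo anything. Use the named 'Enabled' state instead.
revertCode: try { Set-MpPreference -Force -PUAProtection 'Enabled' } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: |-
:: For legacy versions: Windows 10 v1809 and Windows Server 2019
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
:: For newer Windows versions
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f
revertCode: |-
:: For legacy versions: Windows 10 v1809 and Windows Server 2019
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /f 2>nul
:: For newer Windows versions
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul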
-
name: Turn off tamper protection # Added in Windows 10, version 1903
docs:
- https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10
- https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-tamperprotection
call:
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /f 2>nul
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /f 2>nul
-
name: Disable file hash computation feature # Added in Windows 10, version 2004
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation
- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul
-
category: Disable Windows Defender Exploit Guard
docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
children:
-
name: Disable prevention of users and apps from accessing dangerous websites
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul
-
name: Disable Controlled folder access
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "1" /f
-
category: Disable Network Inspection System features
children:
-
name: Disable protocol recognition
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /f 2>nul
-
name: Disable definition retirement
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul
-
name: Limit detection events rate to minimum
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /f 2>nul
-
category: Disable Real-Time protection
children:
-
name: Disable real-time monitoring
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableRealtimeMonitoring $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableRealtimeMonitoring $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "0" /f
-
name: Disable Intrusion Prevention System (IPS)
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableIntrusionPreventionSystem $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableIntrusionPreventionSystem $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /f 2>nul
-
name: Disable Information Protection Control (IPC)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /f 2>nul
-
category: Disable Defender monitoring of behavior
children:
-
name: Disable behavior monitoring
docs:
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
- # Status: Get-MpComputerStatus | Select-Object -Property BehaviorMonitorEnabled
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableBehaviorMonitoring $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableBehaviorMonitoring $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "0" /f
-
name: Disable sending raw write notifications to behavior monitoring
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "0" /f
-
category: Disable Defender monitoring of downloaded files and attachments
children:
-
name: Disable scanning for all downloaded files and attachments
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableIOAVProtection $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableIOAVProtection $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "0" /f
-
name: Disable scanning files bigger than 1 KB (minimum possible)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul
-
category: Disable Defender monitoring of file and program activity
children:
-
name: Disable monitoring file and program activity
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul
-
name: Disable bidirectional scanning of incoming and outgoing file and program activity
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
# 0: bi-directional (full on-access), 1: scan only incoming (disable on-open), 2: scan only outgoing (disable on-close)
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -RealTimeScanDirection 1 } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -RealTimeScanDirection 0 } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealtimeScanDirection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealtimeScanDirection" /f 2>nul
-
name: Disable process scanning on real-time protection
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "0" /f 2>nul
-
category: Disable Defender remediation
children:
-
name: Disable routine remediation
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#admx-microsoftdefenderantivirus-disableroutinelytakingaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "0" /f
-
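name: Disable running scheduled auto-remediation
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
# Schedule-day value 8 = Never, the same value the PowerShell step below passes; the policy and the
# cmdlet share one day enumeration, so both steps must use it (confirm against the ADMX reference).
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -RemediationScheduleDay 8 } catch { Write-Warning 'Function not found'; exit 1 }
# Clear the preference on revert, mirroring the registry step's delete, instead of leaving it unrevertable.
revertCode: Remove-MpPreference -Force -RemediationScheduleDay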
-
name: Disable remediation actions
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: # Not using ThreatIdDefaultAction as it requires known threat IDs
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -UnknownThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -UnknownThreatDefaultAction
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -LowThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -LowThreatDefaultAction
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -ModerateThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -ModerateThreatDefaultAction
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -HighThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -HighThreatDefaultAction
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -SevereThreatDefaultAction 'NoAction' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: Remove-MpPreference -Force -SevereThreatDefaultAction
-
function: RunInlineCode
parameters:
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f
:: 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition)
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f
revertCode: |-
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul
-
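name: Auto-purge items from Quarantine folder
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
# 30 is the default, 1 is the minimum, 0 means indefinitely
call:
-
function: RunPowerShell
parameters:
# The preference is a number of days, not a switch: pass the minimum (1) explicitly, matching the
# registry step below, and restore the documented default (30) on revert instead of an empty string.
code: try { Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1 } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 30 } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /f 2>nul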
-
name: Disable always running antimalware service
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul
# - Too good to disable
# category: Disable Windows Defender Device Guard and Credential Guard
# docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419
# children:
# -
# name: Disable LSA protection (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
# - https://itm4n.github.io/lsass-runasppl/
# - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# code: |-
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
# reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
# revertCode: |-
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
# reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
# -
# name: Disable virtualization-based security (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
# code: |-
# :: Virtualization features
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul
# :: Lock
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul
# :: HypervisorEnforcedCodeIntegrity
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f 2>nul
# revertCode: |-
# :: Virtualization features
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
# :: Lock
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /t REG_DWORD /d 1 /f
# :: HypervisorEnforcedCodeIntegrity
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
# -
# name: Disable System Guard Secure Launch
# docs:
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection
# - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch
# code: |-
# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 2 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 0 /f
# revertCode: |-
# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 1 /f
# -
# name: Disable Windows Defender Application Control Code Integrity Policy
# docs:
# - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# code: |-
# del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 0 /f
# revertCode: |-
# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 1 /f
-
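name: Disable auto-exclusions
docs:
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableAutoExclusions $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableAutoExclusions $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
# Type name written as REG_DWORD for consistency with every other reg add in this collection.
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t REG_DWORD /d "0" /f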
-
category: Disable Defender scans
children:
-
category: Disable scan actions
children:
-
name: Disable checking for signatures before scan
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
# NOTE(review): the two steps below point in opposite directions — the cmdlet is given $False (do not check)
# while the registry policy is set to 1 (which, per the ADMX reference, reads as "Enabled": check before scan).
# One of them looks inverted; confirm against the linked policy description before relying on this script.
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $True } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
# Presumably intended to be 0 here to match the $False above — verify.
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul
-
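name: Disable creating system restore point on a daily basis
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
# Both steps must agree on direction: the registry step sets DisableRestorePoint to 1 (disable), so the
# PowerShell step passes $True here; $False would re-enable the daily restore point instead.
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableRestorePoint $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableRestorePoint $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul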
-
name: Set minimum time for keeping files in scan history folder
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call: # Default is 15, minimum is 0 which means never removing items
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1 } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15 } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /f 2>nul
-
category: Disable catch-up scans
children:
-
name: Set maximum days before a catch-up scan is forced
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup
# Default and minimum is 2, maximum is 20
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /f 2>nul
-
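name: Disable catch-up full scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
# This entry is about full scans (see the registry value below); the quick-scan preference has its own
# entry further down. The cmdlet therefore targets DisableCatchupFullScan and passes $True (disable),
# matching the registry step, with $False on revert.
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableCatchupFullScan $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableCatchupFullScan $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "0" /f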
-
name: Disable catch-up quick scans
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul
-
category: Turn off scan options
children:
-
name: Disable scan heuristics
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul
-
category: Limit CPU usage during scans
children:
-
name: Limit CPU usage during scans to minimum
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -ScanAvgCPULoadFactor 1 } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -ScanAvgCPULoadFactor 50 } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul
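-
  name: Limit CPU usage during idle scans to minimum
  docs: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
  call:
    -
      function: RunPowerShell
      parameters:
        # $False keeps CPU throttling active for idle scans; this matches the registry value "0" set below
        code: try { Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False } catch { Write-Warning 'Function not found'; exit 1 }
        revertCode: try { Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True } catch { Write-Warning 'Function not found'; exit 1 }
    -
      function: RunInlineCode
      parameters:
        code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f
        revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "1" /f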
-
name: Disable scanning when not idle
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -ScanOnlyIfIdleEnabled $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul
-
name: Disable scheduled On Demand anti malware scanner (MRT)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 0 /f
-
category: Limit scanned areas
children:
-
name: Disable e-mail scanning
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableEmailScanning $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableEmailScanning $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /f 2>nul
-
name: Disable script scanning
docs: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableScriptScanning $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableScriptScanning $False } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Disable reparse point scanning
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul
-
name: Disable scanning on mapped network drives on full-scan
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Disable scanning network files
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableScanningNetworkFiles $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableScanningNetworkFiles $False } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Disable scanning packed executables
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /f 2>nul
-
category: Disable scanning archive files
children:
-
name: Disable scanning archive files
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableArchiveScanning $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableArchiveScanning $False } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Limit depth for scanning archive files to minimum
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul
-
name: Limit file size for archive files to be scanned to minimum
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul
-
name: Disable scanning removable drives
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableRemovableDriveScanning $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableRemovableDriveScanning $False } catch { Write-Warning 'Function not found'; exit 1 }
-
category: Disable auto-scans
children:
-
name: Disable scheduled scans # Already disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul
-
function: RunPowerShell
parameters:
# Default is also 8: never
code: try { Set-MpPreference -Force -ScanScheduleDay 8 } catch { Write-Warning 'Function not found'; exit 1 }
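-
  name: Disable randomizing scheduled task times
  docs:
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes
    - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
  call:
    -
      function: RunInlineCode
      parameters:
        # Boolean policy value: "0" disables randomization, matching the PowerShell call below ($False)
        code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f
        revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul
    -
      function: RunPowerShell
      parameters:
        code: try { Set-MpPreference -Force -RandomizeScheduleTaskTimes $False } catch { Write-Warning 'Function not found'; exit 1 }
        revertCode: try { Set-MpPreference -Force -RandomizeScheduleTaskTimes $True } catch { Write-Warning 'Function not found'; exit 1 }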
-
name: Disable scheduled full-scans
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -ScanParameters "QuickScan" } catch { Write-Warning 'Function not found'; exit 1 }
# (Registry revert should be enough) revertCode: try { Set-MpPreference -Force -ScanParameters "FullScan" } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Limit how many times quick scans run per day
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul
-
name: Disable scanning after security intelligence (signature) update
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul
-
category: Limit Defender updates
children:
-
category: Disable Defender Security Intelligence (signature) updates
children:
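-
  name: Disable forced security intelligence (signature) updates from Microsoft Update
  docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU
  # "1" would enable the policy (force downloads from Microsoft Update); "0" disables it
  code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 0 /f
  revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /f 2>nul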
-
name: Disable security intelligence (signature) updates when running on battery power
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul
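-
  name: Disable checking for the latest virus and spyware security intelligence (signature) on startup
  docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup
  # "1" would enable the startup check; "0" disables it
  code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 0 /f
  revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /f 2>nul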
-
name: Limit catch-up security intelligence (signature) updates # default is one day
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d 4294967295 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -SignatureUpdateCatchupInterval 4294967295 } catch { Write-Warning 'Function not found'; exit 1 }
# (Registry revert should be enough) revertCode: try { Set-MpPreference -Force -SignatureUpdateCatchupInterval "" } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Limit spyware security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when spyware security intelligence (signature) is considered up-to-date
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul
-
name: Limit virus security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when virus security intelligence (signature) is considered up-to-date
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /f 2>nul
-
name: Disable security intelligence (signature) update on startup
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True } catch { Write-Warning 'Function not found'; exit 1 }
# (Registry revert should be enough) revertCode: try { Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Disable automatically checking security intelligence (signature) updates
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d 8 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -SignatureScheduleDay "8" } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Limit update checks for security intelligence (signature) updates
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -SignatureUpdateInterval "24" } catch { Write-Warning 'Function not found'; exit 1 }
# (Registry revert should be enough) revertCode: try { Set-MpPreference -Force -SignatureUpdateInterval "" } catch { Write-Warning 'Function not found'; exit 1 }
-
category: Disable alternate definition updates
children:
-
name: Disable definition updates through both WSUS and the Microsoft Malware Protection Center
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul
-
name: Disable definition updates through both WSUS and Windows Update
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul
-
name: Limit Defender updates to those that complete gradual release cycle
docs: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisableGradualRelease $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisableGradualRelease $False } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Limit Defender engine updates to those that complete gradual release cycle
docs: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: RunPowerShell
parameters:
# Value "Delayed" is not generally supported
code: try { Set-MpPreference -Force -EngineUpdatesChannel 'Broad' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -EngineUpdatesChannel 'NotConfigured' } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Limit Defender platform updates to those that complete gradual release cycle
docs: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: RunPowerShell
parameters:
# Value "Delayed" is not generally supported
code: try { Set-MpPreference -Force -PlatformUpdatesChannel 'Broad' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -PlatformUpdatesChannel 'NotConfigured' } catch { Write-Warning 'Function not found'; exit 1 }
-
name: Limit Defender definition updates to those that complete gradual release cycle
docs: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: RunPowerShell # Parameter "DefinitionUpdatesChannel" is not generally supported
parameters:
code: try { Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad' } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DefinitionUpdatesChannel 'NotConfigured' } catch { Write-Warning 'Function not found'; exit 1 }
-
category: Disable Windows Defender reporting
children:
-
name: Disable Windows Defender logging
code: |-
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
revertCode: |-
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
-
name: Disable ETW Provider of Windows Defender (Windows Event Logs)
docs:
- https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-views
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f
-
name: Do not send Watson events
# Deprecated since February 2015 update http://support.microsoft.com/kb/3036437
docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul
-
name: Send minimum Windows software trace preprocessor (WPP Software Tracing) levels
docs:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /f 2>nul
-
name: Disable auditing events in Microsoft Defender Application Guard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul
-
category: Remove Defender from UI
children:
-
name: Hide Windows Defender Security Center icon
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "0" /f
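-
  name: Remove "Scan with Windows Defender" option from context menu
  docs:
    - https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/
    - https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html
  code: |-
    reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul
    reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f 2>nul
    reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
  # The ThreadingModel value is restored under HKLM\SOFTWARE\Classes (the key the code above
  # clears with /va); there is no "SOFTWARE\Classes" subtree under HKCR
  revertCode: |-
    reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
    reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
    reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
    reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
    reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
    reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f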
-
name: Remove Windows Defender Security Center from taskbar
docs: https://www.alfintechcomputer.com/what-is-securityhealthsystray-exe-windows-security-notification-icon/
code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f
-
category: Hide Defender UI
children:
-
name: Enable headless UI mode
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -UILockdown $True } catch { Write-Warning 'Function not found'; exit 1 }
# (Registry revert should be enough) revertCode: try { Set-MpPreference -Force -UILockdown $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul
-
name: Restrict threat history to administrators
docs: https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: RunPowerShell
parameters:
code: try { Set-MpPreference -Force -DisablePrivacyMode $True } catch { Write-Warning 'Function not found'; exit 1 }
revertCode: try { Set-MpPreference -Force -DisablePrivacyMode $False } catch { Write-Warning 'Function not found'; exit 1 }
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul
-
category: Hide areas in Windows Defender Security Center
children:
-
name: Hide the "Virus and threat protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul
-
name: Hide the "Ransomware data recovery" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul
-
name: Hide the "Family options" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul
-
name: Hide the "Device performance and health" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul
-
name: Hide the "Account protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul
-
name: Hide the "App and browser protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul
-
category: Hide the Device security areas
children:
-
name: Hide the Device security area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul
-
name: Disable the Clear TPM button
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul
-
name: Disable the Secure boot area button
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul
-
name: Hide the Security processor (TPM) troubleshooter page
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul
-
name: Hide the TPM Firmware Update recommendation
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul
-
name: Hide the "Firewall and network protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FirewallNetworkProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul
-
category: Hide Windows Defender notifications
children:
-
category: Hide Windows Defender Security Center notifications
docs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications
children:
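-
    name: Hide all notifications
    docs:
        - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disablenotifications
        - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications
    # Writes the policy value and the non-policy value under the same relative path.
    code: |-
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    # Both values that `code` sets to 1 are set back to 0; writing 1 again for the
    # non-policy value would leave notifications hidden after a revert.
    revertCode: |-
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "0" /f
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "0" /f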
-
name: Hide non-critical notifications
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disableenhancednotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul
-
name: Disable Windows Action Center security and maintenance notifications # For Windows 10 build 1607 and above
docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "1" /f
-
name: Disable all Windows Defender Antivirus notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress
# NOTE(review): the "Suppress reboot notifications" entry below writes the same
# "Windows Defender\UX Configuration" policy path under HKLM, and the linked ADMX
# policy is a Computer Configuration policy; the HKCU writes here may have no
# effect — confirm the hive before relying on this entry.
code: |-
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
revertCode: |-
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "0" /f
-
name: Suppress reboot notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul
-
category: Disable OS components for Defender # Hackers way of disabling Defender
children:
-
category: Disable Defender tasks
children:
-
name: Disable Windows Defender ExploitGuard task
docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
code: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable
-
name: Disable Windows Defender Cache Maintenance task
# The cache is the storage for temporary files that Windows Defender has quarantined
# or is still checking. Running this task clears that cache.
docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
-
name: Disable Windows Defender Cleanup task
docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
# Periodic cleanup task
# Clears up files that are not needed anymore by Windows Defender.
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable
-
name: Disable Windows Defender Scheduled Scan task # May not exist
docs:
- https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d
- https://winbuzzer.com/2020/05/26/windows-defender-how-to-perform-a-scheduled-scan-in-windows-10-xcxwbt/
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable
-
name: Disable Windows Defender Verification task
# Checks for problems with Windows Defender (updates, system files, etc.)
# Creates daily restore points
docs:
- https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
- https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426
- https://www.windowsphoneinfo.com/threads/same-problems-with-windows-defender-verification-and-scan-tasks.121489/#Same_problems_with_Windows_Defender_Verification_and_Scan_Tasks
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable
-
category: Disable Defender services and drivers
# Normally users can disable services through the GUI or with commands like "sc config".
# Defender services, however, are protected in different ways:
# 1. Some cannot be disabled normally (access error), only with DisableServiceInRegistry
# 2. Some cannot be disabled even with DisableServiceInRegistry and must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller
children:
-
name: Disable Windows Defender Firewall service
docs: http://batcmd.com/windows/10/services/mpssvc/
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: MpsSvc
defaultStartUpMode: 2 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
function: RenameSystemFile
parameters:
filePath: '%WinDir%\system32\mpssvc.dll'
-
name: Disable Windows Defender Antivirus service
docs: http://batcmd.com/windows/10/services/windefend/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WinDefend" >nul & sc config "WinDefend" start=disabled
revertCode: sc config "WinDefend" start=auto & sc start "WinDefend" >nul
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%ProgramFiles%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
-
category: Disable kernel-level Windows Defender drivers
children:
-
name: Disable Windows Defender Firewall Authorization Driver service
docs: http://batcmd.com/windows/10/services/mpsdrv/
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: mpsdrv
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\mpsdrv.sys'
# - Skipping wdnsfltr "Windows Defender Network Stream Filter Driver" as it's Windows 1709 only
-
name: Disable Microsoft Defender Antivirus Network Inspection System Driver service
docs: http://batcmd.com/windows/10/services/wdnisdrv/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
# "net stop" is used so that dependent services are stopped as well; "sc stop" fails
code: net stop "WdNisDrv" /yes >nul & sc config "WdNisDrv" start=disabled
revertCode: sc config "WdNisDrv" start=demand & sc start "WdNisDrv" >nul
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\WdNisDrv.sys'
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%SystemRoot%\System32\drivers\wd\WdNisDrv.sys'
-
name: Disable Microsoft Defender Antivirus Mini-Filter Driver service
docs:
- https://www.n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
- http://batcmd.com/windows/10/services/wdfilter/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdFilter" >nul & sc config "WdFilter" start=disabled
revertCode: sc config "WdFilter" start=boot & sc start "WdFilter" >nul
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\WdFilter.sys'
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%SystemRoot%\System32\drivers\wd\WdFilter.sys'
-
name: Disable Microsoft Defender Antivirus Boot Driver service
docs: http://batcmd.com/windows/10/services/wdboot/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdBoot" >nul & sc config "WdBoot" start=disabled
revertCode: sc config "WdBoot" start=boot & sc start "WdBoot" >nul
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\WdBoot.sys'
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%SystemRoot%\System32\drivers\wd\WdBoot.sys'
-
name: Disable Microsoft Defender Antivirus Network Inspection service
docs:
- http://batcmd.com/windows/10/services/wdnissvc/
- https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdNisSvc" >nul & sc config "WdNisSvc" start=disabled
revertCode: sc config "WdNisSvc" start=auto & sc start "WdNisSvc" >nul
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%ProgramFiles%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
-
name: Disable Windows Defender Advanced Threat Protection Service service
docs: http://batcmd.com/windows/10/services/sense/
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: Sense
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
function: RenameSystemFile
parameters:
filePath: '%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe'
-
name: Disable Windows Defender Security Center Service
docs: http://batcmd.com/windows/10/services/securityhealthservice/
call:
-
# Windows 10:
# ❌ Cannot disable through sc config as Administrator; throws "Access is denied"
# ✔️ Can disable using registry as Administrator; "DisableServiceInRegistry" function works
# ✔️ Can disable using registry as TrustedInstaller
# Windows 11:
# ❌ Cannot disable through sc config as administrator; throws "Access is denied"
# ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed."
# ✔️ Can disable using registry as TrustedInstaller
function: RunInlineCodeAsTrustedInstaller
parameters:
code: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
revertCode: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 3 /f
-
function: RenameSystemFile
parameters:
filePath: '%WinDir%\system32\SecurityHealthService.exe'
-
category: Disable SmartScreen
docs:
- https://en.wikipedia.org/wiki/Microsoft_SmartScreen
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview
children:
-
category: Disable SmartScreen for apps and files
children:
-
name: Disable SmartScreen for apps and files
docs:
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "1" /f
-
name: Disable SmartScreen in file explorer
docs:
- https://winaero.com/change-windows-smartscreen-settings-windows-10/
- https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
-
name: Disable SmartScreen preventing users from running applications
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /f 2>nul
-
category: Disable SmartScreen in Microsoft browsers
children:
-
name: Prevent Chromium Edge SmartScreen from blocking potentially unwanted apps
docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "1" /f
-
name: Disable SmartScreen in Edge
docs:
- https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ # Privacy concerns
- https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen
- https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreen-settings
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713
- https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
:: For Microsoft Edge version 77 or later
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "1" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "1" /f
:: For Microsoft Edge version 77 or later
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /f 2>nul
-
name: Disable SmartScreen in Internet Explorer
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /f 2>nul
-
category: Disable SmartScreen for Windows Store apps
children:
-
name: Turn off SmartScreen App Install Control feature
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f
revertCode: |-
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul
-
name: Turn off SmartScreen to check web content (URLs) that apps use
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f
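-
    name: Disable automatic updates
    docs: https://docs.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152
    # NoAutoUpdate: 0 keeps Automatic Updates enabled so AUOptions applies; 1 turns it off entirely.
    # AUOptions: 2 = notify before download, 3 = auto download and notify before install.
    # ScheduledInstallDay/ScheduledInstallTime only apply when AUOptions is 4 (scheduled install).
    # With NoAutoUpdate at 0 the registry part only switches AU to notify-before-download;
    # stopping and disabling UsoSvc (Update Orchestrator Service) is what halts Windows
    # Update activity, including security updates, until this entry is reverted.
    code: |-
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
        sc stop "UsoSvc" & sc config "UsoSvc" start=disabled
    # Revert removes the policy values so Windows Update falls back to its defaults.
    # Writing NoAutoUpdate=1 here would disable automatic updates instead of restoring them.
    revertCode: |-
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /f 2>nul
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /f 2>nul
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
        reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
        sc config "UsoSvc" start=auto & sc start "UsoSvc"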
-
category: UI for privacy
children:
-
name: Disable lock screen app notifications
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687
-
category: Disable online content in explorer
children:
-
name: Disable online tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f
-
name: Turn off Internet File Association service
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f
-
name: Turn off the "Order Prints" picture task
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f
-
name: Disable the file and folder Publish to Web option
recommend: standard
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f
-
name: Prevent downloading a list of providers for wizards
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f
-
category: Recent documents
children:
-
name: Do not keep history of recently opened documents
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f
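-
    name: Clear history of recently opened documents on exit
    recommend: strict
    docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit
    code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f
    # 0 turns the policy back off; the previous revert value "01" is read by reg.exe
    # as 1 and therefore left the policy enabled.
    revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 0 /f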
-
name: Disable Live Tiles push notifications
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification
code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f
-
name: Turn off "Look For An App In The Store" option
recommend: standard
docs:
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f
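-
    name: Do not show recently used files in Quick Access
    recommend: strict
    docs:
        - https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent
        - https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5
        - https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node
    # ShowRecent=0 hides recent files; the {3134ef9c-...} key appears to be the
    # Recent/Frequent delegate-folder registration (second docs link), removed from
    # the native view and, on 64-bit Windows, from its Wow6432Node mirror as well.
    # "2>nul" keeps a repeated run quiet when the key is already gone.
    code: |-
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t "REG_DWORD" /f
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f 2>nul
        if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
            reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f 2>nul
        )
    # The "|-" block indicator is required: without it the lines below fold into one
    # plain scalar and run as a single batch line, where REM swallows everything after it.
    revertCode: |-
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d "1" /t "REG_DWORD" /f
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
        if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
            reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
        )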
-
name: Disable Sync Provider Notifications
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f
-
name: Turn hibernate off to disable sleep for quick start
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/compact-os#ram-pagefilesys-and-hiberfilsys
code: powercfg -h off
revertCode: powercfg -h on
-
name: Enable camera on/off OSD notifications
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled
- https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5
- https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e
code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /d 1 /t REG_DWORD /f
revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f
-
category: Hide from This PC and Browse in dialog boxes
children:
-
name: 3D Objects
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Desktop
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Documents
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Downloads
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Movies
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Music
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Pictures
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
category: Disable OS services
children:
-
name: Delivery Optimization (P2P Windows Updates)
recommend: standard
code: sc stop "DoSvc" & sc config "DoSvc" start=disabled
revertCode: sc config "DoSvc" start=auto & sc start "DoSvc"
-
name: Microsoft Windows Live ID Service # wlidsvc (Microsoft Account Sign-in Assistant). NOTE: code and revertCode both set start=demand, which is already the default, so this entry only stops the service for the current session; it does not disable it
recommend: standard
code: sc stop "wlidsvc" & sc config "wlidsvc" start=demand
revertCode: sc config "wlidsvc" start=demand
-
name: Program Compatibility Assistant Service
recommend: standard
code: sc stop "PcaSvc" & sc config "PcaSvc" start=disabled
revertCode: sc config "PcaSvc" start=demand
-
name: Downloaded Maps Manager
recommend: standard
code: sc stop "MapsBroker" & sc config "MapsBroker" start=disabled
revertCode: sc config "MapsBroker" start=auto & sc start "MapsBroker"
-
name: Microsoft Retail Demo experience
recommend: standard
code: sc stop "RetailDemo" & sc config "RetailDemo" start=disabled
revertCode: sc config "RetailDemo" start=demand
-
category: Mail, contact, calendar and user data synchronization
children:
-
name: User Data Storage (UnistoreSvc) Service
recommend: strict
call:
function: DisablePerUserService
parameters:
serviceName: UnistoreSvc
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
name: Sync Host (OneSyncSvc) Service
recommend: strict
call:
function: DisablePerUserService
parameters:
serviceName: OneSyncSvc
defaultStartUpMode: 2 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
name: Contact data indexing
call:
function: DisablePerUserService
parameters:
serviceName: PimIndexMaintenanceSvc
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
name: App user data access
call:
function: DisablePerUserService
parameters:
serviceName: UserDataSvc
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
name: Text messaging
call:
function: DisablePerUserService
parameters:
serviceName: MessagingService
defaultStartUpMode: 3 # 0: Boot | 1: System | 2: Automatic | 3: Manual | 4: Disabled
-
name: Windows Push Notification Service # WpnService also backs local toast notifications and Action Center, not only WNS cloud push; expect notifications to stop entirely
recommend: standard
docs: https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue
code: sc stop "WpnService" & sc config "WpnService" start=disabled
revertCode: sc config "WpnService" start=auto & sc start "WpnService"
-
category: Disable Xbox services
children:
-
name: Xbox Live Auth Manager
recommend: standard
code: sc stop "XblAuthManager" & sc config "XblAuthManager" start=disabled
revertCode: sc config "XblAuthManager" start=demand
-
name: Xbox Live Game Save
recommend: standard
code: sc stop "XblGameSave" & sc config "XblGameSave" start=disabled
revertCode: sc config "XblGameSave" start=demand
-
name: Xbox Live Networking Service
recommend: standard
code: sc stop "XboxNetApiSvc" & sc config "XboxNetApiSvc" start=disabled
revertCode: sc config "XboxNetApiSvc" start=demand
-
name: Disable Volume Shadow Copy Service (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC. Privacy rationale: shadow copies retain data from deleted or overwritten files. Trade-off: those same copies are the usual recovery path after ransomware or accidental deletion, and this also stops any VSS-based backup tool
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
- https://www.schneier.com/blog/archives/2009/12/the_security_im.html
code: sc stop "VSS" & sc config "VSS" start=disabled
revertCode: sc config "VSS" start=demand
-
name: Disable NetBios for all interfaces # NetbiosOptions 2 = disable NetBT (mitigates NBT-NS name poisoning); revertCode writes 0 = default (use DHCP-provided setting), not 1 = force-enable. Only adapters present when the script runs are changed; adapters added later keep the default
docs:
- https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5f3c095-1ad2-4963-b075-787f800b81f2/
call:
function: RunPowerShell
parameters:
code: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
}
revertCode: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose
}
-
category: Remove bloatware
children:
-
category: Uninstall Windows store apps
docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10
children:
-
category: Uninstall provisioned Windows apps
docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#provisioned-windows-apps
children:
-
name: App Connector app
recommend: strict
docs: https://superuser.com/a/1003226
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Appconnector # Discontinued after Windows 10 1511
-
category: Uninstall 3D modeling apps
children:
-
name: Microsoft 3D Builder app
docs: https://www.microsoft.com/en-us/p/3d-builder/9wzdncrfj3t6
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.3DBuilder
-
name: 3D Viewer app
docs: https://www.microsoft.com/en-us/p/3d-viewer/9nblggh42ths
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Microsoft3DViewer
-
category: Uninstall MSN (Bing) apps
children:
-
name: MSN Weather app
docs: https://www.microsoft.com/en-us/p/msn-weather/9wzdncrfj3q2
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingWeather
-
name: MSN Sports app
recommend: standard
docs: https://www.microsoft.com/en-us/p/msn-sports/9wzdncrfhvh4
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingSports
-
name: MSN News app
recommend: standard
docs: https://www.microsoft.com/en-us/p/microsoft-news/9wzdncrfhvfw
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingNews
-
name: MSN Money app
recommend: standard
docs: https://www.microsoft.com/en-us/p/msn-money/9wzdncrfhv4v
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingFinance
-
name: Uninstall Cortana app
recommend: standard
docs: https://www.microsoft.com/en-us/p/cortana/9nffx4szz23l
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.549981C3F5F10
-
name: App Installer app
docs: https://www.microsoft.com/en-us/p/app-installer/9nblggh4nns1
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.DesktopAppInstaller
-
name: Get Help app
docs: https://www.microsoft.com/en-us/p/get-help/9nblgggzhtbj
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.GetHelp
-
name: Microsoft Tips app
docs: https://www.microsoft.com/en-us/p/microsoft-tips/9wzdncrdtbjj
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Getstarted
-
category: Extensions
children:
-
name: HEIF Image Extensions app
docs: https://www.microsoft.com/en-us/p/heif-image-extensions/9pmmsr1cgpwg
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.HEIFImageExtension
-
name: VP9 Video Extensions app
docs: https://www.microsoft.com/en-us/p/vp9-video-extensions/9n4d0msmp0pt
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.VP9VideoExtensions
-
name: Web Media Extensions app
docs: https://www.microsoft.com/en-us/p/web-media-extensions/9n5tdp8vcmhs
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WebMediaExtensions
-
name: Webp Image Extensions app
docs: https://www.microsoft.com/en-us/p/webp-image-extensions/9pg2dk419drg
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WebpImageExtension
-
name: Microsoft Messaging app
docs: https://www.microsoft.com/en-us/p/microsoft-messaging/9wzdncrfjbq6
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Messaging
-
name: Mixed Reality Portal app
docs: https://www.microsoft.com/en-us/p/mixed-reality-portal/9ng1h8b3zc7m
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MixedReality.Portal
-
category: Uninstall Microsoft Office apps
children:
-
name: My Office app
recommend: standard
docs: https://www.microsoft.com/en-us/p/my-office-app/9n8vd0f315mh
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftOfficeHub
-
name: OneNote app
docs: https://www.microsoft.com/en-us/p/onenote-for-windows-10/9wzdncrfhvjl
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Office.OneNote
-
name: Sway app
docs: https://www.microsoft.com/en-us/p/sway/9wzdncrd2g0j
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Office.Sway
-
name: Feedback Hub app
recommend: standard
docs: https://www.microsoft.com/en-us/p/feedback-hub/9nblggh4r32n
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsFeedbackHub
-
name: Windows Alarms and Clock app
docs: https://www.microsoft.com/en-us/p/windows-alarms-clock/9wzdncrfj3pr
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsAlarms
-
name: Windows Camera app
docs: https://www.microsoft.com/en-us/p/windows-camera/9wzdncrfjbbg
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsCamera
-
name: Paint 3D app
docs: https://www.microsoft.com/en-us/p/paint-3d/9nblggh5fv99
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MSPaint
-
name: Windows Maps app
recommend: standard
docs: https://www.microsoft.com/en-us/p/windows-maps/9wzdncrdtbvb
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsMaps
-
name: Minecraft for Windows 10 app
docs: https://www.microsoft.com/en-us/p/minecraft-for-windows-10/9nblggh2jhxj
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MinecraftUWP
-
name: Microsoft Store app
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsStore
-
name: Microsoft People app
docs: https://www.microsoft.com/en-us/p/microsoft-people/9nblggh10pg8
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.People
-
name: Microsoft Pay app
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Wallet
-
name: Store Purchase app
docs: https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.StorePurchaseApp
-
name: Snip & Sketch app
docs: https://www.microsoft.com/en-us/p/snip-sketch/9mz95kl8mr0l
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ScreenSketch
-
name: Print 3D app
docs: https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Print3D
-
name: Mobile Plans app
docs: https://www.microsoft.com/en-us/p/mobile-plans/9nblggh5pnb1
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.OneConnect
-
name: Microsoft Solitaire Collection app
docs: https://www.microsoft.com/en-us/p/microsoft-solitaire-collection/9wzdncrfhwd2
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftSolitaireCollection
-
name: Microsoft Sticky Notes app
docs: https://www.microsoft.com/en-us/p/microsoft-sticky-notes/9nblggh4qghw
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftStickyNotes
-
category: Xbox
children:
-
name: Xbox Console Companion app
docs: https://www.microsoft.com/en-us/p/xbox-console-companion/9wzdncrfjbd8
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxApp
-
name: Xbox Live in-game experience app
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Xbox.TCUI
-
name: Xbox Game Bar app
docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxGamingOverlay
-
name: Xbox Game Bar Plugin app
docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxGameOverlay
-
name: Xbox Identity Provider app
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxIdentityProvider
-
name: Xbox Speech To Text Overlay app
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxSpeechToTextOverlay
-
name: Mail and Calendar app
docs: https://www.microsoft.com/en-us/p/mail-and-calendar/9wzdncrfhvqm
call:
function: UninstallStoreApp
parameters:
packageName: microsoft.windowscommunicationsapps
-
category: Zune
children:
-
name: Groove Music app
docs: https://www.microsoft.com/en-us/p/groove-music/9wzdncrfj3pt
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ZuneMusic
-
name: Movies and TV app
docs: https://www.microsoft.com/en-us/p/movies-tv/9wzdncrfj3p2
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ZuneVideo
-
name: Windows Calculator app
docs: https://www.microsoft.com/en-us/p/windows-calculator/9wzdncrfhvn5
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsCalculator
-
name: Microsoft Photos app
docs: https://www.microsoft.com/en-us/p/microsoft-photos/9wzdncrfjbh4
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Photos
-
name: Skype app
docs: https://www.microsoft.com/en-us/p/skype/9wzdncrfj364
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.SkypeApp
-
name: GroupMe app
docs: https://www.microsoft.com/en-us/p/groupme/9nblggh5z4f2
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.GroupMe10
-
name: Windows Voice Recorder app
docs: https://www.microsoft.com/en-us/p/windows-voice-recorder/9wzdncrfhwkn
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsSoundRecorder
-
category: Phone
children:
-
name: Your Phone Companion app # Deprecated in newer Windows 10
call:
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsPhone
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Phone
-
name: Communications - Phone app # Deprecated in newer Windows 10
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.CommsPhone
-
name: Your Phone app
docs: https://www.microsoft.com/en-us/p/your-phone/9nmpj99vjbwv
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.YourPhone
-
category: Uninstall installed Windows apps
docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#installed-windows-apps
children:
-
name: Microsoft Advertising app
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries
- https://social.msdn.microsoft.com/Forums/windowsapps/en-US/db8d44cb-1381-47f7-94d3-c6ded3fea36f/microsoft-ad-monetization-platform-shut-down-as-of-june-1st?forum=aiamgr
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Advertising.Xaml
-
name: Remote Desktop app
docs: https://www.microsoft.com/en-us/p/microsoft-remote-desktop/9wzdncrfj3ps?activetab=pivot:overviewtab
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.RemoteDesktop
-
name: Network Speed Test app
recommend: standard
docs: https://www.microsoft.com/en-us/p/network-speed-test/9wzdncrfhx52
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.NetworkSpeedTest
-
name: Microsoft To Do app
docs: https://www.microsoft.com/en-us/p/microsoft-to-do-lists-tasks-reminders/9nblggh5r558
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Todos
-
category: Third party
children:
-
name: Shazam app # Discontinued https://www.windowscentral.com/shazam-pulls-plug-windows-apps
call:
function: UninstallStoreApp
parameters:
packageName: ShazamEntertainmentLtd.Shazam
-
name: Candy Crush Saga app
docs: https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846
call:
-
function: UninstallStoreApp
parameters:
packageName: king.com.CandyCrushSaga
-
function: UninstallStoreApp
parameters:
packageName: king.com.CandyCrushSodaSaga
-
name: Flipboard app
docs: https://www.microsoft.com/en-us/p/flipboard/9wzdncrfj32q
call:
function: UninstallStoreApp
parameters:
packageName: Flipboard.Flipboard
-
name: Twitter app
docs: https://www.microsoft.com/en-us/p/twitter/9wzdncrfj140
call:
function: UninstallStoreApp
parameters:
packageName: 9E2F88E3.Twitter
-
name: iHeartRadio app
docs: https://www.microsoft.com/en-us/p/iheartradio/9wzdncrfj223
call:
function: UninstallStoreApp
parameters:
packageName: ClearChannelRadioDigital.iHeartRadio
-
name: Duolingo app
docs: https://www.microsoft.com/en-us/p/duolingo-learn-languages-for-free/9wzdncrcv5xn
call:
function: UninstallStoreApp
parameters:
packageName: D5EA27B7.Duolingo-LearnLanguagesforFree
-
name: Photoshop Express app
docs: https://www.microsoft.com/en-us/p/adobe-photoshop-express-image-editor-adjustments-filters-effects-borders/9wzdncrfj27n
call:
function: UninstallStoreApp
parameters:
packageName: AdobeSystemIncorporated.AdobePhotoshop
-
name: Pandora app
docs: https://www.microsoft.com/en-us/p/pandora/9wzdncrfj46v
call:
function: UninstallStoreApp
parameters:
packageName: PandoraMediaInc.29680B314EFC2
-
name: Eclipse Manager app
docs: https://www.microsoft.com/en-us/p/eclipse-manager/9wzdncrdjmh1
call:
function: UninstallStoreApp
parameters:
packageName: 46928bounde.EclipseManager
-
name: Code Writer app
docs: https://www.microsoft.com/en-us/p/code-writer/9wzdncrfhzdt
call:
function: UninstallStoreApp
parameters:
packageName: ActiproSoftwareLLC.562882FEEB491
-
name: Spotify app
docs: https://www.microsoft.com/en-us/p/spotify-music/9ncbcszsjrsb
call:
function: UninstallStoreApp
parameters:
packageName: SpotifyAB.SpotifyMusic
-
category: Uninstall system apps
docs:
- https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#system-apps
- https://github.com/privacysexy-forks/Windows10Debloater/blob/d4ede6d3225e7def087b389c7e8cf6be0d5e2cd7/Windows10Debloater.ps1#L43-L47
children:
-
name: File Picker app
call:
function: UninstallSystemApp
parameters:
packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89
-
name: File Explorer app
call:
function: UninstallSystemApp
parameters:
packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515
-
name: App Resolver UX app
call:
function: UninstallSystemApp
parameters:
packageName: E2A4F912-2574-4A75-9BB0-0D023378592B
-
name: Add Suggested Folders To Library app
call:
-
function: UninstallSystemApp
parameters:
packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
-
function: UninstallSystemApp
parameters:
packageName: InputApp
-
name: Microsoft AAD Broker Plugin app (breaks Office app authentication) # Web Account Manager broker for Azure AD; removing it likely also breaks work/school account sign-in for other apps that rely on it
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.AAD.BrokerPlugin # Official docs point to wrong "Microsoft.AAD.Broker.Plugin"
-
name: Microsoft Accounts Control app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.AccountsControl
-
name: Microsoft Async Text Service app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.AsyncTextService
-
category: Windows Hello setup UI
children:
-
name: Bio enrollment app (breaks biometric authentication)
docs: https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.BioEnrollment
-
name: Cred Dialog Host app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.CredDialogHost
-
name: EC app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.ECApp
-
name: Lock app (shows lock screen)
docs: https://www.getwox.com/what-is-lockapp-exe/
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.LockApp
-
category: Microsoft Edge
children:
-
name: Microsoft Edge (Legacy) app
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.MicrosoftEdge
-
name: Microsoft Edge (Legacy) Dev Tools Client app
docs: https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.MicrosoftEdgeDevToolsClient
-
name: Win32 Web View Host app / Desktop App Web Viewer
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Win32WebViewHost
-
name: Microsoft PPI Projection app
docs: https://en.wikipedia.org/wiki/Perceptive_Pixel
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.PPIProjection
-
name: ChxApp app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.Apprep.ChxApp
-
name: Assigned Access Lock App app # Lock screen used by Assigned Access (kiosk) mode; removing it likely breaks kiosk configurations
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.AssignedAccessLockApp
-
name: Capture Picker app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.CapturePicker
-
name: Cloud Experience Host app (breaks Microsoft cloud/corporate sign in) # Allows to connect to corporate domains or Microsoft cloud based services
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.CloudExperienceHost
-
name: Content Delivery Manager app (automatically installs apps)
docs: https://www.ghacks.net/2019/12/23/how-to-block-the-automatic-installation-of-suggested-windows-10-apps/
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.ContentDeliveryManager
-
category: Uninstall Cortana system apps
children:
-
name: Search app (breaks Windows search)
docs: https://thegeekpage.com/searchui-exe-suspended-error/
call:
-
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.Cortana # Removed since version 2004
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Search # Added in version 2004, it was called "Cortana" before now it's plain "Search"
-
name: Holographic First Run app
recommend: standard
docs: https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.Holographic.FirstRun
-
name: OOBE Network Captive Port app
docs: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Official docs point to wrong "Microsoft.Windows.OOBENetworkCaptivePort"
-
name: OOBE Network Connection Flow app
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details
- https://www.windowscentral.com/windows-10-build-15019-pc-everything-you-need-know
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.OOBENetworkConnectionFlow
-
name: Windows 10 Family Safety / Parental Controls app
recommend: standard
docs: https://account.microsoft.com/family/about
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.ParentalControls
-
category: People Hub
children:
-
name: My People / People Bar App on taskbar (People Experience Host)
docs: https://winaero.com/pin-contacts-taskbar-windows-10/
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.PeopleExperienceHost
-
name: Pinning Confirmation Dialog app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.PinningConfirmationDialog
-
name: Windows Security GUI (Sec Health UI) app (breaks Windows Security app) # Removes only the UI; the Defender service keeps running but can no longer be reviewed or configured from Settings
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.SecHealthUI
-
name: Secondary Tile Experience app
docs: https://docs.microsoft.com/en-us/windows/uwp/design/shell/tiles-and-notifications/secondary-tiles
recommend: strict # Individual tiles may track e.g. like Firefox
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.SecondaryTileExperience
-
name: Secure Assessment Browser app (breaks Microsoft Intune/Graph)
recommend: strict
docs: https://docs.microsoft.com/en-us/graph/api/resources/intune-deviceconfig-windows10secureassessmentconfiguration?view=graph-rest-1.0
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.SecureAssessmentBrowser
# -
# # Not a bloatware, required for different setting windows such as WiFi and battery panes in action bar
# name: Start app
# call:
# function: UninstallSystemApp
# parameters:
# packageName: Microsoft.Windows.ShellExperienceHost
-
category: Windows Feedback
children:
-
name: Windows Feedback app
recommend: standard
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.WindowsFeedback
-
name: Xbox Game Callable UI app (breaks Xbox Live games)
docs: https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.XboxGameCallableUI
-
name: CBS Preview app
recommend: standard
call:
function: UninstallSystemApp
parameters:
packageName: Windows.CBSPreview
-
name: Contact Support app
call:
function: UninstallSystemApp
parameters:
packageName: Windows.ContactSupport
# -
# # Not a bloatware, required for core OS functinoality
# name: Settings app
# call:
# function: UninstallSystemApp
# parameters:
# packageName: Windows.immersivecontrolpanel
-
name: Windows Print 3D app
call:
function: UninstallSystemApp
parameters:
packageName: Windows.Print3D
-
name: Print UI app
call:
function: UninstallSystemApp
parameters:
packageName: Windows.PrintDialog
-
category: Remove OneDrive
children:
-
name: Kill OneDrive process
recommend: strict
code: taskkill /f /im OneDrive.exe
revertCode: '"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe"'
-
name: Uninstall OneDrive
recommend: strict
code: |-
if %PROCESSOR_ARCHITECTURE%==x86 (
%SystemRoot%\System32\OneDriveSetup.exe /uninstall 2>nul
) else (
%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall 2>nul
)
revertCode: |-
if %PROCESSOR_ARCHITECTURE%==x86 (
%SystemRoot%\System32\OneDriveSetup.exe /silent
) else (
%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent
)
-
name: Remove OneDrive leftovers (deletes local OneDrive folder and its contents) # "%UserProfile%\OneDrive" is removed recursively; any file that exists only there (e.g. not yet uploaded) is lost — back it up first
recommend: strict
code: |-
rd "%UserProfile%\OneDrive" /q /s
rd "%LocalAppData%\Microsoft\OneDrive" /q /s
rd "%ProgramData%\Microsoft OneDrive" /q /s
rd "%SystemDrive%\OneDriveTemp" /q /s
-
name: Delete OneDrive shortcuts
recommend: strict
docs: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive.exe-from-being-advertised-after-install-office-2016
code: |-
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk" /s /f /q
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" /s /f /q
del "%USERPROFILE%\Links\OneDrive.lnk" /s /f /q
-
name: Disable usage of OneDrive
recommend: strict
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 1 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 0 /f
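-
  name: Prevent automatic OneDrive install for current user
  recommend: strict
  # Removes the per-user Run entry that launches OneDriveSetup.exe at logon. revertCode recreates it with
  # the setup path that matches the OS architecture; the x86 branch previously carried a stray leading space
  # in the command value, which the 64-bit branch did not have.
  code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
  revertCode: |-
    if %PROCESSOR_ARCHITECTURE%==x86 (
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\System32\OneDriveSetup.exe /silent" /f
    ) else (
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f
    )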
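-
  name: Prevent automatic OneDrive install for new users
  recommend: strict
  # Same as the current-user action, applied to the Default profile hive so newly created accounts start
  # without the Run entry. The hive is mounted under HKU\Default for the edit and unloaded afterwards;
  # "reg load" fails when another process holds NTUSER.DAT open, in which case nothing is changed.
  # The x86 branch of revertCode previously carried a stray leading space in the command value.
  code: |-
    reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT"
    reg delete "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
    reg unload "HKU\Default"
  revertCode: |-
    reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT"
    if %PROCESSOR_ARCHITECTURE%==x86 (
      reg add "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\System32\OneDriveSetup.exe /silent" /f
    ) else (
      reg add "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f
    )
    reg unload "HKU\Default"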
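-
  name: Remove OneDrive from explorer menu
  recommend: strict
  # Hides the OneDrive node in Explorer's navigation pane by clearing "System.IsPinnedToNameSpaceTree" on
  # OneDrive's namespace-extension CLSID (64-bit and 32-bit views); revertCode sets it back to 1.
  # The previous revision first deleted both CLSID keys outright — which removes the whole shell-extension
  # registration and cannot be undone by revertCode, leaving a dangling CLSID if OneDrive is ever
  # reinstalled — and wrote the 32-bit value to "HKCR\Wow6432Node\{GUID}" instead of
  # "HKCR\Wow6432Node\CLSID\{GUID}". Clearing the pin value alone achieves the hiding.
  code: |-
    reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "0" /t REG_DWORD /f
    reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "0" /t REG_DWORD /f
  revertCode: |-
    reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "1" /t REG_DWORD /f
    reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "1" /t REG_DWORD /f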
-
name: Delete all OneDrive related scheduled tasks
recommend: strict
code: for /f "tokens=1 delims=," %%x in ('schtasks /query /fo csv ^| find "OneDrive"') do schtasks /Delete /TN %%x /F
-
name: Delete OneDrive path from registry
recommend: strict
docs: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch
code: reg delete "HKCU\Environment" /v "OneDrive" /f
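-
  name: Uninstall Edge (chromium-based)
  # Runs Edge's own installer in uninstall mode, searching both "Program Files" and "Program Files (x86)".
  # Two version folders can coexist under "Application" while an update is staged; the previous revision
  # then handed an array of paths to "&", which fails, so the newest version's setup.exe is now picked
  # explicitly (the version folder is the parent of "Installer"). There is no revertCode: reinstalling
  # needs Microsoft's installer. Newer Windows builds may treat Edge as an inbox component and block this
  # or reinstall it through Windows Update (not verified here).
  call:
    function: RunPowerShell
    parameters:
      code: |-
        $installer = Get-ChildItem "$env:ProgramFiles*\Microsoft\Edge\Application\*\Installer\setup.exe" | Sort-Object { $_.Directory.Parent.Name -as [version] } -Descending | Select-Object -First 1
        if (!$installer) {
          Write-Host 'Could not find the installer'
        } else {
          & $installer.FullName -Uninstall -System-Level -Verbose-Logging -Force-Uninstall
        }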
-
category: Disable built-in Windows features
children:
-
name: Direct Play feature
call:
function: DisableFeature
parameters:
featureName: DirectPlay
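-
  name: Internet Explorer feature
  # Windows names the optional IE package per architecture ("...-amd64" on 64-bit, "...-x86" on 32-bit
  # installs). The previous revision spelled the 32-bit one "x84" — no such package exists, so DISM
  # presumably reported it as unknown and IE stayed enabled on 32-bit systems. The three calls are
  # independent; the ones that do not apply to a given system simply fail in DISM.
  call:
    -
      function: DisableFeature
      parameters:
        featureName: Internet-Explorer-Optional-x64
    -
      function: DisableFeature
      parameters:
        featureName: Internet-Explorer-Optional-x86
    -
      function: DisableFeature
      parameters:
        featureName: Internet-Explorer-Optional-amd64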
-
name: Legacy Components feature
call:
function: DisableFeature
parameters:
featureName: LegacyComponents
-
category: Server features for developers & administrators
children:
-
category: Hyper-V Virtualization
children:
-
name: Hyper-V feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-All
-
name: Hyper-V GUI Management Tools feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Management-Clients
-
name: Hyper-V Management Tools feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Tools-All
-
name: Hyper-V Module for Windows PowerShell feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Management-PowerShell
-
name: Telnet Client feature
docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx
call:
function: DisableFeature
parameters:
featureName: TelnetClient
-
name: Net.TCP Port Sharing feature
docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing
call:
function: DisableFeature
parameters:
featureName: WCF-TCP-PortSharing45
-
name: SMB Direct feature
docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct
call:
function: DisableFeature
parameters:
featureName: SmbDirect
-
name: TFTP Client feature
call:
function: DisableFeature
parameters:
featureName: TFTP
-
category: Printing features
children:
-
category: Printer networking
children:
-
name: Internet Printing Client
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-InternetPrinting-Client
-
name: LPD Print Service
call:
function: DisableFeature
parameters:
featureName: LPDPrintService
-
name: LPR Port Monitor feature
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-LPRPortMonitor
-
name: Microsoft Print to PDF feature
call:
function: DisableFeature
parameters:
featureName: Printing-PrintToPDFServices-Features
-
name: Print and Document Services feature
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-Features
-
name: Work Folders Client feature
docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview
call:
function: DisableFeature
parameters:
featureName: WorkFolders-Client
-
category: XPS support
children:
-
name: XPS Services feature
call:
function: DisableFeature
parameters:
featureName: Printing-XPSServices-Features
-
name: XPS Viewer feature
call:
function: DisableFeature
parameters:
featureName: Xps-Foundation-Xps-Viewer
-
name: Media Features feature
call:
function: DisableFeature
parameters:
featureName: MediaPlayback
-
name: Scan Management feature
call:
function: DisableFeature
parameters:
featureName: ScanManagementConsole
-
name: Windows Fax and Scan feature
call:
function: DisableFeature
parameters:
featureName: FaxServicesClientPackage
-
name: Windows Media Player feature
call:
function: DisableFeature
parameters:
featureName: WindowsMediaPlayer
-
name: Windows Search feature
call:
function: DisableFeature
parameters:
featureName: SearchEngine-Client-Package
-
category: Uninstall capabilities & features on demand
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled
children:
-
category: Preinstalled
children:
-
name: DirectX Configuration Database capability
call:
function: UninstallCapability
parameters:
capabilityName: DirectX.Configuration.Database
-
name: Internet Explorer 11 capability
call:
function: UninstallCapability
parameters:
capabilityName: Browser.InternetExplorer
-
name: Math Recognizer capability
call:
function: UninstallCapability
parameters:
capabilityName: MathRecognizer
-
name: OneSync capability (breaks Mail, People, and Calendar)
recommend: strict
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync
call:
function: UninstallCapability
parameters:
capabilityName: OneCoreUAP.OneSync
-
name: OpenSSH client capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Client
-
name: PowerShell ISE capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.PowerShell.ISE
-
name: Print Management Console capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Management.Console
-
name: Quick Assist capability
call:
function: UninstallCapability
parameters:
capabilityName: App.Support.QuickAssist
-
name: Steps Recorder capability
call:
function: UninstallCapability
parameters:
capabilityName: App.StepsRecorder
-
name: Windows Fax and Scan capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Fax.Scan
# Following are excluded because:
# 1. They are not widely considered as "bloatware" as the community
# 2. Do not have known privacy issues
# 3. Make Windows more functional when running all scripts
# -
# name: WordPad capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.WordPad
# -
# name: Paint capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.MSPaint
# -
# name: Notepad capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.Notepad
-
category: Not preinstalled
children:
-
name: .NET Framework capability
call:
function: UninstallCapability
parameters:
capabilityName: NetFX3
-
name: Mixed Reality capability
call:
function: UninstallCapability
parameters:
capabilityName: Analog.Holographic.Desktop
-
name: Wireless Display capability
call:
function: UninstallCapability
parameters:
capabilityName: App.WirelessDisplay.Connect
-
name: Accessibility - Braille Support capability
call:
function: UninstallCapability
parameters:
capabilityName: Accessibility.Braille
-
name: Developer Mode capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.DeveloperMode.Core
-
name: Graphics Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.Graphics.DirectX
-
name: IrDA capability
call:
function: UninstallCapability
parameters:
capabilityName: Network.Irda
-
name: Microsoft WebDriver capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.WebDriver
-
name: MSIX Packaging Tool Driver capability
call:
function: UninstallCapability
parameters:
capabilityName: Msix.PackagingTool.Driver
-
category: Networking tools
children:
-
name: RAS Connection Manager Administration Kit (CMAK) capability
call:
function: UninstallCapability
parameters:
capabilityName: RasCMAK.Client
-
name: RIP Listener capability
call:
function: UninstallCapability
parameters:
capabilityName: RIP.Listener
-
name: Simple Network Management Protocol (SNMP) capability
call:
function: UninstallCapability
parameters:
capabilityName: SNMP.Client
-
name: SNMP WMI Provider capability
call:
function: UninstallCapability
parameters:
capabilityName: WMI-SNMP-Provider.Client
-
name: OpenSSH Server capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Server
-
category: Printing
children:
-
name: Enterprise Cloud Print capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.EnterpriseCloudPrint
-
name: Mopria Cloud Service capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.MopriaCloudService
-
category: Remote server administration tools (RSAT)
children:
-
name: Active Directory Domain Services and Lightweight Directory Services Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools
-
name: BitLocker Drive Encryption Administration Utilities capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.BitLocker.Recovery.Tools
-
name: Active Directory Certificate Services Tools
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.CertificateServices.Tools
-
name: DHCP Server Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.DHCP.Tools
-
name: DNS Server Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Dns.Tools
-
name: Failover Clustering Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FailoverCluster.Management.Tools
-
name: File Services Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FileServices.Tools
-
name: Group Policy Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.GroupPolicy.Management.Tools
-
name: IP Address Management (IPAM) Client capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.IPAM.Client.Tools
-
name: Data Center Bridging LLDP Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.LLDP.Tools
-
name: Network Controller Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkController.Tools
-
name: Network Load Balancing Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkLoadBalancing.Tools
-
name: Remote Access Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.RemoteAccess.Management.Tools
-
name: Server Manager Tools
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ServerManager.Tools
-
name: Shielded VM Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Shielded.VM.Tools
-
name: Storage Replica Module for Windows PowerShell capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageReplica.Tools
-
name: Volume Activation Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.VolumeActivation.Tools
-
name: Windows Server Update Services Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.WSUS.Tools
-
name: Storage Migration Service Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageMigrationService.Management.Tools
-
name: Systems Insights Module for Windows PowerShell capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.SystemInsights.Management.Tools
-
category: Storage
children:
-
name: Windows Storage Management capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.StorageManagement
-
name: OneCore Storage Management capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.OneCore.StorageManagement
-
name: Windows Emergency Management Services and Serial Console capability
call:
function: UninstallCapability
parameters:
capabilityName: Windows.Desktop.EMS-SAC.Tools
-
name: XPS Viewer capability
call:
function: UninstallCapability
parameters:
capabilityName: XPS.Viewer
-
name: Remove Meet Now icon from taskbar
recommend: strict
docs: # Skype feature, introduced in 20H2, KB4580364 update
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow
- https://www.windowscentral.com/how-disable-meet-now-feature-windows-10
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f
-
category: Advanced settings
children:
-
  name: Change NTP (time) server to pool.ntp.org
  docs: https://www.pool.ntp.org/en/use.html
  recommend: strict
  # Points w32time at the community NTP pool instead of time.windows.com, restarts the service and forces
  # an immediate resync (revertCode does the same with time.windows.com). Plain NTP is unauthenticated
  # either way, so this changes who receives the time queries, not their integrity. "net start" errors out
  # when the w32time service is disabled, and the following w32tm commands then fail as well.
  code: |-
    :: Configure time source
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
    :: Stop time service if running
    SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
      net stop w32time
    )
    :: Start time service and sync now
    net start w32time
    w32tm /config /update
    w32tm /resync
  revertCode: |-
    :: Configure time source
    w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com"
    :: Stop time service if running
    SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
      net stop w32time
    )
    :: Start time service and sync now
    net start w32time
    w32tm /config /update
    w32tm /resync
-
name: Disable Reserved Storage for updates # since 19H1 (1903)
docs:
- https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState
- https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves
- https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy
code: |-
dism /online /Set-ReservedStorageState /State:Disabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f
revertCode: |-
DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f
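-
  name: Run script on start-up [EXPERIMENTAL]
  # Copies the running script ("%~dpnx0") into the current user's Startup folder as "privacy-cleanup.bat",
  # so the whole script — not only the cleanup actions — re-runs at every logon of this user, with whatever
  # elevation it asks for. This is a persistence mechanism: anyone who can write to this user's %AppData%
  # can replace the file and have their own code run instead. The previous revision left the path unquoted
  # in both "del" calls; cmd split it at the space in "Start Menu", so the stale copy was never deleted.
  code: |-
    del /f /q "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
    copy "%~dpnx0" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
  revertCode: del /f /q "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"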
functions:
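-
  name: KillProcessWhenItStarts
  parameters:
    - name: processName
  # https://docs.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options
  # Registers taskkill.exe as the Image File Execution Options "Debugger" for the given image name, so
  # Windows launches taskkill instead of the real program whenever that image starts; revertCode removes
  # the value (the now-empty IFEO subkey is left in place).
  # The previous revision wrapped the name in single quotes inside the double-quoted key path; cmd passes
  # those literally, so the subkey was created as "'name.exe'" and never matched the actual image name.
  # Note: IFEO debugger entries are a well-known persistence/hijack technique (MITRE ATT&CK T1546.012),
  # so endpoint security tooling may flag this change.
  code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $processName }}" /v "Debugger" /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
  revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{{ $processName }}" /v "Debugger" /f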
-
  name: DisableFeature
  parameters:
    - name: featureName
  # Turns a Windows optional feature off (revertCode: back on) through DISM online servicing.
  # "/NoRestart" suppresses the automatic reboot; features that require one stay pending until the next
  # restart. DISM's exit code is not checked here, so an unknown feature name is only visible in its
  # console output.
  code: dism /Online /Disable-Feature /FeatureName:"{{ $featureName }}" /NoRestart
  revertCode: dism /Online /Enable-Feature /FeatureName:"{{ $featureName }}" /NoRestart
-
  name: UninstallStoreApp
  parameters:
    - name: packageName
  # Removes a Store (AppX) package for the current user only: Get-AppxPackage without -AllUsers lists the
  # caller's packages, so other user profiles keep the app. revertCode re-registers the package from its
  # InstallLocation (it relies on those files still being present, e.g. for another user) and stops with
  # an error when no user has the package any more.
  call:
    function: RunPowerShell
    parameters:
      code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage
      revertCode: |-
        $package = Get-AppxPackage -AllUsers '{{ $packageName }}'
        if (!$package) {
          Write-Error "Cannot reinstall '{{ $packageName }}'" -ErrorAction Stop
        }
        $manifest = $package.InstallLocation + '\AppxManifest.xml'
        Add-AppxPackage -DisableDevelopmentMode -Register "$manifest"
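-
  name: UninstallSystemApp
  parameters:
    - name: packageName
  # "Uninstalls" a non-removable system app by renaming every file of the package to "*.OLD"; revertCode
  # renames them back. System apps are NonRemovable (check:
  # (Get-AppxPackage -AllUsers 'Windows.CBSPreview').NonRemovable) and Remove-AppxPackage fails on them
  # with 0x80070032.
  # To rename the files it takes ownership of the package folders and grants Administrators full control.
  # Neither the original owner (TrustedInstaller) nor the original ACL is restored by revertCode, so the
  # folders stay less protected than stock ones.
  # Changes versus the previous revision: the Administrators group is addressed by its well-known SID
  # (*S-1-5-32-544) so icacls also works on localized Windows where the group is not called
  # "administrators"; the icacls failure message no longer claims an ownership failure; revertCode now
  # recurses into sub-folders ("-Path dir\*.OLD -Recurse" only recursed into folders whose own name
  # matched *.OLD, so renamed files in sub-folders were left behind).
  # Known gap: "takeown /d y" answers the prompt in English; on non-English Windows the expected letter
  # may differ.
  call:
    function: RunPowerShell
    parameters:
      code: |-
        $package = Get-AppxPackage -AllUsers '{{ $packageName }}'
        if (!$package) {
          Write-Host 'Not installed'
          exit 0
        }
        $directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)")
        foreach($dir in $directories) {
          if ( !$dir -Or !(Test-Path "$dir") ) { continue }
          cmd /c ('takeown /f "' + $dir + '" /r /d y 1> nul')
          if($LASTEXITCODE) { throw 'Failed to take ownership' }
          cmd /c ('icacls "' + $dir + '" /grant *S-1-5-32-544:F /t 1> nul')
          if($LASTEXITCODE) { throw 'Failed to grant Administrators full control' }
          $files = Get-ChildItem -File -Path $dir -Recurse -Force
          foreach($file in $files) {
            if($file.Name.EndsWith('.OLD')) { continue }
            $newName = $file.FullName + '.OLD'
            Write-Host "Rename '$($file.FullName)' to '$newName'"
            Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force
          }
        }
      revertCode: |-
        $package = Get-AppxPackage -AllUsers '{{ $packageName }}'
        if (!$package) {
          Write-Error 'App could not be found' -ErrorAction Stop
        }
        $directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)")
        foreach($dir in $directories) {
          if ( !$dir -Or !(Test-Path "$dir") ) { continue }
          cmd /c ('takeown /f "' + $dir + '" /r /d y 1> nul')
          if($LASTEXITCODE) { throw 'Failed to take ownership' }
          cmd /c ('icacls "' + $dir + '" /grant *S-1-5-32-544:F /t 1> nul')
          if($LASTEXITCODE) { throw 'Failed to grant Administrators full control' }
          $files = Get-ChildItem -File -Path $dir -Recurse -Force | Where-Object { $_.Name.EndsWith('.OLD') }
          foreach($file in $files) {
            $newName = $file.FullName.Substring(0, $file.FullName.Length - 4)
            Write-Host "Rename '$($file.FullName)' to '$newName'"
            Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force
          }
        }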
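-
  name: UninstallCapability
  parameters:
    - name: capabilityName
  # Removes a Windows capability (Feature on Demand). The name is matched as a prefix because installed
  # capabilities carry a version suffix (e.g. "OpenSSH.Client~~~~0.0.1.0"). revertCode re-adds every
  # match; Add-WindowsCapability needs Windows Update or a configured FoD source, so it fails offline.
  # The previous revertCode passed "$capability.Name": inside double quotes PowerShell expands only
  # "$capability" and appends the literal text ".Name", so nothing was ever re-installed.
  call:
    function: RunPowerShell
    parameters:
      code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online
      revertCode: |-
        $capabilities = @(Get-WindowsCapability -Online -Name '{{ $capabilityName }}*')
        if (!$capabilities) {
          Write-Error "Capability '{{ $capabilityName }}' is not known to this system" -ErrorAction Stop
        }
        foreach ($capability in $capabilities) {
          Add-WindowsCapability -Online -Name $capability.Name
        }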
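-
  name: RenameSystemFile
  parameters:
    - name: filePath
  # Neutralizes a protected system file by renaming it to "<file>.OLD"; revertCode renames it back.
  # Ownership is taken from TrustedInstaller and Administrators are granted full control first. revertCode
  # does not restore the original owner or ACL, so the file stays less protected than a stock system file.
  # The Administrators group is addressed by its well-known SID (*S-1-5-32-544) so the call also works on
  # localized Windows. The revert's failure message was missing "not".
  code: |-
    if exist "{{ $filePath }}" (
      takeown /f "{{ $filePath }}"
      icacls "{{ $filePath }}" /grant *S-1-5-32-544:F
      move "{{ $filePath }}" "{{ $filePath }}.OLD" && (
        echo Moved "{{ $filePath }}" to "{{ $filePath }}.OLD"
      ) || (
        echo Could not move {{ $filePath }} 1>&2
      )
    ) else (
      echo No action required: {{ $filePath }} is not found.
    )
  revertCode: |-
    if exist "{{ $filePath }}.OLD" (
      takeown /f "{{ $filePath }}.OLD"
      icacls "{{ $filePath }}.OLD" /grant *S-1-5-32-544:F
      move "{{ $filePath }}.OLD" "{{ $filePath }}" && (
        echo Moved "{{ $filePath }}.OLD" to "{{ $filePath }}"
      ) || (
        echo Could not restore from backup file {{ $filePath }}.OLD 1>&2
      )
    ) else (
      echo Could not find backup file "{{ $filePath }}.OLD" 1>&2
    )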
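-
  name: SetVsCodeSetting
  parameters:
    - name: setting
    - name: powerShellValue
  # Adds or overwrites one key in the current user's VS Code settings.json; revertCode removes the key.
  # powerShellValue is spliced in as a PowerShell expression (e.g. $false or 'off'), not as JSON text.
  # Changes versus the previous revision: the snippet is a block scalar with plain double quotes, like
  # revertCode (the pre-escaped \" in a folded plain scalar depended on the quoting pipeline not escaping
  # them again); ConvertTo-Json is called with -Depth 100 because its default depth of 2 silently flattens
  # deeper settings objects (language-specific sections, nested rules) into strings and so corrupted the
  # file; an empty settings file is treated as "{}" instead of failing in ConvertFrom-Json; a parse failure
  # now stops the snippet before anything is written back.
  # Limitation: Windows PowerShell 5.1's ConvertFrom-Json rejects the comments and trailing commas VS Code
  # tolerates in settings.json — such files are left untouched with an error. The file is rewritten in
  # PowerShell's JSON formatting.
  call:
    function: RunPowerShell
    parameters:
      code: |-
        $jsonfile = "$env:APPDATA\Code\User\settings.json"
        if (!(Test-Path $jsonfile -PathType Leaf)) {
          Write-Host "No updates. Settings file was not at $jsonfile"
          exit 0
        }
        $content = Get-Content $jsonfile -Raw
        if ([string]::IsNullOrWhiteSpace($content)) {
          $json = [PSCustomObject]@{}
        } else {
          $json = $content | ConvertFrom-Json -ErrorAction Stop
        }
        $json | Add-Member -Type NoteProperty -Name '{{ $setting }}' -Value {{ $powerShellValue }} -Force
        $json | ConvertTo-Json -Depth 100 | Set-Content $jsonfile
      revertCode: |-
        $jsonfile = "$env:APPDATA\Code\User\settings.json"
        if (!(Test-Path $jsonfile -PathType Leaf)) {
          Write-Error "Settings file could not be found at $jsonfile" -ErrorAction Stop
        }
        $json = Get-Content $jsonfile -Raw | ConvertFrom-Json -ErrorAction Stop
        $json.PSObject.Properties.Remove('{{ $setting }}')
        $json | ConvertTo-Json -Depth 100 | Set-Content $jsonfile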
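-
  name: RunPowerShell
  parameters:
    - name: code
    - name: revertCode
      optional: true
  # Runs an inline PowerShell snippet from the generated batch script. "inlinePowerShell" collapses the
  # snippet to a single line and "escapeDoubleQuotes" makes it safe inside the cmd-quoted -Command argument.
  # -NoProfile: these snippets run in the elevated context of the generated script; without it PowerShell
  # would first execute the user's profile scripts (Documents\WindowsPowerShell\*.ps1), which are writable
  # by the non-elevated user — a classic local privilege-escalation path — and which can also change the
  # snippet's behaviour (aliases, $ErrorActionPreference, overridden functions).
  code: PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}"
  revertCode: |-
    {{ with $revertCode }}
    PowerShell -NoProfile -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}"
    {{ end }}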
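-
  name: DisablePerUserService # https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
  parameters:
    - name: serviceName
    - name: defaultStartUpMode
  # Stops and disables a per-user service template and every per-session instance of it ("<name>_<luid>")
  # by writing Start=4 (Disabled) into each service's registry key. revertCode restores the caller-supplied
  # default Start value (e.g. 3 = Manual) on the template and instances; a restart is needed for it to
  # take effect.
  # Changes versus the previous revision: the wildcard query can return several instances (one per
  # logged-on user); they are now handled one by one instead of joining their names into a single invalid
  # registry path. revertCode used a hard-coded Start=0 (a boot-start driver value, invalid for a user-mode
  # service) and ignored defaultStartUpMode.
  call:
    function: RunPowerShell
    parameters:
      code: |-
        $serviceQueries = @('{{ $serviceName }}', '{{ $serviceName }}_*')
        foreach ($serviceQuery in $serviceQueries) {
          $services = @(Get-Service -Name $serviceQuery -ErrorAction Ignore)
          if(!$services) {
            Write-Host "Service `"$serviceQuery`" is not found, no action is needed"
            continue
          }
          foreach ($service in $services) {
            $name = $service.Name
            Stop-Service $name -ErrorAction SilentlyContinue
            if($?) {
              Write-Host "Stopped `"$name`""
            } else {
              Write-Warning "Could not stop `"$name`""
            }
            $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            if(Test-Path $regKey) {
              Set-ItemProperty $regKey -Name Start -Value 4 -Type DWord -Force
              Write-Host "Disabled `"$name`""
            } else {
              Write-Host "Service is not registered at Windows startup, no action is needed."
            }
          }
        }
      revertCode: |-
        $serviceQueries = @('{{ $serviceName }}', '{{ $serviceName }}_*')
        $defaultStartUpMode = '{{ $defaultStartUpMode }}'
        foreach ($serviceQuery in $serviceQueries) {
          $services = @(Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue)
          if(!$services) {
            Write-Warning "Service `"$serviceQuery`" not found"
            continue
          }
          foreach ($service in $services) {
            $name = $service.Name
            $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            if(Test-Path $regKey) {
              Set-ItemProperty $regKey -Name Start -Value $defaultStartUpMode -Type DWord -Force
              Write-Host "Enabled `"$name`", may require restarting your computer."
            } else {
              Write-Error "Registry key at `"$regKey`" does not exist"
            }
          }
        }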
-
  name: RunInlineCode
  parameters:
    - name: code
    - name: revertCode
      optional: true
  # Identity function: emits the given batch code verbatim, so an action can route raw code through the
  # function-call mechanism. revertCode expands to nothing when the optional parameter is not given.
  code: '{{ $code }}'
  revertCode: '{{ with $revertCode }}{{ . }}{{ end }}'
-
  name: RunPowerShellWithSameCodeAndRevertCode
  parameters:
    - name: code
  # Convenience wrapper for PowerShell snippets whose revert is the very same snippet run again (intended
  # for state-toggling code): both code and revertCode are passed unchanged to RunPowerShell.
  call:
    function: RunPowerShell
    parameters:
      code: '{{ $code }}'
      revertCode: '{{ $code }}'
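-
  name: RunInlineCodeAsTrustedInstaller
  parameters:
    - name: code
    - name: revertCode
  # Runs a batch snippet as NT SERVICE\TrustedInstaller: the snippet is written to a temporary .bat file,
  # a throw-away scheduled task is registered and started with that principal (Task Scheduler COM RunEx),
  # its output is captured in a second temporary file and echoed back; the task and both files are removed
  # in "finally".
  # Security notes:
  # - The batch file is executed at the highest privilege on the machine, yet it lives in the caller's
  #   %TEMP%, which every process of the same user — including non-elevated ones — can write to. Both
  #   temporary files are therefore locked down right after creation: inheritance removed, DACL limited to
  #   Administrators and SYSTEM, and a High mandatory integrity label, so medium-integrity processes of the
  #   same user can no longer rewrite the script, change its DACL, or swap the output file for a reparse
  #   point before TrustedInstaller writes to it. The short window between New-TemporaryFile and icacls
  #   remains.
  # - The stdout path is now quoted in the task action; a %TEMP% containing a space broke the redirection.
  # - "$code" is embedded in a single-quoted PowerShell literal, so snippets containing a single quote break.
  # Caveat (unchanged): polling "State -eq 'Running'" starts right after RunEx; a task that has not been
  # scheduled yet may be read as finished and a stale LastTaskResult reported.
  call:
    function: RunPowerShell
    parameters:
      code: |-
        $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
        $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
        $command = '{{ $code }}'
        $stdOutFile = New-TemporaryFile
        $batchFile = New-TemporaryFile
        try {
          $batchFile = Rename-Item $batchFile.FullName "$($batchFile.BaseName).bat" -PassThru
          foreach ($tempFile in @($batchFile.FullName, $stdOutFile.FullName)) {
            cmd /c ('icacls "' + $tempFile + '" /inheritance:r /grant:r *S-1-5-32-544:F *S-1-5-18:F 1> nul')
            if($LASTEXITCODE) { throw "Failed to restrict access to $tempFile" }
            cmd /c ('icacls "' + $tempFile + '" /setintegritylevel H 1> nul')
            if($LASTEXITCODE) { throw "Failed to raise integrity level of $tempFile" }
          }
          "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile.FullName -Encoding ASCII
          $taskName = 'privacy.sexy invoke'
          if(Get-ScheduledTask $taskName -ErrorAction Ignore) {
            Unregister-ScheduledTask $taskName -Confirm:$false
          }
          $taskAction = New-ScheduledTaskAction `
            -Execute 'cmd.exe' `
            -Argument ('/c ""' + $batchFile.FullName + '" > "' + $stdOutFile.FullName + '""')
          $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
          Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null
          try {
            ($scheduleService = New-Object -ComObject Schedule.Service).Connect()
            $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
            $timeOutLimit = (Get-Date).AddMinutes(5)
            Write-Host "Running as $trustedInstallerName"
            while((Get-ScheduledTask $taskName).State -eq 'Running') {
              Start-Sleep -Milliseconds 200
              if((Get-Date) -gt $timeOutLimit) {
                Write-Warning "Skipping results, it took so long to execute script."
                break
              }
            }
            if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
              Write-Error "Failed to execute with exit code: $result."
            }
          } finally {
            Unregister-ScheduledTask $taskName -Confirm:$false
          }
          Get-Content $stdOutFile.FullName
        } finally {
          Remove-Item $stdOutFile.FullName, $batchFile.FullName
        }
      revertCode: |- # Duplicated until custom pipes are implemented
        $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
        $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
        $command = '{{ $revertCode }}'
        $stdOutFile = New-TemporaryFile
        $batchFile = New-TemporaryFile
        try {
          $batchFile = Rename-Item $batchFile.FullName "$($batchFile.BaseName).bat" -PassThru
          foreach ($tempFile in @($batchFile.FullName, $stdOutFile.FullName)) {
            cmd /c ('icacls "' + $tempFile + '" /inheritance:r /grant:r *S-1-5-32-544:F *S-1-5-18:F 1> nul')
            if($LASTEXITCODE) { throw "Failed to restrict access to $tempFile" }
            cmd /c ('icacls "' + $tempFile + '" /setintegritylevel H 1> nul')
            if($LASTEXITCODE) { throw "Failed to raise integrity level of $tempFile" }
          }
          "@echo off`r`n$command`r`nexit 0" | Out-File $batchFile.FullName -Encoding ASCII
          $taskName = 'privacy.sexy invoke'
          if(Get-ScheduledTask $taskName -ErrorAction Ignore) {
            Unregister-ScheduledTask $taskName -Confirm:$false
          }
          $taskAction = New-ScheduledTaskAction `
            -Execute 'cmd.exe' `
            -Argument ('/c ""' + $batchFile.FullName + '" > "' + $stdOutFile.FullName + '""')
          $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
          Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null
          try {
            ($scheduleService = New-Object -ComObject Schedule.Service).Connect()
            $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
            $timeOutLimit = (Get-Date).AddMinutes(5)
            Write-Host "Running as $trustedInstallerName"
            while((Get-ScheduledTask $taskName).State -eq 'Running') {
              Start-Sleep -Milliseconds 200
              if((Get-Date) -gt $timeOutLimit) {
                Write-Warning "Skipping results, it took so long to execute script."
                break
              }
            }
            if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
              Write-Error "Failed to execute with exit code: $result."
            }
          } finally {
            Unregister-ScheduledTask $taskName -Confirm:$false
          }
          Get-Content $stdOutFile.FullName
        } finally {
          Remove-Item $stdOutFile.FullName, $batchFile.FullName
        }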
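-
  name: DisableServiceInRegistry
  parameters:
    - name: serviceName
    - name: defaultStartUpMode
  # Stops a service and disables it by writing Start=4 into its registry key (the registry route is used
  # because "sc config" does not work for the services this is applied to). revertCode puts the
  # caller-supplied default Start value back; a restart is needed for it to take effect.
  # Fixes versus the previous revision: revertCode wrote the requested value and then immediately
  # overwrote it with Start=0 (boot-start, invalid for a user-mode service); when the service was missing it
  # used "continue" outside any loop, which silently ends the snippet — now an explicit exit after the
  # warning. Values are written as DWORD explicitly.
  call:
    function: RunPowerShell
    parameters:
      code: |-
        $serviceName = '{{ $serviceName }}'
        $service = Get-Service -Name $serviceName -ErrorAction Ignore
        if(!$service) {
          Write-Host "Service `"$serviceName`" is not found, no action is needed"
          exit 0
        }
        $name = $service.Name
        Stop-Service $name -Force -ErrorAction SilentlyContinue
        if($?) {
          Write-Host "Stopped `"$name`""
        } else {
          Write-Warning "Could not stop `"$name`""
        }
        $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if(Test-Path $regKey) {
          if( $(Get-ItemProperty -Path "$regKey").Start -eq 4) {
            Write-Host "Service `"$name`" is already disabled, no action is needed"
          } else {
            Set-ItemProperty $regKey -Name Start -Value 4 -Type DWord -Force
            Write-Host "Disabled `"$name`""
          }
        } else {
          Write-Host "Service is not registered at Windows startup, no action is needed."
        }
      revertCode: |-
        $serviceName = '{{ $serviceName }}'
        $defaultStartUpMode = '{{ $defaultStartUpMode }}'
        $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
        if(!$service) {
          Write-Warning "Service `"$serviceName`" not found"
          exit 0
        }
        $name = $service.Name
        $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if(Test-Path $regKey) {
          if( $(Get-ItemProperty -Path "$regKey").Start -eq $defaultStartUpMode) {
            Write-Host "Service $serviceName already enabled"
          } else {
            Set-ItemProperty $regKey -Name Start -Value $defaultStartUpMode -Type DWord -Force
            Write-Host "Enabled service $serviceName (requires reboot)"
          }
        } else {
          Write-Error "Registry key at `"$regKey`" does not exist"
        }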