44r0n7/privacy.sexy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b6bfc2572740c0cd46d3bc0058fa767dd5fa862e
privacy.sexy/src/application/application.yaml
undergroundwires b6bfc25727 🐛 fixed removing onedrive does not delete scheduled tasks
2020-08-10 19:12:04 +02:00

2216 lines
157 KiB
YAML
Raw Blame History

# Structure documented in "./application.yaml.d.ts" (as code)
name: privacy.sexy
repositoryUrl: https://github.com/undergroundwires/privacy.sexy
actions:
-
category: Privacy cleanup
children:
-
category: Clear application history
children:
-
name: Clear Listary indexes
recommend: false
code: del /f /s /q %appdata%\Listary\UserData > nul
-
name: Clear Java cache
recommend: true
code: rd /s /q "%APPDATA%\Sun\Java\Deployment\cache"
-
name: Clear Flash traces
recommend: true
code: rd /s /q "%APPDATA%\Macromedia\Flash Player"
-
name: Clear Steam dumps, logs and traces
recommend: true
code: |-
del /f /q %ProgramFiles(x86)%\Steam\Dumps
del /f /q %ProgramFiles(x86)%\Steam\Traces
del /f /q %ProgramFiles(x86)%\Steam\appcache\*.log
-
name: Clear Visual Studio telemetry and feedback data
recommend: true
code: |-
rmdir /s /q "%AppData%\vstelemetry" 2>nul
rmdir /s /q "%LocalAppData%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%ProgramData%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%Temp%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%Temp%\VSFaultInfo" 2>nul
rmdir /s /q "%Temp%\VSFeedbackPerfWatsonData" 2>nul
rmdir /s /q "%Temp%\VSFeedbackVSRTCLogs" 2>nul
rmdir /s /q "%Temp%\VSRemoteControl" 2>nul
rmdir /s /q "%Temp%\VSTelem" 2>nul
rmdir /s /q "%Temp%\VSTelem.Out" 2>nul
-
category: Clear most recently used lists (MRU)
children:
-
name: Clear windows recent files
recommend: true
docs: https://www.tenforums.com/tutorials/3476-reset-clear-recent-items-frequent-places-windows-10-a.html
code: |-
rd /s /q "%USERPROFILE%\Recent"
rd /s /q "%APPDATA%\Microsoft\Windows\Recent"
del /f /q %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*
del /f /q %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*
-
name: Clear regedit last key
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
-
name: Clear regedit favorites
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
-
name: Clear list of recent programs opened
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
-
name: Clear Adobe Media Browser MRU
recommend: true
code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f
-
name: Clear MSPaint MRU
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
-
name: Clear Wordpad MRU
recommend: true
code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
-
name: Clear Map Network Drive MRU MRU
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
-
name: Clear Windows Search Assistant history
recommend: true
code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f
-
name: Clear list of Recent Files Opened, by Filetype
recommend: true
code: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
-
name: Clear windows media player recent files and urls
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
-
name: Clear Most Recent Application's Use of DirectX
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
-
name: Clear Windows Run MRU & typedpaths
recommend: true
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
-
category: Clear browser history
children:
-
name: Clear Internet Explorer traces
recommend: true
code: |-
del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*"
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f
rd /s /q "%localappdata%\Microsoft\Internet Explorer"
rd /s /q "%APPDATA%\Microsoft\Windows\Cookies"
rd /s /q "%USERPROFILE%\Cookies"
rd /s /q "%USERPROFILE%\Local Settings\Traces"
rd /s /q "%localappdata%\Temporary Internet Files"
rd /s /q "%localappdata%\Microsoft\Windows\Temporary Internet Files"
rd /s /q "%localappdata%\Microsoft\Windows\INetCookies\PrivacIE"
rd /s /q "%localappdata%\Microsoft\Feeds Cache"
rd /s /q "%localappdata%\Microsoft\InternetExplorer\DOMStore"
-
name: Clear Google Chrome traces
recommend: true
code: |-
del /f /q "%localappdata%\Google\Software Reporter Tool\*.log"
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data"
rd /s /q "%localappdata%\Google\Chrome\User Data"
rd /s /q "%localappdata%\Google\CrashReports\""
rd /s /q "%localappdata%\Google\Chrome\User Data\Crashpad\reports\""
-
category: Clear Firefox traces
children:
-
name: Clear browsing history and caches
recommend: true
code: |-
set ignoreFiles="content-prefs.sqlite" "permissions.sqlite" "favicons.sqlite"
for %%d in ("%APPDATA%\Mozilla\Firefox\Profiles\"
"%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\"
) do (
IF EXIST %%d (
FOR /d %%p IN (%%d*) DO (
for /f "delims=" %%f in ('dir /b /s "%%p\*.sqlite" 2^>nul') do (
set "continue="
for %%i in (%ignoreFiles%) do (
if %%i == "%%~nxf" (
set continue=1
)
)
if not defined continue (
del /q /s /f %%f
)
)
)
)
)
-
name: Clear all user settings and data
recommend: false
enables: Clear browsing history and caches
code: |-
rd "%localappdata%\Local\Mozilla\Firefox\Profiles"
rd /s /q "%APPDATA%\Mozilla\Firefox\Profiles"
-
name: Clear Opera traces
recommend: true
code: |-
rd /s /q "%USERPROFILE%\AppData\Local\Opera\Opera"
rd /s /q "%APPDATA%\Opera\Opera"
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Opera\Opera"
-
name: Clear Safari traces
recommend: true
code: |-
rd /s /q "%USERPROFILE%\AppData\Local\Apple Computer\Safari\Traces"
rd /s /q "%APPDATA%\Apple Computer\Safari"
del /q /s /f "%USERPROFILE%\AppData\Local\Apple Computer\Safari\Cache.db"
del /q /s /f "%USERPROFILE%\AppData\Local\Apple Computer\Safari\WebpageIcons.db"
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Traces"
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db"
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db"
-
category: Clear windows logs & caches
children:
-
name: Clear thumbnail cache
recommend: false
code: del /f /s /q /a %LocalAppData%\Microsoft\Windows\Explorer\*.db
-
name: Clear Windows log files
recommend: true
code: |-
del /f /q %SystemRoot%\Temp\CBS\*
del /f /q %SystemRoot%\comsetup.log
del /f /q %SystemRoot%\DtcInstall.log
del /f /q %SystemRoot%\PFRO.log
del /f /q %SystemRoot%\setupact.log
del /f /q %SystemRoot%\setuperr.log
del /f /q %SystemRoot%\Debug\PASSWD.LOG
del /f /q %SystemRoot%\security\Traces\*.log
del /f /q %SystemRoot%\security\Traces\*.old
del /f /q %SystemRoot%\SoftwareDistribution\ReportingEvents.log
del /f /q %SystemRoot%\Traces\CBS\*
del /f /q %SystemRoot%\Traces\DISM\*
del /f /q %SystemRoot%\Traces\NetSetup\*
del /f /q %SystemRoot%\Traces\SIH\*
del /f /q %SystemRoot%\Traces\waasmedic\*
del /f /q %SystemRoot%\Traces\WindowsUpdate\*
del /f /q %LOCALAPPDATA%\Microsoft\Windows\WebCache\*.log
del /f /q /s %SystemRoot%\Microsoft.NET\Framework\*.log
del /f /q %SystemRoot%\inf\setupapi.dev.log
del /f /q %SystemRoot%\inf\setupapi.offline.log
del /f /q %SystemRoot%\Panther\*
del /f /q %localappdata%\Microsoft\CLR_v4.0\UsageTraces\*
del /f /q %localappdata%\Microsoft\CLR_v4.0_32\UsageTraces\*
del /f /q %localappdata%\Microsoft\Windows\WebCache\*
del /f /q %SystemRoot%\System32\catroot2\dberr.txt
del /f /q %SystemRoot%\System32\LogFiles\WMI\*.etl
del /f /q %SystemRoot%\System32\LogFiles\setupcln\*
del /f /q %SystemRoot%\appcompat\Programs\Install\*
del /f /q %SystemRoot%\SoftwareDistribution\DataStore\Traces\*.log
del /f /q %SystemRoot%\Performance\WinSAT\winsat.log
del /f /q %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.log
rd /s /q "%localappdata%\Microsoft\Windows\Traces"
-
name: Clear Windows temp files
recommend: true
code: |-
del /f /q %localappdata%\Temp\*
rd /s /q "%WINDIR%\Temp"
rd /s /q "%TEMP%"
-
name: Clear main telemetry file
recommend: true
code: echo "" > %ProgramData%\Microsoft\Diagnosis\ETLTraces\AutoLogger\AutoLogger-Diagtrack-Listener.etl
-
name: Clear Event Logs in Event Viewer
recommend: false
docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information
code: for /f "tokens=*" %%G in ('wevtutil.exe el') DO (wevtutil.exe cl %1 "%%G")
-
name: Clear credentials from Windows Credential Manager
recommend: false
code: |-
cmdkey.exe /list > "%TEMP%\List.txt"
findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt"
FOR /F "tokens=1,2 delims= " %%G IN (%TEMP%\tokensonly.txt) DO cmdkey.exe /delete:%%H
del "%TEMP%\List.txt" /s /f /q
del "%TEMP%\tokensonly.txt" /s /f /q
-
name: Empty trash bin
recommend: false
code: rd /s %systemdrive%\$Recycle.bin
-
name: Enable Reset Base in Dism Component Store
recommend: true
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f
-
name: Clear Windows Product Key from Registry
recommend: false
code: slmgr /cpky
docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/
-
name: Clear volume backups (shadow copies)
recommend: false
docs:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
code: vssadmin delete shadows /all /quiet
-
name: Remove Default Apps Associations
recommended: false
code: dism /online /Remove-DefaultAppAssociations
-
name: Clear (Reset) Network Data Usage
recommended: false
docs: https://www.windowslifestyle.com/reset-data-usage-tool-reset-network-data-usage-windows-10/
code: |-
setlocal EnableDelayedExpansion
SET /A dps_service_running=0
SC queryex "DPS"|Find "STATE"|Find /v "RUNNING">Nul||(
SET /A dps_service_running=1
net stop DPS
)
del /F /S /Q /A "%windir%\System32\sru*"
IF !dps_service_running! == 1 (
net start DPS
)
endlocal
-
category: Disable OS data collection
children:
-
category: Disable Windows telemetry and data collection
children:
-
name: Disable Customer Experience Improvement (CEIP/SQM)
recommend: true
code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f
docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable
-
name: Disable Application Impact Telemetry (AIT)
recommend: true
code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f
-
name: Disable diagnostics telemetry
recommend: true
code: |-
reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushsvc" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d 4 /f
sc stop "DiagTrack" & sc config "DiagTrack" start=disabled
sc stop "dmwappushservice" & sc config "dmwappushservice" start=disabled
sc stop "diagnosticshub.standardcollector.service" & sc config "diagnosticshub.standardcollector.service" start=disabled
sc stop "diagsvc" & sc config "diagsvc" start=disabled
-
name: Disable Customer Experience Improvement Program
recommend: true
code: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
revertCode: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /ENABLE
-
name: Disable Webcam Telemetry (devicecensus.exe)
recommend: true
docs: https://www.ghacks.net/2019/09/23/what-is-devicecensus-exe-on-windows-10-and-why-does-it-need-internet-connectivity/
code: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /DISABLE
revertCode: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /ENABLE
-
name: Disable Application Experience (Compatibility Telemetry)
recommend: true
code: |-
schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /DISABLE
schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /DISABLE
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
revertCode: |-
schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /ENABLE
schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /ENABLE
schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /ENABLE
schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /ENABLE
-
name: Disable telemetry in data collection policy
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /d 0 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "LimitEnhancedDiagnosticDataWindowsAnalytics" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
-
name: Disable license telemetry
recommend: true
code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f
-
name: Disable error reporting
recommend: true
docs:
- https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings
- https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493
code: |-
:: Disable Windows Error Reporting (WER)
reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f
:: Disable WER sending second-level data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
:: Disable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
:: Disable Windows Error Reporting Service
sc stop "WerSvc" & sc config "WerSvc" start=disabled
sc stop "wercplsupport" & sc config "wercplsupport" start=disabled
revertCode: |-
:: Enable Windows Error Reporting (WER)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f
:: Enable WER sending second-level data
reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f
:: Enable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable
:: Enable Windows Error Reporting Service
sc config "WerSvc" start=demand
sc config "wercplsupport" start=demand
-
name: Disable online device metadata collection
recommend: false
docs:
- https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
-
name: Disable cloud speech recognation
recommend: true
docs: https://www.tenforums.com/tutorials/101902-turn-off-online-speech-recognition-windows-10-a.html
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f
-
name: Disable active prompting (pings to MSFT NCSI server)
recommend: false
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
-
name: Opt out from Windows privacy consent
recommend: true
code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f
-
name: Disable Windows feedback
recommend: true
docs: https://www.tenforums.com/tutorials/2441-change-feedback-frequency-windows-10-a.html
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
-
name: Disable text and handwriting collection
recommend: true
code: |-
reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
-
category: Deny app access to personal information
children:
-
name: Deny app access to location
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f
-
name: Deny app accesss my name, picture, and other account info
recommend: true
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d DENY /f
-
name: Deny app access to motion data
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f
-
name: Deny app access to phone
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f
-
name: Deny app access to trusted devices
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f
-
name: Deny app sync with devices
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f
-
name: Deny app access to camera
recommend: false
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d DENY /f
-
name: Deny app access to microphone
recommend: false
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f
-
name: Deny apps share and sync non-explicitly paired wireless devices over uPnP
recommend: false
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d DENY /f
-
name: Deny app access to diagnostics info about your other apps
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f
-
name: Deny app access to your file system
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f
-
name: Deny app access to your contacts
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d DENY /f
-
name: Deny app access to Notifications
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f
-
name: Deny app access to Account Information
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f
-
name: Deny app access to Calendar
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d DENY /f
-
name: Deny app access to call history
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f
-
name: Deny app access to email
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f
-
name: Deny app access to tasks
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f
-
name: Deny app access to messaging
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f
-
name: Deny app access to radios
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d DENY /f
-
name: Deny app access to videos
recommend: true
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to pictures
recommend: true
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to documents
recommend: true
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to bluetooth devices
recommend: true
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to text/mms
recommend: true
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Deny" /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Allow" /f
-
name: Deny location access
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /t REG_SZ /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f
-
name: Deny sensor access
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v Value /t REG_SZ /d Deny /f
-
category: Disable windows search data collection
children:
-
name: Disable cortana
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /d 0 /t REG_DWORD /f
-
name: Disable web search in search bar
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /d 0 /t REG_DWORD /f
-
name: Disable search web when searching pc
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v ConnectedSearchUseWeb /t REG_DWORD /d 0 /f
-
name: Disable search indexing encrypted items / stores
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowIndexingEncryptedStoresOrItems /t REG_DWORD /d 0 /f
-
name: Disable location based info in searches
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AllowSearchToUseLocation /t REG_DWORD /d 0 /f
-
name: Disable language detection
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v AlwaysUseAutoLangDetection /t REG_DWORD /d 0 /f
-
category: Disable targeted ads and marketing
children:
-
name: Disable ad customization with Advertising ID
recommend: true
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d 1 /f
-
name: Disable targeted tips
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f
-
name: Turn Off Suggested Content in Settings app
recommend: true
docs: https://www.tenforums.com/tutorials/100541-turn-off-suggested-content-settings-app-windows-10-a.html
code: |-
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f
-
name: Disable biometrics
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d 4 /f
-
name: Disable Wi-Fi sense
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f
-
name: Disable App Launch Tracking
docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10
recommend: true
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f
-
name: Disable Inventory Collector
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 0 /f
-
name: Disable Website Access of Language List
recommend: true
docs: https://www.tenforums.com/tutorials/82980-turn-off-website-access-language-list-windows-10-a.html
code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f
-
name: Disable Auto Downloading Maps
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f
-
name: Disable steps recorder
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
-
name: Disable game screen recording
recommend: true
code: |-
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f
-
name: Disable Windows DRM internet access
docs: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable feedback on write (sending typing info)
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable Activity Feed
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f
-
name: Disable Windows Insider Program
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f
sc stop "wisvc" & sc config "wisvc" start=disabled
-
category: Disable cloud sync
children:
-
name: Disable all settings sync
recommend: true
enabler: all those bottom
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f
-
name: Disable Application Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable App Sync Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Credentials Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable Desktop Theme Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Personalization Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Start Layout Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Web Browser Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Windows Setting Sync
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Language Setting Sync
recommend: true
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v Enabled /d 0 /f
-
category: Configure programs
children:
-
category: Disable Visual Studio data collection
children:
-
category: Disable Experience Improvement Program (PerfWatson)
children:
-
name: Disable SQM 64 bit OS key
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v OptIn /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v OptIn /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v OptIn /t REG_DWORD /d 0 /f
-
name: Disable SQM 32 bit OS key
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v OptIn /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v OptIn /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v OptIn /t REG_DWORD /d 0 /f
-
name: Disable SQM group policy
recommend: true
code: reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v OptIn /t REG_DWORD /d 0 /f
-
name: Disable visual studio telemetry
recommend: true
code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v TurnOffSwitch /t REG_DWORD /d 1 /f
-
name: Disable Visual Studio feedback
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableFeedbackDialog /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableEmailInput /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v DisableScreenshotCapture /t REG_DWORD /d 1 /f
-
name: Stop and disable Visual Studio Standard Collector Service
recommend: true
code: |-
sc stop "VSStandardCollectorService150"
net stop VSStandardCollectorService150 2>nul
sc config "VSStandardCollectorService150" start=disabled
-
category: Configure Windows Defender
children:
-
name: Disable Microsoft SpyNet (Windows Defender cloud export for analysis)
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
-
name: Disable sending infection information
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
-
name: Disable NET Core CLI telemetry
recommend: true
code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1
revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0
-
name: Disable NVIDIA telemetry
recommend: true
code: |-
:: Uninstall telemetry tasks
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry
:: Delete residual files
cd %systemdrive%\System32\DriverStore\FileRepository\
del /s NvTelemetry*.dll
rmdir /s /q "%ProgramFiles(x86)%\NVIDIA Corporation\NvTelemetry" 2>nul
rmdir /s /q "%ProgramFiles%\NVIDIA Corporation\NvTelemetry" 2>nul
:: Opt out
reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d 4 /f
:: Disable telemetry services
schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
docs:
- https://github.com/CHEF-KOCH/nVidia-modded-Inf
- https://github.com/NateShoffner/Disable-Nvidia-Telemetry
- https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20
-
name: Disable Visual Studio Code telemetry
recommend: true
docs: https://code.visualstudio.com/docs/getstarted/telemetry
code: |-
mkdir %appdata%\Code\User
del %appdata%\Code\User\settings.json
echo { "telemetry.enableCrashReporter": false, "telemetry.enableTelemetry": false } > %appdata%\Code\User\settings.json
-
name: Disable Microsoft Office telemetry
recommend: true
docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office
code: |-
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\osm" /v "Enablelogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\osm" /v "EnableUpload" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "Enablelogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "EnableUpload" /t REG_DWORD /d 0 /f
schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /DISABLE
sc stop "ClickToRunSvc" & sc config "ClickToRunSvc" start=disabled
revertCode: |-
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\osm" /v "Enablelogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\osm" /v "EnableUpload" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "Enablelogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\osm" /v "EnableUpload" /t REG_DWORD /d 1 /f
schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE
sc config "ClickToRunSvc" start=auto
-
category: Configure browsers
children:
-
category: Configure Edge
children:
-
name: Disable live tile data collection
recommend: true
code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f
-
name: Disable MFU tracking
recommend: true
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f
-
name: Disable recent apps
recommend: true
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f
-
name: Turn off backtracking
recommend: true
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f
-
name: Disable Search Suggestions in Edge
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f
-
name: Disable Automatic Installation of Microsoft Edge Chromium
recommend: false
code: reg add HKLM\SOFTWARE\Microsoft\EdgeUpdate /v DoNotUpdateToEdgeWithChromium /t REG_DWORD /d 1 /f
docs: https://www.tenforums.com/tutorials/146650-disable-installation-microsoft-edge-windows-update-windows-10-a.html
-
category: Configure Internet Explorer
children:
-
name: Disable Geolocation in Internet Explorer
recommend: true
code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f
-
name: Disable Internet Explorer InPrivate logging
recommend: true
code: |-
reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
-
name: Disable Internet Explorer CEIP
recommend: true
code: |-
reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
-
name: Disable calling legacy WCM policies
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f
-
name: Disable SSLv3 fallback
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f
-
name: Disable ignoring cert errors
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f
-
category: Configure Google Chrome
children:
-
name: Disable Chrome Software Reporter Tool
recommend: true
code: |-
icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
cacls "%localappdata%\Google\Chrome\User Data\SwReporter" /e /c /d %username%
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f
-
name: Disable Chrome metrics reporting
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
-
name: Disable Google update service
recommend: true
code: |-
sc stop "gupdate" & sc config "gupdate" start=disabled
sc stop "gupdatem" & sc config "gupdatem" start=disabled
schtasks /Change /DISABLE /TN "GoogleUpdateTaskMachineCore"
schtasks /Change /DISABLE /TN "GoogleUpdateTaskMachineUA"
-
name: Disable Adobe Acrobat update service
recommend: true
code: |-
sc stop "AdobeARMservice" & sc config AdobeARMservice start=disabled
sc stop "adobeupdateservice" & sc config adobeupdateservice start=disabled
sc stop "adobeflashplayerupdatesvc" & sc config adobeflashplayerupdatesvc start=disabled
schtasks /change /tn "Adobe Acrobat Update Task" /disable
schtasks /change /tn "Adobe Flash Player Updater" /disable
-
name: Disable Razer Game Scanner Service
recommend: true
code: |-
sc stop "Razer Game Scanner Service" & sc config "Razer Game Scanner Service" start=disabled
-
name: Disable Logitech Gaming Registry Service
recommend: true
code: |-
sc stop "LogiRegistryService" & sc config "LogiRegistryService" start=disabled
-
name: Disable Dropbox auto update service
recommend: true
code: |-
sc stop "dbupdate" & sc config "dbupdate" start=disabled
sc stop "dbupdatem" & sc config "dbupdatem" start=disabled
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA"
-
category: Disable Media Player data collection
children:
-
name: Do not send Windows Media Player statistics
recommend: true
code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f
-
name: Disable meta data retrieval
recommend: true
code: |-
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable dows Media Player Network Sharing Service
recommend: true
code: sc stop "WMPNetworkSvc" & sc config "WMPNetworkSvc" start=disabled
-
category: Security improvements
children:
-
category: Meltdown and Spectre protection
docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
children:
-
name: Spectre variant 2 and meltdown (Intel)
recommend: false
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
-
name: Spectre variant 2 and meltdown (AMD)
recommend: false
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 64 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
-
name: Spectre variant 2 and meltdown (HyperV)
recommend: false
code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
-
name: Disable administrative shares
recommend: true
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f
-
name: Force enable data execution prevention (DEP)
recommend: false
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f
-
name: Disable AutoPlay and AutoRun
recommend: false
docs:
- https://en.wikipedia.org/wiki/AutoRun
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f
-
name: Disable remote Assistance
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f
-
name: Disable lock screen camera
recommend: true
docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f
-
name: Prevent the storage of the LAN Manager hash of passwords
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f
-
name: Disable Windows Installer Always install with elevated privileges
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
-
name: Prevent WinRM from using Basic Authentication
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f
-
name: Restrict anonymous enumeration of shares
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f
-
name: Systems must be maintained at a supported (security) level
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63349
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f
-
name: Refuse less secure authentication
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f
-
name: Enable Structured Exception Handling Overwrite Protection (SEHOP)
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f
-
name: Block Anonymous enumeration of SAM accounts
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f
-
name: Restrict anonymous access to Named Pipes and Shares
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f
-
category: Disable unsafe features
children:
-
name: Disable unsafe SMBv1 protocol
recommend: true
docs: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
code: |-
dism /online /Disable-Feature /FeatureName:"SMB1Protocol" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart
-
name: Disable PowerShell 2.0 against downgrade attacks
recommend: true
docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637
code: |-
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart
-
name: Disable the Windows Connect Now wizard
recommend: true
docs:
- https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now
- https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f
-
category: Privacy over security
children:
-
name: Disable Windows Defender
recommend: false
code: |-
netsh advfirewall set allprofiles state off
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 4 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 4 /f
revertCode: |-
netsh advfirewall set allprofiles state on
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /v "Start" /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d 2 /f
-
name: Disable Smart Screen
recommend: false
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Warn" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 1 /f
-
name: Disable scheduled On Demand anti malware scanner (MRT)
recommend: false
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 0 /f
-
name: Disable automatic updates
recommend: false
docs: https://docs.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
sc stop "UsoSvc" & sc config "UsoSvc" start=disabled
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "3" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "0" /f
sc config "UsoSvc" start=auto
-
category: UI for privacy
children:
-
name: Disable lock screen app notifications
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687
-
name: Disable online content in explorer
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f
-
name: Disable and auto-clear recent documents in explorer
recommend: true
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f
-
name: Disable Live Tiles push notifications
recommend: true
code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f
-
name: Turn off "Look For An App In The Store" option
recommend: true
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f
-
name: Do not show recently used files in Quick Access
recommend: true
docs: https://www.tenforums.com/tutorials/2713-add-remove-recent-files-quick-access-windows-10-a.html
code: |-
if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t REG_DWORD /f
) else (
reg delete HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5} /f
)
-
name: Disable Sync Provider Notifications
recommend: false
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f
-
name: Turn hibernate off to disable sleep for quick start
recommend: false
code: powercfg -h off
revertCode: powercfg -h on
docs: http://www.windows10windows7.com/w10/win10zs/100102504.html
-
category: Hide from This PC and Browse in dialog boxes
children:
-
name: 3D Objects
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
recommend: false
-
name: Desktop
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
recommend: false
-
name: Documents
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
recommend: false
-
name: Downloads
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
recommend: false
-
name: Movies
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
recommend: false
-
name: Music
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
recommend: false
-
name: Pictures
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
recommend: false
-
category: Disable OS services
children:
-
name: Delivery Optimization (P2P Windows Updates)
recommend: true
code: sc stop "DoSvc" & sc config "DoSvc" start=disabled
-
name: Microsoft Windows Live ID Service
recommend: true
code: sc stop "wlidsvc" & sc config "wlidsvc" start=demand
-
name: Program Compatibility Assistant Service
recommend: true
code: sc stop "PcaSvc" & sc config "PcaSvc" start=disabled
-
name: Downloaded Maps Manager
recommend: true
code: sc stop "MapsBroker" & sc config "MapsBroker" start=disabled
-
name: Microsoft Retail Demo experience
recommend: true
code: sc stop "RetailDemo" & sc config "RetailDemo" start=disabled
-
name: Mail, contact, calendar and user data synchronization.
recommend: false
code: |-
sc stop "OneSyncSvc" & sc config "OneSyncSvc" start=disabled
sc stop "UnistoreSvc" & sc config "UnistoreSvc" start=disabled
reg add HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc /V Start /t REG_DWORD /d "0x4" /f
-
name: Contact data indexing
recommend: false
code: |-
sc stop "PimIndexMaintenanceSvc" & sc config "PimIndexMaintenanceSvc" start=disabled
-
name: App user data access
recommend: false
code: sc stop "UserDataSvc" & sc config "UserDataSvc" start=disabled
-
name: Text messaging
recommend: false
code: sc stop "MessagingService" & sc config "MessagingService" start=disabled
-
name: Windows Push Notification Service
recommend: true
docs: https://en.wikipedia.org/wiki/Windows_Push_Notification_Service#Privacy_Issue
code: sc stop "WpnService" & sc config "WpnService" start=disabled
-
category: Disable Xbox services
children:
-
name: Xbox Live Auth Manager
recommend: true
code: sc stop "XblAuthManager" & sc config "XblAuthManager" start=disabled
revetCode: sc config "XblAuthManager" start=demand
-
name: Xbox Live Game Save
recommend: true
code: sc stop "XblGameSave" & sc config "XblGameSave" start=disabled
revertCode: sc config "XblGameSave" start=demand
-
name: Xbox Live Networking Service
recommend: true
code: sc stop "XboxNetApiSvc" & sc config "XboxNetApiSvc" start=disabled
revetCode: sc config "XboxNetApiSvc" start=demand
-
name: Windows Biometric Service
recommend: true
docs: https://en.wikipedia.org/wiki/Windows_Push_Notification_Service#Privacy_Issue
code: sc stop "WbioSrvc" & sc config "WbioSrvc" start=disabled
-
name: Volume Shadow Copy Service
recommend: true
docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
code: sc stop "VSS" & sc config "VSS" start=disabled
revertCode: sc config vss start=auto
-
category: Remove bloatware
children:
-
category: Uninstall Windows store apps
docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10
children:
-
category: Provisioned Windows apps
children:
-
name: Microsoft 3D Builder
code: PowerShell -Command "Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage"
docs: https://www.microsoft.com/en-us/p/3d-builder/9wzdncrfj3t6
-
category: MSN
children:
-
name: MSN Weather app
recommend: true
docs: https://www.microsoft.com/en-us/p/msn-weather/9wzdncrfj3q2
code: PowerShell -Command "Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage"
-
name: MSN Sports app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage"
-
name: MSN News app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage"
-
name: MSN Money app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage"
-
name: App Installer app
code: PowerShell -Command "Get-AppxPackage Microsoft.DesktopAppInstaller | Remove-AppxPackage"
docs: https://www.microsoft.com/en-us/p/app-installer/9nblggh4nns1?activetab=pivot:overviewtab
-
name: Get Help app
code: PowerShell -Command "Get-AppxPackage Microsoft.GetHelp | Remove-AppxPackage"
-
name: Microsoft Tips app
code: PowerShell -Command "Get-AppxPackage Microsoft.Getstarted | Remove-AppxPackage"
-
category: Extensions
children:
-
name: HEIF Image Extensions app
code: PowerShell -Command "Get-AppxPackage Microsoft.HEIFImageExtension | Remove-AppxPackage"
-
name: VP9 Video Extensions app
code: PowerShell -Command "Get-AppxPackage Microsoft.VP9VideoExtensions | Remove-AppxPackage"
-
name: Web Media Extensions app
code: PowerShell -Command "Get-AppxPackage Microsoft.WebMediaExtensions | Remove-AppxPackage"
-
name: Webp Image Extension app
code: PowerShell -Command "Get-AppxPackage Microsoft.WebpImageExtension | Remove-AppxPackage"
-
name: Microsoft Messaging app
code: PowerShell -Command "Get-AppxPackage Microsoft.Messaging | Remove-AppxPackage"
-
category: Mixed Reality
children:
-
name: Mixed Reality Portal app
code: PowerShell -Command "Get-AppxPackage Microsoft.MixedReality.Portal | Remove-AppxPackage"
-
name: Mixed Reality Viewer app
code: PowerShell -Command "Get-AppxPackage Microsoft.Microsoft3DViewer | Remove-AppxPackage"
-
category: Microsoft Office
children:
-
name: My Office app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage"
docs: https://www.microsoft.com/en-us/p/my-office-app/9n8vd0f315mh
-
name: OneNote app
code: PowerShell -Command "Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage"
docs: https://www.microsoft.com/en-us/p/onenote-for-windows-10/9wzdncrfhvjl
-
name: Sway app
code: PowerShell -Command "Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage"
-
name: Feedback Hub app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsFeedbackHub | Remove-AppxPackage"
-
name: Windows Alarms and Clock app
code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsAlarms | Remove-AppxPackage"
-
name: Windows Camera app
code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsCamera | Remove-AppxPackage"
-
name: Paint 3D app
code: PowerShell -Command "Get-AppxPackage Microsoft.MSPaint | Remove-AppxPackage"
-
name: Windows Maps app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsMaps | Remove-AppxPackage"
-
name: Minecraft app
code: PowerShell -Command "Get-AppxPackage Microsoft.MinecraftUWP | Remove-AppxPackage"
-
name: Microsoft Store app
code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsStore | Remove-AppxPackage"
-
name: Microsoft People app
code: PowerShell -Command "Get-AppxPackage Microsoft.People | Remove-AppxPackage"
-
name: Microsoft Pay app
code: PowerShell -Command "Get-AppxPackage Microsoft.Wallet | Remove-AppxPackage"
-
name: Store Purchase app
code: PowerShell -Command "Get-AppxPackage Microsoft.StorePurchaseApp | Remove-AppxPackage"
-
name: Snip and Sketch app
code: PowerShell -Command "Get-AppxPackage Microsoft.ScreenSketch | Remove-AppxPackage"
-
name: Print3D app
code: PowerShell -Command "Get-AppxPackage Microsoft.Print3D | Remove-AppxPackage"
-
name: Paid Wi-Fi and Cellular app
code: PowerShell -Command "Get-AppxPackage Microsoft.OneConnect | Remove-AppxPackage"
-
name: Microsoft Solitaire Collection app
code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage"
-
name: Microsoft Sticky Notes app
code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage"
-
category: Xbox
children:
-
name: Xbox app
code: PowerShell -Command "Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage"
-
name: Xbox TCUI app
code: PowerShell -Command "Get-AppxPackage Microsoft.Xbox.TCUI | Remove-AppxPackage"
-
name: Xbox Game Bar app
code: PowerShell -Command "Get-AppxPackage Microsoft.XboxGameOverlay | Remove-AppxPackage"
-
name: Xbox Gaming Overlay app
code: PowerShell -Command "Get-AppxPackage Microsoft.XboxGamingOverlay | Remove-AppxPackage"
-
name: Xbox Identity Provider app
code: PowerShell -Command "Get-AppxPackage Microsoft.XboxIdentityProvider | Remove-AppxPackage"
-
name: Xbox Speech To Text Overlay app
code: PowerShell -Command "Get-AppxPackage Microsoft.XboxSpeechToTextOverlay | Remove-AppxPackage"
-
name: Mail and Calendar app
code: PowerShell -Command "Get-AppxPackage microsoft.windowscommunicationsapps | Remove-AppxPackage"
-
category: Zune
children:
-
name: Zune Music app
code: PowerShell -Command "Get-AppxPackage Microsoft.ZuneMusic | Remove-AppxPackage"
-
name: Zune Video app
code: PowerShell -Command "Get-AppxPackage Microsoft.ZuneVideo | Remove-AppxPackage"
-
name: Windows Calculator app
code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsCalculator | Remove-AppxPackage"
-
name: Microsoft Photos app
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Photos | Remove-AppxPackage"
-
name: Skype app
code: PowerShell -Command "Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage"
-
name: Windows Voice Recorder app
code: PowerShell -Command "Get-AppxPackage Microsoft.WindowsSoundRecorder | Remove-AppxPackage"
-
category: Phone
children:
-
name: Windows Phone app
code: |-
PowerShell -Command "Get-AppxPackage Microsoft.WindowsPhone | Remove-AppxPackage"
PowerShell -Command "Get-AppxPackage Microsoft.Windows.Phone | Remove-AppxPackage"
-
name: Comms Phone app
code: PowerShell -Command "Get-AppxPackage Microsoft.CommsPhone | Remove-AppxPackage"
-
name: Your Phone app
code: PowerShell -Command "Get-AppxPackage Microsoft.YourPhone | Remove-AppxPackage"
-
category: Installed Windows apps
children:
-
name: Microsoft Advertising app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Advertising.Xaml | Remove-AppxPackage"
-
name: Remote Desktop app
code: PowerShell -Command "Get-AppxPackage Microsoft.RemoteDesktop | Remove-AppxPackage"
-
name: Network Speed Test app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.NetworkSpeedTest | Remove-AppxPackage"
-
category: Third party
children:
-
name: Shazam app
code: PowerShell -Command "Get-AppxPackage ShazamEntertainmentLtd.Shazam | Remove-AppxPackage"
-
name: Candy Crush Saga app
code: |-
PowerShell -Command "Get-AppxPackage king.com.CandyCrushSaga | Remove-AppxPackage"
PowerShell -Command "Get-AppxPackage king.com.CandyCrushSodaSaga | Remove-AppxPackage"
-
name: Flipboard app
code: PowerShell -Command "Get-AppxPackage Flipboard.Flipboard | Remove-AppxPackage"
-
name: Twitter app
code: PowerShell -Command "Get-AppxPackage 9E2F88E3.Twitter | Remove-AppxPackage"
-
name: iHeartRadio app
code: PowerShell -Command "Get-AppxPackage ClearChannelRadioDigital.iHeartRadio | Remove-AppxPackage"
-
name: Duolingo app
code: PowerShell -Command "Get-AppxPackage D5EA27B7.Duolingo-LearnLanguagesforFree | Remove-AppxPackage"
-
name: Photoshop Express app
code: PowerShell -Command "Get-AppxPackage AdobeSystemIncorporated.AdobePhotoshop | Remove-AppxPackage"
-
name: Pandora app
code: PowerShell -Command "Get-AppxPackage PandoraMediaInc.29680B314EFC2 | Remove-AppxPackage"
-
name: Eclipse Manager app
code: PowerShell -Command "Get-AppxPackage 46928bounde.EclipseManager | Remove-AppxPackage"
-
name: Code Writer app
code: PowerShell -Command "Get-AppxPackage ActiproSoftwareLLC.562882FEEB491 | Remove-AppxPackage"
-
category: System apps
children:
-
name: File Picker app
code: PowerShell -Command "Get-AppxPackage 1527c705-839a-4832-9118-54d4Bd6a0c89 | Remove-AppxPackage"
-
name: File Explorer app
code: PowerShell -Command "Get-AppxPackage c5e2524a-ea46-4f67-841f-6a9465d9d515 | Remove-AppxPackage"
-
name: App Resolver UX app
code: PowerShell -Command "Get-AppxPackage E2A4F912-2574-4A75-9BB0-0D023378592B | Remove-AppxPackage"
-
name: Add Suggested Folders To Library app
recommend: true
code: |-
PowerShell -Command "Get-AppxPackage F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | Remove-AppxPackage"
PowerShell -Command "Get-AppxPackage InputApp | Remove-AppxPackage"
-
name: Microsoft.AAD.Broker.Plugin app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.AAD.Broker.Plugin | Remove-AppxPackage"
-
name: Microsoft.AccountsControl app
code: PowerShell -Command "Get-AppxPackage Microsoft.AccountsControl | Remove-AppxPackage"
-
name: Microsoft.AsyncTextService app
code: PowerShell -Command "Get-AppxPackage Microsoft.AsyncTextService | Remove-AppxPackage"
-
category: Hello setup UI
children:
-
name: Bio enrollment app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.BioEnrollment | Remove-AppxPackage"
-
name: Cred Dialog Host app
code: PowerShell -Command "Get-AppxPackage Microsoft.CredDialogHost | Remove-AppxPackage"
-
name: EC App
code: PowerShell -Command "Get-AppxPackage Microsoft.ECApp | Remove-AppxPackage"
-
name: Lock App
code: PowerShell -Command "Get-AppxPackage Microsoft.LockApp | Remove-AppxPackage"
-
category: Microsoft Edge
children:
-
name: Microsoft Edge app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftEdge | Remove-AppxPackage"
-
name: Microsoft Edge Dev Tools Client app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.MicrosoftEdgeDevToolsClient | Remove-AppxPackage"
-
name: Microsoft PPI Projection app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.PPIProjection | Remove-AppxPackage"
-
name: Win32 Web View Host app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Win32WebViewHost | Remove-AppxPackage"
-
name: ChxApp app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Apprep.ChxApp | Remove-AppxPackage"
-
name: Assigned Access Lock App app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.AssignedAccessLockApp | Remove-AppxPackage"
-
name: Capture Picker app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.CapturePicker | Remove-AppxPackage"
-
name: Cloud Experience Host app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.CloudExperienceHost | Remove-AppxPackage"
-
name: Content Delivery Manager app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.ContentDeliveryManager | Remove-AppxPackage"
-
category: Cortana
children:
-
name: Cortana app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Cortana | Remove-AppxPackage"
-
name: Holographic First Run app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.Holographic.FirstRun | Remove-AppxPackage"
-
name: OOBE Network Captive Port app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.OOBENetworkCaptivePort | Remove-AppxPackage"
-
name: OOBE Network Connection Flow app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.OOBENetworkConnectionFlow | Remove-AppxPackage"
-
name: Parental Controls app
recommend: true
code: PowerShell -Command "Get-AppxPackage Microsoft.Windows.ParentalControls | Remove-AppxPackage"
-
category: People Hub
children:
-
name: People Experience Host app
recommend: true
code: PowerShell -Command "Microsoft.Windows.PeopleExperienceHost | Remove-AppxPackage"
-
name: Pinning Confirmation Dialog app
recommend: true
code: PowerShell -Command "Microsoft.Windows.PinningConfirmationDialog | Remove-AppxPackage"
-
name: Sec Health UI app
recommend: true
code: PowerShell -Command "Microsoft.Windows.SecHealthUI | Remove-AppxPackage"
-
name: Secondary Tile Experience app
recommend: true
code: PowerShell -Command "Microsoft.Windows.SecondaryTileExperience | Remove-AppxPackage"
-
name: Secure Assessment Browser app
recommend: true
code: PowerShell -Command "Microsoft.Windows.SecureAssessmentBrowser | Remove-AppxPackage"
-
name: Start app
code: PowerShell -Command "Microsoft.Windows.ShellExperienceHost | Remove-AppxPackage"
-
category: Windows Feedback
children:
-
name: Windows Feedback app
recommend: true
code: PowerShell -Command "Microsoft.WindowsFeedback | Remove-AppxPackage"
-
name: Xbox Game Callable UI app
recommend: true
code: PowerShell -Command "Microsoft.XboxGameCallableUI | Remove-AppxPackage"
-
name: CBS Preview app
recommend: true
code: PowerShell -Command "Windows.CBSPreview | Remove-AppxPackage"
-
name: Contact Support app
code: PowerShell -Command "Windows.ContactSupport | Remove-AppxPackage"
-
name: Settings app
code: PowerShell -Command "Windows.immersivecontrolpanel | Remove-AppxPackage"
-
name: Windows Print 3D app
code: PowerShell -Command "Windows.Print3D | Remove-AppxPackage"
-
name: Print UI app
code: PowerShell -Command "Windows.PrintDialog | Remove-AppxPackage"
-
name: App Connector app
code: PowerShell -Command "Get-AppxPackage Microsoft.Appconnector | Remove-AppxPackage"
-
name: Remove OneDrive
code: |-
taskkill /f /im OneDrive.exe
%SystemRoot%\System32\OneDriveSetup.exe /uninstall
%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
rd "%UserProfile%\OneDrive" /q /s
rd "%LocalAppData%\Microsoft\OneDrive" /q /s
rd "%ProgramData%\Microsoft OneDrive" /q /s
rd "C:\OneDriveTemp" /q /s
del "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" /s /f /q
reg delete "HKEY_CLASSES_ROOT\CLSID{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
reg delete "HKEY_CLASSES_ROOT\Wow6432Node\CLSID{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
reg add "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "0" /t REG_DWORD /f
for /f "tokens=1 delims=," %%x in ('schtasks /query /fo csv ^| find "OneDrive"') do schtasks /Delete /TN %%x /F
-
category: Disable built-in Windows features
children:
-
name: Direct Play feature
code: dism /Online /Disable-Feature /FeatureName:"DirectPlay" /NoRestart
recommend: false
-
name: Internet Explorer feature
code:
dism /Online /Disable-Feature /FeatureName:"Internet-Explorer-Optional-x64" /NoRestart
dism /Online /Disable-Feature /FeatureName:"Internet-Explorer-Optional-x84" /NoRestart
dism /Online /Disable-Feature /FeatureName:"Internet-Explorer-Optional-amd64" /NoRestart
recommend: false
-
name: Legacy Components feature
code: dism /Online /Disable-Feature /FeatureName:"LegacyComponents" /NoRestart
recommend: false
-
category: Server features for developers & administrators
children:
-
category: Hyper-V Virtualization
children:
-
name: Hyper-V feature
code: dism /Online /Disable-Feature /FeatureName:"Microsoft-Hyper-V-All" /NoRestart
recommend: false
-
name: Hyper-V GUI Management Tools feature
code: dism /Online /Disable-Feature /FeatureName:"Microsoft-Hyper-V-Management-Clients" /NoRestart
recommend: false
-
name: Hyper-V Management Tools feature
code: dism /Online /Disable-Feature /FeatureName:"Microsoft-Hyper-V-Tools-All" /NoRestart
recommend: false
-
name: Hyper-V Module for Windows PowerShell feature
code: dism /Online /Disable-Feature /FeatureName:"Microsoft-Hyper-V-Management-PowerShell" /NoRestart
recommend: false
-
name: Telnet Client feature
code: dism /Online /Disable-Feature /FeatureName:"TelnetClient" /NoRestart
docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx
recommend: false
-
name: Net.TCP Port Sharing feature
code: dism /Online /Disable-Feature /FeatureName:"WCF-TCP-PortSharing45" /NoRestart
recommend: false
docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing
-
name: SMB Direct feature
code: dism /Online /Disable-Feature /FeatureName:"SmbDirect" /NoRestart
recommend: false
docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct
-
name: TFTP Client feature
code: dism /Online /Disable-Feature /FeatureName:"TFTP" /NoRestart
recommend: false
-
category: Printing features
children:
-
category: Printer networking
children:
-
name: Internet Printing Client v
code: dism /Online /Disable-Feature /FeatureName:"Printing-Foundation-InternetPrinting-Client" /NoRestart
recommend: false
-
name: LPD Print Service v
code: dism /Online /Disable-Feature /FeatureName:"Printing-Foundation-LPDPrintService" /NoRestart
recommend: false
-
name: LPR Port Monitor feature
code: dism /Online /Disable-Feature /FeatureName:"Printing-Foundation-LPRPortMonitor" /NoRestart
recommend: false
-
name: Microsoft Print to PDF feature
code: dism /Online /Disable-Feature /FeatureName:"Printing-PrintToPDFServices-Features" /NoRestart
recommend: false
-
name: Print and Document Services feature
code: dism /Online /Disable-Feature /FeatureName:"Printing-Foundation-Features" /NoRestart
recommend: false
-
name: Work Folders Client feature
code: dism /Online /Disable-Feature /FeatureName:"WorkFolders-Client" /NoRestart
recommend: false
docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview
-
category: XPS support
children:
-
name: XPS Services feature
code: dism /Online /Disable-Feature /FeatureName:"Printing-XPSServices-Features" /NoRestart
recommend: false
-
name: XPS Viewer feature
code: dism /Online /Disable-Feature /FeatureName:"Xps-Foundation-Xps-Viewer" /NoRestart
recommend: false
-
name: Media Features feature
code: dism /Online /Disable-Feature /FeatureName:"MediaPlayback" /NoRestart
recommend: false
-
name: Scan Management feature
code: dism /Online /Disable-Feature /FeatureName:"ScanManagementConsole" /NoRestart
recommend: false
-
name: Windows Fax and Scan feature
code: dism /Online /Disable-Feature /FeatureName:"FaxServicesClientPackage" /NoRestart
recommend: false
-
name: Windows Media Player feature
code: dism /Online /Disable-Feature /FeatureName:"WindowsMediaPlayer" /NoRestart
recommend: false
-
name: Windows Search feature
code: dism /Online /Disable-Feature /FeatureName:"SearchEngine-Client-Package" /NoRestart
recommend: false
-
category: Disable capabilities & features on demand
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled
children:
-
category: Preinstalled
children:
-
name: DirectX Configuration Database capability
code: dism /online /Remove-Capability /CapabilityName:"DirectX.Configuration.Database~~~~0.0.1.0" /NoRestart
-
name: Internet Explorer 11 capability
code: dism /online /Remove-Capability /CapabilityName:"Browser.InternetExplorer~~~~0.0.11.0" /NoRestart
-
name: Math Recognizer capability
code: dism /online /Remove-Capability /CapabilityName:"MathRecognizer~~~~0.0.1.0" /NoRestart
-
name: Notepad capability
code: dism /online /Remove-Capability /CapabilityName:"Microsoft.Windows.Notepad~~~~0.0.1.0" /NoRestart
-
name: OneSync capability
code: dism /online /Remove-Capability /CapabilityName:"OneCoreUAP.OneSync~~~~0.0.1.0" /NoRestart
recommend: true
-
name: OpenSSH client capability
code: dism /online /Remove-Capability /CapabilityName:"OpenSSH.Client~~~~0.0.1.0" /NoRestart
-
name: Paint capability
code: dism /online /Remove-Capability /CapabilityName:"Microsoft.Windows.MSPaint~~~~0.0.1.0" /NoRestart
-
name: PowerShell ISE capability
code: dism /online /Remove-Capability /CapabilityName:"Microsoft.Windows.PowerShell.ISE~~~~0.0.1.0" /NoRestart
-
name: Print Management Console capability
code: dism /online /Remove-Capability /CapabilityName:"Print.Management.Console~~~~0.0.1.0" /NoRestart
-
name: Quick Assist capability
code: dism /online /Remove-Capability /CapabilityName:"App.Support.QuickAssist~~~~0.0.1.0" /NoRestart
-
name: Steps Recorder capability
code: dism /online /Remove-Capability /CapabilityName:"App.StepsRecorder~~~~0.0.1.0" /NoRestart
-
name: Windows Fax and Scan capability
code: dism /online /Remove-Capability /CapabilityName:"Print.Fax.Scan~~~~0.0.1.0" /NoRestart
-
name: WordPad capability
code: dism /online /Remove-Capability /CapabilityName:"Microsoft.Windows.WordPad~~~~0.0.1.0" /NoRestart
-
category: Not preinstalled
children:
-
name: .NET Framework capability
code: dism /online /Remove-Capability /CapabilityName:"NetFX3~~~~" /NoRestart
-
name: Mixed Reality capability
code: dism /online /Remove-Capability /CapabilityName:"Analog.Holographic.Desktop~~~~0.0.1.0" /NoRestart
-
name: Wireless Display capability
code: dism /online /Remove-Capability /CapabilityName:"App.WirelessDisplay.Connect~~~~0.0.1.0" /NoRestart
-
name: Accessibility - Braille Support capability
code: dism /online /Remove-Capability /CapabilityName:"Accessibility.Braille~~~~0.0.1.0" /NoRestart
-
name: Developer Mode capability
code: dism /online /Remove-Capability /CapabilityName:"Tools.DeveloperMode.Core~~~~0.0.1.0" /NoRestart
-
name: Graphics Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Tools.Graphics.DirectX~~~~0.0.1.0" /NoRestart
-
name: IrDA capability
code: dism /online /Remove-Capability /CapabilityName:"Network.Irda~~~~0.0.1.0" /NoRestart
-
name: Microsoft WebDriver capability
code: dism /online /Remove-Capability /CapabilityName:"Microsoft.WebDriver~~~~0.0.1.0" /NoRestart
-
name: MSIX Packaging Tool Driver capability
code: dism /online /Remove-Capability /CapabilityName:"Msix.PackagingTool.Driver~~~~0.0.1.0" /NoRestart
-
category: Networking tools
children:
-
name: RAS Connection Manager Administration Kit (CMAK) capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart RasCMAK.Client~~~~0.0.1.0"
-
name: RIP Listener capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart RIP.Listener~~~~0.0.1.0"
-
name: Simple Network Management Protocol (SNMP) capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart SNMP.Client~~~~0.0.1.0"
-
name: SNMP WMI Provider capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart WMI-SNMP-Provider.Client~~~~0.0.1.0"
-
name: OpenSSH Server capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart OpenSSH.Server~~~~0.0.1.0"
-
category: Printing
children:
-
name: Enterprise Cloud Print capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart Print.EnterpriseCloudPrint~~~~0.0.1.0"
-
name: Mopria Cloud Service capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart Print.MopriaCloudService~~~~0.0.1.0"
-
category: Remote server administration tools (RSAT)
children:
-
name: Active Directory Domain Services and Lightweight Directory Services Tools capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
-
name: BitLocker Drive Encryption Administration Utilities capability
code: dism /online /Remove-Capability /CapabilityName:"/NoRestart Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0"
-
name: Active Directory Certificate Services Tools v
code: dism /online /Remove-Capability /CapabilityName:"Rsat.CertificateServices.Tools~~~~0.0.1.0" /NoRestart
-
name: DHCP Server Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.DHCP.Tools~~~~0.0.1.0" /NoRestart
-
name: DNS Server Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.Dns.Tools~~~~0.0.1.0" /NoRestart
-
name: Failover Clustering Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.FailoverCluster.Management.Tools~~~~0.0.1.0" /NoRestart
-
name: File Services Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.FileServices.Tools~~~~0.0.1.0" /NoRestart
-
name: Group Policy Management Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0" /NoRestart
-
name: IP Address Management (IPAM) Client capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.IPAM.Client.Tools~~~~0.0.1.0" /NoRestart
-
name: Data Center Bridging LLDP Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.LLDP.Tools~~~~0.0.1.0" /NoRestart
-
name: Network Controller Management Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.NetworkController.Tools~~~~0.0.1.0" /NoRestart
-
name: Network Load Balancing Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.NetworkLoadBalancing.Tools~~~~0.0.1.0" /NoRestart
-
name: Remote Access Management Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.RemoteAccess.Management.Tools~~~~0.0.1.0" /NoRestart
-
name: Server Manager v
code: dism /online /Remove-Capability /CapabilityName:"Rsat.ServerManager.Tools~~~~0.0.1.0" /NoRestart
-
name: Shielded VM Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.Shielded.VM.Tools~~~~0.0.1.0" /NoRestart
-
name: Storage Replica Module for Windows PowerShell capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.StorageReplica.Tools~~~~0.0.1.0" /NoRestart
-
name: Volume Activation Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.VolumeActivation.Tools~~~~0.0.1.0" /NoRestart
-
name: Windows Server Update Services Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.WSUS.Tools~~~~0.0.1.0" /NoRestart
-
name: Storage Migration Service Management Tools capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.StorageMigrationService.Management.Tools~~~~0.0.1.0" /NoRestart
-
name: Systems Insights Module for Windows PowerShell capability
code: dism /online /Remove-Capability /CapabilityName:"Rsat.SystemInsights.Management.Tools~~~~0.0.1.0" /NoRestart
-
category: Storage
children:
-
name: Windows Storage Management capability
code: dism /online /Remove-Capability /CapabilityName:"Microsoft.Windows.StorageManagement~~~~0.0.1.0" /NoRestart
-
name: OneCore Storage Management capability
code: dism /online /Remove-Capability /CapabilityName:"Microsoft.OneCore.StorageManagement~~~~0.0.1.0" /NoRestart
-
name: Windows Emergency Management Services and Serial Console capability
code: dism /online /Remove-Capability /CapabilityName:"Windows.Desktop.EMS-SAC.Tools~~~~0.0.1.0" /NoRestart
-
name: XPS Viewer capability
code: dism /online /Remove-Capability /CapabilityName:"XPS.Viewer~~~~0.0.1.0" /NoRestart
-
category: Advanced settings
children:
-
name: Change NTP (time) server to pool.ntp.org
recommend: false
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "NtpServer" /t REG_SZ /d "pool.ntp.org, 0x8" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\Parameters" /v "Type" /t REG_SZ /d "NTP" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "CrossSiteSyncFlags" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "EventLogFlags" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMaxTimes" /t REG_DWORD /d 7 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "ResolvePeerBackoffMinutes" /t REG_DWORD /d 15 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient" /v "SpecialPollInterval" /t REG_DWORD /d 1024 /f
-
name: Disable Reserved Storage for updates
recommend: false
docs:
- https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327
- https://www.tenforums.com/tutorials/124858-enable-disable-reserved-storage-windows-10-a.html
code: |-
dism /online /Set-ReservedStorageState /State:Disabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f
revertCode: |-
DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f
-
name: Run script on start-up [EXPERIMENTAL]
recommend: false
code: |-
del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat
copy "%~dpnx0" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
Reference in New Issue View Git Blame Copy Permalink