44r0n7/privacy.sexy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bbc6156281fb3fd4b66c63dec3f765780fafa855
privacy.sexy/src/application/collections/windows.yaml
undergroundwires bbc6156281 win: add script to remove Widgets
2022-09-27 17:36:14 +02:00

7338 lines
611 KiB
YAML
Raw Blame History

# Structure documented in "docs/collection-files.md"
os: windows
scripting:
language: batchfile
startCode: |-
@echo off
:: {{ $homepage }} — v{{ $version }} — {{ $date }}
:: Ensure admin privileges
fltmc >nul 2>&1 || (
echo Administrator privileges are required.
PowerShell Start -Verb RunAs '%0' 2> nul || (
echo Right-click on the script and select "Run as administrator".
pause & exit 1
)
exit 0
)
endCode: |-
pause
exit /b 0
actions:
-
category: Privacy cleanup
children:
-
category: Clear application history
children:
-
name: Clear Listary indexes
code: del /f /s /q %appdata%\Listary\UserData > nul
-
name: Clear Java cache
recommend: strict
code: rd /s /q "%APPDATA%\Sun\Java\Deployment\cache"
-
name: Clear Flash traces
recommend: standard
code: rd /s /q "%APPDATA%\Macromedia\Flash Player"
-
name: Clear Steam dumps, logs, and traces
recommend: standard
code: |-
del /f /q %ProgramFiles(x86)%\Steam\Dumps
del /f /q %ProgramFiles(x86)%\Steam\Traces
del /f /q %ProgramFiles(x86)%\Steam\appcache\*.log
-
category: Clear Visual Studio data
docs: |-
Visual Studio is an integrated development environment (IDE) from Microsoft that is used to develop software [1].
Visual Studio store data such as your usage of the software and also information about your hardware [2].
The data is stored both in Microsoft cloud [3] and locally on computer.
These scripts allow you to delete the local data that might reveal your personally identifiable data about you
or the way you use the product.
[1]: https://en.wikipedia.org/wiki/Visual_Studio "Visual Studio | Wikipedia"
[2]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Visual Studio Customer Experience Improvement Program | Microsoft Learn"
[3]: https://www.infoworld.com/article/2609774/microsoft-reinvents-visual-studio-as-an-azure-cloud-service.html "Microsoft reinvents Visual Studio as an Azure cloud service | InfoWorld"
children:
-
category: Clear Visual Studio telemetry and feedback data
docs: |-
These scripts delete data about you and your behavior that's locally stored by Visual Studio on your computer.
These do not clear data that's already collected in Microsoft servers, but it can prevent sending more data by
deleting data waiting to be sent.
children:
-
name: Delete offline Visual Studio telemetry files
recommend: standard
docs: |-
SQM files are text files that are created and used by Microsoft [1].
SQM stands for "Service Quality Monitoring" [1].
When unable to connect to internet Visual Studio stores SQM files in `%LocalAppData%\Microsoft\VSCommon\<vs_version>\SQM` [2].
The number of files grows continuously and it can get to thousands. Cleaning these files speeds up Visual
Studio significantly according to community reports [2].
[1]: https://techshift.net/how-to-open-sqm-file/ "What is a .SQM File And How To Open It - Microsoft (Visual Guide) | TechShift.net"
[2]: https://stackoverflow.com/a/38862596 "Process monitor - Slow Visual Studio, related to SQMClient? | Stack Overflow"
code: |-
rmdir /s /q %LocalAppData%\Microsoft\VSCommon\14.0\SQM
rmdir /s /q %LocalAppData%\Microsoft\VSCommon\15.0\SQM
rmdir /s /q %LocalAppData%\Microsoft\VSCommon\16.0\SQM
rmdir /s /q %LocalAppData%\Microsoft\VSCommon\17.0\SQM
-
name: Delete Visual Studio Application Insights logs
recommend: standard
docs: |-
Application Insights for Visual Studio stores diagnostic data for e.g. exceptions and performance [1].
Application Insights store `.TRN` files that might grow and exceed thousands [2] [3].
[1]: https://azuredevopslabs.com/labs/vsts/monitor/ "Monitoring Applications using Application Insights | Azure DevOps Hands-on-Labs"
[2]: https://developercommunity.visualstudio.com/t/visual-studio-freezes-randomly/224181#T-N257722-N277241-N407607 "Visual Studio freezes randomly | Visual Studio Feedback"
[3]: https://stackoverflow.com/a/53754481 "Visual Studio 2017 (15.3.1) keeps hanging/freezing | Stack Overflow"
code: |-
rmdir /s /q "%LocalAppData%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%ProgramData%\Microsoft\VSApplicationInsights" 2>nul
rmdir /s /q "%Temp%\Microsoft\VSApplicationInsights" 2>nul
-
name: Delete Visual Studio telemetry folders
recommend: standard
docs: |-
`vstelemetry` is a folder created by both Visual Studio [1] and also by SQL Server Management Studio [2] to
store telemetry data.
There has been security vulnerabilities through these folders that were patched in 2020 by Microsoft [2].
[1]: http://processchecker.com/file/VsHub.exe.html "What is VsHub.exe ? VsHub.exe info | Processchecker.com"
[2]: https://herolab.usd.de/en/security-advisories/usd-2020-0030/ "usd-2020-0030 - usd HeroLab"
code: |-
rmdir /s /q "%AppData%\vstelemetry" 2>nul
rmdir /s /q "%ProgramData%\vstelemetry" 2>nul
-
name: Delete Visual Studio temporary telemetry and log data
recommend: standard
docs: |-
These logs area created by different tools that Visual Studio uses such as its launcher, installer or
data collection agents.
Folders include `VSFaultInfo` [1], `VSFeedbackPerfWatsonData` [2], `VSFeedbackCollector` [2],
`VSFeedbackVSRTCLogs` [3], `VSRemoteControl` [4] [5], `VSFeedbackIntelliCodeLogs` [4] [5],
`VSTelem` [6] [7], `VSTelem.Out` [6].
There are more log and cache data stored by Visual Studio, but not all of them come with privacy
implications. These files can be useful for faster loading, so this script removes only the
sensitive data stored instead of cleaning all the cache completely.
[1]: https://developercommunity.visualstudio.com/t/visual-studio-installer-crashes-after-updating-to/1356122 "Visual Studio Installer crashes after updating to version 16.9.0 - Visual Studio Feedback | Visual Studio Develoepr Community"
[2]: https://developercommunity.visualstudio.com/t/microsoft-visual-studio-1/588200#T-N588861-N594783 "MSTF help | Visual Studio Developer Community"
[3]: https://github.com/MicrosoftDocs/live-share/issues/3584 "Agent logs in %TEMP%\VSFeedbackVSRTCLogs taking up over 87GB · Issue #3584 · MicrosoftDocs/live-share | GitHub"
[4]: https://developercommunity.visualstudio.com/t/please-keep-my-temp-folder-clean/731637 "Please keep my TEMP folder clean! - Visual Studio Feedback | Visual Studio Developer Community"
[5]: https://stackoverflow.com/q/60974427 "Reduce log and other temporary file creation in Visual Studio 2019 | Stack Overflow"
[6]: https://stackoverflow.com/q/72341126 "Visual Studio 2022 - Telemetry | Stack Overflow"
[7]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/5b2a0baa-748f-40e0-b504-f6dfad9b7b4d/vstelem-folder-24000-files-2064kb?forum=msbuild "VSTELEM folder 24000 files 2064Kb | MSDN Forums"
code: |-
rmdir /s /q "%Temp%\VSFaultInfo" 2>nul
rmdir /s /q "%Temp%\VSFeedbackPerfWatsonData" 2>nul
rmdir /s /q "%Temp%\VSFeedbackVSRTCLogs" 2>nul
rmdir /s /q "%Temp%\VSFeedbackIntelliCodeLogs" 2>nul
rmdir /s /q "%Temp%\VSRemoteControl" 2>nul
rmdir /s /q "%Temp%\Microsoft\VSFeedbackCollector" 2>nul
rmdir /s /q "%Temp%\VSTelem" 2>nul
rmdir /s /q "%Temp%\VSTelem.Out" 2>nul
-
category: Clear Visual Studio licenses
docs: |-
Visual Studio stores a local copy of your product key. This information is kept even though
Visual Studio is uninstalled [1] which may reveal unnecessary data and not be desired.
This key is not only stored for purchased Visual Studio products but also for the free trials.
[1]: https://stackoverflow.com/questions/12465361/how-to-change-visual-studio-2012-2013-or-2015-license-key "How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow"
children:
-
name: Clear Visual Studio 2010 licenses
docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow](https://stackoverflow.com/a/14810695)"
code: reg delete "HKCR\Licenses\77550D6B-6352-4E77-9DA3-537419DF564B" /va /f
-
name: Clear Visual Studio 2015 licenses
docs: "[How to change Visual Studio 2012,2013 or 2015 License Key? | Stack Overflow](https://stackoverflow.com/a/32482322)"
code: reg delete "HKCR\Licenses\4D8CFBCB-2F6A-4AD2-BABF-10E28F6F2C8F" /va /f
-
name: Clear Visual Studio 2017 licenses
docs: "[Is Visual Studio Community a 30 day trial? | Stack Overflow](https://stackoverflow.com/a/51570570)"
code: reg delete "HKCR\Licenses\5C505A59-E312-4B89-9508-E162F8150517" /va /f
-
name: Clear Visual Studio 2019 licenses
docs: "[How to change Visual Studio 2017 License Key? | Stack Overflow](https://stackoverflow.com/a/46974337)"
code: reg delete "HKCR\Licenses\41717607-F34E-432C-A138-A3CFD7E25CDA" /va /f
-
name: Clear Visual Studio 2022 licenses
docs: |-
Different keys have been reported by community for VS 2022 license [1]. This may depend on different preview versions.
The latest reported key is `1299B4B9-DFCC-476D-98F0-F65A2B46C96D` [2] [3]. I have tested and verified this along with some
other keys of preview versions. This scripts deletes all mentioned keys.
[1]: https://github.com/beatcracker/VSCELicense/issues/14 "VS 2022 key discussion | beatcracker/VSCELicense | GitHub"
[2]: https://learn.microsoft.com/en-us/answers/questions/673243/how-do-i-remove-a-license-from-visual-studio-2022.html "MSFT Answer | Microsoft Learn"
[3]: https://stackoverflow.com/a/71624750 "How to change Visual Studio 2017 License Key? | Stack Overflow"
code: |-
reg delete "HKCR\Licenses\B16F0CF0-8AD1-4A5B-87BC-CB0DBE9C48FC" /va /f
reg delete "HKCR\Licenses\10D17DBA-761D-4CD8-A627-984E75A58700" /va /f
reg delete "HKCR\Licenses\1299B4B9-DFCC-476D-98F0-F65A2B46C96D" /va /f
-
category: Clear most recently used lists (MRU)
children:
-
category: Clear Quick Access (jump) lists
docs: https://cyberforensicator.com/wp-content/uploads/2017/01/1-s2.0-S1742287616300202-main.2-14.pdf
children:
-
name: Clear recently accessed files
recommend: standard
code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*"
-
name: Clear user pins
code: del /f /q "%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*"
-
name: Clear regedit last key
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit" /va /f
-
name: Clear regedit favorites
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites" /va /f
-
name: Clear list of recent programs opened
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
-
name: Clear Adobe Media Browser MRU
recommend: standard
code: reg delete "HKCU\Software\Adobe\MediaBrowser\MRU" /va /f
-
name: Clear MSPaint MRU
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List" /va /f
-
name: Clear Wordpad MRU
recommend: standard
code: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List" /va /f
-
name: Clear Map Network Drive MRU MRU
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU" /va /f
-
name: Clear Windows Search Assistant history
recommend: standard
code: reg delete "HKCU\Software\Microsoft\Search Assistant\ACMru" /va /f
-
name: Clear list of Recent Files Opened, by Filetype
recommend: standard
code: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
-
name: Clear windows media player recent files and URLs
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentFileList" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\MediaPlayer\Player\RecentURLList" /va /f
-
name: Clear Most Recent Application's Use of DirectX
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Direct3D\MostRecentApplication" /va /f
reg delete "HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication" /va /f
-
name: Clear Windows Run MRU & typedpaths
recommend: standard
code: |-
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths" /va /f
-
name: Clear Dotnet CLI telemetry
recommend: standard
code: rmdir /s /q "%USERPROFILE%\.dotnet\TelemetryStorageService" 2>nul
-
category: Clear browser history
children:
-
category: Clear Internet Explorer history
children:
-
name: Clear Internet Explorer caches
recommend: standard
docs:
# INetCache
- https://support.microsoft.com/en-us/help/260897/how-to-delete-the-contents-of-the-temporary-internet-files-folder
- https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache
# WebCache
- https://docs.microsoft.com/en-us/troubleshoot/browsers/apps-access-admin-web-cache
code: |-
del /f /q "%localappdata%\Microsoft\Windows\INetCache\IE\*"
rd /s /q "%localappdata%\Microsoft\Windows\WebCache"
-
name: Clear Internet Explorer recent URLs
recommend: strict
docs:
- https://web.archive.org/web/20160304232740/http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/
- https://web.archive.org/web/20160321221849/http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/
- https://web.archive.org/web/20150601014235/http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html
- http://sketchymoose.blogspot.com/2014/02/typedurls-registry-key.html
code: |-
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" /va /f
reg delete "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime" /va /f
-
name: Clear Temporary Internet Files (browser cache)
recommend: standard
docs:
- https://en.wikipedia.org/wiki/Temporary_Internet_Files
- https://www.windows-commandline.com/delete-temporary-internet-files/ # %localappdata%\Temporary Internet Files
- https://www.thewindowsclub.com/temporary-internet-files-folder-location # %localappdata%\Microsoft\Windows\Temporary Internet Files and INetCache
code: |-
:: Windows XP
rd /s /q %userprofile%\Local Settings\Temporary Internet Files
:: Windows 7
rd /s /q "%localappdata%\Microsoft\Windows\Temporary Internet Files"
takeown /f "%localappdata%\Temporary Internet Files" /r /d y
icacls "%localappdata%\Temporary Internet Files" /grant administrators:F /t
rd /s /q "%localappdata%\Temporary Internet Files"
:: Windows 8 and above
rd /s /q "%localappdata%\Microsoft\Windows\INetCache"
-
name: Clear Internet Explorer Feeds Cache
recommend: standard
docs: https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
code: rd /s /q "%localappdata%\Microsoft\Feeds Cache"
-
name: Clear Internet Explorer cookies
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows/win32/wininet/managing-cookies
- https://docs.microsoft.com/en-us/internet-explorer/kb-support/ie-edge-faqs
- https://www.thewindowsclub.com/cookies-folder-location-windows
code: |-
:: Windows 7 browsers
rd /s /q "%APPDATA%\Microsoft\Windows\Cookies"
:: Windows 8 and higher
rd /s /q "%localappdata%\Microsoft\Windows\INetCookies"
-
name: Clear Internet Explorer DOMStore
recommend: standard
docs: https://web.archive.org/web/20100416135352/http://msdn.microsoft.com/en-us/library/cc197062(VS.85).aspx
code: rd /s /q "%localappdata%\Microsoft\InternetExplorer\DOMStore"
-
name: Clear all Internet Explorer user data
docs:
- https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+Data
- https://kb.digital-detective.net/display/BF/Location+of+Internet+Explorer+11+Data
- https://www.forensafe.com/blogs/internetexplorer.html
# Includes Internet Explorer cache, tab recovery data, persistance storage (DOMStore, indexed DB etc.)
# Folders: CacheStorage\, Tracking Protection\, Tiles\, TabRoaming\, IECompatData\
# DOMStore\, Recovery\ (that includes browser history), DomainSuggestions\,
# VersionManager\, UrlBlockManager\, Indexed DB\, imagestore\, IEFlipAheadCache\
# EUPP\, EmieUserList\, EmieSiteList\, EmieBrowserModeList\
# Files: brndlog.txt, brndlog.bak, ie4uinit-ClearIconCache.log, ie4uinit-UserConfig.log,
# MSIMGSIZ.DAT
code: rd /s /q "%localappdata%\Microsoft\Internet Explorer"
-
category: Clear Google Chrome history
children:
-
name: Clear Google Chrome crash reports
recommend: standard
docs: https://www.chromium.org/developers/crash-reports
code: |-
rd /s /q "%localappdata%\Google\Chrome\User Data\Crashpad\reports\"
rd /s /q "%localappdata%\Google\CrashReports\"
-
name: Clear Software Reporter Tool logs
recommend: standard
docs: https://support.google.com/chrome/forum/AAAAP1KN0B0T8qnffV5gwM/
code: del /f /q "%localappdata%\Google\Software Reporter Tool\*.log"
-
name: Clear all Chrome user data
docs: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md
code: |-
:: Windows XP
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data"
:: Windows Vista and later
rd /s /q "%localappdata%\Google\Chrome\User Data"
-
category: Clear Firefox history
children:
-
name: Clear browsing history and caches
recommend: standard
code: |-
set ignoreFiles="content-prefs.sqlite" "permissions.sqlite" "favicons.sqlite"
for %%d in ("%APPDATA%\Mozilla\Firefox\Profiles\"
"%USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\"
) do (
IF EXIST %%d (
FOR /d %%p IN (%%d*) DO (
for /f "delims=" %%f in ('dir /b /s "%%p\*.sqlite" 2^>nul') do (
set "continue="
for %%i in (%ignoreFiles%) do (
if %%i == "%%~nxf" (
set continue=1
)
)
if not defined continue (
del /q /s /f %%f
)
)
)
)
)
-
name: Clear all Firefox user profiles, settings, and data
code: |-
rd /s /q "%localappdata%\Mozilla\Firefox\Profiles"
rd /s /q "%APPDATA%\Mozilla\Firefox\Profiles"
-
name: Clear all Opera data (user profiles, settings, and data)
code: |-
:: Windows XP
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Opera\Opera"
:: Windows Vista and later
rd /s /q "%localappdata%\Opera\Opera"
rd /s /q "%APPDATA%\Opera\Opera"
-
category: Clear Safari history
children:
-
name: Clear Webpage Icons
recommend: standard
docs: https://www.sans.org/blog/safari-browser-forensics/
code: |-
:: Windows XP
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Safari\WebpageIcons.db"
:: Windows Vista and later
del /q /s /f "%localappdata%\Apple Computer\Safari\WebpageIcons.db"
-
name: Clear Safari cache
recommend: standard
docs: https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
code: |-
:: Windows XP
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cache.db"
:: Windows Vista and later
del /q /s /f "%localappdata%\Apple Computer\Safari\Cache.db"
-
name: Clear Safari cookies
recommend: strict
docs: https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
code: |-
:: Windows XP
del /q /s /f "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari\Cookies.db"
:: Windows Vista and later
del /q /s /f "%localappdata%\Apple Computer\Safari\Cookies.db"
-
name: Clear all Safari data (user profiles, settings, and data)
docs:
- https://kb.digital-detective.net/display/BF/Location+of+Safari+Data
- https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari
- https://zerosecurity.org/2013/04/safari-forensic-tutorial
code: |-
:: Windows XP
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari"
:: Windows Vista and later
rd /s /q "%AppData%\Apple Computer\Safari"
-
category: Clear Windows logs & caches
children:
-
name: Clear thumbnail cache
code: del /f /s /q /a %LocalAppData%\Microsoft\Windows\Explorer\*.db
-
category: Clear Windows log files
children:
-
category: Clear Windows Update logs
children:
-
name: Clear Windows update and SFC scan logs
docs: https://answers.microsoft.com/en-us/windows/forum/all/cwindowslogscbs/fe4e359a-bcb9-4988-954d-563ef83bac1c
recommend: standard
code: del /f /q %SystemRoot%\Temp\CBS\*
-
name: Clear Windows Update Medic Service logs
recommend: standard
docs: https://answers.microsoft.com/en-us/windows/forum/all/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4
code: |-
takeown /f %SystemRoot%\Logs\waasmedic /r /d y
icacls %SystemRoot%\Logs\waasmedic /grant administrators:F /t
rd /s /q %SystemRoot%\Logs\waasmedic
-
name: Clear Cryptographic Services Traces
recommend: standard
docs: https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
code: |-
del /f /q %SystemRoot%\System32\catroot2\dberr.txt
del /f /q %SystemRoot%\System32\catroot2.log
del /f /q %SystemRoot%\System32\catroot2.jrs
del /f /q %SystemRoot%\System32\catroot2.edb
del /f /q %SystemRoot%\System32\catroot2.chk
-
name: Windows Update Events Logs
code: del /f /q "%SystemRoot%\Logs\SIH\*"
-
name: Windows Update Logs
code: del /f /q "%SystemRoot%\Traces\WindowsUpdate\*"
-
name: Clear Optional Component Manager and COM+ components logs
recommend: standard
code: del /f /q %SystemRoot%\comsetup.log
-
name: Clear Distributed Transaction Coordinator logs
recommend: standard
code: del /f /q %SystemRoot%\DtcInstall.log
-
name: Clear Pending File Rename Operations logs
code: del /f /q %SystemRoot%\PFRO.log
-
name: Clear Windows Deployment Upgrade Process Logs
recommend: standard
code: |-
del /f /q %SystemRoot%\setupact.log
del /f /q %SystemRoot%\setuperr.log
-
name: Clear Windows Setup Logs
recommend: standard
docs: https://support.microsoft.com/en-gb/help/927521/windows-vista-windows-7-windows-server-2008-r2-windows-8-1-and-windows
code: |-
del /f /q %SystemRoot%\setupapi.log
del /f /q %SystemRoot%\Panther\*
del /f /q %SystemRoot%\inf\setupapi.app.log
del /f /q %SystemRoot%\inf\setupapi.dev.log
del /f /q %SystemRoot%\inf\setupapi.offline.log
-
name: Clear Windows System Assessment Tool logs
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/win32/winsat/windows-system-assessment-tool-portal
code: del /f /q %SystemRoot%\Performance\WinSAT\winsat.log
-
name: Clear Password change events
recommend: standard
code: del /f /q %SystemRoot%\debug\PASSWD.LOG
-
name: Clear user web cache database
recommend: standard
docs: https://support.microsoft.com/en-gb/help/4056823/performance-issue-with-custom-default-user-profile
code: del /f /q %localappdata%\Microsoft\Windows\WebCache\*.*
-
name: Clear system temp folder when no one is logged in
recommend: standard
code: del /f /q %SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\*.*
-
name: Clear DISM (Deployment Image Servicing and Management) Logs
recommend: standard
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files
code: |-
del /f /q %SystemRoot%\Logs\CBS\CBS.log
del /f /q %SystemRoot%\Logs\DISM\DISM.log
-
name: Clear WUAgent (Windows Update History) logs
docs: https://social.technet.microsoft.com/Forums/ie/en-US/f5744a18-d4ca-4631-8324-878b9225251d/windowssoftwaredistribution-folder-cleanup-automation?forum=winserverwsus
code: |- # `sc queryex` output is same in every OS language
setlocal EnableDelayedExpansion
SET /A wuau_service_running=0
SC queryex "wuauserv"|Find "STATE"|Find /v "RUNNING">Nul||(
SET /A wuau_service_running=1
net stop wuauserv
)
del /q /s /f "%SystemRoot%\SoftwareDistribution"
IF !wuau_service_running! == 1 (
net start wuauserv
)
endlocal
-
name: Clear Server-initiated Healing Events Logs
code: del /f /q "%SystemRoot%\Logs\SIH\*"
-
name: Common Language Runtime Logs
recommend: standard
code: |-
del /f /q "%LocalAppData%\Microsoft\CLR_v4.0\UsageTraces\*"
del /f /q "%LocalAppData%\Microsoft\CLR_v4.0_32\UsageTraces\*"
-
name: Network Setup Service Events Logs
recommend: standard
code: del /f /q "%SystemRoot%\Logs\NetSetup\*"
-
name: Disk Cleanup tool (Cleanmgr.exe) Logs
code: del /f /q "%SystemRoot%\System32\LogFiles\setupcln\*"
-
name: Clear Windows temp files
recommend: standard
code: |-
del /f /q %localappdata%\Temp\*
rd /s /q "%WINDIR%\Temp"
rd /s /q "%TEMP%"
-
name: Clear main telemetry file
recommend: standard
code: |-
if exist "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" (
takeown /f "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /r /d y
icacls "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl" /grant administrators:F /t
echo "" > "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl"
echo Clear successful: "%ProgramData%\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl"
) else (
echo "Main telemetry file does not exist. Good!"
)
-
name: Clear Event Logs in Event Viewer
docs: https://serverfault.com/questions/407838/do-windows-events-from-the-windows-event-log-have-sensitive-information
code: |-
REM https://social.technet.microsoft.com/Forums/en-US/f6788f7d-7d04-41f1-a64e-3af9f700e4bd/failed-to-clear-log-microsoftwindowsliveidoperational-access-is-denied?forum=win10itprogeneral
wevtutil sl Microsoft-Windows-LiveId/Operational /ca:O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)
for /f "tokens=*" %%i in ('wevtutil.exe el') DO (
echo Deleting event log: "%%i"
wevtutil.exe cl %1 "%%i"
)
-
name: Clean Windows Defender scan history
docs: https://www.thewindowsclub.com/clear-windows-defender-protection-history
code: del "%ProgramData%\Microsoft\Windows Defender\Scans\History\" /s /f /q
-
name: Clear credentials from Windows Credential Manager
code: |-
cmdkey.exe /list > "%TEMP%\List.txt"
findstr.exe Target "%TEMP%\List.txt" > "%TEMP%\tokensonly.txt"
FOR /F "tokens=1,2 delims= " %%G IN (%TEMP%\tokensonly.txt) DO cmdkey.exe /delete:%%H
del "%TEMP%\List.txt" /s /f /q
del "%TEMP%\tokensonly.txt" /s /f /q
-
name: Delete controversial default0 user
docs: https://github.com/undergroundwires/privacy.sexy/issues/30
recommend: standard
code: net user defaultuser0 /delete 2>nul
-
name: Empty trash bin
call:
function: RunPowerShell
parameters:
code: |-
$bin = (New-Object -ComObject Shell.Application).NameSpace(10)
$bin.items() | ForEach {
Write-Host "Deleting $($_.Name) from Recycle Bin"
Remove-Item $_.Path -Recurse -Force
}
-
name: Enable Reset Base in Dism Component Store
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\Configuration" /v "DisableResetbase" /t "REG_DWORD" /d "0" /f
-
name: Clear Windows Product Key from Registry
# Helps to protect it from being stolen and used for identity theft or identifying you.
docs: https://winaero.com/blog/remove-windows-10-product-key-from-registry-and-protect-it-from-being-stolen/
# We use cscript.exe to execute instead of `slmgr` command directly to keep the output but surpress the dialogs.
code: cscript.exe //nologo "%SystemRoot%\system32\slmgr.vbs" /cpky
-
name: Clear volume backups (shadow copies)
docs:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
code: vssadmin delete shadows /all /quiet
-
name: Remove Default Apps Associations
recommend: standard
code: dism /online /Remove-DefaultAppAssociations
-
name: Clear (Reset) Network Data Usage
recommend: standard
docs: https://www.windowslifestyle.com/reset-data-usage-tool-reset-network-data-usage-windows-10/
code: |- # `sc queryex` output is same in every OS language
setlocal EnableDelayedExpansion
SET /A dps_service_running=0
SC queryex "DPS"|Find "STATE"|Find /v "RUNNING">Nul||(
SET /A dps_service_running=1
net stop DPS
)
del /F /S /Q /A "%windir%\System32\sru*"
IF !dps_service_running! == 1 (
net start DPS
)
endlocal
-
name: Clear previous Windows installations
code: |-
if exist "%SystemDrive%\Windows.old" (
takeown /f "%SystemDrive%\Windows.old" /a /r /d y
icacls "%SystemDrive%\Windows.old" /grant administrators:F /t
rd /s /q "%SystemDrive%\Windows.old"
echo Deleted previous installation from "%SystemDrive%\Windows.old\"
) else (
echo No previous Windows installation has been found
)
-
category: Disable OS data collection
children:
-
category: Disable Windows telemetry and data collection
children:
-
name: Disable Customer Experience Improvement (CEIP/SQM)
docs: https://docs.microsoft.com/en-us/windows/win32/devnotes/ceipenable
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f
-
name: Disable Application Impact Telemetry (AIT)
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "1" /f
-
category: Disable diagnostics telemetry services
children:
-
name: Disable connected user experiences and telemetry service # Connected User Experiences and Telemetry
recommend: standard
docs: http://batcmd.com/windows/10/services/diagtrack/
call:
function: DisableService
parameters:
serviceName: DiagTrack # Check: (Get-Service -Name DiagTrack).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable WAP push message routing service # Device Management Wireless Application Protocol (WAP) Push message Routing Service
recommend: standard
docs: http://batcmd.com/windows/10/services/dmwappushservice/
call:
function: DisableService
parameters:
serviceName: dmwappushservice # Check: (Get-Service -Name dmwappushservice).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable diagnostics hub standard collector service # Microsoft (R) Diagnostics Hub Standard Collector
docs: http://batcmd.com/windows/10/services/diagnosticshub-standardcollector-service/
call:
function: DisableService
parameters:
serviceName: diagnosticshub.standardcollector.service # Check: (Get-Service -Name diagnosticshub.standardcollector.service).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable diagnostic execution service # Diagnostic Execution Service
docs: http://batcmd.com/windows/10/services/diagsvc/
call:
function: DisableService
parameters:
serviceName: diagsvc # Check: (Get-Service -Name diagsvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Customer Experience Improvement Program
recommend: standard
code: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
revertCode: |-
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /ENABLE
schtasks /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /ENABLE
-
category: Disable Webcam Telemetry (devicecensus.exe)
docs:
- https://www.ghacks.net/2019/09/23/what-is-devicecensus-exe-on-windows-10-and-why-does-it-need-internet-connectivity/
- https://answers.microsoft.com/en-us/windows/forum/windows_10-security/devicecensusexe-and-host-process-for-windows-task/520d42a2-45c1-402a-81de-e1116ecf2538
children:
-
name: Disable devicecensus.exe (telemetry) task
recommend: standard
code: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Device Information\Device" /enable
-
name: Disable devicecensus.exe (telemetry) process
recommend: standard
call:
function: KillProcessWhenItStarts
parameters:
processName: DeviceCensus.exe
-
category: Disable Compatibility Telemetry (Application Experience)
children:
-
category: Disable Microsoft Compatibility Appraiser
docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
children:
-
name: Disable Microsoft Compatibility Appraiser task
recommend: standard
code: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable
-
name: Disable CompatTelRunner.exe (Microsoft Compatibility Appraiser) process
recommend: standard
call:
function: KillProcessWhenItStarts
parameters:
processName: CompatTelRunner.exe
-
name: Disable sending information to Customer Experience Improvement Program
recommend: standard
docs:
- https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
- https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/permanently-disabling-windows-compatibility/6bf71583-81b0-4a74-ae2e-8fd73305aad1
code: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable
-
name: Disable Application Impact Telemetry Agent task
recommend: standard
docs: https://www.shouldiblockit.com/aitagent.exe-6181.aspx
code: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\AitAgent" /enable
-
name: Disable "Disable apps to improve performance" reminder
recommend: strict
docs: https://www.ghacks.net/2016/10/26/turn-off-the-windows-customer-experience-program/
code: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable
revertCode: schtasks /change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /enable
-
name: Disable telemetry in data collection policy
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /d 0 /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "LimitEnhancedDiagnosticDataWindowsAnalytics" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
-
name: Disable license telemetry
recommend: standard
code: reg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t "REG_DWORD" /d "1" /f
-
name: Disable error reporting
recommend: standard
docs:
# Settings
- https://docs.microsoft.com/en-us/windows/win32/wer/wer-settings
- https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63493
# Windows Error Reporting Service
- http://batcmd.com/windows/10/services/wersvc/
# Problem Reports Control Panel Support
- http://batcmd.com/windows/10/services/wercplsupport/
call:
-
function: RunInlineCode
parameters:
code: |-
:: Disable Windows Error Reporting (WER)
reg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t "REG_DWORD" /d "1" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "1" /f
:: Disable WER sending second-level data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
:: Disable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
revertCode: |-
:: Enable Windows Error Reporting (WER)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /f
:: DefaultConsent / 1 - Always ask (default) / 2 - Parameters only / 3 - Parameters and safe data / 4 - All data
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultConsent" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v "DefaultOverrideBehavior" /t REG_DWORD /d "0" /f
:: Enable WER sending second-level data
reg delete "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /f
:: Enable WER crash dialogs, popups
reg add "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "0" /f
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Enable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Enable
- # Windows Error Reporting Service
function: DisableService
parameters:
serviceName: wersvc # Check: (Get-Service -Name wersvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
- # Problem Reports Control Panel Support
function: DisableService
parameters:
serviceName: wercplsupport # Check: (Get-Service -Name wercplsupport).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Disable automatic driver updates by Windows Update
children:
-
name: Disable device metadata retrieval (breaks auto updates)
recommend: strict
docs:
- https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-21964
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 0 /f
-
name: Do not include drivers with Windows Updates
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::ExcludeWUDriversInQualityUpdate
recommend: strict
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d 0 /f
-
name: Prevent Windows Update for device driver search
docs: https://www.stigviewer.com/stig/windows_7/2018-02-12/finding/V-21965
recommend: strict
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 1 /f
-
name: Disable cloud speech recognition
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#186-speech
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 1 /f
-
name: Disable active probing (pings to MSFT NCSI server)
recommend: strict
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
-
name: Opt out from Windows privacy consent
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 1 /f
-
name: Disable Windows feedback
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
-
name: Disable text and handwriting collection
recommend: standard
code: |-
reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
-
category: Deny app access to personal information
children:
-
name: Deny app access to location
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesslocation # LetAppsAccessLocation
- https://www.joseespitia.com/2019/07/24/registry-keys-for-windows-10-application-privacy-settings/ # ConsentStore\location
- https://social.technet.microsoft.com/Forums/en-US/63904312-04af-41e5-8b57-1dd446ea45c5/ # lfsvc\Service\Configuration
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Deny" /f
:: For older Windows (before 1903)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "0" /t REG_DWORD /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /d "Allow" /f
:: For older Windows (before 1903)
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /d "1" /t REG_DWORD /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessLocation_ForceDenyTheseApps" /f
-
name: Deny app access to account info, name, and picture
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessaccountinfo
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Deny" /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /d "Allow" /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessAccountInfo_ForceDenyTheseApps" /f
-
name: Deny app access to motion data
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmotion
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\activity" /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMotion_ForceDenyTheseApps" /f
-
name: Deny app access to phone
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone
code: |-
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessPhone_ForceDenyTheseApps" /f
-
name: Deny app access to trusted devices
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstrusteddevices
recommend: standard
code: |-
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTrustedDevices_ForceDenyTheseApps" /f
-
name: Deny app sync with devices (unpaired, beacons, TVs, etc.)
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappssyncwithdevices
code: |-
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsSyncWithDevices_ForceDenyTheseApps" /f
-
name: Deny app access to camera
docs:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kscategory-video-camera
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscamera
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCamera_ForceDenyTheseApps" /f
-
name: Deny app access to microphone
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophonee
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMicrophone_ForceDenyTheseApps" /f
-
name: Deny apps share and sync non-explicitly paired wireless devices over uPnP
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Deny" /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /t REG_SZ /v "Value" /d "Allow" /f
-
name: Deny app access to diagnostics info about your other apps
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsgetdiagnosticinfo
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Deny" /t REG_SZ /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /d "Allow" /t REG_SZ /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsGetDiagnosticInfo_ForceDenyTheseApps" /f
-
category: Deny app access to your file system
children:
-
name: Deny app access to Document folder
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to Pictures folder
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to Videos folder
recommend: standard
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to other filesystem
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /d "Allow" /t REG_SZ /f
-
name: Deny app access to your contacts
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscontacts
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /t REG_SZ /v "Value" /d "Allow" /f
:: GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessContacts_ForceDenyTheseApps" /f
-
name: Deny app access to Notifications
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO (re-activation through GUI is not possible)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessNotifications_ForceDenyTheseApps" /f
-
name: Deny app access to Calendar
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscalendar
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCalendar_ForceDenyTheseApps" /f
-
name: Deny app access to call history
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesscallhistory
code: |-
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessCallHistory_ForceDenyTheseApps" /f
-
name: Deny app access to email
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessemail
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d DENY /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessEmail_ForceDenyTheseApps" /f
-
name: Deny app access to tasks
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccesstasks
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Deny" /t REG_SZ /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /d "Allow" /t REG_SZ /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessTasks_ForceDenyTheseApps" /f
-
name: Deny app access to messaging (SMS / MMS)
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmessaging
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Deny" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Deny" /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /t REG_SZ /v "Value" /d "Allow" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{21157C1F-2651-4CC1-90CA-1F28B02263F6}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessMessaging_ForceDenyTheseApps" /f
-
name: Deny app access to radios
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessradios
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Deny" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d DENY /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /t REG_MULTI_SZ /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /t REG_MULTI_SZ /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /d "Allow" /t REG_SZ /f
:: For older Windows (before 1903)
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /t REG_SZ /v "Value" /d "Allow" /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_UserInControlOfTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceAllowTheseApps" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsAccessRadios_ForceDenyTheseApps" /f
-
name: Deny app access to bluetooth devices
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Deny" /t REG_SZ /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /d "Allow" /t REG_SZ /f
-
category: Disable app access to voice activation
children:
-
name: Disable apps and Cortana to activate with voice
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoice
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 0 /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /t REG_DWORD /d 2 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d 1 /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoice" /f
-
name: Disable apps and Cortana to activate with voice when sytem is locked
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppPrivacy::LetAppsActivateWithVoiceAboveLock
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 0 /f
:: Using GPO (re-activation through GUI is not possible)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /t REG_DWORD /d 2 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d 1 /f
:: Using GPO
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsActivateWithVoiceAboveLock" /f
-
category: Disable location access
children:
-
name: Turn off Windows Location Provider
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "0" /f
-
name: Turn off location scripting
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "0" /f
-
name: Turn off location
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "1" /t REG_DWORD /f
:: For older Windows (before 1903)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "0" /t REG_DWORD /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Deny" /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /d "0" /t REG_DWORD /f
:: For older Windows (before 1903)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /d "1" /t REG_DWORD /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "Value" /t REG_SZ /d "Allow" /f
-
name: Turn off sensors
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "0" /f
-
category: Disable windows search data collection
children:
-
category: Disable cortana
children:
-
name: Do not allow Cortana
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCortana
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /f
-
name: Do not allow Cortana experience
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d 1 /f
-
name: Do not allow search and Cortana to search cloud sources like OneDrive and SharePoint
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d 1 /f
-
name: Disable Cortana speech interaction while the system is locked
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-abovelock
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /f
-
name: Opt out from Cortana consent
recommend: standard
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d 10 /f
-
name: Do not allow Cortana to be enabled
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CanCortanaBeEnabled" /t REG_DWORD /d 1 /f
-
name: Disable Cortana (Internet search results in start menu)
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 1 /f
-
category: Disable Cortana history
children:
-
name: Prevent Cortana from displaying history
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "HistoryViewEnabled" /f
-
name: Prevent Cortana from using device history
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "DeviceHistoryEnabled" /f
-
name: Remove the Cortana taskbar icon
recommend: standard
code: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /t REG_DWORD /d 0 /f
revertCode: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "ShowCortanaButton" /f
-
name: Disable Cortana in ambient mode
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaInAmbientMode" /t REG_DWORD /d 1 /f
-
category: Disable Cortana voice listening
children:
-
name: Disable "Hey Cortana" voice activation
recommend: standard
code: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationOn" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationDefaultOn" /t REG_DWORD /d 1 /f
-
name: Disable Cortana listening to commands on Windows key + C
recommend: standard
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "VoiceShortcut" /t REG_DWORD /d 1 /f
-
name: Disable using Cortana even when device is locked
recommend: standard
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "VoiceActivationEnableAboveLockscreen" /t REG_DWORD /d 1 /f
-
name: Disable automatic update of Speech Data
recommend: standard
code: reg add "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKCU\Software\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /f
-
name: Disable Cortana voice support during Windows setup
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE" /v "DisableVoice" /f
-
category: Configure Windows search indexing
children:
-
name: Disable search indexing encrypted items / stores
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowindexingencryptedstoresoritems
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /f
-
name: Do not use automatic language detection when indexing
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-alwaysuseautolangdetection
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AlwaysUseAutoLangDetection" /t REG_DWORD /d 1 /f
-
name: Do not allow search to use location
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 1 /f
-
name: Disable web search in search bar
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::DisableWebSearch
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 0 /f
-
name: Do not search the web or display web results in Search
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#21-cortana-and-search-group-policies
recomend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 1 /f
-
name: Disable Bing search
recommend: standard
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 1 /f
-
category: Disable targeted ads and marketing
children:
-
name: Disable ad customization with Advertising ID
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "0" /f
-
category: Disable cloud-based tips and ads
children:
-
name: Disable Windows Tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableSoftLanding
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "1" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableSoftLanding" /t REG_DWORD /d "0" /f
-
name: Disable Windows Spotlight (random wallpaper on lock screen)
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/configuration/windows-spotlight
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#25-windows-spotlight
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t "REG_DWORD" /d "0" /f
-
name: Disable Microsoft consumer experiences
recommend: standard
docs:
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-71771
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.CloudContent::DisableWindowsConsumerFeatures
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "1" /f
revertCode: reg add "HKLM\Software\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t "REG_DWORD" /d "0" /f
-
name: Turn Off Suggested Content in Settings app
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-2004
- https://www.blogsdna.com/28017/how-to-disable-turn-off-suggested-content-on-windows-10-setting-app.htm
code: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "0" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "0" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "0" /t REG_DWORD /f
revertCode: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /d "1" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /d "1" /t REG_DWORD /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /d "1" /t REG_DWORD /f
-
category: Disable biometrics (breaks fingerprinting/facial login)
children:
-
name: Do not allow the use of biometrics
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableBio
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "1" /f
-
name: Do not allow users to log on using biometrics
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Biometrics::Biometrics_EnableCredProv
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "0" /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider" /v "Enabled" /t "REG_DWORD" /d "1" /f
-
name: Disable Windows Biometric Service
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-biometric-service
- http://batcmd.com/windows/10/services/wbiosrvc/
call:
function: DisableService
parameters:
serviceName: WbioSrvc # Check: (Get-Service -Name WbioSrvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Wi-Fi sense
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f
-
name: Hide most used apps (tracks app launch)
docs: https://www.thewindowsclub.com/enable-or-disable-app-launch-tracking-in-windows-10
recommend: strict
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d 1 /t REG_DWORD /f
-
name: Disable Inventory Collector
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 0 /f
-
name: Disable Website Access of Language List
recommend: standard
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#181-general
code: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d 0 /f
-
name: Disable Auto Downloading Maps
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d 0 /f
-
name: Disable steps recorder
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
-
name: Disable game screen recording
recommend: standard
code: |-
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d 0 /f
-
name: Disable Windows DRM internet access
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DigitalRights2::DisableOnline
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable feedback on write (sending typing info)
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable Activity Feed
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f
-
category: Disable Windows Insider Program
children:
-
name: Disable Windows Insider Service
docs:
- https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#windows-insider-service
- http://batcmd.com/windows/10/services/wisvc/
recommend: standard
call:
function: DisableService
parameters:
serviceName: wisvc # Check: (Get-Service -Name wisvc).StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Do not let Microsoft try features on this build
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DataCollection::EnableExperimentation
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d 0 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableExperimentation" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "EnableConfigFlighting" /f
reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /f
-
name: Disable getting preview builds of Windows
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AllowBuildPreview::AllowBuildPreview
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" /v "AllowBuildPreview" /f
-
name: Remove "Windows Insider Program" from Settings
docs: https://winaero.com/how-to-hide-the-windows-insider-program-page-from-the-settings-app-in-windows-10/
code: reg add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /t "REG_DWORD" /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "HideInsiderPage" /f
-
category: Disable cloud sync
docs: https://support.microsoft.com/en-us/help/4026102/windows-10-about-sync-settings
children:
-
name: Disable all settings sync
recommend: standard
enabler: all those bottom
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f
-
name: Disable Application Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable App Sync Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Credentials Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f
-
name: Disable Desktop Theme Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Personalization Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Start Layout Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Web Browser Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Windows Setting Sync
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
-
name: Disable Language Setting Sync
recommend: standard
docs:
- https://winaero.com/turn-on-off-sync-settings-windows-10/
- https://www.thewindowsclub.com/how-to-configure-windows-10-sync-settings-using-registry-editor
- https://tuxicoman.jesuislibre.net/blog/wp-content/uploads/Windows10_Telemetrie_1709.pdf # from guide on confidentiality and privacy with Windows 10 distributed to the French police, previous version of guide: https://www.pmenier.net/dotclear/docext/win10/.Windows10-Presentation.pdf
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 1 /f
-
category: Configure programs
children:
-
category: Disable Visual Studio data collection
docs: |-
These scripts disable future local and cloud data collection by Visual Studio about you and your behavior.
These do not clean existing data collected about you locally or on cloud servers.
children:
-
name: Opt-out from Visual Studio Customer Experience Improvement Program (VSCEIP)
recommend: standard
docs: |-
`VSCEIP` collects information about errors, computer hardware, and how people use Visual Studio [1].
The information is sent to Microsoft servers for further analysis.
This was previously known as Customer Experience Improvement Program (`PerfWatson`) for Visual Studio
that primarily collected your personal usage and related performance data [2].
For more information about the information collected, processed, or transmitted by the `VSCEIP`, see the
[Microsoft Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement).
Visual Studio uses different keys based on CPU architecture of the host operating system (32bit or 64bit) [1]:
- 32bit: `HKLM\SOFTWARE\Microsoft\VSCommon`
- 64bit: `HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon`
Key `OptIn` can have two different values [1]:
- `0` is opted out (turn off)
- `1` is opted in (turn on)
The default installation sets the key as `1` (opt-in by default) since Visual Studio 2022.
[1]: https://learn.microsoft.com/en-us/visualstudio/ide/visual-studio-experience-improvement-program "Customer Experience Improvement Program - Visual Studio (Windows) | Microsoft Learn"
[2]: https://devblogs.microsoft.com/visualstudio/how-we-use-your-perfwatson-data-to-identify-unresponsive-areas/ "How we use your PerfWatson data to identify Unresponsive areas | Visual Studio Blog"
code: |-
:: Using OS keys
if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
) else (
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
)
:: Using GPO key
reg add "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /t REG_DWORD /d 0 /f
revertCode: |-
:: Using OS keys
if %PROCESSOR_ARCHITECTURE%==x86 ( REM is 32 bit?
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
) else (
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 1 /f
)
:: Using GPO key
reg delete "HKLM\Software\Policies\Microsoft\VisualStudio\SQM" /v "OptIn" /f 2>nul
-
name: Disable Visual Studio telemetry
docs: |-
This key was first seen to be used in Visual Studio 15 (2017) [1] [2].
By default (after clean installation) the registry key set by this script does not exist
since Visual Studio 2022.
[1]: https://developercommunity.visualstudio.com/t/bad-crashes-when-visualstudiotelemetryturnoffswitc/208693 "Bad crashes when VisualStudio\Telemetry\TurnOffSwitch is set to 0 | Visual Studio Feedback"
[2]: https://social.msdn.microsoft.com/Forums/vstudio/en-US/7796f0c5-ec9a-4fc8-9f62-584a663f9016/vs2015-pro-upd-3-quotthe-application-cannot-startquot-exception-in-obtainoptinstatus 'VS2015 (pro + upd 3): "Forum post showing logs for TurnOffSwitch key | MSDN Forums'
recommend: standard
code: reg add "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKCU\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /f 2>nul
-
name: Disable Visual Studio feedback
docs: |-
Feedback tool in Visual Studio allows users to report a problem from either Visual Studio or its installer.
It collects rich diagnostic information along with personally identifiable information [1]. Information includes large log files,
crash information, screenshots, repro recording, and other artifacts [1].
This script disables feedback dialog and screenshot capture/email input that's prompted to be sent as part of the feedback.
By default (after clean installation) the registry keys are not configured/set since Visual Studio 2022. Having these settings no
set imply that feedback is enabled.
[1]: https://learn.microsoft.com/en-us/visualstudio/ide/how-to-report-a-problem-with-visual-studio "Report a problem with Visual Studio - Visual Studio (Windows) | Microsoft Learn"
recommend: standard
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /f 2>nul
-
name: Stop and disable Visual Studio Standard Collector Service
docs: |-
Visual Studio Standard Collector Service is a service that is part of
[Microsoft Visual Studio and .NET Log Collection Tool](https://www.microsoft.com/en-us/download/details.aspx?id=12493) [1].
This service collects logs for Diagnostics Hub just like Diagnostic Hub Standard Collector [2].
It has been known to be vulnerable to privilege elavation [3].
Disabling this service is recommended because otherwise it would:
- Increase the attack surface of your computer, making it open to potential future vulnerabilities.
- Use computer resources in favor of collecting more data about you and your behavior.
[1]: https://learn.microsoft.com/en-us/answers/questions/891356/i-can39t-start-vsstandardcollectorservice150.html#answer-929168 "I can't start VSStandardCollectorService150 | Microsoft Q&A"
[2]: https://www.atredis.com/blog/cve-2018-0952-privilege-escalation-vulnerability-in-windows-standard-collector-service "CVE-2018-0952: Privilege Escalation Vulnerability in Windows Standard Collector Service | Atredis Partners"
[3]: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0952 "Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability"
recommend: standard
call:
function: DisableService
parameters:
serviceName: VSStandardCollectorService150 # (Get-Service -Name VSStandardCollectorService150).StartType
defaultStartupMode: Manual # Manual since Visual Studio 2022, allowed values: Automatic | Manual
-
name: Disable Diagnostics Hub log collection
docs: |-
Diagnostics Hub is online data collection point for diagnostic tools used by Visual Studio.
It can be disabled by deleting `LogLevel` and `LogDirectory` registery keys [1] and enabled by adding them [2] [3] [4] [5].
The registry keys are not set after installation since Visual Studio 2022.
[1]: https://developercommunity.visualstudio.com/t/cant-disable-diagnostics-hub-in-visual-stuido/1449322#T-N1449680 "Can't disable Diagnostics hub in visual stuido | Visual Studio Feedback"
[2]: https://developercommunity.visualstudio.com/t/diagnostic-tool-no-registered-class/1099781#T-N1106849 "diagnostic tool No registered class | Visual Studio Feedback"
[3]: https://stackoverflow.com/a/39380284 "c# - Visual Studio 2015 diagnostic tools no longer working | Stack Overflow"
[4]: https://developercommunity.visualstudio.com/t/collectionstartfailedhubexception-on-profiler-laun/414212#T-N447791 "CollectionStartFailedHubException on profiler launch | Visual Studio Feedback"
[5]: https://developercommunity.visualstudio.com/t/diagnostics-tools-failed-unexpectedly-unable-to-st/437117#T-N447777 "Diagnostics tools failed unexpectedly--unable to start standard collector | Visual Studio Feedback"
code: |-
reg delete "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /f 2>nul
revertCode: |-
"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe" -property catalog_productDisplayVersion >Nul | findstr "15." >nul && (
reg add "HKLM\Software\Microsoft\VisualStudio\DiagnosticsHub" /v "LogLevel" /t REG_SZ /d "All" /f
)
-
name: Opt-out from IntelliCode data collection
recommend: standard
docs: |-
[IntelliCode for Visual Studio](https://learn.microsoft.com/en-us/visualstudio/intellicode/intellicode-visual-studio) provides AI based
suggestions for the code.
IntelliCode does not send any code to Microsoft servers as long as team completion model training is not used [1] [2]. This script opts-out
from it without breaking the functionality of IntelliCode for local models.
The registry keys set by this script do not exist by default after installation since Visual Studio 2022.
[1]: https://docs.microsoft.com/en-us/visualstudio/intellicode/intellicode-privacy "IntelliCode privacy - Visual Studio IntelliCode | Microsoft Learn"
[2]: https://github.com/MicrosoftDocs/intellicode/blob/50ea60c91a7175e749ed5e094403568a583a292e/docs/intellicode-privacy.md
code: |-
:: Global policy
reg add "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
:: Local policy
reg add "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
revertCode: |-
:: Global policy
reg delete "HKLM\SOFTWARE\Policies\Microsoft\VisualStudio\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul
:: Local policy
reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul
reg delete "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /f 2>nul
-
name: Disable NET Core CLI telemetry
recommend: standard
code: setx DOTNET_CLI_TELEMETRY_OPTOUT 1
revertCode: setx DOTNET_CLI_TELEMETRY_OPTOUT 0
-
name: Disable PowerShell 7+ telemetry
recommend: standard
docs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_telemetry
code: setx POWERSHELL_TELEMETRY_OPTOUT 1
revertCode: setx POWERSHELL_TELEMETRY_OPTOUT 0
-
category: Disable NVIDIA telemetry
docs:
- https://github.com/privacysexy-forks/nVidia-modded-Inf
- https://github.com/privacysexy-forks/Disable-Nvidia-Telemetry
- https://forum.palemoon.org/viewtopic.php?f=4&t=15686&sid=3d7982d3b9e89c713547f1a581ea44a2&start=20
children:
-
name: Uninstall NVIDIA telemetry tasks
recommend: standard
code: |-
if exist "%ProgramFiles%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL" (
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer
rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetry
)
-
name: Delete NVIDIA residual telemetry files
recommend: standard
code: |-
del /s %SystemRoot%\System32\DriverStore\FileRepository\NvTelemetry*.dll
rmdir /s /q "%ProgramFiles(x86)%\NVIDIA Corporation\NvTelemetry" 2>nul
rmdir /s /q "%ProgramFiles%\NVIDIA Corporation\NvTelemetry" 2>nul
-
name: Opt out from NVIDIA telemetry
recommend: standard
call:
function: RunInlineCode
parameters:
code: |-
reg add "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d 0 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /f
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /f
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /f
reg delete "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /f
-
name: Disable Nvidia Telemetry Container service
docs: https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/
call:
function: DisableService
parameters:
serviceName: NvTelemetryContainer
# Display name: "NVIDIA Telemetry Container"
# Description: "Container service for NVIDIA Telemetry"
defaultStartupMode: Automatic
-
name: Disable NVIDIA telemetry services
recommend: standard
code: |-
schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /DISABLE
revertCode: |-
schtasks /change /TN NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
schtasks /change /TN NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
schtasks /change /TN NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /ENABLE
-
category: Disable Visual Studio Code data collection
docs:
- https://code.visualstudio.com/updates/v1_26#_offline-mode
- https://code.visualstudio.com/docs/getstarted/settings
children:
-
name: Disable Visual Studio Code telemetry
docs: https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableTelemetry
powerShellValue: $false
-
name: Disable Visual Studio Code crash reporting
docs: https://code.visualstudio.com/docs/getstarted/telemetry
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: telemetry.enableCrashReporter
powerShellValue: $false
-
name: Do not run Microsoft online experiments
docs: https://github.com/privacysexy-forks/vscode/blob/1aee0c194cff72d179b9f8ef324e47f34555a07d/src/vs/workbench/contrib/experiments/node/experimentService.ts#L173
recommend: standard
call:
function: SetVsCodeSetting
parameters:
setting: workbench.enableExperiments
powerShellValue: $false
-
name: Choose manual updates over automatic updates
call:
function: SetVsCodeSetting
parameters:
setting: update.mode
powerShellValue: >-
'manual'
-
name: Show Release Notes from Microsoft online service after an update
call:
function: SetVsCodeSetting
parameters:
setting: update.showReleaseNotes
powerShellValue: $false
-
name: Automatically check extensions from Microsoft online service
call:
function: SetVsCodeSetting
parameters:
setting: extensions.autoCheckUpdates
powerShellValue: $false
-
name: Fetch recommendations from Microsoft only on demand
call:
function: SetVsCodeSetting
parameters:
setting: extensions.showRecommendationsOnlyOnDemand
powerShellValue: $true
-
name: Automatically fetch git commits from remote repository
call:
function: SetVsCodeSetting
parameters:
setting: git.autofetch
powerShellValue: $false
-
name: Fetch package information from NPM and Bower
call:
function: SetVsCodeSetting
parameters:
setting: npm.fetchOnlinePackageInfo
powerShellValue: $false
-
category: Disable Microsoft Office telemetry
docs: https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office
children:
-
name: Disable Microsoft Office logging
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 1 /f
-
name: Disable client telemetry
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 1 /f
-
name: Customer Experience Improvement Program
docs: https://www.stigviewer.com/stig/microsoft_office_system_2013/2014-12-23/finding/V-17612
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 1 /f
-
name: Disable feedback
recommend: standard
code: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 1 /f
-
name: Disable telemetry agent
recommend: standard
code: |-
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /DISABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /DISABLE
revertCode: |-
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /ENABLE
schtasks /change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /ENABLE
# - (breaks office, see https://answers.microsoft.com/en-us/office/forum/office_2016-officeapps/office-2016-click-to-run-service-is-it-necessary/07f87963-7193-488a-9885-d6339105824b)
# name: Disable ClickToRun Service Monitor
# docs: https://web.archive.org/web/20180201221907/https://technet.microsoft.com/en-us/library/jj219427.aspx
# call:
# -
# function: RunInlineCode
# parameters:
# code: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /DISABLE
# revertCode: schtasks /change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /ENABLE
# -
# function: DisableService
# parameters:
# serviceName: ClickToRunSvc # Check: (Get-Service -Name ClickToRunSvc).StartType
# defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Subscription Heartbeat
code: |-
schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /DISABLE
schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /DISABLE
revertCode: |-
schtasks /change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /ENABLE
schtasks /change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /ENABLE
-
category: Configure browsers
children:
-
category: Configure Edge
children:
-
category: Chromium Edge settings
children:
-
name: Disable Edge usage and crash-related data reporting (shows "Your browser is managed") # Obselete since Microsoft Edge version 89
recommend: standard
docs:
- https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::MetricsReportingEnabled
- https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#metricsreportingenabled
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "MetricsReportingEnabled" /f
-
name: Disable sending site information (shows "Your browser is managed") # Obselete since Microsoft Edge version 89
recommend: standard
docs:
- https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SendSiteInfoToImproveServices
- https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#sendsiteinfotoimproveservices
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SendSiteInfoToImproveServices" /f
-
name: Disable Automatic Installation of Microsoft Edge Chromium
docs:
- https://admx.help/?Category=EdgeChromium_Blocker&Policy=Microsoft.Policies.EdgeUpdate::NoUpdate
- https://web.archive.org/web/20210118230052/https://docs.microsoft.com/en-us/deployedge/microsoft-edge-blocker-toolkit
code: reg add "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\EdgeUpdate" /v "DoNotUpdateToEdgeWithChromium" /f
-
name: Disable live tile data collection
recommend: standard
docs:
- https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection
code: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main" /v "PreventLiveTileDataCollection" /t REG_DWORD /d 0 /f
-
name: Disable MFU tracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableMFUTracking
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d 0 /f
-
name: Disable recent apps
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::DisableRecentApps
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableRecentApps" /t REG_DWORD /d 0/f
-
name: Turn off backtracking
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.EdgeUI::TurnOffBackstack
code: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "TurnOffBackstack" /t REG_DWORD /d 0 /f
-
name: Disable Search Suggestions in Edge
docs:
- https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.MicrosoftEdge::AllowSearchSuggestionsinAddressBar
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f
-
category: Configure Internet Explorer
children:
-
name: Disable Geolocation in Internet Explorer
recommend: standard
code: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation" /v "PolicyDisableGeolocation" /t REG_DWORD /d 0 /f
-
name: Disable Internet Explorer InPrivate logging
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE" /v "DisableLogging" /t REG_DWORD /d 0 /f
-
name: Disable Internet Explorer CEIP
recommend: standard
docs: https://www.stigviewer.com/stig/internet_explorer_8/2014-07-03/finding/V-15492
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 1 /f
-
name: Disable calling legacy WCM policies
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "CallLegacyWCMPolicies" /t REG_DWORD /d 1 /f
-
name: Disable SSLv3 fallback
recommend: standard
docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2018-04-02/finding/V-64729
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableSSL3Fallback" /t REG_DWORD /d 0 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v EnableSSL3Fallback /t REG_DWORD /d 3 /f
-
name: Disable ignoring cert errors
recommend: standard
docs: https://www.stigviewer.com/stig/microsoft_internet_explorer_11/2017-03-01/finding/V-64717
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v "PreventIgnoreCertErrors" /t REG_DWORD /d 0 /f
-
category: Configure Google Chrome
children:
-
name: Disable Chrome Software Reporter Tool
recommend: standard
code: |-
icacls "%localappdata%\Google\Chrome\User Data\SwReporter" /inheritance:r /deny "*S-1-1-0:(OI)(CI)(F)" "*S-1-5-7:(OI)(CI)(F)"
cacls "%localappdata%\Google\Chrome\User Data\SwReporter" /e /c /d %username%
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "software_reporter_tool.exe" /f
revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /f
-
category: Chrome cleanup
children:
-
name: Do not share scanned software data to Google (shows "Your browser is managed")
recommend: standard
docs:
- https://www.chromium.org/administrators/policy-list-3#ChromeCleanupReportingEnabled
- https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81593
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /f
-
name: Prevent Chrome from scanning the system for cleanup (shows "Your browser is managed")
recommend: standard
docs:
- https://www.chromium.org/administrators/policy-list-3#ChromeCleanupEnabled
- https://www.stigviewer.com/stig/google_chrome_current_windows/2018-09-06/finding/V-81591
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /f
-
name: Disable Chrome metrics reporting (shows "Your browser is managed")
recommend: standard
docs: https://www.stigviewer.com/stig/google_chrome_v23_windows/2013-01-11/finding/V-35780
code: reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /f
-
category: Configure Mozilla Firefox telemetry
children:
-
category: Disable default browser agent reporting
children:
-
name: Disable default browser agent reporting policy
recommend: standard
docs: https://www.bleepingcomputer.com/news/software/firefox-now-tells-mozilla-what-your-default-browser-is-every-day/
code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 1 /f
revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableDefaultBrowserAgent /t REG_DWORD /d 0 /f
-
name: Disable default browser agent reporting services
recommend: standard
code: |-
schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
revertCode: |-
schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
schtasks.exe /change /enable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
-
name: Disable Firefox metrics reporting
recommend: standard
docs: https://github.com/privacysexy-forks/policy-templates#disabletelemetry
code: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 1 /f
revertCode: reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v DisableTelemetry /t REG_DWORD /d 0 /f
-
name: Disable Google update service
recommend: standard
docs:
- https://websetnet.net/how-to-disable-google-chrome-automatic-updates-in-windows-10/
- https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-25791.html #gupdate
- https://www.bleepingcomputer.com/startups/GoogleUpdate.exe-26582.html #gupdatem
call:
-
function: RunInlineCode
parameters:
code: |-
schtasks /change /disable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /disable /tn "GoogleUpdateTaskMachineUA"
revertCode: |-
schtasks /Change /enable /tn "GoogleUpdateTaskMachineCore"
schtasks /change /enable /tn "GoogleUpdateTaskMachineUA"
-
function: DisableService
parameters:
serviceName: gupdate # Check: (Get-Service -Name gupdate).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Adobe Acrobat update service
recommend: standard
call:
-
function: DisableService
parameters:
serviceName: AdobeARMservice # Check: (Get-Service -Name AdobeARMservice).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: adobeupdateservice # Check: (Get-Service -Name adobeupdateservice).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: adobeflashplayerupdatesvc # Check: (Get-Service -Name adobeflashplayerupdatesvc).StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: RunInlineCode
parameters:
code: |-
schtasks /change /tn "Adobe Acrobat Update Task" /disable
schtasks /change /tn "Adobe Flash Player Updater" /disable
revertCode: |-
schtasks /change /tn "Adobe Acrobat Update Task" /enable
schtasks /change /tn "Adobe Flash Player Updater" /enable
-
name: Disable Razer Game Scanner Service
recommend: standard
call:
function: DisableService
parameters:
serviceName: Razer Game Scanner Service # Check: (Get-Service -Name 'Razer Game Scanner Service').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Logitech Gaming Registry Service
recommend: standard
call:
function: DisableService
parameters:
serviceName: LogiRegistryService # Check: (Get-Service -Name 'LogiRegistryService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Disable Dropbox auto update service
recommend: standard
call:
-
function: DisableService
parameters:
serviceName: dbupdate # Check: (Get-Service -Name 'dbupdate').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: DisableService
parameters:
serviceName: dbupdatem # Check: (Get-Service -Name 'dbupdatem').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
function: RunInlineCode
parameters:
code: |-
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /DISABLE /TN "DropboxUpdateTaskMachineUA"
revertCode: |-
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineCore"
schtasks /Change /ENABLE /TN "DropboxUpdateTaskMachineUA"
-
category: Disable Media Player data collection
children:
-
name: Do not send Windows Media Player statistics
recommend: standard
code: reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f
-
name: Disable metadata retrieval
recommend: standard
code: |-
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventCDDVDMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
-
name: Disable Windows Media Player Network Sharing Service
docs: http://batcmd.com/windows/10/services/wmpnetworksvc/
recommend: standard
call:
function: DisableService
parameters:
serviceName: WMPNetworkSvc # Check: (Get-Service -Name 'WMPNetworkSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable CCleaner Monitoring
code: |-
reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 1 /f
-
category: Security improvements
children:
-
category: Meltdown and Spectre protection
docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
children:
-
name: Spectre variant 2 and meltdown (own OS)
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
wmic cpu get name | findstr "Intel" >nul && (
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 0 /f
)
wmic cpu get name | findstr "AMD" >nul && (
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 64 /f
)
revertCode: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d 3 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d 3 /f
-
name: Spectre variant 2 and meltdown (HyperV)
code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f
-
name: Disable administrative shares
recommend: standard
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f
-
name: Force enable data execution prevention (DEP)
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableHHDEP" /t REG_DWORD /d 1 /f
-
name: Disable AutoPlay and AutoRun
docs:
- https://en.wikipedia.org/wiki/AutoRun
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63667
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63671
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63673
recommend: standard
code: |-
:: 255 (0xff) means all drives
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /t REG_DWORD /d 1 /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoAutorun" /t REG_DWORD /d 2 /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoAutoplayfornonVolume" /f
-
name: Disable remote Assistance
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63651
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d 1 /f
-
name: Disable lock screen camera
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8_8.1/2014-06-27/finding/V-43237
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\Personalization" /v NoLockScreenCamera /f
-
name: Prevent the storage of the LAN Manager hash of passwords
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63797
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "NoLMHash" /t REG_DWORD /d 10 /f
-
name: Disable Windows Installer Always install with elevated privileges
recommend: standard
docs: https://www.stigviewer.com/stig/windows_8/2013-07-03/finding/V-34974
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated" /t REG_DWORD /d 1 /f
-
name: Prevent WinRM from using Basic Authentication
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63335
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client" /v "AllowBasic" /t REG_DWORD /d 1 /f
-
name: Restrict anonymous enumeration of shares
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63749
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\LSA" /v "RestrictAnonymous" /t REG_DWORD /d 0 /f
-
name: Refuse less secure authentication
recommend: standard
docs:
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63801
- https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 5 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LmCompatibilityLevel" /t REG_DWORD /d 3 /f
-
name: Enable Structured Exception Handling Overwrite Protection (SEHOP)
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-68849
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d 1 /f
-
name: Block Anonymous enumeration of SAM accounts
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63745
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "RestrictAnonymousSAM" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "RestrictAnonymousSAM" /t REG_DWORD /d 0 /f
-
name: Restrict anonymous access to Named Pipes and Shares
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63759
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d 0 /f
-
category: Disable unsafe features
children:
-
name: Disable unsafe SMBv1 protocol
recommend: standard
docs: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858
code: |-
dism /online /Disable-Feature /FeatureName:"SMB1Protocol" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart
dism /Online /Disable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart
revertCode: |-
dism /online /Enable-Feature /FeatureName:"SMB1Protocol" /NoRestart
dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Client" /NoRestart
dism /Online /Enable-Feature /FeatureName:"SMB1Protocol-Server" /NoRestart
-
name: Disable PowerShell 2.0 against downgrade attacks
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2017-02-21/finding/V-70637
code: |-
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart
dism /online /Disable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart
revertCode: |-
dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2Root" /NoRestart
dism /online /Enable-Feature /FeatureName:"MicrosoftWindowsPowerShellV2" /NoRestart
-
name: Disable the Windows Connect Now wizard
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/win32/wcn/about-windows-connect-now
- https://www.stigviewer.com/stig/windows_server_20122012_r2_domain_controller/2019-01-16/finding/V-15698
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 0 /f
revertCode: |-
reg add "HKLM\Software\Policies\Microsoft\Windows\WCN\UI" /v "DisableWcnUi" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableFlashConfigRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableInBand802DOT11Registrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableUPnPRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "DisableWPDRegistrar" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars" /v "EnableRegistrars" /t REG_DWORD /d 1 /f
-
category: Increase cryptography on ISS
children:
-
name: Increase Diffie-Hellman key (DHK) exchange to 4096-bit
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ServerMinKeyBitLength /t REG_DWORD /d 0x00001000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00001000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /f /v Enabled /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f
-
name: Disable RC2 cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v "Enabled" /f
-
name: Disable RC4 cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v "Enabled" /f
-
name: Disable DES cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v "Enabled" /f
-
name: Disable 3DES (Triple DES) cipher
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" /f
-
name: Disable MD5 hash function
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v "Enabled" /f
-
name: Disable SHA1
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" /v "Enabled" /f
-
name: Disable null cipher
code: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /f /v Enabled /t REG_DWORD /d 0x00000000
revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v "Enabled" /f
-
name: Force not to respond to renegotiation requests
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoClients /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v AllowInsecureRenegoServers /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v DisableRenegoOnServer /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /f /v UseScsvForTls /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoClients" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "AllowInsecureRenegoServers" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "DisableRenegoOnServer" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "UseScsvForTls" /f
-
name: Disable DTLS 1.0
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.0\Client" /v "DisabledByDefault" /f
-
name: Disable DTLS 1.1
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.1\Client" /v "DisabledByDefault" /f
-
name: Enable DTLS 1.3 # Windows 10 and Windows 10 Server version 1903 and newer supports DTLS 1.3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\DTLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Disable TLS 1.0
docs: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls # After disabling TLS 1.0 must be (will be) activated SchUseStrongCrypto for .NET apps
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
-
name: Disable TLS 1.1
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /f
-
name: Enable TLS 1.3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v Enabled /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000000
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v "DisabledByDefault" /f
-
name: Enabling Strong Authentication for .NET applications (TLS 1.2)
docs: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enabling-strong-authentication-for-net-applications
code: |-
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SchUseStrongCrypto /t REG_DWORD /d 0x00000001
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /f /v SystemDefaultTlsVersions /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v3.0" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /f
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /f
-
name: Disable SSLv2
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /f
-
name: Disable SSLv3
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v Enabled /t REG_DWORD /d 0x00000000
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /f /v DisabledByDefault /t REG_DWORD /d 0x00000001
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "Enabled" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /f
-
category: Privacy over security
children:
-
category: Disable Windows Defender
docs: https://en.wikipedia.org/wiki/Windows_Firewall
# See defender status: Get-MpComputerStatus
children:
-
category: Disable Windows Defender Firewall # Also known as Windows Firewall, Microsoft Defender Firewall
children:
-
name: Disable Firewall through command-line utility
# ❗️ Following must be enabled and in running state:
# - mpsdrv (Windows Defender Firewall Authorization Driver)
# - bfe (Base Filtering Engine)
# - mpssvc (Windows Defender Firewall)
# If the dependent services are not running, the script fails with:
# "An error occurred while attempting to contact the Windows Defender Firewall service. Make sure that the service is running and try your request again."
# Requires rebooting after reverting privacy.sexy scripts for the services mpsdrv, mpssvc
docs: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
call:
function: RunPowerShell
parameters:
code: |-
if(!(Get-Command 'netsh' -ErrorAction Ignore)) {
throw '"netsh" does not exist, is system installed correctly?'
}
$message=netsh advfirewall set allprofiles state off 2>&1
if($?) {
Write-Host "Successfully disabled firewall."
} else {
if($message -like '*Firewall service*') {
Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'
} else {
throw "Cannot disable: $message"
}
}
revertCode: |-
if(!(Get-Command 'netsh' -ErrorAction Ignore)) {
throw '"netsh" does not exist, is system installed correctly?'
}
$message=netsh advfirewall set allprofiles state on 2>&1
if($?) {
Write-Host "Successfully enabled firewall."
} else {
if($message -like '*Firewall service*') {
Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'
} else {
throw "Cannot enable: $message"
}
}
-
name: Disable Firewall through registry # Lower-level, good in case command-line utility is not available/functioning
docs:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpfas/2100c552-7f37-4a7f-9fa0-2a864ab87212
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17415
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2016-05-12/finding/V-17416
- https://www.stigviewer.com/stig/windows_firewall_with_advanced_security/2018-02-21/finding/V-17417
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_1
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsFirewall::WF_EnableFirewall_Name_2
code: |-
:: Policy based
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
:: Non-policy based
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
# When reverting HKLM\SOFTWARE\Policies profiles are deleted as they are not included in clean installation
# On the other hand "StandardProfile", "DomainProfile" and "PublicProfile" exists HKLM\SYSTEM\CurrentControlSet
# so they're not deleted but set to default state
revertCode: |- # HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
:: Policy based
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /f 2>nul
:: Non-policy based
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
-
name: Disable Microsoft Defender Antivirus # Depreciated since Windows 10 version 1903
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpywareDefender
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /f 2>nul
-
category: Disable Defender features
# Status: Get-MpPreference
children:
-
category: Disable Windows Defender Antivirus cloud protection service
docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus
# Also known as Microsoft MAPS (Microsoft Active Protection Service) or Microsoft SpyNet
children:
-
category: Disable cloud protection service features
children:
-
name: Turn off block at first sight
docs:
# What is block at first sight? How does it work? How to turn on/off?
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: SetMpPreference
parameters:
property: DisableBlockAtFirstSeen # Status: Get-MpPreference | Select-Object -Property DisableBlockAtFirstSeen
value: $True # Set: Set-MpPreference -Force -DisableBlockAtFirstSeen $True
default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableBlockAtFirstSeen | Set-MpPreference -Force -DisableBlockAtFirstSeen $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /f 2>nul
-
name: Set maximum time possible for extended cloud check timeout # Requires "Block at First Sight", "Join Microsoft MAPS", "Send file samples when further analysis is required"
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpBafsExtendedTimeout
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /f 2>nul
-
name: Set lowest possible cloud protection level # Requires "Join Microsoft MAPS"
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_MpCloudBlockLevel
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /f 2>nul
-
name: Disable receiving notifications to disable security intelligence # Requires "Join Microsoft MAPS"
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureDisableNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /f 2>nul
-
category: Disable Defender cloud export for analysis
children:
-
name: Turn off Windows Defender SpyNet reporting
recommend: strict
docs:
- https://www.stigviewer.com/stig/windows_7/2012-07-02/finding/V-15713
# Manage with registry policy
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
# Managing with MDM policy
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#mapsreporting
call:
# 0: Disabled, 1: Basic, 2: Advanced (default)
-
function: SetMpPreference
parameters:
property: MAPSReporting # Status: Get-MpPreference | Select-Object -Property MAPSReporting
value: "'0'" # Set: Set-MpPreference -Force -MAPSReporting 0
default: "'2'" # Default: 2 (Advanced) | Remove-MpPreference -Force -MAPSReporting | Set-MpPreference -Force -MAPSReporting 2
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /f 2>nul
-
name: Do not send file samples for further analysis
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SubmitSamplesConsent
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#submitsamplesconsent
call:
# 0 = 'Always Prompt', 1 = 'Send safe samples automatically' (default), 2 = 'Never send', 3 = 'Send all samples automatically'
-
function: SetMpPreference
parameters:
property: SubmitSamplesConsent # Status: Get-MpPreference | Select-Object -Property SubmitSamplesConsent
value: "'2'" # Set: Set-MpPreference -Force -SubmitSamplesConsent 2
default: "'1'" # Default: 1 (Send safe samples automatically) | Remove-MpPreference -Force -SubmitSamplesConsent | Set-MpPreference -Force -SubmitSamplesConsent 1
setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 1 (OS default) in Windows 11
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /f 2>nul
-
name: Disable Malicious Software Reporting tool diagnostic data
recommend: strict
docs: https://admx.help/?Category=Windows10_Telemetry&Policy=Microsoft.Policies.Win10Privacy::DontReportInfection
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /f 2>nul
-
name: Disable uploading files for threat analysis in real-time # Requires "Join Microsoft MAPS"
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_RealtimeSignatureDelivery
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /f 2>nul
-
name: Disable the Potentially Unwanted Application (PUA) feature # Already disabled as default
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75147
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
- https://blogs.technet.microsoft.com/mmpc/2015/11/25/shields-up-on-potentially-unwanted-applications-in-your-enterprise/
- https://admx.help/?Category=security-compliance-toolkit&Policy=Microsoft.Policies.SecGuide::Pol_SecGuide_0101_WDPUA
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Root_PUAProtection
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: SetMpPreference
parameters:
# 0 = 'Disabled' (default), 1 = 'Enabled', 2 = 'AuditMode'
property: PUAProtection # Status: Get-MpPreference | Select-Object -Property PUAProtection
value: "'0'" # Set: Set-MpPreference -Force -PUAProtection 0
default: "'0'" # Default: 0 (Disabled) | Remove-MpPreference -Force -PUAProtection | Set-MpPreference -Force -PUAProtection 0
-
function: RunInlineCode
parameters:
code: |-
:: For legacy versions: Windows 10 v1809 and Windows Server 2019
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
:: For newer Windows versions
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f
revertCode: |-
:: For legacy versions: Windows 10 v1809 and Windows Server 2019
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /f 2>nul
:: For newer Windows versions
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /f 2>nul
-
name: Turn off tamper protection # Added in Windows 10, version 1903
docs:
- https://www.thewindowsclub.com/how-to-enable-tamper-protection-in-windows-10
- https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-tamperprotection
call:
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
# ❌ Fails with "ERROR: Access is denied." in Windows 11 21H2 | ✅ Works in Windows 10 >= 20H2
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /f 2>nul
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /f 2>nul
-
name: Disable file hash computation feature # Added in Windows 10, version 2004
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/defender-csp#configuration-enablefilehashcomputation
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::MpEngine_EnableFileHashComputation
- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-windows-10-and-windows-server-version/ba-p/1543631
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /f 2>nul
-
category: Disable Windows Defender Exploit Guard
docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
children:
-
name: Disable prevention of users and apps from accessing dangerous websites
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_EnableNetworkProtection
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /f 2>nul
-
name: Disable Controlled folder access
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /f 2>nul
-
category: Disable Network Inspection System features
children:
-
name: Disable protocol recognition
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2019-12-12/finding/V-75209
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_DisableProtocolRecognition
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /f 2>nul
-
name: Disable definition retirement
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_DisableSignatureRetirement
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /f 2>nul
-
name: Limit detection events rate to minimum
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Nis_Consumers_IPS_ThrottleDetectionEventsRate
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /f 2>nul
-
category: Disable Real-Time protection
children:
-
name: Disable real-time monitoring
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRealtimeMonitoring
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75227
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerealtimemonitoring
call: # Enabled by default (DisableRealtimeMonitoring is false)
-
function: SetMpPreference
parameters:
property: DisableRealtimeMonitoring # Status: Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring
value: $True # Set: Set-MpPreference -Force -DisableRealtimeMonitoring $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False (Enabled) | Remove-MpPreference -Force -DisableRealtimeMonitoring | Set-MpPreference -Force -DisableRealtimeMonitoring $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /f 2>nul
-
name: Disable Intrusion Prevention System (IPS)
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableIntrusionPreventionSystem
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableintrusionpreventionsystem
call:
-
function: SetMpPreference
parameters:
property: DisableIntrusionPreventionSystem # Status: Get-MpPreference | Select-Object -Property DisableIntrusionPreventionSystem
value: $True # Set: Set-MpPreference -Force -DisableIntrusionPreventionSystem $True
# ❌ Windows 11 and Windows 10: Does not fail but does not change the value
default: $False # Default: empty (no value) | Remove-MpPreference -Force -DisableIntrusionPreventionSystem | Set-MpPreference -Force -DisableIntrusionPreventionSystem $False
# ❗️ Default is empty (no value), but cannot set this way using Set-MpPreference, so $False is set
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /f 2>nul
-
name: Disable Information Protection Control (IPC)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableInformationProtectionControl
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /f 2>nul
-
category: Disable Defender monitoring of behavior
children:
-
name: Disable behavior monitoring
docs:
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75229
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablebehaviormonitoring
call:
-
function: SetMpPreference
parameters:
property: DisableBehaviorMonitoring # Status: Get-MpPreference | Select-Object -Property DisableBehaviorMonitoring
value: $True # Set: Set-MpPreference -Force -DisableBehaviorMonitoring $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableBehaviorMonitoring | Set-MpPreference -Force -DisableBehaviorMonitoring $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /f 2>nul
-
name: Disable sending raw write notifications to behavior monitoring
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableRawWriteNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /f 2>nul
-
category: Disable Defender monitoring of downloaded files and attachments
children:
-
name: Disable scanning for all downloaded files and attachments
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75225
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableioavprotection
call:
-
function: SetMpPreference
parameters:
property: DisableIOAVProtection # Status: Get-MpPreference | Select-Object -Property DisableIOAVProtection
value: $True # Set: Set-MpPreference -Force -DisableIOAVProtection $True
# ❌ Windows 11: Does not fail but does not change the value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableIOAVProtection | Set-MpPreference -Force -DisableIOAVProtection $False
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /f 2>nul
-
name: Disable scanning files bigger than 1 KB (minimum possible)
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_IOAVMaxSize
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /f 2>nul
-
category: Disable Defender monitoring of file and program activity
children:
-
name: Disable monitoring file and program activity
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75223
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableOnAccessProtection
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /f 2>nul
-
name: Disable bidirectional scanning of incoming and outgoing file and program activity
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_RealtimeScanDirection
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#realtimescandirection
call:
# 0='Both': bi-directional (full on-access, default)
# 1='Incoming': scan only incoming (disable on-open)
# 2='Outcoming': scan only outgoing (disable on-close)
-
function: SetMpPreference
parameters:
property: RealTimeScanDirection # Status: Get-MpPreference | Select-Object -Property RealTimeScanDirection
value: "'1'" # Set: Set-MpPreference -Force -RealTimeScanDirection 1
default: "'0'" # Default: 0 (Both) | Remove-MpPreference -Force -RealTimeScanDirection | Set-MpPreference -Force -RealTimeScanDirection 0
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /f 2>nul
-
name: Disable process scanning on real-time protection
docs:
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75231
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RealtimeProtection_DisableScanOnRealtimeEnable
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /f 2>nul
-
category: Disable Defender remediation
children:
-
name: Disable routine remediation
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus#admx-microsoftdefenderantivirus-disableroutinelytakingaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableRoutinelyTakingAction
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /f 2>nul
-
name: Disable running scheduled auto-remediation
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Remediation_Scan_ScheduleDay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#remediationscheduleday
call:
# 0: 'Every Day' (default), 1: 'Sunday'..., 7: 'Saturday', 8: 'Never'
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /f 2>nul
-
function: SetMpPreference
parameters:
property: RemediationScheduleDay # Status: Get-MpPreference | Select-Object -Property RemediationScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -RemediationScheduleDay 8
default: "'0'" # Default: 0 | Remove-MpPreference -Force -RemediationScheduleDay | Set-MpPreference -Force -RemediationScheduleDay 0
-
name: Disable remediation actions
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Threats_ThreatSeverityDefaultAction
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
# None = 0 (default), Clean = 1, Quarantine = 2, Remove = 3, Allow = 6, UserDefined = 8, NoAction = 9, Block = 10
call: # Not using ThreatIdDefaultAction as it requires known threat IDs
-
function: SetMpPreference
# https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#unknownthreatdefaultaction
parameters:
property: UnknownThreatDefaultAction # Status: Get-MpPreference | Select-Object -Property UnknownThreatDefaultAction
# Setting or removing `UnknownThreatDefaultAction` has same affect for (sets also same value):
# `LowThreatDefaultAction`, `ModerateThreatDefaultAction`, `HighThreatDefaultAction`, `SevereThreatDefaultAction`.
# E.g. if it's set to 8, all others will also be set to 8, and once it's removed, all others get also removed.
# Those properties cannot have different values than `UnknownThreatDefaultAction`, so we only set `UnknownThreatDefaultAction`
value: "'9'" # Set: Set-MpPreference -Force -UnknownThreatDefaultAction 9
# Default: 0 (none)
# Setting default is not needed because `Remove-MpPreference -Force -UnknownThreatDefaultAction`
# works on both Windows 10 and Windows 11
-
function: RunInlineCode
parameters:
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f
:: 1: Clean, 2: Quarantine, 3: Remove, 6: Allow, 8: Ask user, 9: No action, 10: Block, NULL: default (based on the update definition)
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f
revertCode: |-
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /f 2>nul
-
name: Auto-purge items from Quarantine folder
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Quarantine_PurgeItemsAfterDelay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#quarantinepurgeitemsafterdelay
call:
# Values:
# Default: 90 on both Windows 10 21H1 and Windows 11 21H2
# Minimum: 1
# 0 means indefinitely
-
function: SetMpPreference
parameters:
property: QuarantinePurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property QuarantinePurgeItemsAfterDelay
value: "'1'" # Set: Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 1
default: "'90'" # Default: 90 | Remove-MpPreference -Force -QuarantinePurgeItemsAfterDelay | Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay 90
setDefaultOnWindows11: true # `Remove-MpPreference` sets it to 0 instead 90 (OS default) in Windows 11
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /f 2>nul
-
name: Disable always running antimalware service
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::ServiceKeepAlive
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /f 2>nul
# - Too good to disable, also no reported privacy issues
# category: Disable Windows Defender Device Guard and Credential Guard
# docs: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419
# children:
# -
# name: Disable LSA protection (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
# - https://itm4n.github.io/lsass-runasppl/
# - https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-deviceguard-unattend-lsacfgflags
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# code: |-
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
# reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f
# revertCode: |- # Already disabled by default, so just delete the keys
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f 2>nul
# reg delete "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /f 2>nul
# -
# name: Disable virtualization-based security (disabled by default)
# docs:
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disable-windows-defender-credential-guard
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
# code: |-
# :: Virtualization features
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul
# :: Lock
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul
# :: HypervisorEnforcedCodeIntegrity
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f 2>nul
# revertCode: |-
# :: Virtualization features
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f 2>nul
# :: Lock
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f 2>nul
# :: HypervisorEnforcedCodeIntegrity
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f 2>nul
# -
# name: Disable System Guard Secure Launch
# docs:
# - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection
# - https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch
# code: |-
# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 2 /f
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 0 /f
# revertCode: |-
# reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /f 2>nul
# reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /f 2>nul
# -
# name: Disable Windows Defender Application Control Code Integrity Policy
# docs:
# - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Windows.DeviceGuard::ConfigCIPolicy
# - https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/dg-readiness-tool
# code: |-
# del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"
# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /t REG_DWORD /d 0 /f
# revertCode: |-
# reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "DeployConfigCIPolicy" /v "Enabled" /f 2>nul
-
name: Disable auto-exclusions
docs:
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75159
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::DisableAutoExclusions
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableautoexclusions
call:
-
function: SetMpPreference
parameters:
property: DisableAutoExclusions # Status: Get-MpPreference | Select-Object -Property DisableAutoExclusions
value: $True # Set: Set-MpPreference -Force -DisableAutoExclusions $True
default: $False # Default: False | Remove-MpPreference -Force -DisableAutoExclusions | Set-MpPreference -Force -DisableAutoExclusions $False
setDefaultOnWindows11: true # `Remove-MpPreference` has no affect (does not change the value) in Windows 11
-
function: RunInlineCode
parameters:
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /f 2>nul
-
category: Disable Defender scans
children:
-
category: Disable scan actions
children:
-
name: Disable checking for signatures before scan # Default configuration
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::CheckForSignaturesBeforeRunningScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#checkforsignaturesbeforerunningscan
call:
-
function: SetMpPreference
parameters:
property: CheckForSignaturesBeforeRunningScan # Status: Get-MpPreference | Select-Object -Property CheckForSignaturesBeforeRunningScan
value: $False # Set: Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
default: $False # Default: False | Remove-MpPreference -Force -CheckForSignaturesBeforeRunningScan | Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $False
-
function: RunInlineCode
parameters: # Default: Does not exist
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /f 2>nul
-
name: Disable creating system restore point on a daily basis # Default behavior
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRestorePoint
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablerestorepoint
call:
-
function: SetMpPreference
parameters:
property: DisableRestorePoint # Status: Get-MpPreference | Select-Object -Property DisableRestorePoint
value: $True # Set: Set-MpPreference -Force -DisableRestorePoint $True
default: $True # Default: True | Remove-MpPreference -Force -DisableRestorePoint | Set-MpPreference -Force -DisableRestorePoint $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /f 2>nul
-
name: Set minumum time for keeping files in scan history folder
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_PurgeItemsAfterDelay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanpurgeitemsafterdelay
call: # Default is 15, minimum is 0 which means never removing items
-
function: SetMpPreference
parameters:
property: ScanPurgeItemsAfterDelay # Status: Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay
value: "'1'" # Set: Set-MpPreference -Force -ScanPurgeItemsAfterDelay 1
default: "'15'" # Default: 15 | Remove-MpPreference -Force -ScanPurgeItemsAfterDelay | Set-MpPreference -Force -ScanPurgeItemsAfterDelay 15
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /f 2>nul
-
category: Disable catch-up scans
children:
-
name: Set maximum days before a catch-up scan is forced
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_MissedScheduledScanCountBeforeCatchup
# Default and minumum is 2, maximum is 20
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /f 2>nul
-
name: Disable catch-up full scans # Disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupFullScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupfullscan
call:
-
function: SetMpPreference
parameters:
property: DisableCatchupFullScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupFullScan
value: $True # Set: Set-MpPreference -Force -DisableCatchupFullScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupFullScan | Set-MpPreference -Force -DisableCatchupFullScan $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /f 2>nul
-
name: Disable catch-up quick scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableCatchupQuickScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablecatchupquickscan
call:
-
function: SetMpPreference
parameters:
property: DisableCatchupQuickScan # Status: Get-MpPreference | Select-Object -Property DisableCatchupQuickScan
value: $True # Set: Set-MpPreference -Force -DisableCatchupQuickScan $True
default: $True # Default: True | Remove-MpPreference -Force -DisableCatchupQuickScan | Set-MpPreference -Force -DisableCatchupQuickScan $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /f 2>nul
-
category: Turn off scan options
children:
-
name: Disable scan heuristics
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableHeuristics
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /f 2>nul
-
category: Limit CPU usage during scans
children:
-
name: Limit CPU usage during scans to minimum
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_AvgCPULoadFactor
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanavgcpuloadfactor
call:
# Default: 50, minimum 1
-
function: SetMpPreference
parameters:
property: ScanAvgCPULoadFactor # Status: Get-MpPreference | Select-Object -Property ScanAvgCPULoadFactor
value: "'1'" # Set: Set-MpPreference -Force -ScanAvgCPULoadFactor 1
default: "'50'" # Default 50 | Remove-MpPreference -Force -ScanAvgCPULoadFactor | Set-MpPreference -Force -ScanAvgCPULoadFactor 50
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /f 2>nul
-
name: Limit CPU usage during idle scans to minumum
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
-
function: SetMpPreference
parameters:
property: DisableCpuThrottleOnIdleScans # Status: Get-MpPreference | Select-Object -Property DisableCpuThrottleOnIdleScans
value: $False # Set: Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $False
default: $True # Default: $True | Remove-MpPreference -Force -DisableCpuThrottleOnIdleScans | Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /f 2>nul
-
name: Disable scanning when not idle # Default OS setting
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanOnlyIfIdle
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanonlyifidleenabled
call:
-
function: SetMpPreference
parameters:
property: ScanOnlyIfIdleEnabled # Status: Get-MpPreference | Select-Object -Property ScanOnlyIfIdleEnabled
value: $True # Set: Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
default: $True # Default: True | Remove-MpPreference -Force -ScanOnlyIfIdleEnabled | Set-MpPreference -Force -ScanOnlyIfIdleEnabled $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /f 2>nul
-
name: Disable scheduled On Demand anti malware scanner (MRT)
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /f 2>nul
-
category: Limit scanned areas
children:
-
name: Disable e-mail scanning # Disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableEmailScanning
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableemailscanning
call:
-
function: SetMpPreference
parameters:
property: DisableEmailScanning # Status: Get-MpPreference | Select-Object -Property DisableEmailScanning
value: $True # Set: Set-MpPreference -Force -DisableEmailScanning $False
default: $True # Default: True | Remove-MpPreference -Force -DisableEmailScanning | Set-MpPreference -Force -DisableEmailScanning $True
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /f 2>nul
-
name: Disable script scanning
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescriptscanning
call:
function: SetMpPreference
parameters:
property: DisableScriptScanning # Status: Get-MpPreference | Select-Object -Property DisableScriptScanning
value: $True # Set: Set-MpPreference -Force -DisableScriptScanning $True
# ❌ Windows 11: Does not fail but does not set $True value | ✅ Windows 10: Works as expected
default: $False # Default: False | Remove-MpPreference -Force -DisableScriptScanning | Set-MpPreference -Force -DisableScriptScanning $False
-
name: Disable reparse point scanning
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableReparsePointScanning
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /f 2>nul
-
name: Disable scanning on mapped network drives on full-scan
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningMappedNetworkDrivesForFullScan
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningmappednetworkdrivesforfullscan
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableScanningMappedNetworkDrivesForFullScan # Status: Get-MpPreference | Select-Object -Property DisableScanningMappedNetworkDrivesForFullScan
value: $True # Set: Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $False
default: $True # Default: True | Remove-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan | Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $True
-
name: Disable scanning network files
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableScanningNetworkFiles
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablescanningnetworkfiles
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableScanningNetworkFiles # Status: Get-MpPreference | Select-Object -Property DisableScanningNetworkFiles
value: $True # Set: Set-MpPreference -Force -DisableScanningNetworkFiles $True
default: $False # Default: False | Remove-MpPreference -Force -DisableScanningNetworkFiles | Set-MpPreference -Force -DisableScanningNetworkFiles $False
-
name: Disable scanning packed executables
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisablePackedExeScanning
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /f 2>nul
-
category: Disable scanning archive files
children:
-
name: Disable scanning archive files
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableArchiveScanning
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanning
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableArchiveScanning # Status: Get-MpPreference | Select-Object -Property DisableArchiveScanning
value: $True # Set: Set-MpPreference -Force -DisableArchiveScanning $True
default: $False # Default: False | Remove-MpPreference -Force -DisableArchiveScanning | Set-MpPreference -Force -DisableArchiveScanning $False
-
name: Limit depth for scanning archive files to minimum
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxDepth
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /f 2>nul
-
name: Limit file size for archive files to be scanned to minimum
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ArchiveMaxSize
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /f 2>nul
-
name: Disable scanning removable drives
docs:
# Disabled by default
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_DisableRemovableDriveScanning
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disablearchivescanningDisableRemovableDriveScanning
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /f 2>nul
-
function: SetMpPreference
parameters:
property: DisableRemovableDriveScanning # Status: Get-MpPreference | Select-Object -Property DisableRemovableDriveScanning
value: $True # Set: Set-MpPreference -Force -DisableRemovableDriveScanning $False
default: $True # Default: True | Remove-MpPreference -Force -DisableRemovableDriveScanning | Set-MpPreference -Force -DisableRemovableDriveScanning $True
-
category: Disable auto-scans
children:
-
name: Disable scheduled scans
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScheduleDay
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scheduleday
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanscheduleday
call:
# Options are:
# 0 = 'Every Day' (default), 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday',
# 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never'
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /f 2>nul
-
function: SetMpPreference
parameters:
property: ScanScheduleDay # Status: Get-MpPreference | Select-Object -Property ScanScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -ScanScheduleDay '8'
default: "'0'" # Default: 0 (Every Day) | Remove-MpPreference -Force -ScanScheduleDay | Set-MpPreference -Force -ScanScheduleDay '0'
-
name: Disable randomizing scheduled task times
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::RandomizeScheduleTaskTimes
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#randomizescheduletasktimes
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /f 2>nul
-
function: SetMpPreference
parameters:
property: RandomizeScheduleTaskTimes # Status: Get-MpPreference | Select-Object -Property RandomizeScheduleTaskTimes
value: $False # Set: Set-MpPreference -Force -RandomizeScheduleTaskTimes $False
default: $True # Default: True | Remove-MpPreference -Force -RandomizeScheduleTaskTimes | Set-MpPreference -Force -RandomizeScheduleTaskTimes $True
-
name: Disable scheduled full-scans
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-scan-scanparameters
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_ScanParameters
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#scanparameters
call:
# Options: 1 = 'Quick Scan' (default), 2 = 'Full Scan'
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /f 2>nul
-
function: SetMpPreference
parameters:
property: ScanParameters # Status: Get-MpPreference | Select-Object -Property ScanParameters
value: "'1'" # Set: Set-MpPreference -Force -ScanParameters '1'
default: "'1'" # Default: 1 | Remove-MpPreference -Force -ScanParameters | Set-MpPreference -Force -ScanParameters '1'
setDefaultOnWindows11: true # ❌ Remove-MpPreference with -ScanParameters fails due to a buggy behavior where it tries to set it to True on Windows 11
-
name: Limit how many times quick scans run per day
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Scan_QuickScanInterval
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /f 2>nul
-
name: Disable scanning after security intelligence (signature) update
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScanOnUpdate
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /f 2>nul
-
category: Limit Defender updates
children:
-
category: Disable Defender Security Intelligence (signature) updates
children:
-
name: Disable forced security intelligence (signature) updates from Microsoft Update
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ForceUpdateFromMU
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /f 2>nul
-
name: Disable security intelligence (signature) updates when running on battery power
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableScheduledSignatureUpdateonBattery
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /f 2>nul
-
name: Disable checking for the latest virus and spyware security intelligence (signature) on startup
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_UpdateOnStartup
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /f 2>nul
-
name: Disable catch-up security intelligence (signature) updates # default is one day
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateCatchupInterval
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdatecatchupinterval
call:
# Options: 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureUpdateCatchupInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateCatchupInterval
value: "'0'" # Set: Set-MpPreference -Force -SignatureUpdateCatchupInterval '0'
default: "'1'" # Default: 1 | Remove-MpPreference -Force -SignatureUpdateCatchupInterval | Set-MpPreference -Force -SignatureUpdateCatchupInterval '1'
-
name: Limit spyware security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when spyware security intelligence (signature) is considered up-to-dates
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ASSignatureDue
- https://www.stigviewer.com/stig/ms_windows_defender_antivirus/2018-03-29/finding/V-75241
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /f 2>nul
-
name: Limit virus security intelligence (signature) updates # default is one day, recommended is 7 days
# Maximize period when virus security intelligence (signature) is considered up-to-date
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_AVSignatureDue
- https://www.stigviewer.com/stig/windows_defender_antivirus/2017-12-27/finding/V-75243
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /f 2>nul
-
name: Disable security intelligence (signature) update on startup
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_DisableUpdateOnStartupWithoutEngine
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturedisableupdateonstartupwithoutengine
call:
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureDisableUpdateOnStartupWithoutEngine # Status: Get-MpPreference | Select-Object -Property SignatureDisableUpdateOnStartupWithoutEngine
value: $True # Set: Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $True
default: $False # Default: False | Remove-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine | Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $False
-
name: Disable automatically checking security intelligence (signature) updates # Already disabled by default
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_ScheduleDay
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signaturescheduleday
call:
# Options:
# 0 = 'Every Day', 1 = 'Sunday', 2 = 'Monday', 3 = 'Tuesday', 4 = 'Wednesday'
# 5 = 'Thursday', 6 = 'Friday', 7 = 'Saturday', 8 = 'Never' (Default)
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureScheduleDay # Status: Get-MpPreference | Select-Object -Property SignatureScheduleDay
value: "'8'" # Set: Set-MpPreference -Force -SignatureScheduleDay '8'
default: "'8'" # Default: 1 | Remove-MpPreference -Force -SignatureScheduleDay | Set-MpPreference -Force -SignatureScheduleDay '8'
-
name: Limit update checks for security intelligence (signature) updates
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-signatureupdateinterval
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::SignatureUpdate_SignatureUpdateInterval
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#signatureupdateinterval
call:
# Valid values range from 1 (every hour) to 24 (once per day).
# If not specified (0), parameter, Windows Defender checks at the default interval
-
function: RunInlineCode
parameters:
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /f 2>nul
-
function: SetMpPreference
parameters:
property: SignatureUpdateInterval # Status: Get-MpPreference | Select-Object -Property SignatureUpdateInterval
value: "'24'" # Set: Set-MpPreference -Force -SignatureUpdateInterval '24'
default: "'0'" # Default: 0 | Remove-MpPreference -Force -SignatureUpdateInterval | Set-MpPreference -Force -SignatureUpdateInterval '0'
-
category: Disable alternate definition updates
children:
-
name: Disable definition updates through both WSUS and the Microsoft Malware Protection Center
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateHttpLocation
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /f 2>nul
-
name: Disable definition updates through both WSUS and Windows Update
docs: https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /f 2>nul
-
name: Limit Defender updates to those that complete gradual release cycle
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: DisableGradualRelease # Status: Get-MpPreference | Select-Object -Property DisableGradualRelease
value: $True # Set: Set-MpPreference -Force -DisableGradualRelease $True
default: $False # Default: False | Remove-MpPreference -Force -DisableGradualRelease
-
name: Limit Defender engine updates to those that complete gradual release cycle
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: EngineUpdatesChannel # Status: Get-MpPreference | Select-Object -Property EngineUpdatesChannel
value: "'Broad'" # Set: Set-MpPreference -Force -EngineUpdatesChannel 'Broad'
# Valid values:
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -EngineUpdatesChannel | Set-MpPreference -Force -EngineUpdatesChannel "'NotConfigured'"
-
name: Limit Defender platform updates to those that complete gradual release cycle
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
function: SetMpPreference
parameters:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
property: PlatformUpdatesChannel # Status: Get-MpPreference | Select-Object -Property PlatformUpdatesChannel
value: "'Broad'" # Set: Set-MpPreference -Force -PlatformUpdatesChannel 'Broad'
# Valid values:
# 0 = 'NotConfigured' (default), 'Beta', 'Broad', 'Preview', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -PlatformUpdatesChannel | Set-MpPreference -Force -PlatformUpdatesChannel "'NotConfigured'"
-
name: Limit Defender definition updates to those that complete gradual release cycle
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
call:
# ❌ Not generally supported on Windows (before 4.18.2106.5 Defender platform)
function: SetMpPreference
parameters:
property: DefinitionUpdatesChannel # Status: Get-MpPreference | Select-Object -Property DefinitionUpdatesChannel
# Its former name was "SignaturesUpdatesChannel"
value: "'Broad'" # Set: Set-MpPreference -Force -DefinitionUpdatesChannel 'Broad'
# 0 = 'NotConfigured' (default), 'Beta', Preview' 'Broad', 'Staged'
# ❌ Windows 11 21H2 supports only 'NotConfigured', 'Beta', 'Preview' but not 'Broad', 'Staged'
default: "'NotConfigured'" # Default: 0 (NotConfigured) | Remove-MpPreference -Force -DefinitionUpdatesChannel | Set-MpPreference -Force -DefinitionUpdatesChannel "'NotConfigured'"
-
category: Disable Windows Defender reporting
children:
-
name: Disable Windows Defender logging
code: |-
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
revertCode: |- # 1 as default in registry
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "1" /f
-
name: Disable ETW Provider of Windows Defender (Windows Event Logs)
docs:
- https://m365internals.com/2021/07/05/why-are-windows-defender-av-logs-so-important-and-how-to-monitor-them-with-azure-sentinel/
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-views
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f
revertCode: |- # 1 as default in registry
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 1 /f
-
name: Do not send Watson events
# Deprecated since February 2015 update http://support.microsoft.com/kb/3036437
docs: https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::reporting_disablegenericreports
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /f 2>nul
-
name: Send minimum Windows software trace preprocessor (WPP Software Tracing) levels
docs:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/wpp-software-tracing
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_WppTracingLevel
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /f 2>nul
-
name: Disable auditing events in Microsoft Defender Application Guard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.AppHVSI::AppHVSI_AuditApplicationGuardConfig
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /f 2>nul
-
category: Remove Defender from UI
children:
-
name: Hide Windows Defender Security Center icon
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Systray_HideSystray
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /f 2>nul
-
name: Remove "Scan with Windows Defender" option from context menu
docs:
- https://windowsreport.com/remove-right-click-windows-defender-scan-windows-10/
- https://twigstechtips.blogspot.com/2010/06/windows-remove-with-microsoft-security.html
code: |-
reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f 2>nul
reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f 2>nul
reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f 2>nul
revertCode: |-
reg add "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
reg add "HKCR\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f
reg add "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /ve /t REG_SZ /d "%ProgramFiles%\Windows Defender\shellext.dll" /f
reg add "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
reg add "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /t REG_SZ /d "{09A47860-11B0-4DA5-AFA5-26D86198A780}" /f
-
name: Remove Windows Defender Security Center from taskbar
docs: https://www.alfintechcomputer.com/what-is-securityhealthsystray-exe-windows-security-notification-icon/
code: reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f 2>nul # Renamed from WindowsDefender/MSASCuiL.exe in Windows 10 version 1809
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /t REG_EXPAND_SZ /d "%windir%\system32\SecurityHealthSystray.exe" /f
-
category: Hide Defender UI
children:
-
name: Enable headless UI mode
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_UILockdown
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /f 2>nul
-
name: Restrict threat history to administrators
docs:
# Managing with MpPreference module:
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://powershell.one/wmi/root/microsoft/windows/defender/msft_mppreference#disableprivacymode
call:
-
function: SetMpPreference
parameters:
property: DisablePrivacyMode # Status: Get-MpPreference | Select-Object -Property DisablePrivacyMode
value: $True # Set: Set-MpPreference -Force -DisablePrivacyMode $True
default: $False # Default: False | Remove-MpPreference -Force -DisablePrivacyMode | Set-MpPreference -Force -DisablePrivacyMode $False
-
function: RunInlineCodeAsTrustedInstaller # Otherwise we get "ERROR: Access is denied." (>= 20H2)
parameters:
code: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /f 2>nul
-
category: Hide areas in Windows Defender Security Center
children:
-
name: Hide the "Virus and threat protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /f 2>nul
-
name: Hide the "Ransomware data recovery" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::VirusThreatProtection_HideRansomwareRecovery
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /f 2>nul
-
name: Hide the "Family options" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FamilyOptions_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /f 2>nul
-
name: Hide the "Device performance and health" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DevicePerformanceHealth_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /f 2>nul
-
name: Hide the "Account protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AccountProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /f 2>nul
-
name: Hide the "App and browser protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::AppBrowserProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /f 2>nul
-
category: Hide the Device security areas
children:
-
name: Hide the Device security area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /f 2>nul
-
name: Disable the Clear TPM button
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableClearTpmButton
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /f 2>nul
-
name: Disable the Secure boot area button
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideSecureBoot
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /f 2>nul
-
name: Hide the Security processor (TPM) troubleshooter page
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_HideTPMTroubleshooting
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /f 2>nul
-
name: Hide the TPM Firmware Update recommendation
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::DeviceSecurity_DisableTpmFirmwareUpdateWarning
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /f 2>nul
-
name: Hide the "Firewall and network protection" area
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::FirewallNetworkProtection_UILockdown
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /f 2>nul
-
category: Hide Windows Defender notifications
children:
-
category: Hide Windows Defender Security Center notifications
docs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications
children:
-
name: Hide all notifications
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disablenotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableNotifications
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /f 2>nul
-
name: Hide non-critical notifications
docs:
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter#windowsdefendersecuritycenter-disableenhancednotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefenderSecurityCenter::Notifications_DisableEnhancedNotifications
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::Reporting_DisableEnhancedNotifications
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /f 2>nul
-
name: Disable Windows Action Center security and maintenance notifications # For Windows 10 build 1607 and above
docs: https://web.archive.org/web/20171206070211/https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /f 2>nul
-
name: Disable all Windows Defender Antivirus notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_Notification_Suppress
code: |-
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
revertCode: |-
reg delete "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul
reg delete "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /f 2>nul
-
name: Suppress reboot notifications
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDefender::UX_Configuration_SuppressRebootNotification
code: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /f 2>nul
-
category: Disable OS components for Defender # Hackers way of disabling Defender
children:
-
category: Disable Defender tasks
children:
-
name: Disable Windows Defender ExploitGuard task
docs: https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
code: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Enable
-
name: Disable Windows Defender Cache Maintenance task
# Cache Maintenance is the storage for temporary files that are being either quarantined by Windows Defender
# or being checked. Running this will clear the Cache.
docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Enable
-
name: Disable Windows Defender Cleanup task
docs: https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
# Periodic cleanup task
# Clears up files that are not needed anymore by Windows Defender.
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Enable
-
name: Disable Windows Defender Scheduled Scan task # Does not exist in Windows 11
docs:
- https://support.microsoft.com/en-us/windows/schedule-a-scan-in-microsoft-defender-antivirus-54b64e9c-880a-c6b6-2416-0eb330ed5d2d
- https://winbuzzer.com/2020/05/26/windows-defender-how-to-perform-a-scheduled-scan-in-windows-10-xcxwbt/
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Enable 2>nul
-
name: Disable Windows Defender Verification task
# Check if there are any problems with your Windows Defender like in updates, system files, etc,.
# Creates daily restore points
docs:
- https://answers.microsoft.com/en-us/windows/forum/all/win10-windows-defender-schedulable-tasks-what-does/968ddd6b-3a71-46ce-bc80-d2af11f7e1ae
- https://answers.microsoft.com/en-us/windows/forum/all/windows-defender-system-restore-points/86f77a7f-4ee9-411f-b016-223993c55426
- https://www.windowsphoneinfo.com/threads/same-problems-with-windows-defender-verification-and-scan-tasks.121489/#Same_problems_with_Windows_Defender_Verification_and_Scan_Tasks
code: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable 2>nul
revertCode: schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Enable
-
category: Disable Defender services and drivers
# Normally users can disable services on GUI or using commands like "sc config"
# However Defender services are protected with different ways
# 1. Some cannot be disabled (access error) normally but only with DisableServiceInRegistry
# 2. Some cannot be disabled even using DisableServiceInRegistry, must be disabled as TrustedInstaller using RunInlineCodeAsTrustedInstaller
children:
-
name: Disable Windows Defender Firewall service (breaks Microsoft Store and `netsh advfirewall` CLI)
docs:
- http://batcmd.com/windows/10/services/mpssvc/
- https://en.wikipedia.org/wiki/Windows_Firewall
# More information about MpsSvc:
- https://web.archive.org/web/20110203202612/http://technet.microsoft.com/en-us/library/dd364391(v=WS.10).aspx
# More information about boot time protection and stopping the firewall service:
- https://web.archive.org/web/20110131034058/http://blogs.technet.com:80/b/networking/archive/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy.aspx
# Stopping the service associated with Windows Firewall is not supported by Microsoft:
- https://web.archive.org/web/20121106033255/http://technet.microsoft.com/en-us/library/cc753180.aspx
# ❗️ Breaks Microsoft Store
# Can no longer update nor install apps, they both fail with 0x80073D0A
# Also breaks some of Store apps such as Photos:
# - https://answers.microsoft.com/en-us/windows/forum/all/microsoft-store-windows-defender-windows-firewall/f2f68cd7-64ec-4fe1-ade4-9d12cde057f9
# - https://github.com/undergroundwires/privacy.sexy/issues/104#issuecomment-962651791
# > The MpsSvc service host much more functionality than just windows firewall. For instance, Windows
# Service hardening which is a windows protection of system services. It also host network isolatio
# which is a crucial part of the confidence model for Windows Store based applications. 3rd party firewalls
# know this fact and instead of disabling the firewall service they coordinate through public APIs with Windows
# Firewall so that they can have ownership of the firewall policies of the computer. Hence you do not have to do
# anything special once you install a 3rd party security product.
# Source: https://www.walkernews.net/2012/09/23/how-to-fix-windows-store-app-update-error-code-0x80073d0a/
# ❗️ Breaks: `netsh advfirewall set`
# Disabling and stopping it breaks "netsh advfirewall set" commands such as
# `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`.
# More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: MpsSvc # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc").Start
defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
-
function: RenameSystemFile
parameters:
filePath: '%WinDir%\system32\mpssvc.dll'
-
name: Disable Windows Defender Antivirus service
# ❗️ Breaks `Set-MpPreference` PowerShell cmdlet that helps to manage Defender
# E.g. `Set-MpPreference -Force -MAPSReporting 0` throws:
# `Set-MpPreference: Operation failed with the following error: 0x800106ba. Operation: Set-MpPreference.`
# `Target: MAPS_MAPSReporting. FullyQualifiedErrorId : HRESULT 0x800106ba,Set-MpPreference`
docs: http://batcmd.com/windows/10/services/windefend/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WinDefend" >nul & sc config "WinDefend" start=disabled
revertCode: sc config "WinDefend" start=auto & sc start "WinDefend" >nul
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%ProgramFiles%\Windows Defender\MsMpEng.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
-
category: Disable kernel-level Windows Defender drivers
children:
-
name: Disable Windows Defender Firewall Authorization Driver service (breaks `netsh advfirewall` CLI)
docs:
- http://batcmd.com/windows/10/services/mpsdrv/
# ❗️ Breaks: `netsh advfirewall set`
# Disabling and stopping it breaks "netsh advfirewall set" commands such as
# `netsh advfirewall set allprofiles state on`, `netsh advfirewall set allprofiles state off`.
# More about `netsh firewall` context: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: mpsdrv # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv").Start
defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\mpsdrv.sys'
# - Skipping wdnsfltr "Windows Defender Network Stream Filter Driver" as it's Windows 1709 only
-
name: Disable Microsoft Defender Antivirus Network Inspection System Driver service
docs: http://batcmd.com/windows/10/services/wdnisdrv/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
# "net stop" is used to stop dependend services as well, "sc stop" fails
code: net stop "WdNisDrv" /yes >nul & sc config "WdNisDrv" start=disabled
revertCode: sc config "WdNisDrv" start=demand & sc start "WdNisDrv" >nul
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\WdNisDrv.sys'
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%SystemRoot%\System32\drivers\wd\WdNisDrv.sys'
-
name: Disable Microsoft Defender Antivirus Mini-Filter Driver service
docs:
- https://www.n4r1b.com/posts/2020/01/dissecting-the-windows-defender-driver-wdfilter-part-1/
- http://batcmd.com/windows/10/services/wdfilter/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdFilter" >nul & sc config "WdFilter" start=disabled
revertCode: sc config "WdFilter" start=boot & sc start "WdFilter" >nul
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\WdFilter.sys'
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%SystemRoot%\System32\drivers\wd\WdFilter.sys'
-
name: Disable Microsoft Defender Antivirus Boot Driver service
docs: http://batcmd.com/windows/10/services/wdboot/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdBoot" >nul & sc config "WdBoot" start=disabled
revertCode: sc config "WdBoot" start=boot & sc start "WdBoot" >nul
-
function: RenameSystemFile
parameters:
filePath: '%SystemRoot%\System32\drivers\WdBoot.sys'
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%SystemRoot%\System32\drivers\wd\WdBoot.sys'
-
name: Disable Microsoft Defender Antivirus Network Inspection service
docs:
- http://batcmd.com/windows/10/services/wdnissvc/
- https://www.howtogeek.com/357184/what-is-microsoft-network-realtime-inspection-service-nissrv.exe-and-why-is-it-running-on-my-pc/
call:
-
function: RunInlineCodeAsTrustedInstaller
parameters:
code: sc stop "WdNisSvc" >nul & sc config "WdNisSvc" start=disabled
revertCode: sc config "WdNisSvc" start=auto & sc start "WdNisSvc" >nul
# - # "Access is denied" when renaming file
# function: RenameSystemFile
# parameters:
# filePath: '%ProgramFiles%\Windows Defender\NisSrv.exe' # Found also in C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 and \4.18.2103.7-0 ...
-
name: Disable Windows Defender Advanced Threat Protection Service service
docs: http://batcmd.com/windows/10/services/sense/
call:
-
function: DisableServiceInRegistry # We must disable it on registry level, "Access is denied" for sc config
parameters:
serviceName: Sense # Check: (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sense").Start
defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
-
function: RenameSystemFile
parameters:
filePath: '%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe'
-
name: Disable Windows Defender Security Center Service
docs: http://batcmd.com/windows/10/services/securityhealthservice/
call:
-
# Windows 10:
# ❌ Cannot disable through sc config as Administrator; throws "Access is denied"
# ✅ Can disable using registry as Administrator; "DisableServiceInRegistry" function works
# ✅ Can disable using registry as TrustedInstaller
# Windows 11:
# ❌ Cannot disable through sc config as administrator; throws "Access is denied"
# ❌ Cannot disable using registry as Administrator; using DisableServiceInRegistry throws "Requested registry access is not allowed."
# ✅ Can disable using registry as TrustedInstaller
function: RunInlineCodeAsTrustedInstaller
parameters:
code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 3 /f
-
function: RenameSystemFile
parameters:
filePath: '%WinDir%\system32\SecurityHealthService.exe'
-
category: Disable SmartScreen
docs:
- https://en.wikipedia.org/wiki/Microsoft_SmartScreen
- https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview
children:
-
category: Disable SmartScreen for apps and files
children:
-
name: Disable SmartScreen for apps and files
docs:
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsExplorer::EnableSmartScreen
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /f 2>nul
-
name: Disable SmartScreen in file explorer
docs:
- https://winaero.com/change-windows-smartscreen-settings-windows-10/
- https://www.technobezz.com/how-to-change-the-smartscreen-filter-settings-in-windows-10/
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul
reg delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /f 2>nul
-
name: Disable SmartScreen preventing users from running applications
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ShellConfigureSmartScreen
- https://www.stigviewer.com/stig/windows_10/2018-04-06/finding/V-63685
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /f 2>nul
-
category: Disable SmartScreen in Microsoft browsers
children:
-
name: Prevent Chromium Edge SmartScreen from blocking potentially unwanted apps
docs: https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenPuaEnabled
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /f 2>nul
-
name: Disable SmartScreen in Edge
docs:
- https://www.bleepingcomputer.com/news/microsoft/windows-10-smartscreen-sends-urls-and-app-names-to-microsoft/ # Privacy concerns
- https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-smartscreen
- https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#smartscreen-settings
- https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63713
- https://admx.help/?Category=EdgeChromium&Policy=Microsoft.Policies.Edge::SmartScreenEnabled
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f
:: For Microsoft Edge version 77 or later
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f
revertCode: |-
reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul
reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /f 2>nul
reg delete "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /f 2>nul
:: For Microsoft Edge version 77 or later
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /f 2>nul
-
name: Disable SmartScreen in Internet Explorer
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_Policy_Phishing_9
code: reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f
revertCode: reg delete "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /f 2>nul
-
category: Disable SmartScreen for Windows Store apps
children:
-
name: Turn off SmartScreen App Install Control feature
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SmartScreen::ConfigureAppInstallControl
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#241-microsoft-defender-smartscreen
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-smartscreen
code: |-
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f
revertCode: |-
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /f 2>nul
-
name: Turn off SmartScreen to check web content (URLs) that apps use
docs: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
code: |-
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
revertCode: |- # Has "1" value in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" as default
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "1" /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /f 2>nul
-
name: Disable automatic updates
docs:
- https://docs.microsoft.com/fr-fr/security-updates/windowsupdateservices/18127152
- http://batcmd.com/windows/10/services/usosvc/
call:
-
function: RunInlineCode
parameters:
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "3" /f
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime /f 2>nul
-
function: DisableService
parameters:
serviceName: UsoSvc # Check: (Get-Service -Name 'UsoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
category: UI for privacy
children:
-
name: Disable lock screen app notifications
recommend: standard
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLockScreenAppNotifications" /t REG_DWORD /d 0 /f
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-36687
-
category: Disable online content in explorer
children:
-
name: Disable online tips
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanel::AllowOnlineTips
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 0 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d 1 /f
-
name: Turn off Internet File Association service
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseInternetOpenWith_2
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d 0 /f
-
name: Turn off the "Order Prints" picture task
recommend: standard
docs:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellRemoveOrderPrints_2
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000042
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoOnlinePrintsWizard" /t REG_DWORD /d 0 /f
-
name: Disable the file and folder Publish to Web option
recommend: standard
docs: https://www.stigviewer.com/stig/windows_server_2012_member_server/2014-01-07/finding/V-14255
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPublishingWizard" /t REG_DWORD /d 0 /f
-
name: Prevent downloading a list of providers for wizards
recommend: standard
docs: https://www.stigviewer.com/stig/windows_10/2017-12-01/finding/V-63621
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWebServices" /t REG_DWORD /d 0 /f
-
category: Recent documents
children:
-
name: Do not keep history of recently opened documents
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::NoRecentDocsHistory
code: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 0 /f
-
name: Clear history of recently opened documents on exit
recommend: strict
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.StartMenu::ClearRecentDocsOnExit
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ClearRecentDocsOnExit" /t REG_DWORD /d 01 /f
-
name: Disable Live Tiles push notifications
recommend: standard
docs: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Notifications::NoTileNotification
code: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 1 /f
revertCode: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d 0 /f
-
name: Turn off "Look For An App In The Store" option
recommend: standard
docs:
- https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000030
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::ShellNoUseStoreOpenWith_1
code: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 1 /f
revertCode: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d 0 /f
-
name: Do not show recently used files in Quick Access
recommend: strict
docs:
- https://matthewhill.uk/windows/group-policy-disable-recent-files-frequent-folder-explorer/ # ShowRecent
- https://www.howto-connect.com/delete-recent-frequent-from-file-explorer-on-windows-10/ # 3134ef9c-6b18-4996-ad04-ed5912e00eb5
- https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry # Wow6432Node
code: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d 0 /t "REG_DWORD" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
)
revertCode: |-
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "ShowRecent" /d "1" /t "REG_DWORD" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
if not %PROCESSOR_ARCHITECTURE%==x86 ( REM is 64 bit?
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\HomeFolderDesktop\NameSpace\DelegateFolders\{3134ef9c-6b18-4996-ad04-ed5912e00eb5}" /f
)
-
name: Disable Sync Provider Notifications
code: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 0 /t REG_DWORD /f
revertCode: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /d 1 /t REG_DWORD /f
-
name: Turn hibernate off to disable sleep for quick start
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/compact-os#ram-pagefilesys-and-hiberfilsys
code: powercfg -h off
revertCode: powercfg -h on
-
name: Enable camera on/off OSD notifications
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-coremmres-nophysicalcameraled
- https://www.reddit.com/r/Surface/comments/88nyln/the_webcamled_took_anyone_it_apart/dwm64p5
- https://answers.microsoft.com/en-us/windows/forum/all/enable-osd-notification-for-webcam/caf1fff4-78d3-4b93-905b-ef657097a44e
code: reg add "HKLM\SOFTWARE\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /d 1 /t REG_DWORD /f
revertCode: reg delete "HKLM\Software\Microsoft\OEM\Device\Capture" /v "NoPhysicalCameraLED" /f
-
category: Hide from This PC and Browse in dialog boxes
children:
-
name: 3D Objects
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{31C0DD25-9439-4F12-BF41-7FF4EDA38722}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Desktop
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Documents
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{f42ee2d3-909f-4907-8871-4c22fc0bf756}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Downloads
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Movies
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Music
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
name: Pictures
code: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Hide" /f
revertCode: |-
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
reg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /v "ThisPCPolicy" /t REG_SZ /d "Show" /f
-
category: Disable OS services
children:
-
name: Delivery Optimization (P2P Windows Updates)
recommend: standard
docs:
# Delivery Optimization is a cloud-managed solution to offer Windows updates through
# other users' network (peer-to-peer).
- https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization
# Delivery Optimization service performs content delivery optimization tasks.
- http://batcmd.com/windows/10/services/dosvc/
# Connects to various Microsoft service endpoints to get metadata, policies, content, device information
# and information of other peers (Windows users).
- https://docs.microsoft.com/en-us/windows/deployment/update/delivery-optimization-workflow
call:
function: DisableServiceInRegistry
# Using registry way because because other options such as "sc config" or
# "Set-Service" returns "Access is denied" since Windows 10 1809.
parameters:
serviceName: DoSvc # Check: (Get-Service -Name 'DoSvc').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Microsoft Account Sign-in Assistant (breaks Microsoft Store and Microsoft Account sign-in)
recommend: strict
docs:
# **Summary**
# This script gives you more privacy by preventing OS access to Azure AD to store your personal
# and computer information that can be used to identify you and your computer.
# However it breaks many OS features so you should make a decision based on how you'd like to use
# your Windows. You can also apply and revert it once you need the broken functionality.
# **Service**
# This service communicates with Microsoft Account cloud authentication service
# Many apps and system components that depend on Microsoft Account authentication may lose functionality.
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account
# It includes following description:
# > Enables user sign-in through Microsoft account identity services.
# > If this service is stopped, users will not be able to logon to the computer with their Microsoft account.
# Microsoft states it's OK to disable
- https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#microsoft-account-sign-in-assistant
# Formerly it was known as "Microsoft Windows Live ID Service"
# And used only for applications like Office and Windows Live Messenger
- https://www.howtogeek.com/howto/30348/what-are-wlidsvc.exe-and-wlidsvcm.exe-and-why-are-they-running/
# It's part of OS and used for Microsoft account (MSA) that's used to identify your computer
- https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual#required-endpoints
- https://docs.microsoft.com/en-us/troubleshoot/mem/intune/windows-feature-updates-never-offered
# **Breaks**
# ❗️ Breaks Azure AD sign-in
# It may enrollment scenarios that rely on users to complete the enrollment.
# E.g. typically, users are shown an Azure AD sign in window.
# When set to Disable, the Azure AD sign in option may not show.
# Instead, users are asked to accept the EULA, and create a local account, which may not be what you want.
- https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#cloud-and-storage
- https://docs.microsoft.com/en-us/mem/autopilot/pre-provision#user-flow
# ❗️ Breaks Windows Autopilot
- https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot
# This service is required by Windows Autopilot to obtain the Windows Autopilot profile
- https://docs.microsoft.com/en-us/mem/autopilot/policy-conflicts
# ❗️ Breaks Microsoft Store
# On Windows 11 it fails with `PUR-AuthenticationFailure v3ZtcNH7IECS00iL.36.1``
# On Windows 10 it fails with `0x800706d9` and `0x800704cf``
- https://github.com/undergroundwires/privacy.sexy/issues/100
# ❗️ Breaks feature updates (but other features are still offered)
# Because it breaks Subscription Activation feature (license authentication)
- https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates
- https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are
- https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#12-microsoft-account
- https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant
# Feature updates are released annually. Feature updates add new features and functionality to Windows.
# Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#types-of-updates
call:
function: DisableService
parameters:
serviceName: wlidsvc # Check: (Get-Service -Name 'wlidsvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Program Compatibility Assistant Service
recommend: standard
docs: http://batcmd.com/windows/10/services/pcasvc/
call:
function: DisableService
parameters:
serviceName: PcaSvc # Check: (Get-Service -Name 'PcaSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Downloaded Maps Manager
recommend: standard
docs: http://batcmd.com/windows/10/services/mapsbroker/
call:
function: DisableService
parameters:
serviceName: MapsBroker # Check: (Get-Service -Name 'MapsBroker').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
-
name: Microsoft Retail Demo experience
recommend: standard
docs: http://batcmd.com/windows/10/services/retaildemo/
call:
function: DisableService
parameters:
serviceName: RetailDemo # Check: (Get-Service -Name 'RetailDemo').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
category: Mail, contact, calendar and user data synchronization
children:
-
name: User Data Storage (UnistoreSvc) Service
docs: http://batcmd.com/windows/10/services/unistoresvc/
recommend: strict
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UnistoreSvc_*").Start
serviceName: UnistoreSvc
defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
-
name: Sync Host (OneSyncSvc) Service Service
docs: http://batcmd.com/windows/10/services/onesyncsvc/
recommend: strict
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\OneSyncSvc_*").Start
serviceName: OneSyncSvc
defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
-
name: Contact data indexing
docs: http://batcmd.com/windows/10/services/pimindexmaintenancesvc/
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_*").Start
serviceName: PimIndexMaintenanceSvc
defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
-
name: App user data access
docs: http://batcmd.com/windows/10/services/userdatasvc/
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UserDataSvc_*").Start
serviceName: UserDataSvc
defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
-
name: Text messaging
docs: http://batcmd.com/windows/10/services/messagingservice/
call:
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\MessagingService_*").Start
serviceName: MessagingService
defaultStartupMode: Manual # Alowed values: Boot | System | Automatic | Manual
-
name: Windows Push Notification Service (breaks network settings view on Windows 10)
recommend: strict
docs:
# It enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service.
# In the URL below you can read more about how it communicates with other sources.
- https://docs.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview
# Hosts Windows notification platform, which provides support for local and push notifications.
# According the uncited Wikipedia article, it bypasses VPN and connects directly to Microsoft.
# It reveals real IP address of the host which circumvents the anonymity provided by VPN.
- https://en.wikipedia.org/w/index.php?title=Windows_Push_Notification_Service&oldid=1012335551#Privacy_Issue
# System-wide service:
- http://batcmd.com/windows/10/services/wpnservice/
# Per-user service:
- http://batcmd.com/windows/10/services/wpnuserservice/
# Disabling system-wide user service "WpnUserService" breaks accessing access network settings on Windows 10.
# It works fine on Windows 11.
- https://github.com/undergroundwires/privacy.sexy/issues/110
call:
-
function: ShowWarning
parameters:
message: Disabling Network settings on Windows 10 is known to break Network settings.
ignoreWindows11: true
- # Windows Push Notifications System Service
function: DisableService
parameters:
serviceName: WpnService # Check: (Get-Service -Name 'WpnService').StartType
defaultStartupMode: Automatic # Allowed values: Automatic | Manual
- # Windows Push Notifications User Service
function: DisablePerUserService
parameters:
# Check (system-wide): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService").Start
# Check (per-user): (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WpnUserService_*").Start
serviceName: WpnUserService
defaultStartupMode: Automatic # Alowed values: Boot | System | Automatic | Manual
-
category: Disable Xbox services
children:
-
name: Xbox Live Auth Manager
recommend: standard
call:
function: DisableService
parameters:
serviceName: XblAuthManager # Check: (Get-Service -Name 'XblAuthManager').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Xbox Live Game Save
recommend: standard
call:
function: DisableService
parameters:
serviceName: XblGameSave # Check: (Get-Service -Name 'XblGameSave').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Xbox Live Networking Service
recommend: standard
call:
function: DisableService
parameters:
serviceName: XboxNetApiSvc # Check: (Get-Service -Name 'XboxNetApiSvc').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable Volume Shadow Copy Service (breaks System Restore and Windows Backup) # Also known as • Volume Snapshot Service • VSS • VSC
recommend: strict
docs:
- https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service
- https://www.schneier.com/blog/archives/2009/12/the_security_im.html
call:
function: DisableService
parameters:
serviceName: VSS # Check: (Get-Service -Name 'VSS').StartType
defaultStartupMode: Manual # Allowed values: Automatic | Manual
-
name: Disable NetBios for all interfaces
docs:
- https://bobcares.com/blog/disable-netbios-and-llmnr-protocols-in-windows-using-gpo/
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5f3c095-1ad2-4963-b075-787f800b81f2/
call:
function: RunPowerShell
parameters:
code: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 2 -Verbose
}
revertCode: |-
$key = 'HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces'
Get-ChildItem $key | ForEach {
Set-ItemProperty -Path "$key\$($_.PSChildName)" -Name NetbiosOptions -Value 0 -Verbose
}
-
category: Remove bloatware
children:
-
category: Uninstall Windows store apps
docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10
children:
-
category: Uninstall provisioned Windows apps
docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#provisioned-windows-apps
children:
-
name: App Connector app
recommend: strict
docs: https://superuser.com/a/1003226
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Appconnector # Discontinued after Windows 10 1511
-
category: Uninstall 3D modeling apps
children:
-
name: Microsoft 3D Builder app
docs: https://www.microsoft.com/en-us/p/3d-builder/9wzdncrfj3t6
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.3DBuilder
-
name: 3D Viewer app
docs: https://www.microsoft.com/en-us/p/3d-viewer/9nblggh42ths
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Microsoft3DViewer
-
category: Uninstall MSN (Bing) apps
children:
-
name: MSN Weather app
docs: https://www.microsoft.com/en-us/p/msn-weather/9wzdncrfj3q2
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingWeather
-
name: MSN Sports app
recommend: standard
docs: https://www.microsoft.com/en-us/p/msn-sports/9wzdncrfhvh4
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingSports
-
name: MSN News app
recommend: standard
docs: https://www.microsoft.com/en-us/p/microsoft-news/9wzdncrfhvfw
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingNews
-
name: MSN Money app
recommend: standard
docs: https://www.microsoft.com/en-us/p/msn-money/9wzdncrfhv4v
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.BingFinance
-
name: Uninstall Cortana app
recommend: standard
docs: https://www.microsoft.com/en-us/p/msn-money/9wzdncrfhv4v
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.549981C3F5F10
-
name: App Installer app
docs: https://www.microsoft.com/en-us/p/app-installer/9nblggh4nns1
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.DesktopAppInstaller
-
name: Get Help app
docs: https://www.microsoft.com/en-us/p/get-help/9nblgggzhtbj
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.GetHelp
-
name: Microsoft Tips app
docs: https://www.microsoft.com/en-us/p/microsoft-tips/9wzdncrdtbjj
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Getstarted
-
category: Extensions
children:
-
name: HEIF Image Extensions app
docs: https://www.microsoft.com/en-us/p/heif-image-extensions/9pmmsr1cgpwg
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.HEIFImageExtension
-
name: VP9 Video Extensions app
docs: https://www.microsoft.com/en-us/p/vp9-video-extensions/9n4d0msmp0pt
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.VP9VideoExtensions
-
name: Web Media Extensions app
docs: https://www.microsoft.com/en-us/p/web-media-extensions/9n5tdp8vcmhs
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WebMediaExtensions
-
name: Webp Image Extensions app
docs: https://www.microsoft.com/en-us/p/webp-image-extensions/9pg2dk419drg
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WebpImageExtension
-
name: Microsoft Messaging app
docs: https://www.microsoft.com/en-us/p/microsoft-messaging/9wzdncrfjbq6
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Messaging
-
name: Mixed Reality Portal app
docs: https://www.microsoft.com/en-us/p/mixed-reality-portal/9ng1h8b3zc7m
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MixedReality.Portal
-
category: Uninstall Microsoft Office apps
children:
-
name: My Office app
recommend: standard
docs: https://www.microsoft.com/en-us/p/my-office-app/9n8vd0f315mh
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftOfficeHub
-
name: OneNote app
docs: https://www.microsoft.com/en-us/p/onenote-for-windows-10/9wzdncrfhvjl
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Office.OneNote
-
name: Sway app
docs: https://www.microsoft.com/en-us/p/sway/9wzdncrd2g0j
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Office.Sway
-
name: Feedback Hub app
recommend: standard
docs: https://www.microsoft.com/en-us/p/feedback-hub/9nblggh4r32n
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsFeedbackHub
-
name: Windows Alarms and Clock app
docs: https://www.microsoft.com/en-us/p/windows-alarms-clock/9wzdncrfj3pr
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsAlarms
-
name: Windows Camera app
docs: https://www.microsoft.com/en-us/p/windows-camera/9wzdncrfjbbg
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsCamera
-
name: Paint 3D app
docs: https://www.microsoft.com/en-us/p/paint-3d/9nblggh5fv99
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MSPaint
-
name: Windows Maps app
recommend: standard
docs: https://www.microsoft.com/en-us/p/windows-maps/9wzdncrdtbvb
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsMaps
-
name: Minecraft for Windows 10 app
docs: https://www.microsoft.com/en-us/p/minecraft-for-windows-10/9nblggh2jhxj
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MinecraftUWP
-
name: Microsoft Store app
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsStore
-
name: Microsoft People app
docs: https://www.microsoft.com/en-us/p/microsoft-people/9nblggh10pg8
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.People
-
name: Microsoft Pay app
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Wallet
-
name: Store Purchase app
docs: https://social.technet.microsoft.com/Forums/exchange/en-US/24b1088d-0fc5-4a82-8015-c9c964532603/store-purchase-app?forum=win10itproapps
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.StorePurchaseApp
-
name: Snip & Sketch app
docs: https://www.microsoft.com/en-us/p/snip-sketch/9mz95kl8mr0l
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ScreenSketch
-
name: Print 3D app
docs: https://www.microsoft.com/en-us/p/print-3d/9pbpch085s3s
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Print3D
-
name: Mobile Plans app
docs: https://www.microsoft.com/en-us/p/mobile-plans/9nblggh5pnb1
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.OneConnect
-
name: Microsoft Solitaire Collection app
docs: https://www.microsoft.com/en-us/p/microsoft-solitaire-collection/9wzdncrfhwd2
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftSolitaireCollection
-
name: Microsoft Sticky Notes app
docs: https://www.microsoft.com/en-us/p/microsoft-sticky-notes/9nblggh4qghw
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.MicrosoftStickyNotes
-
category: Xbox
children:
-
name: Xbox Console Companion app
docs: https://www.microsoft.com/en-us/p/xbox-console-companion/9wzdncrfjbd8
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxApp
-
name: Xbox Live in-game experience app
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Xbox.TCUI
-
name: Xbox Game Bar app
docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxGamingOverlay
-
name: Xbox Game Bar Plugin appcache
docs: https://www.microsoft.com/en-us/p/xbox-game-bar/9nzkpstsnw4p
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxGameOverlay
-
name: Xbox Identity Provider app
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxIdentityProvider
-
name: Xbox Speech To Text Overlay app
recommend: standard
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.XboxSpeechToTextOverlay
-
name: Mail and Calendar app
docs: https://www.microsoft.com/en-us/p/mail-and-calendar/9wzdncrfhvqm
call:
function: UninstallStoreApp
parameters:
packageName: microsoft.windowscommunicationsapps
-
category: Zune
children:
-
name: Groove Music app
docs: https://www.microsoft.com/en-us/p/groove-music/9wzdncrfj3pt
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ZuneMusic
-
name: Movies and TV app
docs: https://www.microsoft.com/en-us/p/movies-tv/9wzdncrfj3p2
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.ZuneVideo
-
name: Windows Calculator app
docs: https://www.microsoft.com/en-us/p/windows-calculator/9wzdncrfhvn5
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsCalculator
-
name: Microsoft Photos app
docs: https://www.microsoft.com/en-us/p/microsoft-photos/9wzdncrfjbh4
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Photos
-
name: Skype app
docs: https://www.microsoft.com/en-us/p/skype/9wzdncrfj364
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.SkypeApp
-
name: GroupMe app
docs: https://www.microsoft.com/en-us/p/groupme/9nblggh5z4f2
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.GroupMe10
-
name: Windows Voice Recorder app
docs: https://www.microsoft.com/en-us/p/windows-voice-recorder/9wzdncrfhwkn
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsSoundRecorder
-
category: Phone
children:
-
name: Your Phone Companion app # Depreciated in newer Windows 10
call:
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.WindowsPhone
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Phone
-
name: Communications - Phone app # Depreciated in newer Windows 10
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.CommsPhone
-
name: Your Phone app
docs: https://www.microsoft.com/en-us/p/your-phone/9nmpj99vjbwv
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.YourPhone
-
category: Uninstall installed Windows apps
docs: https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#installed-windows-apps
children:
-
name: Microsoft Advertising app
recommend: standard
docs:
- https://docs.microsoft.com/en-us/windows/uwp/monetize/install-the-microsoft-advertising-libraries
- https://social.msdn.microsoft.com/Forums/windowsapps/en-US/db8d44cb-1381-47f7-94d3-c6ded3fea36f/microsoft-ad-monetization-platform-shut-down-as-of-june-1st?forum=aiamgr
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Advertising.Xaml
-
name: Remote Desktop app
docs: https://www.microsoft.com/en-us/p/microsoft-remote-desktop/9wzdncrfj3ps?activetab=pivot:overviewtab
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.RemoteDesktop
-
name: Network Speed Test app
recommend: standard
docs: https://www.microsoft.com/en-us/p/network-speed-test/9wzdncrfhx52
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.NetworkSpeedTest
-
name: Microsoft To Do app
docs: https://www.microsoft.com/en-us/p/microsoft-to-do-lists-tasks-reminders/9nblggh5r558
call:
function: UninstallStoreApp
parameters:
packageName: Microsoft.Todos
-
category: Third party
children:
-
name: Shazam app # Discontinued https://www.windowscentral.com/shazam-pulls-plug-windows-apps
call:
function: UninstallStoreApp
parameters:
packageName: ShazamEntertainmentLtd.Shazam
-
name: Candy Crush Saga app
docs: https://www.microsoft.com/en-us/p/candy-crush-saga/9nblggh18846
call:
-
function: UninstallStoreApp
parameters:
packageName: king.com.CandyCrushSaga
-
function: UninstallStoreApp
parameters:
packageName: king.com.CandyCrushSodaSaga
-
name: Flipboard app
docs: https://www.microsoft.com/en-us/p/flipboard/9wzdncrfj32q
call:
function: UninstallStoreApp
parameters:
packageName: Flipboard.Flipboard
-
name: Twitter app
docs: https://www.microsoft.com/en-us/p/twitter/9wzdncrfj140
call:
function: UninstallStoreApp
parameters:
packageName: 9E2F88E3.Twitter
-
name: iHeartRadio app
docs: https://www.microsoft.com/en-us/p/iheartradio/9wzdncrfj223
call:
function: UninstallStoreApp
parameters:
packageName: ClearChannelRadioDigital.iHeartRadio
-
name: Duolingo app
docs: https://www.microsoft.com/en-us/p/duolingo-learn-languages-for-free/9wzdncrcv5xn
call:
function: UninstallStoreApp
parameters:
packageName: D5EA27B7.Duolingo-LearnLanguagesforFree
-
name: Photoshop Express app
docs: https://www.microsoft.com/en-us/p/adobe-photoshop-express-image-editor-adjustments-filters-effects-borders/9wzdncrfj27n
call:
function: UninstallStoreApp
parameters:
packageName: AdobeSystemIncorporated.AdobePhotoshop
-
name: Pandora app
docs: https://www.microsoft.com/en-us/p/pandora/9wzdncrfj46v
call:
function: UninstallStoreApp
parameters:
packageName: PandoraMediaInc.29680B314EFC2
-
name: Eclipse Manager app
docs: https://www.microsoft.com/en-us/p/eclipse-manager/9wzdncrdjmh1
call:
function: UninstallStoreApp
parameters:
packageName: 46928bounde.EclipseManager
-
name: Code Writer app
docs: https://www.microsoft.com/en-us/p/code-writer/9wzdncrfhzdt
call:
function: UninstallStoreApp
parameters:
packageName: ActiproSoftwareLLC.562882FEEB491
-
name: Spotify app
docs: https://www.microsoft.com/en-us/p/spotify-music/9ncbcszsjrsb
call:
function: UninstallStoreApp
parameters:
packageName: SpotifyAB.SpotifyMusic
-
category: Uninstall system apps
docs:
- https://docs.microsoft.com/en-us/windows/application-management/apps-in-windows-10#system-apps
- https://github.com/privacysexy-forks/Windows10Debloater/blob/d4ede6d3225e7def087b389c7e8cf6be0d5e2cd7/Windows10Debloater.ps1#L43-L47
children:
-
name: File Picker app
call:
function: UninstallSystemApp
parameters:
packageName: 1527c705-839a-4832-9118-54d4Bd6a0c89
-
name: File Explorer app
call:
function: UninstallSystemApp
parameters:
packageName: c5e2524a-ea46-4f67-841f-6a9465d9d515
-
name: App Resolver UX app
call:
function: UninstallSystemApp
parameters:
packageName: E2A4F912-2574-4A75-9BB0-0D023378592B
-
name: Add Suggested Folders To Library app
call:
-
function: UninstallSystemApp
parameters:
packageName: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
-
function: UninstallSystemApp
parameters:
packageName: InputApp
-
name: Microsoft AAD Broker Plugin app (breaks Night Light settings, taskbar keyboard selection and Office app authentication)
docs:
# Azure Active Directory plugin, is needed for apps using Azure Active Directory authentication.
# More about Azure Active Directory:
- https://azure.microsoft.com/en-us/services/active-directory/
# ❗️ In some version it breaks selection of keyboard in taskbar.
# Clicking on taskbar language selection icon does not show the selection dialog.
- https://github.com/undergroundwires/privacy.sexy/issues/24
# ❗️ Uninstalling it breaks Night Light functionality and sign in for Office app.s
# Reverting the script and rebooting solves the night light functionality.
# About the issue:
- https://github.com/undergroundwires/privacy.sexy/issues/54
# More about night light:
- https://support.microsoft.com/en-us/windows/set-your-display-for-night-time-in-windows-18fe903a-e0a1-8326-4c68-fd23d7aaf136
# recommend: strict (Unrecommended until better warning mechanism is implemented)
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.AAD.BrokerPlugin # Offical docs point to wrong "Microsoft.AAD.Broker.Plugin"
-
name: Microsoft Accounts Control app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.AccountsControl
-
name: Microsoft Async Text Service app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.AsyncTextService
-
category: Windows Hello setup UI
children:
-
name: Bio enrollment app (breaks biometric authentication)
docs: https://answers.microsoft.com/en-us/insider/forum/insider_wintp-insider_store-insiderplat_pc/what-is-bio-enrollment-app/53808b5a-8694-4128-a5bd-34e3b954434a
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.BioEnrollment
-
name: Cred Dialog Host app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.CredDialogHost
-
name: EC app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.ECApp
-
name: Lock app (shows lock screen)
docs: https://www.getwox.com/what-is-lockapp-exe/
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.LockApp
-
category: Microsoft Edge
children:
-
name: Microsoft Edge (Legacy) app
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.MicrosoftEdge
-
name: Microsoft Edge (Legacy) Dev Tools Client app
docs: https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.MicrosoftEdgeDevToolsClient
-
name: Win32 Web View Host app / Desktop App Web Viewer
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Win32WebViewHost
-
name: Microsoft PPI Projection app
docs: https://en.wikipedia.org/wiki/Perceptive_Pixel
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.PPIProjection
-
name: ChxApp app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.Apprep.ChxApp
-
name: Assigned Access Lock App app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.AssignedAccessLockApp
-
name: Capture Picker app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.CapturePicker
-
name: Cloud Experience Host app (breaks Windows Hello password/PIN sign-in options, and Microsoft cloud/corporate sign in)
docs:
# Allows to connect to corporate domains or Microsoft cloud based services
# ❗️ Uninstalling it breaks:
# - Sign-in to Windows using Microsoft account (cloud-based sign-in)
# https://github.com/undergroundwires/privacy.sexy/issues/99
# https://github.com/undergroundwires/privacy.sexy/issues/64
# - Password and PIN sign-in options in Settings > Sign-in Options
# https://github.com/undergroundwires/privacy.sexy/issues/67
# Its functionalites include
# - Microsoft accounts
# Used to connect Microsoft accounts
- https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp
- https://answers.microsoft.com/en-us/windows/forum/all/cant-login-to-microsoft-account-because-of-cloud/0861c72d-3621-45bc-bae0-67d13121f526
# - Corporate login
# Cloud Experience Host is an application used while joining the workplace environment or
# Azure AD for rendering the experience when collecting your company-provided credentials.
# Once you enroll your device to your workplace environment or Azure AD, your organization
# will be able to manage your PC and collect information about you (including your location).
# It might add or remove apps or content, change settings, disable features, prevent you
# from removing your company account, or reset your PC.
- https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology#cloud-experience-host
# - PIN/Biometric/Device authentication
# Used for Windows Hello, that allows authentication through device, or a biometric or PIN code
# Allows joining a machine to Azure AD or on-premises AD domain
- https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning
# - OOBE troubleshooting
# It also helps to detect blocking errors occurring during OOBE (Out-of-box experience) flow
# OOBE consists of a series of screens for license agreement, internet connection, loggining in etc.
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe # More about OOBE
- https://docs.microsoft.com/en-us/windows/privacy/required-windows-11-diagnostic-events-and-fields#cloud-experience-host-events
# recommend: strict (Unrecommended until better warning mechanism is implemented)
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.CloudExperienceHost
-
name: Content Delivery Manager app (automatically installs apps)
docs: https://www.ghacks.net/2019/12/23/how-to-block-the-automatic-installation-of-suggested-windows-10-apps/
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.ContentDeliveryManager
-
category: Uninstall Cortana system apps
children:
-
name: Search app (breaks Windows search)
docs: https://thegeekpage.com/searchui-exe-suspended-error/
call:
-
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.Cortana # Removed since version 2004
-
function: UninstallStoreApp
parameters:
packageName: Microsoft.Windows.Search # Added in version 2004, it was called "Cortana" before now it's plain "Search"
-
name: Holographic First Run app
recommend: standard
docs: https://www.addictivetips.com/windows-tips/check-pc-windows-holographic-app-requirements/
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.Holographic.FirstRun
-
name: OOBE Network Captive Port app
docs: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details#connect-users-to-the-network
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.OOBENetworkCaptivePortal # Offical docs point to wrong "Microsoft.Windows.OOBENetworkCaptivePort"
-
name: OOBE Network Connection Flow app
docs:
- https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/oobe-screen-details
- https://www.windowscentral.com/windows-10-build-15019-pc-everything-you-need-know
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.OOBENetworkConnectionFlow
-
name: Windows 10 Family Safety / Parental Controls app
recommend: standard
docs: https://account.microsoft.com/family/about
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.ParentalControls
-
category: People Hub
children:
-
name: My People / People Bar App on taskbar (People Experience Host)
docs: https://winaero.com/pin-contacts-taskbar-windows-10/
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.PeopleExperienceHost
-
name: Pinning Confirmation Dialog app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.PinningConfirmationDialog
-
name: Windows Security GUI (Sec Health UI) app
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.SecHealthUI
-
name: Secondary Tile Experience app
docs: https://docs.microsoft.com/en-us/windows/uwp/design/shell/tiles-and-notifications/secondary-tiles
recommend: strict # Individual tiles may track e.g. like Firefox
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.SecondaryTileExperience
-
name: Secure Assessment Browser app (breaks Microsoft Intune/Graph)
recommend: strict
docs: https://docs.microsoft.com/en-us/graph/api/resources/intune-deviceconfig-windows10secureassessmentconfiguration?view=graph-rest-1.0
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.Windows.SecureAssessmentBrowser
# -
# # Not a bloatware, required for different setting windows such as WiFi and battery panes in action bar
# name: Start app
# call:
# function: UninstallSystemApp
# parameters:
# packageName: Microsoft.Windows.ShellExperienceHost
-
category: Windows Feedback
children:
-
name: Windows Feedback app
recommend: standard
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.WindowsFeedback
-
name: Xbox Game Callable UI app (breaks Xbox Live games)
docs: https://docs.microsoft.com/en-us/gaming/xbox-live/features/general/tcui/live-tcui-overview
recommend: strict
call:
function: UninstallSystemApp
parameters:
packageName: Microsoft.XboxGameCallableUI
-
name: CBS Preview app
recommend: standard
call:
function: UninstallSystemApp
parameters:
packageName: Windows.CBSPreview
-
name: Contact Support app
call:
function: UninstallSystemApp
parameters:
packageName: Windows.ContactSupport
# -
# # Not a bloatware, required for core OS functinoality
# name: Settings app
# call:
# function: UninstallSystemApp
# parameters:
# packageName: Windows.immersivecontrolpanel
-
name: Windows Print 3D app
call:
function: UninstallSystemApp
parameters:
packageName: Windows.Print3D
-
name: Print UI app
call:
function: UninstallSystemApp
parameters:
packageName: Windows.PrintDialog
-
category: Remove OneDrive
children:
-
name: Kill OneDrive process
recommend: strict
code: taskkill /f /im OneDrive.exe
revertCode: '"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe"'
-
name: Uninstall OneDrive
recommend: strict
code: |-
if %PROCESSOR_ARCHITECTURE%==x86 (
%SystemRoot%\System32\OneDriveSetup.exe /uninstall 2>nul
) else (
%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall 2>nul
)
revertCode: |-
if %PROCESSOR_ARCHITECTURE%==x86 (
%SystemRoot%\System32\OneDriveSetup.exe /silent
) else (
%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent
)
-
name: Remove OneDrive leftovers
recommend: strict
code: |-
rd "%UserProfile%\OneDrive" /q /s
rd "%LocalAppData%\Microsoft\OneDrive" /q /s
rd "%ProgramData%\Microsoft OneDrive" /q /s
rd "%SystemDrive%\OneDriveTemp" /q /s
-
name: Delete OneDrive shortcuts
recommend: strict
docs: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/installation-and-setup/how-to-block-onedrive.exe-from-being-advertised-after-install-office-2016
code: |-
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk" /s /f /q
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk" /s /f /q
del "%USERPROFILE%\Links\OneDrive.lnk" /s /f /q
-
name: Disable usage of OneDrive
recommend: strict
code: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 1 /f
revertCode: |-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSyncNGSC" /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /t REG_DWORD /v "DisableFileSync" /d 0 /f
-
name: Prevent automatic OneDrive install for current user
recommend: strict
code: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
revertCode: |-
if %PROCESSOR_ARCHITECTURE%==x86 (
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d " %SystemRoot%\System32\OneDriveSetup.exe /silent" /f
) else (
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f
)
-
name: Prevent automatic OneDrive install for new users
recommend: strict
code: |-
reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT"
reg delete "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
reg unload "HKU\Default"
revertCode: |-
reg load "HKU\Default" "%SystemDrive%\Users\Default\NTUSER.DAT"
if %PROCESSOR_ARCHITECTURE%==x86 (
reg add "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d " %SystemRoot%\System32\OneDriveSetup.exe /silent" /f
) else (
reg add "HKU\Default\software\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveSetup" /t REG_SZ /d "%SystemRoot%\SysWOW64\OneDriveSetup.exe /silent" /f
)
reg unload "HKU\Default"
-
name: Remove OneDrive from explorer menu
recommend: strict
code: |-
reg delete "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
reg delete "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "0" /t REG_DWORD /f
reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "0" /t REG_DWORD /f
revertCode: |-
reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "1" /t REG_DWORD /f
reg add "HKCR\Wow6432Node\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v System.IsPinnedToNameSpaceTree /d "1" /t REG_DWORD /f
-
name: Delete all OneDrive related Services
recommend: strict
code: for /f "tokens=1 delims=," %%x in ('schtasks /query /fo csv ^| find "OneDrive"') do schtasks /Delete /TN %%x /F
-
name: Delete OneDrive path from registry
recommend: strict
docs: https://stackoverflow.com/questions/46744840/export-registry-value-to-file-and-then-set-a-variable-in-batch
code: reg delete "HKCU\Environment" /v "OneDrive" /f
-
name: Uninstall Edge (chromium-based)
call:
function: RunPowerShell
parameters:
code: |-
$installer = (Get-ChildItem "$env:ProgramFiles*\Microsoft\Edge\Application\*\Installer\setup.exe")
if (!$installer) {
Write-Host 'Could not find the installer'
} else {
& $installer.FullName -Uninstall -System-Level -Verbose-Logging -Force-Uninstall
}
-
category: Disable built-in Windows features
children:
-
name: Direct Play feature
call:
function: DisableFeature
parameters:
featureName: DirectPlay
-
name: Internet Explorer feature
call:
-
function: DisableFeature
parameters:
featureName: Internet-Explorer-Optional-x64
-
function: DisableFeature
parameters:
featureName: Internet-Explorer-Optional-x84
-
function: DisableFeature
parameters:
featureName: Internet-Explorer-Optional-amd64
-
name: Legacy Components feature
call:
function: DisableFeature
parameters:
featureName: LegacyComponents
-
category: Server features for developers & administrators
children:
-
category: Hyper-V Virtualization
children:
-
name: Hyper-V feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-All
-
name: Hyper-V GUI Management Tools feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Management-Clients
-
name: Hyper-V Management Tools feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Tools-All
-
name: Hyper-V Module for Windows PowerShell feature
call:
function: DisableFeature
parameters:
featureName: Microsoft-Hyper-V-Management-PowerShell
-
name: Telnet Client feature
docs: https://social.technet.microsoft.com/wiki/contents/articles/38433.windows-10-enabling-telnet-client.aspx
call:
function: DisableFeature
parameters:
featureName: TelnetClient
-
name: Net.TCP Port Sharing feature
docs: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/net-tcp-port-sharing
call:
function: DisableFeature
parameters:
featureName: WCF-TCP-PortSharing45
-
name: SMB Direct feature
docs: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-direct
call:
function: DisableFeature
parameters:
featureName: SmbDirect
-
name: TFTP Client feature
call:
function: DisableFeature
parameters:
featureName: TFTP
-
category: Printing features
children:
-
category: Printer networking
children:
-
name: Internet Printing Client
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-InternetPrinting-Client
-
name: LPD Print Service
call:
function: DisableFeature
parameters:
featureName: LPDPrintService
-
name: LPR Port Monitor feature
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-LPRPortMonitor
-
name: Microsoft Print to PDF feature
call:
function: DisableFeature
parameters:
featureName: Printing-PrintToPDFServices-Features
-
name: Print and Document Services feature
call:
function: DisableFeature
parameters:
featureName: Printing-Foundation-Features
-
name: Work Folders Client feature
docs: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview
call:
function: DisableFeature
parameters:
featureName: WorkFolders-Client
-
category: XPS support
children:
-
name: XPS Services feature
call:
function: DisableFeature
parameters:
featureName: Printing-XPSServices-Features
-
name: XPS Viewer feature
call:
function: DisableFeature
parameters:
featureName: Xps-Foundation-Xps-Viewer
-
name: Media Features feature
call:
function: DisableFeature
parameters:
featureName: MediaPlayback
-
name: Scan Management feature
call:
function: DisableFeature
parameters:
featureName: ScanManagementConsole
-
name: Windows Fax and Scan feature
call:
function: DisableFeature
parameters:
featureName: FaxServicesClientPackage
-
name: Windows Media Player feature
call:
function: DisableFeature
parameters:
featureName: WindowsMediaPlayer
-
name: Windows Search feature
call:
function: DisableFeature
parameters:
featureName: SearchEngine-Client-Package
-
category: Uninstall capabilities & features on demand
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#fods-that-are-not-preinstalled-but-may-need-to-be-preinstalled
children:
-
category: Preinstalled
children:
-
name: DirectX Configuration Database capability
call:
function: UninstallCapability
parameters:
capabilityName: DirectX.Configuration.Database
-
name: Internet Explorer 11 capability
call:
function: UninstallCapability
parameters:
capabilityName: Browser.InternetExplorer
-
name: Math Recognizer capability
call:
function: UninstallCapability
parameters:
capabilityName: MathRecognizer
-
name: OneSync capability (breaks Mail, People, and Calendar)
recommend: strict
docs: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod#onesync
call:
function: UninstallCapability
parameters:
capabilityName: OneCoreUAP.OneSync
-
name: OpenSSH client capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Client
-
name: PowerShell ISE capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.PowerShell.ISE
-
name: Print Management Console capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Management.Console
-
name: Quick Assist capability
call:
function: UninstallCapability
parameters:
capabilityName: App.Support.QuickAssist
-
name: Steps Recorder capability
call:
function: UninstallCapability
parameters:
capabilityName: App.StepsRecorder
-
name: Windows Fax and Scan capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.Fax.Scan
# Following are excluded because:
# 1. They are not widely considered as "bloatware" as the community
# 2. Do not have known privacy issues
# 3. Make Windows more functional when running all scripts
# -
# name: WordPad capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.WordPad
# -
# name: Paint capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.MSPaint
# -
# name: Notepad capability
# call:
# function: UninstallCapability
# parameters:
# capabilityName: Microsoft.Windows.Notepad
-
category: Not preinstalled
children:
-
name: .NET Framework capability
call:
function: UninstallCapability
parameters:
capabilityName: NetFX3
-
name: Mixed Reality capability
call:
function: UninstallCapability
parameters:
capabilityName: Analog.Holographic.Desktop
-
name: Wireless Display capability
call:
function: UninstallCapability
parameters:
capabilityName: App.WirelessDisplay.Connect
-
name: Accessibility - Braille Support capability
call:
function: UninstallCapability
parameters:
capabilityName: Accessibility.Braille
-
name: Developer Mode capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.DeveloperMode.Core
-
name: Graphics Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Tools.Graphics.DirectX
-
name: IrDA capability
call:
function: UninstallCapability
parameters:
capabilityName: Network.Irda
-
name: Microsoft WebDriver capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.WebDriver
-
name: MSIX Packaging Tool Driver capability
call:
function: UninstallCapability
parameters:
capabilityName: Msix.PackagingTool.Driver
-
category: Networking tools
children:
-
name: RAS Connection Manager Administration Kit (CMAK) capability
call:
function: UninstallCapability
parameters:
capabilityName: RasCMAK.Client
-
name: RIP Listener capability
call:
function: UninstallCapability
parameters:
capabilityName: RIP.Listener
-
name: Simple Network Management Protocol (SNMP) capability
call:
function: UninstallCapability
parameters:
capabilityName: SNMP.Client
-
name: SNMP WMI Provider capability
call:
function: UninstallCapability
parameters:
capabilityName: WMI-SNMP-Provider.Client
-
name: OpenSSH Server capability
call:
function: UninstallCapability
parameters:
capabilityName: OpenSSH.Server
-
category: Printing
children:
-
name: Enterprise Cloud Print capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.EnterpriseCloudPrint
-
name: Mopria Cloud Service capability
call:
function: UninstallCapability
parameters:
capabilityName: Print.MopriaCloudService
-
category: Remote server administration tools (RSAT)
children:
-
name: Active Directory Domain Services and Lightweight Directory Services Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ActiveDirectory.DS-LDS.Tools
-
name: BitLocker Drive Encryption Administration Utilities capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.BitLocker.Recovery.Tools
-
name: Active Directory Certificate Services Tools
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.CertificateServices.Tools
-
name: DHCP Server Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.DHCP.Tools
-
name: DNS Server Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Dns.Tools
-
name: Failover Clustering Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FailoverCluster.Management.Tools
-
name: File Services Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.FileServices.Tools
-
name: Group Policy Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.GroupPolicy.Management.Tools
-
name: IP Address Management (IPAM) Client capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.IPAM.Client.Tools
-
name: Data Center Bridging LLDP Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.LLDP.Tools
-
name: Network Controller Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkController.Tools
-
name: Network Load Balancing Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.NetworkLoadBalancing.Tools
-
name: Remote Access Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.RemoteAccess.Management.Tools
-
name: Server Manager Tools
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.ServerManager.Tools
-
name: Shielded VM Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.Shielded.VM.Tools
-
name: Storage Replica Module for Windows PowerShell capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageReplica.Tools
-
name: Volume Activation Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.VolumeActivation.Tools
-
name: Windows Server Update Services Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.WSUS.Tools
-
name: Storage Migration Service Management Tools capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.StorageMigrationService.Management.Tools
-
name: Systems Insights Module for Windows PowerShell capability
call:
function: UninstallCapability
parameters:
capabilityName: Rsat.SystemInsights.Management.Tools
-
category: Storage
children:
-
name: Windows Storage Management capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.Windows.StorageManagement
-
name: OneCore Storage Management capability
call:
function: UninstallCapability
parameters:
capabilityName: Microsoft.OneCore.StorageManagement
-
name: Windows Emergency Management Services and Serial Console capability
call:
function: UninstallCapability
parameters:
capabilityName: Windows.Desktop.EMS-SAC.Tools
-
name: XPS Viewer capability
call:
function: UninstallCapability
parameters:
capabilityName: XPS.Viewer
-
category: Remove Widgets
docs: |-
Windows 11 adds a new taskbar flyout named "Widgets", which displays a panel with Microsoft Start, a news aggregator
with personalized stories and content (expanding upon the "news and interests" panel introduced in later builds of Windows 10) [1].
It's rebranding/future version of older "Windows 10 News and Interests" feature [2].
The user can customize the panel by adding or removing widgets, rearranging, resizing, and personalizing the content [1].
It has privacy implications as it collects data about your usage of the computer such as diagnostics data [3].
[1]: https://en.wikipedia.org/wiki/Features_new_to_Windows_11#Windows_shell "Features new to Windows 11 | Wikipedia"
[2]: https://www.bleepingcomputer.com/news/microsoft/windows-10-news-and-interests-enabled-for-everyone-in-latest-update/ "Windows 10 News and Interests enabled for everyone in latest update | Bleeping Computer"
[3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "What data does Microsoft collect? | Widgets | Microsoft"
children:
-
name: Unpin Widgets from taskbar
docs: |-
To control whether the Widgets button is visible on the taskbar, Microsoft introduced `TaskbarDa` registry value [1].
Possible `DWORD` 32-bit settings for the `TaskbarDa` value are [1] [2]:
1. 0 = Hidden
2. 1 = Visible
This registry key does not exist in Windows 11 installations by default.
[1]: https://www.elevenforum.com/t/add-or-remove-widgets-button-on-taskbar-in-windows-11.32/ " Add or Remove Widgets Button on Taskbar in Windows 11 | Windows Eleven Forum"
[2]: https://www.bleepingcomputer.com/news/microsoft/new-windows-11-registry-hacks-to-customize-your-device/ "New Windows 11 registry hacks to customize your device | Bleeping Computer"
recommend: strict
code: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f
revertCode: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /f 2>nul
-
name: Uninstall Windows Web Experience Pack (breaks Widgets)
recommend: strict
docs: |-
Windows Web Experience Pack is a store app that enables Widgets feature [1].
The app is not needed and not known to break other OS functionality if you do not wish to use Widgets feature.
This app is known to collect diagnostics data, individual widgets might also collect data [2].
See its [Windows Store Page](https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP).
It requires you to agree with Microsoft's general privacy terms, see [privacy agreement](http://go.microsoft.com/fwlink/?LinkID=521839) [3].
The agreement allows Microsoft to collect your personal data [3].
[1]: https://support.microsoft.com/en-us/windows/how-to-update-the-windows-web-experience-pack-in-the-microsoft-store-a16c9bf1-f042-4dc9-a523-740cca1e1e60 "How to update the Windows Web Experience Pack in the Microsoft Store | support.microsoft.com"
[2]: https://apps.microsoft.com/store/detail/windows-web-experience-pack/9MSSGKG348SP "Windows Web Experience Pack - Microsoft Store Apps | apps.microsoft.com/store"
[3]: https://support.microsoft.com/en-us/windows/stay-up-to-date-with-widgets-7ba79aaa-dac6-4687-b460-ad16a06be6e4 "Stay up to date with widgets | support.microsoft.com"
call:
function: UninstallStoreApp
parameters:
packageName: MicrosoftWindows.Client.WebExperience
-
name: Remove Meet Now icon from taskbar
recommend: strict
docs: # Skype feature, introduced in 20H2, KB4580364 update
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TaskBar2::HideSCAMeetNow
- https://www.windowscentral.com/how-disable-meet-now-feature-windows-10
code: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d 1 /f
revertCode: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /f
-
category: Advanced settings
children:
-
name: Change NTP (time) server to pool.ntp.org
docs: https://www.pool.ntp.org/en/use.html
recommend: strict
# `sc queryex` output is same in every OS language
code: |-
:: Configure time source
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"
:: Stop time service if running
SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
net stop w32time
)
:: Start time service and sync now
net start w32time
w32tm /config /update
w32tm /resync
revertCode: |-
:: Configure time source
w32tm /config /syncfromflags:manual /manualpeerlist:"time.windows.com"
:: Stop time service if running
SC queryex "w32time"|Find "STATE"|Find /v "RUNNING">Nul||(
net stop w32time
)
:: Start time servie and sync now
net start w32time
w32tm /config /update
w32tm /resync
-
name: Disable Reserved Storage for updates # since 19H1 (1903)
docs:
- https://techcommunity.microsoft.com/t5/storage-at-microsoft/windows-10-and-reserved-storage/ba-p/428327 # Announcement
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/managing-reserved-storage-in-windows-10-environments/ba-p/1297070#toc-hId--8696946 # Set-ReservedStorageState
- https://www.howtogeek.com/425563/how-to-disable-reserved-storage-on-windows-10/ # ShippedWithReserves
- https://techcommunity.microsoft.com/t5/windows-servicing/reserve-manager-enabled-with-low-disk-space-block/m-p/2073132 # PassedPolicy
code: |-
dism /online /Set-ReservedStorageState /State:Disabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "2" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "0" /f
revertCode: |-
DISM /Online /Set-ReservedStorageState /State:Enabled /NoRestart
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "MiscPolicyInfo" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "ShippedWithReserves" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ReserveManager" /v "PassedPolicy" /t REG_DWORD /d "1" /f
-
name: Run script on start-up [EXPERIMENTAL]
code: |-
del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat
copy "%~dpnx0" "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat"
revertCode: del /f /q %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\privacy-cleanup.bat
functions:
-
name: KillProcessWhenItStarts
parameters:
- name: processName
# https://docs.microsoft.com/en-us/previous-versions/windows/desktop/xperf/image-file-execution-options
code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'{{ $processName }}'" /v "Debugger" /f
-
name: DisableFeature
parameters:
- name: featureName
code: dism /Online /Disable-Feature /FeatureName:"{{ $featureName }}" /NoRestart
revertCode: dism /Online /Enable-Feature /FeatureName:"{{ $featureName }}" /NoRestart
-
name: UninstallStoreApp
parameters:
- name: packageName
call:
function: RunPowerShell
parameters:
code: Get-AppxPackage '{{ $packageName }}' | Remove-AppxPackage
revertCode: |-
$package = Get-AppxPackage -AllUsers '{{ $packageName }}'
if (!$package) {
Write-Error "Cannot reinstall '{{ $packageName }}'" -ErrorAction Stop
}
$manifest = $package.InstallLocation + '\AppxManifest.xml'
Add-AppxPackage -DisableDevelopmentMode -Register "$manifest"
-
name: UninstallSystemApp
parameters:
- name: packageName
# It simply renames files
# Because system apps are non removable (check: (Get-AppxPackage -AllUsers 'Windows.CBSPreview').NonRemovable)
# Otherwise they throw 0x80070032 when trying to uninstall them
call:
function: RunPowerShell
parameters:
code: |-
$package = Get-AppxPackage -AllUsers '{{ $packageName }}'
if (!$package) {
Write-Host 'Not installed'
exit 0
}
$directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)")
foreach($dir in $directories) {
if ( !$dir -Or !(Test-Path "$dir") ) { continue }
cmd /c ('takeown /f "' + $dir + '" /r /d y 1> nul')
if($LASTEXITCODE) { throw 'Failed to take ownership' }
cmd /c ('icacls "' + $dir + '" /grant administrators:F /t 1> nul')
if($LASTEXITCODE) { throw 'Failed to take ownership' }
$files = Get-ChildItem -File -Path $dir -Recurse -Force
foreach($file in $files) {
if($file.Name.EndsWith('.OLD')) { continue }
$newName = $file.FullName + '.OLD'
Write-Host "Rename '$($file.FullName)' to '$newName'"
Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force
}
}
revertCode: |-
$package = Get-AppxPackage -AllUsers '{{ $packageName }}'
if (!$package) {
Write-Error 'App could not be found' -ErrorAction Stop
}
$directories = @($package.InstallLocation, "$env:LOCALAPPDATA\Packages\$($package.PackageFamilyName)")
foreach($dir in $directories) {
if ( !$dir -Or !(Test-Path "$dir") ) { continue; }
cmd /c ('takeown /f "' + $dir + '" /r /d y 1> nul')
if($LASTEXITCODE) { throw 'Failed to take ownership' }
cmd /c ('icacls "' + $dir + '" /grant administrators:F /t 1> nul')
if($LASTEXITCODE) { throw 'Failed to take ownership' }
$files = Get-ChildItem -File -Path "$dir\*.OLD" -Recurse -Force
foreach($file in $files) {
$newName = $file.FullName.Substring(0, $file.FullName.Length - 4)
Write-Host "Rename '$($file.FullName)' to '$newName'"
Move-Item -LiteralPath "$($file.FullName)" -Destination "$newName" -Force
}
}
-
name: UninstallCapability
parameters:
- name: capabilityName
call:
function: RunPowerShell
parameters:
code: Get-WindowsCapability -Online -Name '{{ $capabilityName }}*' | Remove-WindowsCapability -Online
revertCode: |-
$capability = Get-WindowsCapability -Online -Name '{{ $capabilityName }}*'
Add-WindowsCapability -Name "$capability.Name" -Online
-
name: RenameSystemFile
parameters:
- name: filePath
code: |-
if exist "{{ $filePath }}" (
takeown /f "{{ $filePath }}"
icacls "{{ $filePath }}" /grant administrators:F
move "{{ $filePath }}" "{{ $filePath }}.OLD" && (
echo Moved "{{ $filePath }}" to "{{ $filePath }}.OLD"
) || (
echo Could not move {{ $filePath }} 1>&2
)
) else (
echo No action required: {{ $filePath }} is not found.
)
revertCode: |-
if exist "{{ $filePath }}.OLD" (
takeown /f "{{ $filePath }}.OLD"
icacls "{{ $filePath }}.OLD" /grant administrators:F
move "{{ $filePath }}.OLD" "{{ $filePath }}" && (
echo Moved "{{ $filePath }}.OLD" to "{{ $filePath }}"
) || (
echo Could restore from backup file {{ $filePath }}.OLD 1>&2
)
) else (
echo Could not find backup file "{{ $filePath }}.OLD" 1>&2
)
-
name: SetVsCodeSetting
parameters:
- name: setting
- name: powerShellValue
call:
function: RunPowerShell
parameters:
code: |-
$jsonfile = "$env:APPDATA\Code\User\settings.json"
if (!(Test-Path $jsonfile -PathType Leaf)) {
Write-Host "No updates. Settings file was not at $jsonfile"
exit 0
}
$json = Get-Content $jsonfile | Out-String | ConvertFrom-Json
$json | Add-Member -Type NoteProperty -Name '{{ $setting }}' -Value {{ $powerShellValue }} -Force
$json | ConvertTo-Json | Set-Content $jsonfile
revertCode: |-
$jsonfile = "$env:APPDATA\Code\User\settings.json"
if (!(Test-Path $jsonfile -PathType Leaf)) {
Write-Error "Settings file could not be found at $jsonfile" -ErrorAction Stop
}
$json = Get-Content $jsonfile | ConvertFrom-Json
$json.PSObject.Properties.Remove('{{ $setting }}')
$json | ConvertTo-Json | Set-Content $jsonfile
-
name: RunPowerShell
parameters:
- name: code
- name: revertCode
optional: true
code: PowerShell -ExecutionPolicy Unrestricted -Command "{{ $code | inlinePowerShell | escapeDoubleQuotes }}"
revertCode: |-
{{ with $revertCode }}
PowerShell -ExecutionPolicy Unrestricted -Command "{{ . | inlinePowerShell | escapeDoubleQuotes }}"
{{ end }}
-
name: DisablePerUserService
parameters:
- name: serviceName
- name: defaultStartupMode # Alowed values: Boot | System | Automatic | Manual
# More about per-user services: https://docs.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
call:
- # System-wide variant: every per-user service has also system-wide counterpart with same default startup mode
function: DisableServiceInRegistry
parameters:
serviceName: '{{ $serviceName }}'
defaultStartupMode: '{{ $defaultStartupMode }}'
- # Per-user variant
function: DisableServiceInRegistry
parameters:
serviceName: '{{ $serviceName }}_*'
defaultStartupMode: '{{ $defaultStartupMode }}'
-
name: RunInlineCode
parameters:
- name: code
- name: revertCode
optional: true
code: '{{ $code }}'
revertCode: '{{ with $revertCode }}{{ . }}{{ end }}'
-
name: RunPowerShellWithSameCodeAndRevertCode
parameters:
- name: code
call:
function: RunPowerShell
parameters:
code: '{{ $code }}'
revertCode: '{{ $code }}'
-
name: RunInlineCodeAsTrustedInstaller
parameters:
- name: code
- name: revertCode
call:
function: RunPowerShell
parameters:
# PowerShell commands (`Unregister-ScheduledTask` and `Get-ScheduledTask`) sometimes fail to find existing tasks.
# Seen e.g. on Windows 11 when reverting scripts after executing them and reboot.
# They are seen to throw different exceptions:
# - `Unregister-ScheduledTask : The system cannot find the file specified`
# `ObjectNotFound: (MSFT_ScheduledTask:Root/Microsoft/...T_ScheduledTask)` with `HRESULT 0x80070002`
# - `No MSFT_ScheduledTask objects found with property 'TaskName'`
# - Because task is already running but `Get-ScheduledTask` cannot find it it throws:
# `Failed to execute with exit code: 267009`
# Solution
# Checking if task is running:
# - ❌ Not using `$(schtasks.exe /query /tn "$taskName" 2>$null)".Contains('Running')` because it outputs
# different text (not always "Running") in German/English versions.
# - ❌ Not using `(Get-ScheduledTask $taskName -ErrorAction Ignore).State -eq 'Running'
# because `Get-ScheduledTask `sometimes fails.
# - ✅ Using `(Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009` where "267009" indicates running.
# Deleting existing task:
# - ❌ Not using `Unregister-ScheduledTask $taskName -Confirm:$false` because it sometimes fails with `0x80070002`
# - ✅ Using `schtasks.exe /delete /tn "$taskName" /f` with additional `| Out-Null` or `2>&1 | Out-Null`
# to suppress errors.
code: |-
$command = '{{ $code }}'
$trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
$streamOutFile = New-TemporaryFile
$batchFile = New-TemporaryFile
try {
$batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
"@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
$taskName = 'privacy.sexy invoke'
schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
$taskAction = New-ScheduledTaskAction `
-Execute 'cmd.exe' `
-Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask `
-TaskName $taskName `
-Action $taskAction `
-Settings $settings `
-Force `
-ErrorAction Stop `
| Out-Null
try {
($scheduleService = New-Object -ComObject Schedule.Service).Connect()
$scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
$timeOutLimit = (Get-Date).AddMinutes(5)
Write-Host "Running as $trustedInstallerName"
while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
Start-Sleep -Milliseconds 200
if((Get-Date) -gt $timeOutLimit) {
Write-Warning "Skipping results, it took so long to execute script."
break;
}
}
if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
Write-Error "Failed to execute with exit code: $result."
}
} finally {
schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
}
Get-Content $streamOutFile
} finally {
Remove-Item $streamOutFile, $batchFile
}
revertCode: |- # Duplicated until custom pipes are implemented
$command = '{{ $revertCode }}'
$trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
$streamOutFile = New-TemporaryFile
$batchFile = New-TemporaryFile
try {
$batchFile = Rename-Item $batchFile "$($batchFile.BaseName).bat" -PassThru
"@echo off`r`n$command`r`nexit 0" | Out-File $batchFile -Encoding ASCII
$taskName = 'privacy.sexy invoke'
schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null # Clean if something went wrong before, suppress any output
$taskAction = New-ScheduledTaskAction `
-Execute 'cmd.exe' `
-Argument "cmd /c `"$batchFile`" > $streamOutFile 2>&1"
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask `
-TaskName $taskName `
-Action $taskAction `
-Settings $settings `
-Force `
-ErrorAction Stop `
| Out-Null
try {
($scheduleService = New-Object -ComObject Schedule.Service).Connect()
$scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
$timeOutLimit = (Get-Date).AddMinutes(5)
Write-Host "Running as $trustedInstallerName"
while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
Start-Sleep -Milliseconds 200
if((Get-Date) -gt $timeOutLimit) {
Write-Warning "Skipping results, it took so long to execute script."
break;
}
}
if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {
Write-Error "Failed to execute with exit code: $result."
}
} finally {
schtasks.exe /delete /tn "$taskName" /f | Out-Null # Outputs only errors
}
Get-Content $streamOutFile
} finally {
Remove-Item $streamOutFile, $batchFile
}
-
name: DisableServiceInRegistry
parameters:
- name: serviceName
- name: defaultStartupMode # Allowed values: Boot | System | Automatic | Manual
call:
function: RunPowerShell
parameters:
code: |- # We do registry way because GUI, "sc config" or "Set-Service" won't not work
$serviceQuery = '{{ $serviceName }}'
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) {
Write-Host "Service query `"$serviceQuery`" did not yield any results, no need to disable it."
Exit 0
}
$serviceName = $service.Name
Write-Host "Disabling service: `"$serviceName`"."
# -- 2. Stop if running
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is running, trying to stop it."
try {
Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
Write-Host "Stopped `"$serviceName`" successfully."
} catch {
Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
}
} else {
Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if service info is not found in registry
$registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if(!(Test-Path $registryKey)) {
Write-Host "`"$registryKey`" is not found in registry, cannot enable it."
Exit 0
}
# -- 4. Skip if already disabled
if( $(Get-ItemProperty -Path "$registryKey").Start -eq 4) {
Write-Host "`"$serviceName`" is already disabled from start, no further action is needed."
Exit 0
}
# -- 5. Disable service
try {
Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
}
revertCode: |-
$serviceQuery = '{{ $serviceName }}'
$defaultStartupMode = '{{ $defaultStartupMode }}'
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue
if(!$service) {
Write-Warning "Service query `"$serviceQuery`" did not yield and results, cannot enable it."
Exit 1
}
$serviceName = $service.Name
Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
# -- 2. Skip if service info is not found in registry
$registryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if(!(Test-Path $registryKey)) {
Write-Warning "`"$registryKey`" is not found in registry, cannot enable it."
Exit 1
}
# -- 3. Enable if not already enabled
$defaultStartupRegValue = `
if ($defaultStartupMode -eq 'Boot') { '0' } `
elseif($defaultStartupMode -eq 'System') { '1' } `
elseif($defaultStartupMode -eq 'Automatic') { '2' } `
elseif($defaultStartupMode -eq 'Manual') { '3' } `
else { throw "Unknown start mode: $defaultStartupMode"}
if( $(Get-ItemProperty -Path "$registryKey").Start -eq $defaultStartupRegValue) {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start."
} else {
try {
Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 4. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, trying to start it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
}
}
-
name: SetMpPreference
# Configures preferences for Windows Defender scans and updates.
# ❗️ Requires "WinDefend" service in running state, otherwise fails
parameters:
- name: property
- name: value
-
# When provided, it sets defaults using `Set-MpPreference`.
# Used by default in Windows 10 as `Remove-MpPreference` cmdlet is very limited/poor in Windows 10.
# Ignored by default in Windows 11 with providing a value for `setDefaultOnWindows11`
name: default
optional: true
-
# When reverting in Windows 11, `Set-MpPreference` is called instead of `Remove-MpPreference`
# Should be used in cases where `Remove-MpPreference` cmdlet is not setting expected values in Windows 11.
name: setDefaultOnWindows11
optional: true
call:
function: RunPowerShell
parameters:
# Unsupported arguments ->
# Skips when error contains "Cannot convert", this happens e.g. when trying to set `PlatformUpdatesChannel`,
# `EngineUpdatesChannel`, `DefinitionUpdatesChannel` to `Broad`. `Broad` is not supported on all platforms
# and throws e.g. with:
# `Cannot process argument transformation on parameter 'EngineUpdatesChannel'. Cannot convert value
# "Broad" to type "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.UpdatesChannelType".
# Error: "Unable to match the identifier name Broad to a valid enumerator name. Specify one of the
# following enumerator names and try again: NotConfigured, Beta, Preview"`
code: |-
$propertyName = '{{ $property }}'
$value = {{ $value }}
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {
Write-Host "Skipping. `"$propertyName`" is already `"$value`" as desired."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 0
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"
Set-MpPreference -Force -{{ $property }} $value -ErrorAction Stop
Write-Host "Successfully set `"$propertyName`" to `"$value`"."
exit 0
} catch {
if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
exit 0
} elseif (($_ | Out-String) -like '*Cannot convert*') {
Write-Host "Skipping. Argument `"$value`" for property `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
} else {
Write-Error "Failed to set using $($command.Name): $_"
exit 1
}
}
# `Remove-MpPreference` is different in Windows 11 / 10
# Windows 11 and 10 have different revert behavior which is caused by different `Remove-MpPreference` cmdlet versions used
# Windows 10 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2019-ps
# Windows 11 version: https://docs.microsoft.com/en-us/powershell/module/defender/remove-mppreference?view=windowsserver2022-ps
# On Windows 11:
# - By default, `Remove-MpPreference` sets default values for settings for all cases.
# - `setDefaultOnWindows11` parameter changes this behavior to set the default value using `Set-MpPreference`
# On Windows 10:
# - If `default` argument is is provided, it's set using `Set-MpPreference`
# - `default` argument should not be provided if `Remove-MpPreference` is supported in Windows 10.
revertCode: |-
$propertyName = '{{ $property }}'
{{ with $default }} $defaultValue = {{ . }} {{ end }}
$setDefaultOnWindows10 = {{ with $default }} $true # {{ end }} $false
$setDefaultOnWindows11 = {{ with $setDefaultOnWindows11 }} $true # {{ end }} $false
$osVersion = [System.Environment]::OSVersion.Version
function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }
function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }
# ------ Set-MpPreference ------
if(($setDefaultOnWindows10 -and (Test-IsWindows10)) -or ($setDefaultOnWindows11 -and (Test-IsWindows11))) {
if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $defaultValue) {
Write-Host "Skipping. `"$propertyName`" is already configured as desired `"$defaultValue`"."
exit 0
}
$command = Get-Command 'Set-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Set-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName `$defaultValue -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default `"$defaultValue`"."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
}
# ------ Remove-MpPreference ------
$command = Get-Command 'Remove-MpPreference' -ErrorAction Ignore
if (!$command) {
Write-Warning 'Skipping. Command not found: "Remove-MpPreference".'
exit 1
}
if(!$command.Parameters.Keys.Contains($propertyName)) {
Write-Host "Skipping. `"$propertyName`" is not supported for `"$($command.Name)`"."
exit 0
}
try {
Invoke-Expression "$($command.Name) -Force -$propertyName -ErrorAction Stop"
Write-Host "Successfully restored `"$propertyName`" to its default."
exit 0
} catch {
if ($_.FullyQualifiedErrorId -like '*0x800106ba*') {
Write-Warning "Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"
} else {
Write-Error "Failed to set using $($command.Name): $_"
}
exit 1
}
-
name: DisableService
parameters:
- name: serviceName
- name: defaultStartupMode # Allowed values: Automatic | Manual
call:
function: RunPowerShell
# Careful with Set-Service cmdlet:
# 1. It exits with positive code even if service is disabled
# 2. It had breaking API change for `-StartupMode` parameter:
# Powershell >= 6.0 : Automatic, AutomaticDelayedStart, Disabled, InvalidValue, Manual
# PowerShell <= 5 : Boot, System, Automatic, Manual, Disabled
# So "Disabled", "Automatic" and "Manual" are only consistent ones.
# Read more:
# https://github.com/PowerShell/PowerShell/blob/v7.2.0/src/Microsoft.PowerShell.Commands.Management/commands/management/Service.cs#L2966-L2978
# https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.1
parameters:
code: |-
$serviceName = '{{ $serviceName }}'
Write-Host "Disabling service: `"$serviceName`"."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if(!$service) {
Write-Host "Service `"$serviceName`" could not be not found, no need to disable it."
Exit 0
}
# -- 2. Stop if running
if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is running, stopping it."
try {
Stop-Service -Name "$serviceName" -Force -ErrorAction Stop
Write-Host "Stopped `"$serviceName`" successfully."
} catch {
Write-Warning "Could not stop `"$serviceName`", it will be stopped after reboot: $_"
}
} else {
Write-Host "`"$serviceName`" is not running, no need to stop."
}
# -- 3. Skip if already disabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq 'Disabled') {
Write-Host "$serviceName is already disabled, no further action is needed"
}
# -- 4. Disable service
try {
Set-Service -Name "$serviceName" -StartupType Disabled -Confirm:$false -ErrorAction Stop
Write-Host "Disabled `"$serviceName`" successfully."
} catch {
Write-Error "Could not disable `"$serviceName`": $_"
}
revertCode: |-
$serviceName = '{{ $serviceName }}'
$defaultStartupMode = '{{ $defaultStartupMode }}'
Write-Host "Enabling service: `"$serviceName`" with `"$defaultStartupMode`" start."
# -- 1. Skip if service does not exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if(!$service) {
Write-Warning "Service `"$serviceName`" could not be not found, cannot enable it."
Exit 1
}
# -- 2. Enable or skip if already enabled
$startupType = $service.StartType # Does not work before .NET 4.6.1
if(!$startupType) {
$startupType = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$serviceName'" -ErrorAction Ignore).StartMode
if(!$startupType) {
$startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "Name='$serviceName'" -ErrorAction Ignore).StartMode
}
}
if($startupType -eq "$defaultStartupMode") {
Write-Host "`"$serviceName`" is already enabled with `"$defaultStartupMode`" start, no further action is needed."
} else {
try {
Set-Service -Name "$serviceName" -StartupType "$defaultStartupMode" -Confirm:$false -ErrorAction Stop
Write-Host "Enabled `"$serviceName`" successfully with `"$defaultStartupMode`" start, may require restarting your computer."
} catch {
Write-Error "Could not enable `"$serviceName`": $_"
Exit 1
}
}
# -- 4. Start if not running (must be enabled first)
if($defaultStartupMode -eq 'Automatic') {
if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {
Write-Host "`"$serviceName`" is not running, starting it."
try {
Start-Service $serviceName -ErrorAction Stop
Write-Host "Started `"$serviceName`" successfully."
} catch {
Write-Warning "Could not start `"$serviceName`", requires restart, it will be started after reboot.`r`n$_"
}
} else {
Write-Host "`"$serviceName`" is already running, no need to start."
}
}
-
name: ShowWarning
parameters:
- name: message
- name: ignoreWindows11 # Ignores warning message on Windows 11, allowed values: true | false, default: false
- name: ignoreWindows10 # Ignores warning message on Windows 10, allowed values: true | false, default: false
call:
function: RunPowerShell
parameters:
code: |-
$warningMessage = '{{ $message }}'
$ignoreWindows10 = {{ with $ignoreWindows10 }} $true # {{ end }} $false
$ignoreWindows11 = {{ with $ignoreWindows11 }} $true # {{ end }} $false
$osVersion = [System.Environment]::OSVersion.Version
function Test-IsWindows10 { ($osVersion.Major -eq 10) -and ($osVersion.Build -lt 22000) }
function Test-IsWindows11 { ($osVersion.Major -gt 10) -or (($osVersion.Major -eq 10) -and ($osVersion.Build -ge 22000)) }
if (($ignoreWindows10 -and (Test-IsWindows10)) -or ($ignoreWindows11 -and (Test-IsWindows11))) {
exit 0 # Skip
}
Write-Warning "$warningMessage"
# revertCode: No warnings needed when reverting
Reference in New Issue View Git Blame Copy Permalink